The post-ESSER K-12 CIO playbook for AI is governance, not procurement

A few things happened this week that, taken together, feel like a quiet turning point for K-12 technology leadership.

Canva launched Learn Grid, which lets a teacher spin up three reading levels of the same lesson from a single prompt. Google expanded Gemini and NotebookLM deeper into K-12 and announced free AI literacy training for six million U.S. educators. Anthropic pushed Project Glasswing into K-12 cyber defense. The FCC E-Rate review is live, the FCC cyber pilot opens in August, and state AI-in-schools templates are starting to land in Utah and Maryland.

Underneath those product stories is a quieter shift. The agentic browser is moving from research preview to product. The proxy and web filter layer that districts have lived on for fifteen years was built for a world where a human clicks and a network responds. That world is ending. The tool story is converging. The system story is not. That gap is where the next year of K-12 CIO work actually lives.

AI just stopped being a pilot

For the last two school years, the most common AI conversation in a district went like this: we bought a few licenses, some teachers tried it, we are not sure what to do next.

That phase is ending. A Microsoft research note cited this week puts generative AI use in education at roughly 86 percent, the highest of any industry surveyed. The products are starting to behave like infrastructure: persistent memory, agentic workflows, connectors to the rest of the district's stack. Canva's new connectors to Slack, Gmail, Drive, Calendar, Notion, and Zoom are a small example of a much larger pattern. Tools are reaching across the boundaries we used to keep clean.

The first thing a CIO should do is stop treating AI as a category of software. Treat it as a layer that touches everything you already own. The question stops being which tool do we buy and starts being what system are we building that any of these tools can plug into safely.

The agentic browser breaks the web filter, and we are not ready

For the last fifteen years, K-12 networks have been protected by a fairly stable stack: content filter, proxy, firewall, SSL inspection, and allow and deny lists tuned to CIPA. The stack assumes a human is the actor. A student opens a tab, the filter checks the URL, the policy is applied, the request is logged. Every piece of that stack was designed before the browser had an agent inside it.

This week's signals about what that means started stacking up fast. An autonomous AI bug hunter found a two-year-old remote code execution flaw in Redis. WhatsApp and Slack notifications were shown able to hijack Google Gemini on Android without installing any malicious app. Anthropic shipped a defensive harness for AI code review the same week a flaw in its own Claude Code GitHub Action let a single opened issue take over repositories. The agent now lives in the same channels as the user, and the perimeter was not designed for that.

The agentic browser products are coming: OpenAI, Google, Anthropic, and Perplexity are racing to put the agent in the browser chrome. When a student asks the browser to summarize this page, schedule a meeting, and email the parent, the request does not go to a URL. It goes to a model that can read the page, draft the email, and act. The content filter sees a permitted site. The browser just exfiltrated a child record to a model endpoint the district does not own. That is the threat model for the next eighteen months, and most district filters cannot see it.

Three things need to happen in the next budget cycle. Redraw the perimeter around the data, not the URL. The control plane is the data classification, the identity of the actor, and the policy on what the agent is allowed to do with what it reads. Decide on browser policy before the teachers decide for you. Districts that have a written, short, enforceable answer will be fine. Budget for it under cyber, not under instructional innovation. This is a security architecture change triggered by an instructional tool, and the right budget line is the difference between getting it funded and getting it studied.

Post-ESSER and cybersecurity are the same conversation now

The federal money that padded district technology budgets for three years is fully gone, and operating dollars are now expected to sustain 1:1, cybersecurity, cloud, and digital curriculum on their own. That pressure is killing the pilot everything habit and pushing cybersecurity out of the IT budget and into the enterprise risk budget, alongside insurance, legal exposure, and board-level fiduciary duty. The same discipline shows up in districts making good decisions: a real TCO view on core platforms (SIS, LMS, security stack, assessment suite), a willingness to retire redundant apps, multi-year contracts where the platform is mission-critical, and short contracts where the vendor's AI roadmap is still moving. The districts that come out healthy will not be the ones that kept the most tools. They will be the ones that can explain, in plain language, which tools survived and why.

Two practical shifts are showing up on the cyber side. The first is identity: zero-trust expansion, least-privilege roles, continuous device posture, and student MFA for the systems that touch SIS, finance-adjacent apps, and email. The second is operational readiness: annual cyber training, AI-generated phishing simulations, a documented incident playbook, and tabletop exercises that include the superintendent, the comms team, and the school board. The FCC cyber pilot window opening in August is a reason to do this work in public. The bigger reason is that an incident without a tested playbook is what ends CIO careers.

AI governance is the seat at the table districts keep forgetting to build

AI is being adopted faster than it is being governed. A teacher is using three or four AI tools right now whether the district approved them or not. The work is to make it visible, safe, and aligned to instruction, and to stop pretending the problem is going away.

Districts doing this well have a few things in common. A cross-functional AI governance committee with curriculum, assessment, special education, equity, IT, legal, and communications at the table, with the tech team serving the committee. An acceptable use policy short enough for a teacher to read in five minutes. AI use tied to instructional priorities, not the other way around. AI literacy in the curriculum the same way digital citizenship got written in, except this one has to land faster.

The Utah and Maryland state templates matter. They give districts a starting structure so the work does not start from a blank page. A state template is the floor, not the ceiling. The interesting question is how the governance committee actually makes a decision, and how a parent or a teacher can find out what that decision was.

What I am watching next

Three things on my list for the next two weeks. The FCC E-Rate public comment window, which is a rare chance to shape the next decade of school connectivity. The governed agent conversation, where procurement is shifting from do we allow this to what data are we willing to let it touch, and what is the audit trail. And the assessment redesign work, where the interesting districts are redesigning the task so the work being graded is the work an AI cannot do.

A working note, not a victory lap

None of this is theoretical for me. I sit inside a district that is doing all of it at once, with the same budget pressure and the same staffing reality as everyone else. Some of it is working. Some of it is not. The point of this blog is to write the working notes while the work is still going on, not to publish the polished case study two years after everyone already figured it out.

The week ahead looks like more of the same: more AI in the stack, more pressure on the budget, more cyber risk, more state guidance, and not enough staff to do all of it. The post-ESSER budget cycle is forcing the issue whether we wanted it or not. If you are in a district doing this work, the door is open.