SF 2200 — IA, US

SF 2200 is a piece of AI governance legislation from IA, currently at the introduced stage. Iowa SF 2200 mandates AI-driven email security solutions for schools by January 1, 2027 [2]. AIGI tracks 1 primary-source update on this bill; the most recent was published on 2026-02-04.

Status & timeline

Regulatory stage: introduced
Bill status: introduced
Authority / governing body: Iowa Legislature
Chamber: senate
Document type: legislation

Next deadline: January 1, 2027

Full obligation matrix

| Actor | Obligation | Deadline | Source |
|---|---|---|---|
| deployer | Implement an email security solution. | 2027-01-01 | |
| deployer | Ensure the email security solution provides inbound and outbound filtering of email traffic for spam, malware, phishing, ransomware, and advanced persistent threats. | 2027-01-01 | |
| deployer | Ensure the email security solution utilizes artificial intelligence-driven threat detection, including behavioral analysis, sandbox execution, and real-time analysis of embedded uniform resource locators and attachments. | 2027-01-01 | |
| deployer | Ensure the email security solution offers full-spectrum impersonation protection, including domain and display name spoofing defense, user impersonation alerts, and forged sender blocking. | 2027-01-01 | |
| deployer | Ensure the email security solution includes data loss prevention policies capable of scanning subject lines, body content, and attachments for personally identifiable information, protected health information, and student records, and triggering block, quarantine, or encryption workflows as appropriate. | 2027-01-01 | |
| deployer | Ensure the email security solution provides policy-based encryption of outbound email traffic containing protected or confidential content. | 2027-01-01 | |
| deployer | Ensure the email security solution includes quarantine and end-user self-service portals, enabling safe engagement and reducing administrative burden. | 2027-01-01 | |
| deployer | Ensure the email security solution supports directory service integration to enable role-based policy application and user-level visibility. | 2027-01-01 | |
| deployer | Ensure the email security solution provides comprehensive logging, alerting, and forensic analysis, including the ability to correlate threats across users and time, and generate detailed reporting for compliance purposes. | 2027-01-01 | |
| deployer | Ensure the email security solution supports integration with productivity platforms without dependence on their native filtering features. | 2027-01-01 | |
| deployer | Ensure the email security platform or vendor used continues to meet all specified requirements to avoid being considered noncompliant. | 2027-01-01 | |

Enforcement risk score

25 / 100

Announced regulation; enforcement footprint still forming.

Role-based compliance checklist

  • board_director: Approve the budget and strategic plan for the procurement and implementation of a compliant email security solution. (2027-01-01)
  • cto: Lead the research, selection, and deployment of an email security solution that explicitly meets all technical requirements, including AI-driven threat detection, data loss prevention, encryption, and logging capabilities. (2027-01-01)
  • compliance_officer: Review the chosen email security solution and its configurations against the bill's requirements to ensure full compliance by the specified deadline. (2027-01-01)
  • privacy_officer: Ensure Data Loss Prevention (DLP) policies are accurately configured and maintained to protect personally identifiable information (PII), protected health information (PHI), and student education records. (2027-01-01)

Vendor impact assessment

Vendor risk class
high
Procurement categories
security_tooling

Email security vendors serving the education sector in Iowa must demonstrate robust AI-driven threat detection, advanced DLP, and comprehensive reporting features to meet the explicit mandates of this bill. School districts will prioritize vendors whose products directly align with these requirements to ensure compliance and avoid non-compliance penalties.

Sample vendor questions

  1. Does your email security solution include AI-driven threat detection capabilities with behavioral analysis and sandboxing?
  2. How does your solution provide full-spectrum impersonation protection, covering domain spoofing, display name spoofing, and user impersonation alerts?
  3. Describe your Data Loss Prevention (DLP) functionalities for identifying and managing PII, PHI, and student records within email content and attachments.
  4. Can your solution automatically enforce policy-based encryption for outbound emails containing sensitive or confidential data?
  5. What comprehensive logging, alerting, and forensic analysis features does your solution offer for compliance reporting and threat correlation?
  6. Does your solution support seamless integration with common productivity platforms without relying on their native filtering features?

Frequently asked questions

What is SF 2200?
Iowa Senate File 2200 mandates the implementation of specific email security standards for school districts, charter schools, and area education agencies [1]. The required email security solutions must incorporate artificial intelligence-driven threat detection, including behavioral analysis and sandbox execution, to protect against various cyber threats [2]. Full compliance is stipulated by January 1, 2027.

Why does SF 2200 matter?
This signals a legislative mandate for specific AI system capabilities within public sector operational technology infrastructure.

Who does SF 2200 affect?
This legislation primarily impacts Iowa school districts, charter schools, and area education agencies, specifically their IT security, procurement, and risk management functions. The scope includes AI use cases related to email security, such as advanced threat detection leveraging machine learning, artificial intelligence-driven threat detection, data loss prevention, and impersonation protection systems.

What are the key dates for SF 2200?
January 1, 2027

What is the current status of SF 2200?
As of the last published update, SF 2200 is at the "introduced" stage, with bill status "introduced".

Where can I find the primary source for SF 2200?
The primary source for the most recent update is at https://www.legis.iowa.gov/publications/search/document?fq=id:1597073&q=artificial+intelligence. AIGI publishes the full citation chain plus every approved brief on this bill.
