Plain-English guidance for Village Managers, Clerks, Chiefs, Finance, and Public Works across the Chicago Suburbs.
AI has moved from headlines into day-to-day municipal work. For villages from the I‑294 corridor to the I‑55 spine to the I-94 Edens, that means new risks touching FOIA, finance controls, public safety systems, and resident trust. You don’t need to be an AI expert—but you do need a clear plan you can defend at the board table.
The Three Real Risks (and Where They Hit Village Operations)
1) Deepfakes & Impersonation on Video Calls
Bad actors can now mimic faces and voices well enough to fool a quick glance. In government, that matters because a faked “Chief” or “Director” can push staff to share files or change permissions.
What to watch for
- Off lighting, unnatural eye movement, or delayed lip sync
- Odd pauses before answers or dodging follow‑ups
- Unusual requests tied to urgency ("do this before the meeting")
Controls that work for villages
- Callback rule: Any request on video to change CAD permissions, payroll, or vendor bank info must be verified by a separate line (dispatch, direct office line). Log the check for audit.
- Meeting admission policy: Only allow named accounts; no “guest” IDs for sensitive sessions (police/finance).
- Recordkeeping: Save meeting chats/decisions to your retention repository so FOIA and audit trails stay intact.
2) Smarter Phishing and Business Email Compromise
AI now writes clean, in‑style emails. Villages are seeing spoofed vendor invoices, impersonated department heads, and fake grant notices—especially around budget and year‑end cycles.
Controls that work for villages
- MFA everywhere (email, VPN, CJIS‑relevant apps).
- Payment change protocol: Any ACH/bank change requires positive pay and phone verification to a known number in your vendor file—no exceptions.
- Quarterly staff training: Short, board‑approved refreshers that include local examples (IML/TOI conference travel, utility vendors, seasonal grants).
- Mailbox rules audit: Quarterly check for forwarding rules and inbox automations set by attackers.
3) “Skeleton” Software (Shadow AI Tools)
Malware is often disguised as trendy AI plug‑ins and “free” video editors—tempting during hectic seasons.
Controls that work for villages
- Allow‑list only: Staff may install only pre‑approved tools; all new AI apps go through IT for vetting first.
- Software request form: Simple web form routes to IT/MSP; decisions documented for transparency and FOIA.
- Retail season freeze: From budget adoption through calendar year‑end, freeze new tool installs unless security‑reviewed.
Department-by-Department Quick Map
Police (CJIS/NIST): Enforce MFA, restrict CAD role changes to ticketed requests with supervisor approval and callback verification. Keep audit logs.
Clerk/FOIA: Centralize email and chat retention; save meeting artifacts (recordings, chat) to your retention repository.
Finance: Payment change verification by phone; dual approval for wire/ACH; monthly vendor master file review.
Public Works: Segment SCADA/OT from the office network; require service‑account changes via ticket with callback.
Administration: Use named accounts for board/committee sessions; publish a simple “how we verify unusual requests” policy for staff.
A Simple, Board‑Ready Safeguard Plan (90 Minutes Total)
1) 30‑minute Risk Huddle
Department heads list their top two “what keeps me up” items (e.g., vendor fraud, retention gaps, permission creep). Capture what’s already in place.
2) 30‑minute Control Check
Confirm the four non‑negotiables: MFA, payment‑change callback, software allow‑list, mailbox rule audit.
3) 30‑minute Documentation
Create a one‑page summary with: current controls, next two priorities, and who owns them. File it with the Clerk and attach to the next board packet.
How We Help (Built for Chicagoland Municipalities)
- Fast, local response (goal: sub‑15 minutes) for service‑impacting tickets—because dispatch, FOIA queues, and utility billing can’t wait.
- Compliance made simple: CJIS/NIST guidance, email/chat retention setup, and audit‑ready documentation your trustees can read at a glance.
- Co‑managed flexibility: Augment your small internal team without replacing them.
- Predictable pricing: Fixed monthly fees you can defend to Finance and the board.
“Plain English, no scare tactics. Just steps you can defend at the board table.”
FAQ (The Questions Trustees Ask)
“Do we really need MFA for everyone?”
Yes. It’s the single highest‑value control against phishing and account takeover.
“Will this slow down Public Works or Police?”
No—set it once, and day‑to‑day use is minimal. The risk reduction is significant.
“How much training do we need?”
Short, quarterly refreshers with local examples are enough to keep people alert without burning time.
“Can we phase this in?”
Absolutely. Start with email and payment controls, then expand to systems with sensitive data.
Ready When You Are
Schedule a Board‑Ready Risk Review. In one session, we’ll map AI‑driven risks across Police, Clerk/FOIA, Finance, and Public Works, confirm the four non‑negotiables, and leave you with a one‑page brief for your next agenda.
Appendix: Copy‑Ready Policy Language (Paste into Your Handbook)
Unusual Request Verification
All requests to change system permissions, process payments, or add software must be verified via a second channel (phone to a known number or in‑person). Results are documented in the ticketing system and retained per policy.
Email & Meeting Retention
Email, chat, and meeting artifacts (recordings, transcripts, and chat logs) related to village business are retained per the Clerk’s schedule and stored in the designated repository.
Software Installation
Staff may install only applications from the village allow‑list. New requests are submitted via the Software Request Form and approved by IT; emergency exceptions require Administrator sign‑off and post‑review.
Payment Change Protocol
Any change to vendor banking information must be confirmed by phone using a number on file—never from the request email. Two‑person approval is required for final changes.
