Walk through most workplaces and you’ll see it: free or low-cost AI tools everywhere. Drag a recording into an AI-powered app, you get back what was said along with any tasks assigned; open a long PDF and the tool can summarize it; click a button while on a video call and not only can you get live captions, but it can translate in real time for you; drop in a video and the background noise is gone. Many are one-click actions, baked into smartphones and desktop apps, and good enough to tempt you into using them on your investigations. That convenience is exactly why we need a tighter grip on how – and when – these tools touch investigations.
With all the knowledge and information behind it and the confidence portrayed in a clean and well-written response, it is easy to trust what you get back from AI. But there are countless reports of AI making up facts or even sources. And this bad behavior can apply to an investigation – the AI response can make up information, assert a date, or name someone that isn’t even in the record. NIST’s Generative AI Profile calls this confabulation. If the investigator believes the confabulated response and it makes its way into a report or affidavit, they’ve introduced hearsay-like claims with no evidentiary source. The consequences are much greater if the belief in the confabulation is acted upon or is used in downstream decision-making.
Bias, in its many forms, presents a silent but harmful risk. Harmful biases are manifested much quicker in AI. Such harmful biases can take the form of under/misrepresenting gender, race or physical ability – severely tainting the model’s output. And the risk is not limited to physical attributes. When using AI to translate recordings, if the underlying model is well suited for US-English but performs poorly for Mexican-Spanish, the resulting translation may misrepresent what was said. DOJ’s Artificial Intelligence and Criminal Justice Report ties this directly to due process: accuracy, fairness, and transparency must be demonstrated if AI-touched material influences investigative decisions or prosecutorial judgments. Bottom-line: courts will ask how you checked for bias and what you did when you found it.
Security and privacy leakage are practical – not theoretical – problems. If you copy-paste personal identifying information (PII), informant details, or sealed material into public tools, that data risks being exposed. Prompt injection attacks blur the lines between the user instructions and AI’s own internal system prompts. This confusion manipulates the model’s behavior, causing it to reveal or even alter information.
Another issue is keeping track of what the AI has seen and how it’s used. Prosecutors in King County, Washington have already told agencies they will not accept AI-assisted police reports due to accuracy and integrity concerns, and Seattle’s police watchdog formally urged SPD to set policy after an officer used AI for internal reports.
Courts, as the arbiters of transparency and privacy, are naturally taking AI seriously. If the AI prompts, drafts, and instructions aren’t preserved, you may not be able to submit the information or evidence. The National Center for State Courts (NCSC) and the Conference of State Court Administrators (COSCA) jointly published guidance on AI in courts, emphasizing privacy, verification, and clear disclosure. In July of this year, California’s judiciary has adopted a statewide requirement that every court adopt an AI policy or ban it outright – prioritizing confidentiality, bias mitigation, and verification. Those norms will shape what judges expect from law enforcement across the country.
Some AI applications keep all prompts, the feedback that the user provided, and versions of the output for the user to review or to continue their work later. However, many of these same tools allow use without logging in. Without tying the work product to an account, all the prompts, feedback, etc. in that session are lost. Not having clear AI rules can damage trust in law enforcement. Without proper guidelines, well-intentioned personnel might make up rules on their own. This leaves agency leadership dealing with media scrutiny instead of police work.
Best practices for GenAI use in investigations
What Should You Do:
Start with governance, not tools. Name an AI lead, require pre-approval for use cases, and keep a living inventory. Classify AI uses by risk – low (for grammar), medium (for administrative summaries), high (anything factual that can enter evidence). Then tie each classification to NIST’s AI Risk Management Framework (govern, map, measure, manage) so the controls scale with the stakes.
Draw clear lines for reports. If AI is used on a document, the report should include: a disclosure statement, a human accuracy check, and references to the sources used. And the humans should keep the red line changes over the AI draft. These steps address prosecutors’ concerns about credibility right away and match what courts and prosecutors are expecting now.
Treat prompts, drafts, and outputs as evidence-adjacent artifacts. Save them with timestamps, case numbers, and user IDs. Ban pasting of sensitive data (or uploading files that contain sensitive data) into public models. Keep everything in a controlled environment where logs and access controls are standard. This is straight from NIST’s emphasis on documentation, security, and traceability.
Test it. For each use, define success criteria, assemble fixed test scenarios, measure error rates, and red team for prompt injection and misleading cues. Approve only after passing a documented gate, re-test after model or policy changes. That mirrors DOJ’s performance and fairness expectations and NIST’s lifecycle approach.
Keep a human firmly in the loop. Reviewers must check facts against source material – do not just read it to see if it makes sense or reads well. Accountability rests with the officer or analyst whose name is on the work product. DOJ’s guidance makes this point repeatedly: human oversight isn’t optional.
Limit scope and exposure. It sounds kind of obvious – start with low-risk administrative uses and explicitly prohibit AI from providing anything that substitutes for investigative judgment (such as probable-cause statements, charging recommendations, or narratives). Minimize (or eliminate) PII in prompts and prefer structured inputs over free text. That’s risk minimization 101 under NIST.
Plan for public records and transparency. Put in writing when and how you disclose AI assistance in reports, how you respond to records requests, and what you’ll tell courts and the community. The articles that I mentioned earlier show the cost of ambiguity.
Build an off-ramp. If testing exposes material errors (or a case raises novel legal issues) pause the AI use, document the issue, notify legal, remediate, and only then resume. Continuous “measure and manage” is baked into the NIST approach for a reason.
Align procurement to your policy. Bake policy requirements into your contracts, such as logging and export of prompts and outputs, data-retention limits, security controls, red-team support, model documentation, and audit cooperation. GAO’s review shows agencies that tie contracts to policy are better at sustained compliance.
Use AI to speed up the work, not to lower the standard. With guardrails grounded in NIST and DOJ guidance – and informed by what courts and states now expect – you can get the efficiency without risking the case.
About Kevin McTiernan
Kevin McTiernan is a seasoned professional with over 20 years of experience in the security industry. His extensive expertise spans big data, cybersecurity, network security analysis, and regulatory compliance. As Vice President of Government Solutions at SS8, Kevin specializes in the implementation of advanced intelligence solutions for the U.S. Government, law enforcement, and the Five Eyes alliance. He is an accomplished public speaker and an adamant supporter and volunteer for the National Child Protection Task Force. You can learn more about Kevin on his LinkedIn profile.
About SS8 Networks
As a leader in Lawful and Location Intelligence, SS8 is committed to making societies safer. Our mission is to extract, analyze, and visualize critical intelligence, providing real-time insights that help save lives. With 25 years of expertise, SS8 is a trusted partner of the world’s largest government agencies and communication providers, consistently remaining at the forefront of innovation.
Discovery is the latest solution from SS8. Provided as a subscription, it is an investigative force multiplier for local and state police to fuse, filter, and analyze massive volumes of investigative data – in real time.
Intellego® XT monitoring and data analytics portfolio is optimized for Law Enforcement Agencies to capture, analyze, and visualize complex data sets for real-time investigative intelligence.
LocationWise delivers the highest audited network location accuracy worldwide, providing active and passive location intelligence for emergency services, law enforcement, and mobile network operators.
Xcipio® mediation platform meets the demands of lawful intercept in any network type and provides the ability to transcode (convert) between lawful intercept handover versions and standard families.
To learn more, contact us at info@SS8.com.
