May 14, 2026
This year’s ATLIS (Association of Technology Leaders in Independent Schools) Annual Conference reinforced what many independent school technology and security leaders already know: schools are navigating increasingly complex cyber, privacy, artificial intelligence (AI), and operational challenges—often with limited resources, evolving regulations, and growing expectations from families, faculty, and boards. Across sessions and conversations, five themes consistently rose to the top.
1. AI Is Moving Faster Than School Governance
AI was one of the most discussed—and questioned—topics at the conference. Schools are wrestling with how AI tools should be used in the classroom, how they impact academic integrity, and how they affect the security and privacy of school data.
Some schools have embraced AI, allowing students and faculty to use approved tools to enhance learning, productivity, and engagement. Others remain cautious, still evaluating how to demonstrate educational value while managing risks. Regardless of where a school lands on AI adoption, there was broad consensus around one point: AI governance and compliance is no longer optional.
Schools need clear policies that define what data can—and cannot—be entered into AI tools, particularly when sensitive student or employee information is involved. Just as important is education: training faculty, staff, and students on the risks of using AI with confidential data and helping them understand the implications of data ingestion into third-party platforms. Schools have a responsibility to ensure their business partners and vendors (i.e. edtech providers) are transparent with how they use AI with school data, including not using sensitive information for model training. The takeaway was clear—AI can be a powerful asset, but without guardrails, it can quickly become a liability and result in non-compliance.
2. Vendor Risk Management Is a Growing Priority—and a Growing Challenge
Vendor risk management emerged as another area where schools are actively working to mature their programs. Many institutions now rely on 100 or more third-party vendors spanning software platforms, edtech tools, hardware providers, consultants, and managed service partners—each with varying degrees of access to school systems and sensitive data.
Leading schools have taken important first steps by inventorying their third-party assets and implementing formal assessments to evaluate cyber and privacy risks. Others acknowledged they still rely on informal or decentralized processes, making it difficult to track vendors procured outside of IT or business offices.
The takeaway? You can’t manage what you can’t see. Schools recognize the need for centralized visibility, consistent vendor onboarding processes, and risk-based assessments that scale with limited staff. Vendor risk management is no longer just an IT issue—it’s an enterprise-wide responsibility.
3. EDR Adoption Is Becoming the Norm
Endpoint Detection and Response (EDR) implementation has made significant progress across schools in recent years. Where budgets and staffing constraints once made advanced endpoint monitoring feel out of reach, many schools have now found ways to implement EDR through cloud-based tools, bundled security platforms, or outsourced security operations.
Conference discussions highlighted that schools are gaining greater visibility into threats on laptops, desktops, and servers and improving their ability to respond quickly to incidents. While challenges remain—particularly around alert fatigue and staffing—the momentum is unmistakable. EDR is no longer viewed as an “advanced” security capability; it’s increasingly seen as a baseline control for modern school environments.
4. COPPA Compliance Remains Complex and Unsettled
Children’s Online Privacy Protection Act (COPPA) compliance continues to be a source of uncertainty for schools. While COPPA obligations primarily fall on third-party vendors, schools carry the responsibility of vetting tools and providing consent for the collection and use of minors’ data.
Some schools have engaged legal counsel to draft parental consent agreements and formalize their approach, while others are still working to understand where their obligations begin and end, especially given the constant influx of new classroom tools and digital platforms.
The key takeaway was that COPPA compliance, as well as adhering to evolving privacy laws and enforcements on children’s data, is not a one-time exercise. It requires ongoing vendor review, collaboration between legal, IT, and academic teams, and clear documentation of decisions. Understanding privacy compliance also includes managing notices and consent, personal data mapping, and risk assessments. Schools are looking for more practical frameworks to manage this responsibility without slowing innovation in the classroom.
5. Access Management Is Evolving Beyond MFA
Access management sparked some of the most nuanced conversations at the conference. Multi-factor authentication (MFA) is now widely deployed for faculty and staff—but student access remains a gray area.
Schools shared a range of approaches. Some have determined that MFA for students creates too much friction in the classroom. Others use a hybrid model, enabling MFA for older students but not younger ones. Still others require MFA for all students when accessing systems remotely, but not when they are on campus.
Beyond MFA, there was growing recognition that access management must become more role-based and intentional. Schools are beginning to look closely at who truly needs access to sensitive data—and why. Doing this well requires collaboration across departments to define roles, document access needs, and formalize access review processes. The takeaway: access management isn’t just about controls—it’s about alignment between security, operations, and educational mission.
Final Thought
The ATLIS Conference underscored a critical reality: schools are making meaningful progress, but the landscape is becoming more complex—not simpler. AI, vendor ecosystems, regulatory requirements, and security expectations continue to expand. The most successful schools are those moving beyond reactive fixes and towards proactive activities. This includes structured compliance programs, collaboration across departments, and thoughtful cyber privacy, and AI governance.
The path forward isn’t about perfection—it’s about progress, clarity, and collaboration.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2026 FTI Consulting, Inc. All rights reserved. fticonsulting.com