When AI-Generated Abuse Happens on a School Device: The Liability No One Is Prepared For

Content note: This article discusses AI-enabled sexual abuse imagery involving minors (non-graphic).

Key Takeaways

• UNICEF (February 2026) reports that across 11 countries, at least 1.2 million children reported their images being turned into sexually explicit deepfakes in the past year. The prevalence range across surveyed countries was 0.4% to 4.3%, with schools explicitly named as "frontline environments" for prevention and response.

• The exposure is not limited to the student who creates the content. Device custody, school networks and IP logs, approved vendor stacks, and WiFi/BYOD access all create a traceable institutional nexus most districts have not mapped.

• Insurance is moving: Verisk/ISO has filed optional general liability endorsements (CG 40 47, CG 40 48, CG 35 08) that enable carriers to exclude generative AI liabilities from common coverage programs. Several carriers have already implemented proprietary exclusions independently.

• Due diligence is shifting from policy language to operational artifacts: professional development logs, vendor review records, incident response playbooks, and documented human oversight.

My first day teaching in Poland, I had prepared meticulously. Class list in hand, fifteen students, age twelve. Lesson plans, activities, backups, a seating chart. Then four seventeen-year-olds walked through the door.

Everything I had prepared was useless. I improvised for ninety minutes. The director thought I had failed to prepare. I showed her the schedule they had given me with the wrong class listed. It did not matter. The mistake was in the system, but the accountability landed on me.

That moment taught me something I have carried through nearly three decades in education: due diligence is not about predicting every scenario. It is about building systems flexible enough to respond when reality changes on a dime, and documented enough to prove you were not asleep at the wheel when it did.

That principle has never been more urgent. UNICEF released an issue brief this week that quantifies a threat most school districts have no governance infrastructure to address. AI-generated child sexual abuse material is happening between students, on school devices, during school hours. The liability implications touch every layer of institutional operations, from the device in a student's hands to the insurance policy on the superintendent's desk. This article examines where the exposure sits, what due diligence requires in practice, and why independent assurance is becoming a prerequisite rather than a luxury.

The Data

The UNICEF brief, published in partnership with ECPAT International and INTERPOL under the Disrupting Harm project, surveyed approximately 11,000 children across 11 countries. At least 1.2 million children reported having their images manipulated into sexually explicit deepfakes through AI tools in the past year. The prevalence range across countries was 0.4% to 4.3%. At the upper end, that represents roughly 1 in 25 children, or one child in a typical classroom.

The UK's Internet Watch Foundation found nearly 14,000 suspected AI-generated child sexual abuse images on a single dark-web forum in one month, with almost a third confirmed as criminal content. South Korea reported a tenfold increase in AI and deepfake-related sexual offenses between 2022 and 2024, with teenagers constituting the majority of the accused. In the United States, a Thorn survey found that 1 in 10 teenagers knew of cases where peers had used generative AI tools to create synthetic non-consensual intimate images of other children.

The critical shift UNICEF identifies is that a child's image can now be weaponized without their knowledge, involvement, or awareness. No message needs to be sent. No photo needs to be shared. The violation happens remotely, invisibly, and permanently. UNICEF explicitly names schools as "frontline environments," calling on educators to address AI-related risks including deepfake nudes and "nudify" tools, train staff to respond, and encourage reporting of harmful behaviour.

The Liability Surface Schools Have Not Mapped

Most districts think about AI governance in terms of acceptable use policies and maybe a few professional development sessions. The actual liability surface for AI-generated harm is far more expansive, and far more traceable, than most administrators realize.

School-owned devices are the most obvious exposure point. Every Chromebook and iPad issued to a student is serial-numbered, logged, and assigned. If a student uses that device to access AI image generation tools or produce harmful content, the institution owns the hardware that facilitated the harm.

Managed networks and IP addresses compound the problem. All traffic routed through a school network is traceable to the institution's IP address. In any law enforcement investigation, that institutional address is the first thing that surfaces. Even if the student used a personal device, connecting through school WiFi establishes the institutional nexus.

Then there are vendor-supplied tools. If an EdTech platform in the school's approved technology stack has generative AI capabilities or inadequate guardrails against misuse, the school endorsed that tool through its procurement process. The approval decision, whether documented or not, is itself an artifact. The absence of a documented vendor review may be more damaging than a flawed one, because it suggests the institution never evaluated the risk at all.

Tying everything together is the documentation gap. Most schools cannot currently produce evidence showing which AI tools are accessible on their network, who approved them, what safeguards are in place, or what the escalation protocol is when something goes wrong. When an incident occurs, the absence of that documentation is itself evidence of inadequate governance.

What Insurers Are Already Doing

The insurance market is not waiting for schools to catch up. Verisk/ISO has filed new optional endorsements (CG 40 47, CG 40 48, CG 35 08) that enable carriers to exclude generative AI liabilities from commercial general liability policies at renewal. Several carriers have moved independently. Berkeley Insurance has implemented an "Absolute AI Exclusion" covering Directors and Officers, Errors and Omissions, and fiduciary liability products. Hamilton Select has introduced blanket exclusions for claims involving generative AI. Philadelphia Indemnity excludes content created using generative AI for third-party work.

The pattern mirrors the evolution of cyber insurance over the past two decades. When cyber risks first emerged, general liability policies provided uncertain coverage. Insurers responded with dedicated products carrying specific underwriting requirements. Over time, those requirements, things like multi-factor authentication, endpoint protection, and incident response plans, became de facto governance standards that institutions had to meet regardless of whether regulation required them. AI insurance is following the same trajectory: exclusions from general liability create demand for specialty products, and specialty underwriters develop governance requirements that become the floor, not the ceiling.

The message from carriers is explicit: coverage availability depends on demonstrable AI risk management. Governance documentation that was previously advisable is becoming a prerequisite for renewal.

What Due Diligence Actually Requires

What does defensible due diligence look like in practice? Without prescribing a full implementation methodology, the general shape of what insurers and regulators are converging on includes several categories of evidence.

It starts with a documented AI acceptable use policy that specifically addresses generative AI capabilities, including image and video generation tools. A generic technology AUP from 2019 with "AI" penciled into the margins will not withstand scrutiny.

Beyond policy, insurers are looking for evidence of professional development: logged, recurring training with documented attendance covering AI risks, incident recognition, reporting protocols, and staff responsibilities. This matters because 85% of teachers and 86% of students used AI at some level during the 2024-25 school year, while only 50% of teachers received even a single PD session on AI. You cannot document human oversight if the humans have not been trained to exercise it. Every other governance artifact depends on a workforce that knows what to look for, how to respond, and what to document.

Vendor oversight artifacts are equally critical: documented review of AI capabilities in approved EdTech tools, contractual language addressing algorithmic accountability, and evidence of ongoing monitoring rather than a one-time approval.

Then there is incident response. Not a generic bullying policy with "AI" appended to the title, but a defined chain of reporting, investigation, documentation, and family notification that accounts for the unique characteristics of synthetic media.

Finally, human oversight logs. Evidence that review and decision-making authority rests with trained personnel, not automated systems. A teacher may exercise sound professional judgment every day, but if that judgment is not logged, the oversight produces no artifact. In a liability dispute, undocumented oversight is indistinguishable from no oversight at all.

The specific artifacts required vary by carrier, jurisdiction, and institutional context. There is no single universal checklist. That variance is precisely why independent assessment matters.

The Question That Is Coming

I think about Poland sometimes. About the moment those teenagers walked in and everything I had planned became irrelevant. The director was wrong to blame me for the schedule error. But she was right about one thing: when the situation in front of you changes, the only thing that matters is whether you can demonstrate you did everything reasonable to prepare.

That question is coming to every school district. And when it arrives, it will not come as a policy review or a board discussion. It will come as an incident involving a student, a device, and AI-generated content that no governance system was built to address.

This is why I developed the AI Assurance Assessment framework and why the work I do through Purdy House exists. Independent, external verification that your governance systems, vendor agreements, professional development documentation, and incident response protocols can withstand scrutiny from regulators, insurers, and the parents sitting across the table from you.

The goal is not perfection. The goal is documented, defensible due diligence that demonstrates your institution took reasonable steps before the incident, not after.

For districts ready to start building that governance infrastructure now, the Stop-Gap AI Compliance Guide provides operational frameworks, ready-to-use forms, and deployment calendars to move from policy to practice. My memoranda series documents the insurance and regulatory landscape in detail for senior leadership and board members who need to understand what is converging on their desks in 2026.

The compliance cliff is here. The question is whether your documentation is.

Ryan James Purdy is the Senior AI Assurance and Compliance Advisor at Purdy House Publishing & AI Consulting. With nearly 30 years of education experience across North America, Europe, and Asia, he is the author of the Stop-Gap AI Policy & Compliance Guide series. His work focuses on bridging the gap between high-level AI policy frameworks and operational school-level implementation.

Contact: LinkedIn | ryanjamespurdy@gmail.com

References

United Nations Children's Fund. (2026, February). Artificial Intelligence and Child Sexual Abuse and Exploitation. UNICEF Issue Brief. https://www.unicef.org/media/178571/file/UNICEF%20AI%20CSEA%20Brief_FINAL4.pdf

Internet Watch Foundation. (2026, January 16). AI becoming 'child sexual abuse machine' adding to 'dangerous' record levels of online abuse, IWF warns. https://www.iwf.org.uk/news-media/news/ai-becoming-child-sexual-abuse-machine-adding-to-dangerous-record-levels-of-online-abuse-iwf-warns/

Thorn. (2024, August 14). REPORT: 1 in 10 Minors Say Peers Have Used AI to Generate Nudes of Other Kids. https://www.thorn.org/press-releases/report-1-in-10-minors-say-peers-have-used-ai-to-generate-nudes-of-other-kids/

The Straits Times. (2025, September 15). Deepfake, other digital sex crimes by teens nearly double in South Korea in four years.

Verisk/Independent Agent. ISO General Liability Endorsements for Generative AI Exposures (CG 40 47, CG 40 48, CG 35 08). https://www.independentagent.com/vu_resource/verisk-to-roll-out-new-general-liability-exclusions-for-generative-ai-exposures/

Hunton Andrews Kurth LLP. (2025). How insurance policies are adapting to AI risk. Legal analysis brief.

Education Week. (2026, January). Fed Regulation of AI Is Virtually Nonexistent. Is This a Problem for Schools? https://www.edweek.org/technology/fed-regulation-of-ai-is-virtually-nonexistent-is-this-a-problem-for-schools/2026/01