AI at the Reference Desk: What Frontline Staff Need to Know

Let's be honest: Nobody trained you on AI.

One day the discovery system updated and suddenly it's "AI-powered." The ILS vendor mentioned "machine learning" in release notes. Administration sent an email about "exciting new AI features."

And then patrons started asking questions. And you're expected to have answers.

This post is the training you should have gotten. It's written for people who actually work the desk. Not IT staff, not administrators, not vendors. Just you and the patrons asking "What's AI doing with my library data?"

Part 1: Is Our Library Using AI? (How to Find Out)

Here\'s the uncomfortable truth: Most library staff don\'t know which systems use AI.

Let\'s fix that. Here\'s your checklist:

Systems That Probably Use AI:

Discovery systems with "smart search" or "recommended for you"

• Examples: EBSCO Discovery, Primo, Summon, WorldCat Discovery
• What it does: Learns from search patterns to rank results and make recommendations
• Data it uses: Search queries, click patterns, what resources people actually use

Chatbots or "Ask a Librarian" virtual assistants

• Examples: Library-branded chatbots, "Chat with us" widgets
• What it does: Answers common questions automatically, escalates to human staff when needed
• Data it uses: Patron questions, previous conversation patterns

ILS systems with "predictive analytics" or "collection insights"

• Examples: Newer versions of Sierra, Koha, Alma
• What it does: Predicts which books will circulate, suggests weeding candidates, forecasts holds
• Data it uses: Circulation history, holds data, patron borrowing patterns

Digital collections with auto-tagging or OCR

• What it does: Automatically generates subject tags, makes scanned text searchable
• Data it uses: Images, documents, metadata

Self-checkout systems with "smart recommendations"

• What it does: Suggests similar items based on what you're checking out
• Data it uses: Circulation patterns, similar patron preferences

How to Confirm (Ask IT/Administration):

Script to send your supervisor/IT:

"I'm getting patron questions about AI in our library systems. Can you confirm which of our systems use AI or machine learning, and what data they collect? I need this to answer patron privacy questions accurately."

If they don't know (common), escalate:

"Should I reach out to [Vendor Name] directly to ask? Patrons have privacy concerns and I want to give accurate answers."

Emergency Cheat Sheet (Print This):

If you don't know and need to answer a patron RIGHT NOW:

"That\'s a great question. I don\'t have the technical details on hand, but I can find out for you. Can I take your email and get back to you with specifics? Or if you'd like, I can connect you with our IT staff who can explain exactly how the system works."

Then actually follow up. Don't let it drop.

Part 2: Patron FAQ - Copy-Paste Answers

Here are the questions you'll get. These answers are short, honest, and ready to use.

Q: "Is my library data being used to train AI?"

Answer:

"Some of our systems use AI to improve search results and recommendations, but they're trained on anonymized usage patterns, not your personal data. Your checkout history and personal information are protected by library privacy policies. If you want specifics about a particular system, I can find out for you."

When to say more: If they push back or seem concerned, add:

"I share your privacy concerns. Libraries take patron privacy seriously. If you'd like, I can connect you with [IT/Director] who can explain exactly how each system protects your data."

Q: "Is this chatbot safe to use?"

Answer:

"Yes, it\'s safe for general questions like "What are your hours?" or "How do I renew a book?' But avoid entering personal information like your library card number or address. Use your library account page for that instead."

Red flag warning: If the chatbot is asking for library card numbers, passwords, or personal info, escalate to IT immediately. That's not normal and might indicate a problem.

Q: "Why did this feature change/disappear?"

Answer (if you know why):

"Our vendor updated the system. The new version [does X instead of Y]. I can show you the new way to do that, or I can help you directly if it's not working for you."

Answer (if you don't know why):

"I\'m not sure. I noticed that change too. Let me find out what happened and whether there\'s a workaround. Can you give me your email so I can follow up?"

Then escalate to IT/management: "Patrons are asking about [feature that changed]. What should I tell them?"

Q: "What is the library doing about my privacy?"

Answer:

"We take privacy seriously. We don't sell patron data to third parties. Some systems use anonymized usage patterns to improve search results, but your personal information stays private. We also have a privacy policy that spells out exactly what we collect and how we protect it. Would you like me to print you a copy?"

Link them to: Your library's privacy policy (have the URL handy or a printed copy at the desk)

Q: "Can AI see my search history?"

Answer:

"Our search system may use anonymized search patterns to improve results for everyone, but it's not tracking you personally. Your search history in your library account is private and only you can see it. We don't share that with AI companies."

If that\'s NOT true (if vendors ARE training on patron data): Don\'t lie. Say:

"Let me get you accurate information about that. I want to make sure I give you the right answer. Can I connect you with [IT/Director]?"

Then escalate: "Patrons are asking if vendors are using their search history for AI training. What's the accurate answer?"

Q: "Can you guarantee my data isn't being used for AI training?"

Answer (honest version):

"The library does not sell patron data to AI companies. Some vendors may use aggregated or de-identified usage patterns, and we don't control every third-party system directly. If you want specifics about a vendor's AI practices, I can help you request that information."

Don\'t promise what you can\'t deliver. If you don't know, say so.

Q: "Why do I have to agree to AI terms?"

Answer:

"New laws require that we disclose when AI is being used, so you can make informed decisions. It doesn't mean we\'re doing anything new. We\'re just being more transparent about systems that have AI features."

Part 3: Red Flags - When to Escalate

You\'re the eyes and ears. Here\'s when to alert your supervisor/IT:

Patron says the AI gave them incorrect or dangerous information

• Example: Chatbot provides wrong hours, bad health advice, false information
• Action: Document what happened (screenshot if possible) and report to IT immediately

AI is asking for sensitive information

• Example: Chatbot requests library card number, password, Social Security number
• Action: Do NOT enter anything. Report to IT immediately. This might be a compromised system.

Patron receives an email claiming to be from the library about "AI update" or "verify your account"

• This is likely phishing
• Action: Tell patron NOT to click links. Forward the email to IT for verification.

System behavior is weird or different than yesterday

• Example: Search results look wrong, new login screens, unexpected pop-ups
• Action: Report to IT. Could be a sign of system compromise.

Multiple patrons ask the same concerned question about privacy/AI

• This means there's confusion that needs an official response
• Action: Escalate to management: "We're getting repeated questions about [X]. Can we get patron-facing talking points?"

Part 4: Emergency Procedures (Print This)

If Systems Go Down (Ransomware, Outage, Whatever):

Step 1: Don't Panic

• This is not your fault
• Your job is to help patrons, not fix the technical problem

Step 2: Immediately Alert

• Call/text your supervisor
• Alert IT if you can't reach supervisor
• Post signage: "Our computer systems are temporarily offline. We're working to restore service."

Step 3: Manual Mode

• Can you check out books manually? (Ask supervisor for emergency procedures)
• Can you help patrons without computers? (Reference questions, readers' advisory, program registration on paper)
• DO NOT tell patrons "We don\'t know when it\'ll be fixed" (even if true). Instead say "We're working on it and will update you as soon as we know more."

Step 4: Document Everything

• What time did systems go down?
• What can't you do?
• What are patrons asking for?
• This information helps IT prioritize recovery

If You Suspect a Security Incident:

Indicators:

• Computers are locked with ransom messages
• You can't log into systems
• Files have strange extensions (.encrypted, .locked, etc.)
• Pop-ups saying "Your files have been encrypted"

DO:

• Call supervisor/IT IMMEDIATELY
• Disconnect computers from network if instructed
• Take photos of any ransom messages (with your phone, don't save them on library computers)
• Write down what you saw and when

DON'T:

• Try to "fix it" yourself
• Click on anything
• Enter passwords into suspicious login screens
• Post about it on social media (let official communications handle this)

Part 5: Protecting Yourself and Patrons

Basic Phishing Recognition (This Is How Most Attacks Start):

Red Flags in Emails:

• Urgent language: "Your account will be closed!" "Verify immediately!"
• Grammar/spelling errors: Professional companies don't send typo-filled emails
• Suspicious sender: hover over sender email and check if it matches the claimed company
• Generic greetings: "Dear user" instead of your name
• Requests for passwords/personal info: Real companies don't ask via email

Real Example (Library-Targeted Phishing):

Subject: URGENT: Library system update required

Dear staff member,

We are performing a mandatory security update on all library systems. Please click below to verify your credentials:

[Suspicious Link]

Failure to verify will result in account suspension.

- IT Department

What's wrong with this:

• Urgent, threatening language
• Generic greeting ("staff member")
• Asking you to click a link to "verify credentials"
• Real IT would never ask you to enter your password via email link

If you get this: Don't click. Forward to IT with "Is this legit?"

What NOT to Enter Into AI Systems:

• Patron personal information (names, addresses, library card numbers)
• Staff login credentials (usernames, passwords)
• Confidential library information (unreleased reports, personnel info, financial data)
• Patron reference questions that include identifying details

What's okay: General questions, anonymous example scenarios, policy clarifications

Example:

• BAD: "Can you help me find resources for patron John Smith who's researching cancer treatment?"
• GOOD: "What resources do we have on cancer treatment options?"

Part 6: Quick Training Resources (Free)

You didn't get trained on this, so train yourself:

Phishing Recognition (30 minutes):

• CISA's Phishing Training: cisa.gov/stopransomware/phishing
• Google's Phishing Quiz: phishingquiz.withgoogle.com (8 questions, instant feedback)

Library cyber security Basics (1 hour):

• ALA's cyber security Toolkit: ala.org/advocacy/privacy/cyber security
• WebJunction's Library Privacy Resources: webjunction.org/explore-topics/privacy

AI Basics for Libraries (30 minutes):

• AI Fundamentals (Khan Academy): Free, self-paced, no login required
• Library-specific AI resources: Ask your state library association for training materials

Part 7: Printable One-Pagers for the Desk

"AI in Our Library" Desk Sheet

Systems we use that have AI:

• [Fill in: Discovery system, chatbot, etc.]

What it does:

• [Fill in: Recommends books, answers questions, etc.]

Privacy protection:

• We don't sell patron data
• Systems use anonymized usage patterns
• Your personal account info stays private

Questions?

• Email: [library privacy contact]
• Or ask staff to connect you with [IT/Director]

"If Systems Go Down" Desk Sheet

What to do:

1. Alert supervisor: [Phone/text]
2. Alert IT: [Phone/email]
3. Post signage: "Computer systems temporarily offline"
4. Switch to manual processes (see emergency procedures binder)

What to tell patrons:

"Our systems are temporarily offline. We're working to restore service. We can still help you with [list what you CAN do]."

Don't say:

• "We got hacked" (even if you think you did, let official communications handle this)
• "We don\'t know when it\'ll be fixed" (say "We're working on it")

Part 8: What to Ask Administration For

You shouldn\'t have to figure this out alone. Here\'s what you need from leadership:

• Clear list of which systems use AI and what they do
• Pre-written patron FAQ with approved answers
• Emergency procedures for system outages (printed, at every desk)
• Regular training (not "here's an email," actual training time)
• Contact person for security concerns (name, phone, email)
• Authority to escalate patron concerns without pushback
• Patron-facing privacy policy (printed copies, QR code)

How to ask for this:

"Patrons are asking questions about AI and privacy that I can't answer accurately. Can we get official talking points and training? I want to give patrons good information, not guesses."

The Bottom Line

You didn't sign up to be an AI expert or cyber security specialist. You signed up to help patrons find information, connect with resources, and use the library.

But AI and cyber security are now part of patron service. Patrons have questions. They're concerned about privacy. They need accurate answers.

This guide gives you the basics you need to:

• Identify AI in library systems
• Answer common patron questions honestly
• Recognize security red flags
• Protect yourself and patrons
• Escalate appropriately when needed

Print this out. Keep it at the desk. Share it with colleagues.

And when administration asks "Why didn't you know this?" show them this post and say: "Because nobody trained us. Here's what we need."

Need more frontline-specific training resources? Let me know.

Library administrators: Want to develop staff training based on this content? I can help.