California's Poppy: How a State AI Assistant Works Within Strict Limits

California has launched Poppy, an AI assistant designed specifically for state government workers. Unlike ChatGPT or other AI tools you might use online, Poppy runs entirely on California's own secure networks and only reads information from official CA.gov websites. The California Department of Technology built it to give state employees AI help while keeping data safe and secure.

Poppy operates on what's called a closed-loop system—think of it as an AI that only reads from a carefully locked filing cabinet rather than the entire internet. This approach solves a core problem for government: how to use AI without accidentally leaking sensitive information or giving workers unreliable answers pulled from random internet sources.

So far, more than 2,600 workers across 66 different state departments are using it. The assistant's name comes from California's state flower, following a local tradition for naming technology projects.

How It's Built and Why That Matters

The way Poppy is designed is simple but smart. By restricting what it reads to CA.gov websites only, California eliminated the main security risks that other government AI projects worry about: accidentally exposing internal documents, getting wrong answers because it pulled bad information from the web, or bad actors manipulating the system through tricky prompts.

This choice has a trade-off. Because Poppy can't access academic papers, news articles, or industry reports like general AI assistants can, it won't help if a state worker needs to research something broad. But for everyday government work—like figuring out how a specific procedure works, understanding regulations, or finding official policies—the information available on CA.gov is probably good enough.

Keeping everything on state-controlled computers also addresses a real compliance headache for government. When a government agency uses an AI tool from a private company, officials worry that their data might be stored elsewhere or processed by third parties. Poppy avoids this problem entirely.

How Many People Are Actually Using It

The fact that 2,600 state workers across 66 departments are using Poppy suggests this isn't just a small test. It's moved past the "proof of concept" stage, which is significant because government technology projects often get stuck in testing and never go wider. Government moves slowly on security reviews and change management, so getting this many people to adopt a new system takes real work.

The spread across departments—roughly 39 users per department on average—hints that people are choosing to use Poppy rather than being forced to. In government technology, adoption usually follows a pattern: IT departments try it first, then word spreads as people see it actually works and doesn't cause problems. That's what looks to be happening here.

State Chief Technology Officer Jonathan Porat and his department, the California Department of Technology, helped make this happen. That institutional backing matters because these large government projects run into all sorts of obstacles around procurement, security approval, and getting different systems to talk to each other. Having the right people in the room helps.

What This Looks Like for Other Governments

This deployment shows how government AI is starting to mature. Rather than building something flashy for the public to use, or trying to copy what commercial AI companies do, California identified a real, practical problem—helping employees navigate procedures and find official information—and solved it with the right constraints in place.

We've seen similar patterns before. When cloud computing first entered government, early projects focused on simple, low-risk tasks before gradually expanding to more important work as people gained confidence in the security. Poppy follows that same path: start small, prove it works, then think about expanding.

California also chose to build Poppy themselves rather than buy a solution from a vendor. That's worth considering. Commercial companies do sell AI tools designed for government, but building your own gives you more control over how data is handled, lets you customize it for your specific workflows, and can cost less over time. Those are big factors in government decision-making.

For other government agencies looking at AI but worried about security, Poppy's approach offers a practical answer. The combination of keeping everything on state networks, limiting data sources, and rolling it out gradually addresses the main concerns agencies raise about AI while still delivering real benefits to workers.

The broader context here is important: Poppy suggests that useful AI doesn't require accessing the entire internet. By limiting itself to official government sources, it also avoids problems that plague general AI systems—relying on unreliable internet content or reflecting the biases baked into training data scraped from the web.

We're also at a moment when governments are scrutinizing AI more carefully, asking questions about transparency, accountability, and whether AI systems are fair. California's technical approach—controlling what data goes in, who controls the computers, and how results are used—gives them a way to address these concerns through architecture rather than just rules and policies.

For other technology leaders in government, Poppy represents a middle ground: you get AI capabilities without sacrificing the security and data control that public agencies need. It may become a template for how other governments approach AI adoption.