LFG — Leadership. Fundraising. Growth.
70% of nonprofits have no AI policy. Among those that do, the majority downloaded a template, emailed it to staff, and assumed compliance. That's not a policy — it's a PDF. A real AI nonprofit policy handles the gray areas templates ignore: staff using personal AI accounts, AI-generated donor communications, AI in grant applications, and what happens when someone violates the rules.
The market is saturated with nonprofit AI policy templates — NTEN/ANB Advisory, Fundraising.AI, AICPA & CIMA, FreeWill, The Human Stack, AI4NGO. Every one of them shares the same structural deficiencies.
Principles without enforcement. Templates list values — fairness, accountability, transparency — but include zero consequences for violations, no audit schedule, no reporting mechanism for breaches. A policy that says "staff should use AI responsibly" and doesn't define "responsibly" or describe what happens when they don't is organizational decoration.
The personal account blind spot. This is the single biggest policy gap in the nonprofit sector. 47% of employees who use AI at work do so through personal, unmanaged accounts (Netskope 2026). Among workers aged 18–24, 35% say they'd actively refuse company-approved alternatives in favor of personal tools. None of the major templates explicitly address personal AI accounts on work tasks.
Gray areas left unaddressed. What constitutes "AI-generated" versus "AI-assisted" in a grant application when 23% of foundations won't accept AI-generated submissions? Does a fundraiser running donor data through a prompt to draft a personalized ask letter count? What about using AI to brainstorm a case for support that gets rewritten by hand? These distinctions matter — and no template provides guidance.
Effective policy uses risk-tiered governance. Here's the framework synthesized from NIST principles, EU AI Act risk categories, and the NTEN template's data classification system:
Tier 1 — Unrestricted Use. AI for internal brainstorming, grammar checking, research on publicly available information. No donor data, no PII, no approval needed. Examples: drafting an internal meeting agenda, checking grammar on a blog post, researching a policy topic.
Tier 2 — Standard Use. AI for draft content (internal and external), data analysis using de-identified datasets, translation services. Manager awareness required, not approval. Examples: drafting first versions of email appeals, summarizing program data for internal reports, translating a web page.
Tier 3 — Elevated Review. AI involving donor PII, grant applications, program evaluation reports, external stakeholder communications with the organization's name attached. Requires designated reviewer sign-off before use. Examples: personalizing major donor solicitations, drafting grant narrative sections, analyzing donor giving patterns.
Tier 4 — Prohibited or Executive-Approval Only. AI in beneficiary-facing decisions (service eligibility, case prioritization), HR decisions, financial decisions affecting individuals, any processing involving HIPAA or otherwise protected data. Examples: determining which families receive services, screening job applicants, making investment decisions.
The key insight: most nonprofit AI use falls in Tiers 1 and 2, where you want to enable productivity. Tiers 3 and 4 are where risk concentrates and where your policy needs sharp teeth.
The Samsung incident is the canonical warning: three separate engineers pasted proprietary code, software specs, and confidential meeting transcripts into ChatGPT within weeks of each other. In the corporate sector, that's damaging. In the nonprofit sector — where donor data, beneficiary information, and program records carry different obligations — the exposure could trigger regulatory scrutiny, funder withdrawal, and public trust collapse.
Shadow AI in nonprofits has specific characteristics that make it harder to manage than in corporations. There's no IT department monitoring tool usage. Staff frequently use personal devices. Most organizations can't deploy enterprise-level data loss prevention tools. And the culture of resourcefulness that makes nonprofit employees effective also makes them likely to adopt whatever tool solves their immediate problem, regardless of policy.
Your policy must make the sanctioned path easier than the shadow path. That means providing approved AI tools (not just listing prohibited ones), paying for the accounts (free tiers have worse data practices), and making the process for requesting new tool approval fast and lightweight. If your policy creates a 3-week review process to get approval for a tool that a staff member can sign up for in 30 seconds, the policy loses.
Layer 1: Foundation. Mission alignment statement, scope (who's covered — staff, contractors, volunteers, board members), glossary of terms (what counts as "AI" when it's embedded in your CRM and email platform?), and core principles. Keep this to one page.
Layer 2: Classification and Tiering. The four-tier framework above, with specific examples relevant to your organization. Name the tools. Name the use cases. If staff can't look at the tier system and immediately classify their own use case, the policy is too abstract.
Layer 3: Operational Rules. Approved tools and their specific use parameters. Personal account provisions (what's allowed, what's prohibited, what data can never enter a personal account). Data handling requirements by tier. Disclosure requirements for AI-assisted external content. Vendor vetting criteria. Training requirements before access to Tier 2+ tools.
Layer 4: Enforcement and Accountability. Named role responsible for AI policy compliance — not "the organization" or "leadership," a specific person. Consequences for violations by tier (Tier 1 violation: conversation; Tier 4 violation: disciplinary action). Audit and monitoring processes (even basic ones — quarterly check-ins on AI tool usage). Incident response protocol. Board reporting requirements.
Layer 5: Living Document Provisions. Review schedule (minimum every 6 months for AI policy — quarterly is better). Emergency review triggers (new regulatory requirements, data breach, significant AI incident in the sector). Version control. Communication plan for updates.
As Oliver Patel, former AstraZeneca AI governance lead, puts it: technical guardrails must be based on codified policy rooted in organizational values, culture, strategy, and risk appetite. A policy without enforcement is "governance by PDF." Guardrails without codified policy have no foundation. You need both.
23% of foundations will not accept AI-generated grant applications. But what does "AI-generated" mean? A proposal entirely written by AI? A proposal where AI helped brainstorm the theory of change? A proposal where AI checked the grammar?
Your policy needs to define three categories: AI-generated (output produced primarily by AI with minimal human editing), AI-assisted (human-authored content where AI contributed to specific elements — research, drafting, editing), and human-authored (no AI involvement). Then map your funder disclosure requirements to these categories.
The practical advice: default to disclosure. If you used AI at any stage of grant development, say so. A simple statement — "AI tools were used to assist with research and first-draft development; all content was reviewed and substantially edited by [staff name]" — protects you. Hiding AI use and getting caught destroys funder trust in ways that disclosure never would.
Your development team is already using AI to draft donor communications. The question is whether your policy provides guidance specific enough to prevent the two failure modes that matter: fabrication and deception.
Fabrication: AI tools hallucinate. They invent program statistics, fabricate donor histories, and create plausible-sounding impact data that doesn't correspond to reality. A major gift solicitation letter that references a donor's "continued commitment since 2018" — when the donor actually started giving in 2022 — damages the relationship and signals carelessness. Your policy should require human verification of every factual claim in AI-assisted donor communications, with specific attention to donor giving history, program statistics, and impact claims.
Deception: 92% of donors demand transparent AI disclosure. 34% name "AI bots portrayed as humans" as their #1 ethical concern. When a donor receives what appears to be a personal letter from the ED but was actually drafted by AI with minimal editing, and the donor later discovers this — they feel deceived. The issue isn't whether AI was used; it's whether the communication authentically represents a human relationship.
Your policy should tier donor communications by risk. Mass email subject line testing and appeal copy drafting? Standard Use. Personalized acknowledgment letters? Standard Use with human review. Major gift solicitation strategy? Elevated Review with senior staff approval. Stewardship for donors over a defined threshold? Human-authored, AI-assisted at most.
Most nonprofits don't have the infrastructure to enforce an AI policy. Without enterprise-level monitoring tools, network analysis, or IT departments, enforcement relies entirely on cultural compliance and trust. This makes the culture of AI governance more important than the document — a reality that most policy consultants avoid because it threatens their primary deliverable.
A good policy is necessary and radically insufficient on its own. It creates clarity, sets expectations, and provides the framework for accountability. It cannot prevent a staff member from pasting donor records into a personal ChatGPT account at 11 PM from their kitchen table. Culture, training, approved tools, and ongoing reinforcement close the gaps that policy can't.
The organizations that handle this well don't lead with restrictions. They lead with enablement — "here are the tools you're allowed to use, here's how to use them well, here's why it matters for our mission" — and then apply restrictions where risk demands it.
Start with the five-layer framework: foundation, classification/tiering, operational rules, enforcement, and living document provisions. Draft it in under 10 pages. Circulate to department heads for feasibility feedback. Get board approval. Train all staff before it takes effect. The entire process should take 4–8 weeks.
You can't enforce it the way a corporation does. Focus on cultural compliance: quarterly AI use check-ins with staff, anonymous reporting for concerns, clear consequences for known violations, and making the approved path genuinely easier than the shadow path by providing paid tools and fast approval processes.
Yes, with disclosure. Define the difference between AI-generated, AI-assisted, and human-authored content. Check each funder's specific requirements. Default to disclosure — a transparent note about AI assistance protects you; hidden use that gets discovered destroys trust.
Yes. 92% of donors demand transparent disclosure. 34% name "AI bots portrayed as humans" as their top ethical concern. Disclosure doesn't mean a disclaimer on every email — it means honest communication about how AI improves your work and clear policies about what AI doesn't do (like replacing personal relationship management).
Every 6 months at minimum. AI tools evolve faster than any other technology your organization uses. Emergency reviews should trigger on: new regulatory requirements affecting your state or sector, a data breach or incident at your organization, a significant AI incident in the nonprofit sector, or a major change in your AI tool stack.
The most common failure mode is "governance by PDF" — a policy exists but nobody follows it because there's no training, no enforcement, and no cultural reinforcement. The fix isn't rewriting the policy. It's investing in the implementation: training, approved tools, ongoing check-ins, and visible accountability.
AI insights, operational playbooks, and fundraising strategy. No fluff. Subscribe to the newsletter.
LFG builds AI policies that staff actually follow — because they're specific to your organization, tiered to your actual risk, and backed by training and implementation support, not just a document delivery. We handle the gray areas that templates ignore and build the enforcement mechanisms that make policies real.
LFG 🚀