Artificial intelligence is no longer a future concern for nonprofits. It is here now. Your staff is already using ChatGPT, Google Workspace with AI features, Canva, Notion, and dozens of other tools with embedded artificial intelligence capabilities. Without a policy to guide that use, you are exposing your organization to data breaches, compliance violations, reputational damage, and financial waste.
Yet most nonprofits have not written an artificial intelligence policy. According to recent surveys, 47% of nonprofit organizations have no formal policy governing artificial intelligence use. Many lack governance frameworks for technology in general. This creates risk without intention. Your nonprofit needs a practical, implementable artificial intelligence policy that your board can approve and your staff can actually follow.
This guide provides everything you need: a framework for what your policy should cover, templates for key policy sections, board resolution language, staff training requirements, vendor evaluation criteria, and a step-by-step implementation roadmap. You do not need to start from scratch. You can adapt this guide to match your organization's size, risk tolerance, and artificial intelligence maturity.
Why Every Nonprofit Needs an AI Policy Now
An artificial intelligence policy is not about restricting innovation. It is about managing risk while enabling your team to use powerful tools effectively. Here are the three critical reasons your nonprofit needs a policy today.
Risk Management
Every time a staff member pastes confidential data into ChatGPT, uploads donor information to an AI tool, or uses artificial intelligence to make decisions affecting your program beneficiaries, your nonprofit faces real risk. That risk includes data privacy violations, intellectual property problems, bias in artificial intelligence systems, and regulatory compliance issues. A policy establishes clear guardrails that prevent these problems before they occur. You cannot manage what you do not govern.
Vendor Accountability
The artificial intelligence tools your staff uses have terms of service, privacy policies, and data handling practices. Most staff members never read these. Your nonprofit might be using tools that violate HIPAA if you serve health-related beneficiaries, that violate FERPA if you work with educational data, or that violate data protection regulations in the jurisdictions where you operate. An artificial intelligence policy ensures you evaluate vendors before adoption, not after a data breach.
Board Fiduciary Duty
Your board has a fiduciary duty to protect organizational assets, including donor data, program beneficiary information, and organizational reputation. Having no artificial intelligence policy is a governance gap. Funders, auditors, and legal counsel increasingly expect nonprofits to demonstrate that they govern technology use intentionally. A formal policy documented in board minutes creates evidence of proper governance.
What an AI Policy Should Cover
A practical nonprofit artificial intelligence policy does not need to be lengthy. It should cover eight core elements. Your policy can be five to fifteen pages depending on your organization's complexity and risk exposure. The following sections should be included in your nonprofit's artificial intelligence policy framework.
1. Scope and Applicability
Define what your policy covers. Does it apply only to tools that use large language models, or all artificial intelligence including recommendation algorithms, predictive analytics, and automation tools? Does it apply to all staff or only certain departments? A scope statement prevents confusion and makes the policy implementable.
Example language: "This policy applies to all artificial intelligence tools and systems used by employees, contractors, and volunteers in their work for the nonprofit. This includes but is not limited to large language models, machine learning systems, automated decision-making tools, and chatbots. The policy applies to artificial intelligence tools used on nonprofit devices and on personal devices for nonprofit work."
2. Approved Tools and Systems
Maintain a living list of artificial intelligence tools your organization has evaluated and approved. Include tools that are approved for general use without individual approval and tools that require departmental approval before use. This list changes as new tools emerge and old tools are retired. Update it at least quarterly.
Example tools to consider approving: ChatGPT (general writing), Google Workspace artificial intelligence features (productivity), Canva (design), Microsoft Copilot (writing), Notion artificial intelligence (documentation). Your approved list should reflect your nonprofit's actual use cases and risk tolerance.
3. Prohibited Uses
Be explicit about what artificial intelligence cannot be used for. Common prohibited uses include: using artificial intelligence to make consequential decisions affecting program beneficiaries without human review, uploading confidential donor information to artificial intelligence tools, using artificial intelligence to generate communications that misrepresent organizational positions, and training artificial intelligence models on organizational data without explicit vendor approval.
Example language: "Staff may not use artificial intelligence tools to: make final decisions about program eligibility, benefits, or outcomes without human review and approval; upload or process confidential donor, beneficiary, or personnel information without explicit approval; generate external communications that represent nonprofit positions without review by appropriate leadership; or use organizational data to train artificial intelligence models without explicit written consent from the nonprofit."
4. Data Handling and Privacy Requirements
Your artificial intelligence policy must address what data can be used with artificial intelligence tools. At minimum, establish rules about confidential information, personally identifiable information, and sensitive data. Define what artificial intelligence uses trigger additional approvals or prohibitions. Many nonprofits restrict confidential information from going into any third-party artificial intelligence tool.
Example language: "Confidential information, including donor names, beneficiary personal information, grant funding details, and personnel records, may not be uploaded to artificial intelligence tools unless the tool's vendor has signed a data processing agreement confirming they do not use the data for model training, retain it only for the specified purpose, and comply with all applicable privacy regulations."
5. Accountability and Oversight
Clarify who is responsible for artificial intelligence governance. Designate an artificial intelligence policy committee, a compliance officer, or an executive sponsor. Define who approves new tools, investigates violations, and updates the policy. Without clear accountability, a written policy becomes an unused document.
Example language: "The Technology Governance Committee, comprised of representatives from executive leadership, finance, program delivery, and communications, oversees artificial intelligence policy implementation. The Committee reviews new tool requests, approves exceptions, investigates violations, and recommends policy updates at least annually."
6. Transparency and Disclosure
Establish when staff must disclose that artificial intelligence was used. If your nonprofit uses artificial intelligence in program delivery, research, or communications, your beneficiaries and stakeholders may have a right to know. Define what counts as appropriate disclosure and what contexts require it.
Example language: "When artificial intelligence is used in ways that affect program beneficiaries, program decisions, or external communications, the nonprofit will disclose this use clearly and accurately. Disclosure must identify that artificial intelligence was used, explain how it was used, note any limitations or biases, and confirm that humans reviewed the output for accuracy before it affected beneficiaries."
7. Vendor Evaluation Criteria
Create a simple checklist that staff must use when requesting approval for a new artificial intelligence tool. This prevents your organization from adopting tools that do not meet your standards for security, privacy, or ethics. Include questions about data usage, training practices, security certifications, and vendor reputation.
Evaluation criteria include: Does the vendor have a published privacy policy explaining how they handle data? Do they encrypt data in transit and at rest? Do they use customer data to train their models? Have they undergone a security audit or obtained SOC 2 certification? Are they transparent about how their artificial intelligence systems work? Do they have a responsible artificial intelligence or ethics commitment? Can they sign a data processing agreement if required?
8. Staff Training Requirements
A policy only works if staff understand it. Require initial training for all staff on the artificial intelligence policy, what tools are approved, what data can be used, and what to do if they encounter a problem or want to request a new tool. Schedule refresher training annually.
Training should cover: Why your nonprofit has an artificial intelligence policy, what artificial intelligence tools your organization uses and how to use them safely, what data cannot go into artificial intelligence tools, how to request approval for a new tool, what to do if you think there is a policy violation, and who to contact with questions.
Step-by-Step Policy Development Process
Writing an artificial intelligence policy does not require months of work. With a clear process and stakeholder commitment, you can draft, approve, and launch your policy in four to six weeks. Here is the timeline.
Week One: Leadership and Board Alignment
Schedule a meeting with your executive director, finance director, and the board chair or governance committee chair. In this meeting, accomplish three things: First, agree on why your nonprofit is writing an artificial intelligence policy. Are you responding to a specific risk you have encountered? Are you preparing for a funder audit? Are you trying to get ahead of governance gaps? Second, clarify your organization's approach to artificial intelligence. Will you be permissive and approve most tools unless they present clear risks? Or will you be cautious and require multiple approvals? Third, identify who will lead the policy development process. Usually this is the executive director with support from a policy committee or a designated staff leader.
Week Two: Stakeholder Input and Assessment
Host three to four listening sessions with different staff groups. Invite program staff, finance and operations, communications, and technology staff if you have a dedicated technology team. In each session, ask: What artificial intelligence tools do you currently use? What problems are you trying to solve with artificial intelligence? What concerns do you have about artificial intelligence use? What policy rules would create problems for your team? Document this input. You will use it to inform policy language that is realistic and implementable.
Also conduct an audit of your current artificial intelligence tool usage. Ask staff to report what tools they use. Many times you will discover artificial intelligence adoption that leadership was not aware of. This audit informs your approved tools list.
Week Three: Policy Drafting
Using the template sections provided in this guide, draft your policy. Customize the language to match your organization's tone, risk tolerance, and artificial intelligence maturity. Create your initial approved tools list based on the audit you conducted. Draft the vendor evaluation criteria that staff will use when requesting new tools. Define your governance structure and accountability mechanisms. At the end of week three, you should have a first draft ready for review.
Week Four: Legal and Compliance Review
Have your policy reviewed by legal counsel or a compliance advisor. If you do not have legal counsel, many nonprofit legal clinics offer policy review at reduced cost. Your legal reviewer will ensure the policy complies with regulations applicable to your nonprofit, addresses liability properly, and uses clear language. Budget one to two weeks for legal feedback and revisions.
Week Five: Board Approval and Resolution
Present the finalized policy to your board of directors for approval. Use a board resolution to formally adopt the policy. This creates governance documentation for auditors and funders. The board resolution should reference the policy by name, confirm that the board reviewed and approved it, and authorize the executive director to implement it and update it based on changing circumstances. See the board resolution template section for specific language.
Week Six: Implementation and Training
Once your board approves the policy, communicate it to your entire staff. Schedule a mandatory training session or send a comprehensive email. Explain the policy's purpose, the approved tools list, what data cannot be used with artificial intelligence tools, how to request approval for a new tool, and what to do if staff encounter a violation. Create a simple one-page summary that staff can reference. Designate who staff should contact with questions.
Board Resolution Template for AI Policy Adoption
Here is language you can use for your board resolution. Customize it with your organization's name, the actual date of your board meeting, and any specific details about your policy.
RESOLUTION: ADOPTION OF ARTIFICIAL INTELLIGENCE POLICY
WHEREAS, [Nonprofit Name] recognizes that artificial intelligence and machine learning technologies are increasingly used in nonprofit operations, program delivery, and stakeholder communications; and
WHEREAS, the Board of Directors has a fiduciary duty to ensure that the nonprofit manages technology risks appropriately and protects donor data, beneficiary information, and organizational reputation; and
WHEREAS, the Board has reviewed and discussed the proposed Artificial Intelligence Policy prepared by [committee/staff], which establishes governance frameworks for artificial intelligence use throughout the organization;
NOW, THEREFORE, BE IT RESOLVED that:
1. The Board of Directors of [Nonprofit Name] hereby approves the Artificial Intelligence Policy, as presented, effective as of [date].
2. The Executive Director is authorized to implement the policy, including establishing an Artificial Intelligence Policy Committee, maintaining an approved tools list, conducting staff training, and managing vendor approval processes.
3. The Executive Director shall report to the Board at each regular meeting on: new artificial intelligence tools adopted during the period, any policy violations or incidents, staff training completion rates, and any recommended policy revisions.
4. The Artificial Intelligence Policy shall be reviewed and updated annually by the Board or a designated committee, with any material changes presented to the full Board for approval.
5. The Executive Director shall ensure that all staff, contractors, and volunteers receive training on the policy, including what tools are approved, what data cannot be used with artificial intelligence, and the process for requesting new tools.
Staff Training Requirements and Content Template
Every staff member should understand your artificial intelligence policy. Here is the training content you should cover. Deliver this as an in-person meeting, virtual session, or comprehensive email depending on your organization's size and structure. Budget thirty minutes to one hour for staff to absorb this material and ask questions.
Part One: Why We Have This Policy
Explain that artificial intelligence tools are useful for your nonprofit's work, but they carry risks that need to be managed. Describe the specific risks your nonprofit identified: data privacy concerns with sensitive donor or beneficiary information, potential bias in artificial intelligence systems affecting program decisions, intellectual property issues, vendor lock-in, compliance risks with regulations that apply to your nonprofit. Frame the policy as a tool that allows your team to use artificial intelligence confidently while protecting the organization.
Part Two: Approved Tools and How to Use Them
Walk through your approved tools list. For each tool, explain: what it does, who can use it, what it is approved for, and what data cannot go into it. Provide concrete examples. If ChatGPT is approved for general writing but not for processing beneficiary information, say that explicitly. If Google Workspace artificial intelligence features are approved but with restrictions on certain data types, explain the restrictions. Make it easy for staff to understand what they can and cannot do with each tool.
Part Three: Confidential Information and Data Restrictions
Many nonprofit staff do not realize that pasting information into a cloud-based artificial intelligence tool means that information is being sent to the tool's vendor. Explain your nonprofit's rules about confidential information. What data absolutely cannot go into artificial intelligence tools? What data requires approval first? What data can be used only with certain approved vendors? Give practical examples: a staff member can use ChatGPT to help draft grant narrative language, but cannot paste actual grant amounts, funder restrictions, or specific program outcomes into the tool.
Part Four: Requesting Approval for a New Tool
Explain the process for staff who want to use an artificial intelligence tool that is not on your approved list. Describe how they complete a tool request, what information they need to provide, who reviews the request, how long approval takes, and what evaluation criteria the review committee uses. Make the process simple and clear. If the process is cumbersome, staff will skip it and use unapproved tools anyway.
Part Five: What to Do If You See a Problem
Establish a reporting mechanism for suspected violations or problems. It can be as simple as an email address where staff can report concerns. Assure staff that reporting a violation or concern will not result in punishment unless the violation was intentional or repeated. Emphasize that the goal is to fix problems, not penalize people. Provide the contact information for whoever oversees policy implementation and compliance.
Vendor Evaluation Criteria for AI Tools
When a staff member requests approval for a new artificial intelligence tool, your artificial intelligence policy committee should evaluate it using a standard checklist. This ensures consistent evaluation and prevents the organization from adopting tools that do not meet your standards. Here is a template evaluation form.
AI TOOL EVALUATION CHECKLIST
Tool Name: _______________
Requested by: _______________
Business Use Case: _______________
Privacy and Data Handling
- Does the vendor have a published privacy policy? Yes / No
- Does the privacy policy clearly explain how customer data is handled? Yes / No
- Does the vendor use customer data to train their artificial intelligence models? Yes / No
- Can the vendor sign a Data Processing Agreement (DPA) confirming they do not train on our data? Yes / No
- How long does the vendor retain customer data? _________
- Where is customer data stored geographically? _________
Security and Compliance
- Does the vendor encrypt data in transit (during transfer)? Yes / No
- Does the vendor encrypt data at rest (in storage)? Yes / No
- Has the vendor completed a SOC 2 audit or equivalent security audit? Yes / No
- Does the vendor comply with applicable regulations for our nonprofit (HIPAA, FERPA, etc.)? Yes / No / N/A
- Does the vendor have documented security incident response procedures? Yes / No
Artificial Intelligence Model Transparency
- Does the vendor provide documentation about how their artificial intelligence model works? Yes / No
- Does the vendor acknowledge known limitations or biases in their artificial intelligence? Yes / No
- Has the vendor published responsible artificial intelligence or ethics principles? Yes / No
- Can the vendor explain what training data was used to build their artificial intelligence model? Yes / No
Vendor Reputation and Support
- Is the vendor financially stable and likely to remain in business? Yes / No
- Does the vendor offer customer support and training? Yes / No
- Are there known security incidents or data breaches involving this vendor? Yes / No
- Is the vendor transparent about their business practices and company values? Yes / No
Cost and Sustainability
- What is the total cost of ownership (including all licenses, implementation, and training)? $__________
- Is this cost sustainable for our nonprofit? Yes / No
- What happens to our data if we cancel the subscription? _________
- Is the tool or vendor likely to be acquired or shut down in the foreseeable future? Yes / No
Recommendation
- Approve with no restrictions
- Approve with restrictions (specify below)
- Request more information before deciding
- Do not approve
Restrictions or Conditions (if applicable):
_______________________________________________________________
Reviewed by: _______________
Date: _______________
Annual Review and Update Process for Your AI Policy
Artificial intelligence technology changes rapidly. What was a relevant artificial intelligence tool risk two years ago may no longer apply. New tools emerge constantly. Your approved tools list becomes outdated. Your nonprofit needs a formal process for reviewing and updating your artificial intelligence policy at least once per year. Here is the process.
Timing
Schedule your artificial intelligence policy review for a specific time each year. Many nonprofits align this with their fiscal year planning or an annual board meeting. Block four weeks on your calendar for the full review cycle.
Data Collection
One month before your review meeting, collect data on artificial intelligence use during the past year. What new tools did staff request? Which were approved? Which were denied and why? Were there any incidents or violations? What feedback did staff provide about the policy or approved tools? What new artificial intelligence tools have emerged that you should consider? What regulations or compliance requirements have changed? Compile this into a brief report for your policy review committee.
Committee Review
Your artificial intelligence policy committee should meet to discuss the data and identify needed updates. Review the approved tools list and remove tools that are no longer used. Add tools that multiple staff members have requested. Evaluate the vendor evaluation criteria and update them if artificial intelligence technology or your organization's needs have changed. Review incident reports and identify whether policy language needs clarification. Discuss staff feedback about what is working and what is not.
Documentation and Board Approval
Document all changes made to the policy. If the changes are minor (adding or removing a tool from the approved list, clarifying existing language), you may be able to update the policy through administrative action. If the changes are material (changing fundamental policy principles, adding new restrictions or requirements), present the updated policy to the board for re-approval. At minimum, update your board in writing about what changed and why.
Staff Communication
Communicate any policy changes to all staff. Even if the changes seem minor to you, staff need to know that the approved tools list changed or that a new restriction was added. Send an email highlighting the updates and explaining why they were made. Schedule a brief refresher training session if significant changes occurred.
Sample Policy Sections Ready for Customization
The following are complete sample sections from a nonprofit artificial intelligence policy. You can copy these sections directly into your policy document and customize them for your organization. Replace placeholders in brackets with your organization's specific information.
Sample Section One: Prohibited Use of AI Tools
Prohibited Use of Artificial Intelligence Tools
[Nonprofit Name] prohibits the use of artificial intelligence tools for the following purposes:
- Making consequential decisions without human oversight. Artificial intelligence tools cannot be used to make final decisions about program eligibility, benefits, service levels, or program outcomes without review and approval by an appropriate human staff member. This includes decisions that affect program beneficiaries, donors, or volunteers.
- Processing confidential or sensitive data without approval. Staff may not upload donor names, beneficiary personal information, financial information, health information, program participant details, or personnel records to artificial intelligence tools without explicit written approval from the Executive Director or designee.
- Generating external communications that misrepresent the nonprofit. Artificial intelligence tools cannot be used to generate external communications (emails, social media posts, letters, reports) that are submitted to donors, funders, media, or the public without review and approval by appropriate nonprofit leadership. This includes artificial intelligence-generated content that could affect [Nonprofit Name]'s reputation or relationships.
- Creating intellectual property or program content that is licensed under artificial intelligence terms. Staff may not use artificial intelligence tools to generate program materials, curriculum, research, or other intellectual property that we intend to publish or claim ownership of, unless the artificial intelligence tool's terms of service permit nonprofit ownership. Some artificial intelligence tools claim ownership of generated content. This restriction prevents the nonprofit from accidentally licensing its work to a vendor.
- Training artificial intelligence models on nonprofit data. Nonprofit data, including program information, research, donor strategies, or organizational information, may not be used to train artificial intelligence models or contribute to artificial intelligence model improvement. This applies even if a vendor offers features that improve their service through data analysis.
- Automated decision-making without transparency. If artificial intelligence is used in any process that affects beneficiaries, program participants, donors, or vendors, the process must be transparent. Staff cannot hide or misrepresent the role of artificial intelligence in decisions that affect people outside the nonprofit.
Sample Section Two: Data Privacy Requirements
Data Privacy and Information Security Requirements for Artificial Intelligence Tools
Confidential Information Definition: Confidential information includes any data that could identify an individual, reveal sensitive personal circumstances, disclose financial or health information, or harm the nonprofit if disclosed. This includes but is not limited to donor names and giving history, beneficiary names and contact information, beneficiary medical or mental health information, beneficiary family circumstances or personal challenges, grant amounts and funder restrictions, program outcomes for specific participants, personnel salary and performance information, and nonprofit strategic plans or financial information.
Restrictions on Using Confidential Information with Artificial Intelligence Tools:
- Confidential information may not be uploaded to, entered into, or shared with any artificial intelligence tool unless the tool's vendor has signed a Data Processing Agreement with [Nonprofit Name] that includes specific commitments: (a) the vendor does not use customer data to train or improve artificial intelligence models; (b) the vendor stores data only for the time necessary to provide the service; (c) the vendor encrypts data in transit and at rest; (d) the vendor complies with all applicable privacy regulations including [list specific regulations that apply to your nonprofit, such as HIPAA, FERPA, state privacy laws]; and (e) the vendor will delete all customer data within thirty days of contract termination unless the nonprofit provides written authorization to retain data longer.
- When artificial intelligence tools are used with confidential information, staff must use the most restrictive privacy settings available. Do not allow the tool to save conversations, analyze content for improvement, or share content with the vendor's research teams.
- Staff should minimize the amount of confidential information shared with artificial intelligence tools. If a task can be completed with general information or redacted information instead of using identifying details, use the redacted version.
- Staff must never share passwords, access credentials, or authentication codes with artificial intelligence tools or allow artificial intelligence tools to connect to other systems that contain confidential information without explicit security review and approval.
Sample Section Three: Tool Request and Approval Process
Requesting Approval for New Artificial Intelligence Tools
Staff who want to use an artificial intelligence tool that is not on [Nonprofit Name]'s approved tools list must submit a tool request for evaluation and approval. The process works as follows:
- Submit a request. The requesting staff member completes a tool request form available from [contact person/email]. The form requests: the name of the tool, the business use case (what problem the tool solves), whether confidential nonprofit data will be used with the tool, the expected cost, the anticipated adoption (how many staff will use it), and any additional context the requester thinks is relevant.
- Committee evaluation. The Artificial Intelligence Policy Committee reviews the request within five business days using the vendor evaluation criteria provided in this policy. The Committee evaluates the tool's privacy practices, security measures, compliance with applicable regulations, and alignment with nonprofit values.
- Approval decision. The Committee makes one of four decisions: (a) approve the tool with no restrictions; (b) approve the tool with specific restrictions (e.g., cannot use with confidential data, can be used only by specific departments); (c) request additional information from the vendor before deciding; or (d) do not approve the tool. The requesting staff member is notified of the decision within ten business days.
- Appeal process. If a tool request is denied, the requesting staff member may appeal to the Executive Director with additional information or clarification. The Executive Director makes the final appeal decision within ten business days.
- Implementation. Approved tools are added to the approved tools list and communicated to staff. Training is provided if needed to ensure staff use the tool in compliance with the policy.