How to Create a Nonprofit AI Policy

Do thoughts like these pop into your mind as you sit in traffic or scroll social media? 

I wonder what my colleagues are doing with AI.  

Are they doing things our nonprofit might not approve of?  

Not even on purpose, just because…what the heck WOULD our nonprofit approve of doing with AI? Nobody’s ever told us. 

If these thoughts sound familiar, your nonprofit might need an AI policy. 

Artificial intelligence—a broad term for technology that allows computers and machines to respond to input similarly to how humans do—is shaking up workplaces around the country, including nonprofits. The Chronicle of Philanthropy Technology Leadership Survey recently found that 46% of nonprofits are using AI and 77% expect to use it in the next three to five years. 

But recent surveys estimate the percentage of nonprofits that have an AI policy at 10 to 15 percent. Luckily, that’s a gap you can fill. 

An AI policy can give your organization a foundation for how to use this technology in ways that support your mission and values, and avoid uses that would conflict with your mission. In this article, we’ll explore how an AI policy can benefit your organization, how to create one, and what to include. 

Startling Truths About Workplace AI Worries and Wants 

Your employees—the very people who probably complain about some of the policies you already have, and may not always comply with them—might want an AI policy. 

The nonprofit employees we talk to have concerns about AI, from its environmental impact to its potential for harm in society to whether it will take their jobs. Some nonprofit employees also worry that their organizations aren’t using AI enough, and will fall behind on their ability to innovate and serve clients. And we’ve heard from employees at all points on that continuum who just want to know what their boss expects of them on AI and how they can and can’t use it. 

An AI policy can help team members understand why you’re spending time on this; know the limits of how they can use the technology; and navigate challenging questions that arise. And nonprofits need that foundation sooner than later. 

A recent survey by the firm Resume Now across all workplaces, not just nonprofits, found that nearly 60% of workers admitted to using AI in ways that might not meet company policy.  

On the other hand, a study by generative AI platform Writer found that a third of respondents were refusing to adopt their company’s AI tools. Many of those people indicated they didn’t believe the technology was useful. 

An AI policy helps your team understand the rules of the road and operate within them. It helps your organization think through what uses of AI would align with your values and which ones you absolutely want to avoid.  

So what the heck do you put in your policy? 

First, Know Your Purpose 

Sometimes nonprofit leaders NRMC works with send us their AI policies for feedback. I see lots of things teams are doing well and plenty of areas to keep improving their policies. There is one area I find myself redlining in almost every single AI policy we receive. 

That section is the purpose. The purpose section of most draft policies we review says something like, “We’ve created this policy because AI has a boatload of risks.” That’s fair, accurate, and important. Your policy should include a discussion of AI’s concerning risks. What I don’t typically see in draft policies is a positive statement of what organizations hope to do by bringing AI into their work. What good work do you hope to do with AI that you couldn’t do without it?  

Without some positive element in your statement of purpose, you’ll have a hard time getting employees to even read your policy, let alone comply with it and spend time on training to get up to speed on AI. 

Here are a few examples of policy language we’ve helped nonprofits craft to convey the positive things they hope to do with AI. 

• Some of our team members have expressed a desire to use these technologies in ways they believe will help our organization innovate and improve. 

• AI technologies hold the potential to automate some of our team’s repetitive and time-consuming tasks and give us more time to do what we do best: serve children and families.  

• We seek to use AI in ways that support our work, benefit our team and constituents, and protect employees, clients, and community members we work with from harm.  

Beyond Purpose: Get Into the Details 

Purpose is just one area you’ll want to consider including in your AI policy. There are a boatload of risks that come with using AI, and your team needs guidance to navigate them. Other areas to consider including in your policy: 

What kinds of AI use are encouraged, and within what parameters. What AI uses fit with your nonprofit’s mission and values?  

What kinds of AI use are prohibited. What behaviors and uses will your nonprofit not allow under any circumstances?  

How your organization will train, equip and educate team members to use AI. How will you work with your team to find out what skills they want to develop and help them do that within your budget?  

How you will preserve the security and privacy of data in your AI use. What practices will you use to safeguard sensitive data?  

What security requirements will you have for AI services, vendors and products?  

What will you do if data is breached?  

When and how will you use informed consent?  

How can constituents opt out of their data being used with AI?  

When and how you will disclose your nonprofit’s use of AI to internal and external audiences. How will you document and communicate your use of AI?  

What measures you will take to ensure accuracy and mitigate or avoid bias in your use of AI.  

How will you educate your team about potential AI biases and check for them?  

How will you ensure that a diverse group of constituents reviews all AI-generated work?  

What will you do if bias is found in AI-generated work, before or after the fact?   

How will you create safeguards to reduce the risk of plagiarizing from published material?  

What consequences will result from intentional or unintentional violations of the policy. What responsibilities do team members have to report suspected violations?  

How should they report them?  

What will happen if someone made an honest mistake in their use of AI? 

What if someone intentionally misled others about their use of AI, or used it in a malicious way?  

Get Your Team’s Support 

Once you’ve outlined what you want an AI policy to cover, ask your team for their input. How do team members feel about AI use? Where do they want help and guidance on AI? Their answers will help you build a custom policy to guide how your team informs and educates itself and its community. And once you have a draft policy, get feedback before you roll it out. 

A logical next question for many teams: Can we use AI to write our AI policy? Sure —with caveats.  

• Does having AI draft or assist with drafting your policy fit the values and approach your team has identified for your AI use? 

• Would a team member using AI to draft a policy from scratch fit with how your leadership wants your team to use this technology?  

• If yes, use thoughtful, specific prompts to ask an approved AI tool to create a draft policy that meets your needs. 

• If no, consider how you might use AI to assist in creating a policy in ways that meet your nonprofit’s values.  

• Could your team do its own rough draft and prompt AI to draft elements or provisions that stumped you? 

• Could you do a rough draft with no confidential information and feed it into an AI tool—ideally an enterprise one—to ask it what areas you might have missed or could strengthen?  

Remember: Presumably, your nonprofit wants to use AI to augment and support your work, not replace critical thinking. If your team has decided an AI policy is important, make human review at the beginning and end a priority, and keep all the actual decision-making with humans. 

Making It Happen 

Here are some concrete next steps you can use to help your policy become reality

Form a small AI policy team 

• Involve a handful of people from key areas of your organization—programs, communications, operations, development, HR, IT. 

• Consider appointing a key player or two, then asking for volunteer

Do an AI inventory 

• Conduct a brief anonymous survey: What tools do people use now? For what purpose? With what data? 

• Evaluate what you learn about existing AI use for risks and prioritize policy elements accordingly.

Create a first draft

• Focus on basic components: Purpose, Acceptable/Prohibited Uses, Data Privacy, Governance, Training/Review. You can add nuance later. 

• Aim for good, not perfect! 

Share and train

• Hold a short all-staff briefing and share one‑page “Do / Don’t” guidance. 

• Reinforce and discuss the policy at onboarding and manager check‑ins with team members. 

Review and evolve

• Create a policy review schedule (e.g., 6–12 months) to incorporate lessons learned and new requirements from regulators, funders, or other parties. 

• Build in processes for feedback from staff and, ideally, your community. 

Stay Flexible 

Once you establish your AI policy, revisit it regularly. You may need to make changes and additions as you uncover new challenges and benefits of AI use. A simple, flexible structure will provide a consistent backbone for your work with AI as technology rapidly evolves. Your team has learned lots of new things together and navigated complex issues. Draw on that knowledge to help you shape a policy to navigate AI. You’ve got this. 

Rachel Sams is Lead Consultant and Editor at the Nonprofit Risk Management Center. She holds an AI for Nonprofits certificate from NTEN and has spent the past several years curious, concerned, and in learning mode on AI risk for nonprofits. Reach her with thoughts or questions about this article at rachel@nonprofitrisk.org or (505) 456-4045.