Why this matters now

A year ago, most organizations could afford to wait and see how AI played out. That window has largely closed. Funders are starting to ask about AI use in grant applications, board members are asking questions at meetings, and staff are adopting tools on their own whether or not leadership has weighed in.

The risk of not having a policy isn't that your team will do something dramatic. It's that ten people will make ten different judgment calls about what's okay, and you won't know about any of them until one creates a problem. A policy doesn't need to be long or complicated, but it does need to exist.

What a good policy covers

I've helped several organizations draft these, and the ones that get followed tend to share a few things in common: they're short, they're specific about the hard lines, and they leave room for the tools to change without rewriting the whole document.

Here's what I'd recommend covering, roughly in this order:

1. Approved and prohibited uses

Start with what staff can use AI for and where it's off-limits. Be specific enough that someone can read this section and know whether their use case is okay.

For most organizations, reasonable starting lines look something like:

  • Drafting internal communications, meeting summaries, and first drafts of non-sensitive content is generally fine
  • Entering client names, case details, health information, or any data covered by your confidentiality agreements is not
  • Using AI to generate content that will be published under the organization's name requires a human review before it goes out

2. Data boundaries

This is the section that protects you. Spell out exactly what types of data should never be entered into an AI tool, and name the categories explicitly: client PII, donor financial information, employee records, confidential program data, anything covered by HIPAA or FERPA if those apply to your work.

A good rule of thumb: if the data would be a problem in a breach notification, it shouldn't go into a general-purpose AI tool.

3. Approved tools

Rather than trying to evaluate every AI product on the market, name the specific tools your organization has reviewed and approved. This makes the policy easy to follow and gives you a clear process for adding new tools later.

Include whether the approved tools are the free or paid versions. This matters because paid tiers of most AI tools come with data processing agreements and opt-outs from training on your inputs, while free tiers typically do not. Confirm this in the vendor's current terms for each tool you approve rather than assuming it, and note the date you checked.

4. Disclosure requirements

Decide when AI use needs to be disclosed and to whom. Common scenarios to address:

  • Grant applications and funder reports
  • Published content (blog posts, newsletters, social media)
  • Communications with clients or program participants
  • Board materials and financial reporting

Funders are increasingly expecting disclosure, so getting comfortable with transparency now saves you from a more awkward conversation later.

5. Accountability and review

Name who owns this policy and how often it gets reviewed. AI tools change fast enough that an annual review cycle is the minimum. Designate someone (an operations lead, a tech committee, whoever makes sense for your size) as the person staff can ask when they're unsure whether a use case is okay.

How long should it be?

The best AI policies I've seen for small to mid-size organizations run two to four pages. Long enough to cover the hard lines and give staff clear guidance, short enough that people read it. If your policy requires a table of contents, it's probably too long for your organization's current stage.

A policy that gets read and followed beats a comprehensive one that lives in a shared drive nobody opens. Start with what your team needs to know today, and plan to revisit it as your organization's relationship with AI matures.

Common mistakes to avoid

Banning AI outright. If your staff are already using these tools (and they almost certainly are), a blanket ban just pushes usage underground where you have no visibility into what data is being shared. A clear policy with boundaries is more protective than a prohibition nobody follows.

Writing for a future you haven't reached yet. I've seen organizations spend months drafting policies that cover machine learning model training, algorithmic bias audits, and AI procurement frameworks when their actual AI use is three people using ChatGPT for email drafts. Write the policy for the organization you are today, with a review date that lets you expand it as your usage grows.

Skipping the conversation. A policy that lands in everyone's inbox without context tends to generate anxiety and confusion. Even a 30-minute all-staff discussion about why the policy exists and what it covers makes a real difference in how people receive it. The goal is shared understanding, and that requires an actual conversation.

Getting started

If you're staring at a blank document, start by answering three questions:

  1. What AI tools are people on your team already using, and for what?
  2. What data does your organization handle that should never go into those tools?
  3. What would you need to disclose to your funders, board, or clients if they asked?

The answers to those three questions give you the skeleton of a policy. From there, it's a matter of writing it down clearly enough that any staff member can read it and know what's expected of them.

I help mission-driven organizations draft AI use policies that are practical, board-ready, and built around how your team works. If you'd like help getting started, let's talk.
