The AI Guidelines Your Board Keeps Asking For. Already Written.
Your team is already using AI. The question is whether they’re using it with a map or making it up as they go. I built the complete, board-ready guidelines so you don’t have to spend your weekend on it.
No email required. No catch. Tell the board you spent all weekend on it. ๐๐พ
AI Guidelines for Nonprofit Organizations
of nonprofits are already using AI tools
have formal governance guidelines in place
of ready-to-adopt guidance in this document
Why Guidelines Instead of a Policy?
AI changes by the minute. Guidelines are easy to edit and update as new tools show up. A Policy is stricter and usually needs board approval to change.
My rule of thumb: start with Guidelines. If they haven’t changed in a year, graduate them into a Policy.
I know an ED who wrote a Policy allowing only ChatGPT and Gemini. When Claude blew up, she needed a full board vote just to let her team try the free version. And tomorrow there will be another tool worth trying.
Guidelines keep you flexible. That’s the whole point.
A Simple Green / Yellow / Red System Your Whole Team Gets
No legal jargon. Every AI use case in your organization lands in one of three lanes, so staff always know where they stand.
Go For It
- Meeting notes & action items
- Routine email drafts
- Grant research assistance
- Data analysis & templates
Extra Review First
- Donor communications
- Grant proposal drafting
- Annual reports & press releases
- Job descriptions & HR content
Hard Stops
- Client PII in AI platforms
- Autonomous decisions on people
- Mental health or legal advice
- Resume screening without oversight
Seven Principles That Keep Your Mission in Charge
Every rule in the document traces back to one of these. Humans stay in control. Your community stays protected.
Human Oversight
AI drafts. Your people decide. Every output gets human review.
Verification
Every claim cross-checked with 2โ3 authoritative sources before use.
Bias Mitigation
Testing across demographics before anything touches the people you serve.
Accountability
Clear ownership, documentation, and audit trails for all AI use.
Data Privacy
Client and donor PII never enters commercial AI platforms.
Mission Alignment
AI earns its place only when it advances your mission.
Explainability
You can explain your AI use to boards, funders, and community.
+ Full Governance
Roles, training schedules, incident response, and tool evaluation included.
Read Every Section Right Here
All twelve sections, ready to adopt. Grab the editable copy when you’re ready to make it yours.
These guidelines establish our organization’s framework for responsible artificial intelligence (AI) adoption. With 82% of nonprofits already using AI tools yet less than 10% having formal governance policies, this document addresses the critical governance gap while positioning AI as a beneficial tool that serves, not replaces, mission-driven work.
The approach balances innovation with ethical responsibility, recognizing both AI’s transformative potential and documented risks including hallucination, bias affecting vulnerable populations, and privacy concerns. These guidelines ensure AI augments human judgment rather than replacing it.
Implementation approach: the guidelines operate on a self-governing, honor-system model that trusts your team to exercise professional judgment โ with leadership reserving the right to escalate oversight, add safeguards, or revise the guidelines if concerns arise. This adaptive approach keeps your organization AI-friendly while protecting the communities you serve.
1. Human Control & Oversight. AI tools support human decision-making; they never make final decisions autonomously. All AI outputs require human review before implementation. High-stakes decisions (program eligibility, hiring, resource allocation) maintain mandatory human oversight. Staff retain ultimate authority and accountability for all decisions.
2. Validation & Reliability. Every AI-generated output undergoes verification before use. All factual claims, statistics, and references must be cross-checked with at least 2โ3 authoritative sources. Suspicious or overly confident claims trigger additional scrutiny. Subject matter experts review technical, specialized, or high-stakes content.
3. Inclusiveness & Bias Mitigation. AI systems must not discriminate against or harm the vulnerable populations you serve. Run bias impact assessments before deploying AI in client-facing applications, test performance across demographic groups, and give affected individuals a way to report concerns.
4. Accountability & Transparency. Clear ownership, documentation, and audit trails for all AI use. Maintain records of verification steps and human review, and establish clear escalation procedures when AI outputs raise concerns.
5. Data Privacy & Protection. Constituent data remains confidential and secure. Never input personally identifiable information about donors, clients, or constituents into commercial AI platforms without explicit consent. Follow applicable privacy laws (GDPR, CCPA, HIPAA where relevant), practice data minimization, and securely dispose of AI outputs containing sensitive information.
6. Social Impact & Mission Alignment. AI adoption must advance your mission and values. Question whether AI adds genuine value for each use case, prioritize applications that improve service delivery and community impact, and avoid AI use that could undermine trust with the communities you serve.
7. Explainability. Understand how your AI tools work and be able to explain their use to boards, funders, and communities. Staff receive training on AI capabilities and limitations, and vendor transparency guides tool selection.
GREEN LIGHT (encouraged with standard review). Administrative and operational efficiency: meeting note summaries and action items, routine email drafts (with review), calendar coordination, translation of materials (with native speaker verification), research assistance for grants and reports, data analysis and visualization. Content development at draft stage only: blog and newsletter drafts, social media ideas, internal training materials, document templates. Technical: database query help, spreadsheet formulas, basic coding with technical review, formatting and accessibility improvements.
YELLOW LIGHT (permitted with enhanced review). Donor communication drafts (two-level review), grant proposal research and initial drafting (expert review plus compliance check), annual report content (multi-level review), press release drafts (senior leadership approval). Program development: needs assessment analysis, program design research, outcome measurement, and survey design โ each with expert or supervisor validation. Human resources: job description drafting with HR review, interview question development (never candidate evaluation), training curricula with SME review, performance review templates (never actual evaluations).
RED LIGHT (prohibited or extreme caution). Absolutely prohibited: autonomous decision-making without human review for hiring, program eligibility, or resource allocation; processing confidential client information (medical records, legal status, mental health, trauma histories) through commercial AI platforms; mental health counseling or crisis intervention; legal advice for clients without verified resources; medical diagnosis; child welfare assessments; resume screening without robust human oversight and bias testing; final compliance documents or legal contracts without attorney review. Extreme caution (expert consultation mandatory): crisis communications, correspondence about traumatic events, major donor solicitations over $10,000 without management approval, government or foundation reporting with compliance requirements, any application affecting vulnerable populations’ access to services, financial modeling without financial expertise validation.
Tier 1 โ Low-risk content (single human review). Internal meeting notes, routine scheduling, staff brainstorming. The creator reviews for accuracy, appropriateness, and tone, fact-checks claims, and documents AI assistance in file notes.
Tier 2 โ Medium-risk content (two-level review). Social media posts, blog articles, donor thank-you notes, internal newsletters. Creator edits and fact-checks, verifies brand alignment, checks for bias. Supervisor gives final approval with a fresh perspective and documents AI assistance if content is public-facing.
Tier 3 โ High-risk content (multi-level review). Major donor communications, grant proposals, press releases, annual reports. AI drafts or researches only. Creator edits heavily and fact-checks comprehensively; a subject matter expert verifies accuracy; legal/compliance reviews as applicable; senior leadership approves; final proofreading and documentation close it out.
Tier 4 โ Critical content (comprehensive review plus expert consultation). Legal documents, regulatory filings, crisis communications, client-facing policy documents. A human expert creates the content with AI assisting research only, followed by dedicated fact-checking, multiple SME reviews, mandatory legal counsel review, executive approval, compliance sign-off, and a complete audit trail.
Universal fact-checking protocol. For all AI-generated content verify: names and titles, exact quotations and sources, organization names, all numbers and dates, sequences of events, scientific and technical claims, and citations (confirm DOIs exist and papers are real). Research shows ChatGPT fabricates references 47% of the time and provides fully accurate citations only 7% of the time โ always verify citations in scholarly work.
Before deploying AI for client-facing applications, ask: Who will be affected? What are the potential harms to vulnerable populations? How will bias be detected and monitored? Does the training data represent the diversity of people you serve? Are there proxy variables (ZIP codes, names, language patterns) that could encode discrimination?
Testing: test model performance separately across racial, ethnic, gender, age, disability, and language groups; examine training data for representation of marginalized communities; review for historical biases embedded in data.
Ongoing monitoring: collect disaggregated performance data, keep feedback channels open for clients and staff, review AI performance and equity metrics quarterly, and engage community members in evaluating applications that affect them.
When bias is detected: immediately pause the tool for affected applications, investigate root causes with a diverse team, implement fixes, re-test with affected populations, document the incident, and consider discontinuing the tool.
Why this matters: healthcare algorithms have favored white patients over Black patients, reducing Black patients identified for extra care by more than 50%. Facial recognition systems misclassify Black women at rates up to 35% while misclassifying white men at only 1%. These harms directly contradict nonprofit missions and values.
Never input into commercial AI platforms: personally identifiable information about clients, donors, or constituents; immigration status or legal information; medical or mental health records; financial information tied to specific individuals; information about specific minors without explicit parental consent; attorney-client privileged communications; proprietary organizational strategies before they’re public.
Permitted: de-identified aggregated demographic data, public information, anonymized program outcome data, general organizational information, and template documents without personal details.
Data minimization: collect only what’s truly necessary, remove unnecessary data after use, audit data retention quarterly, and dispose of data securely.
Vendor security bar: clear privacy policies with regulatory compliance, disclosed training data sources, enterprise-grade encryption at rest and in transit, acceptable retention and deletion policies, security certifications (SOC 2, ISO 27001), and no broad data-rights claims in the terms of service โ 92% of AI vendors claim these, so negotiate them out.
Organizational practices: role-based access controls, multi-factor authentication, audit logs, annual vendor security reviews, an incident response plan, and staff training on data protection.
U.S. copyright rule: works must have human authorship to receive copyright protection. AI-generated content without significant human creative input enters the public domain immediately. To maintain copyright, use AI as a research and drafting tool only, and edit all AI outputs with original human expression.
Materials needing strong copyright: curriculum and training materials for potential licensing, original research reports, proprietary program methodologies, marketing materials with significant investment, and publications intended for distribution or sale.
Vendor contracting: negotiate clear terms on output ownership, IP rights, data portability, service level agreements, liability and indemnification, and exit clauses protecting organizational data.
Data centers contribute roughly 1% of global electricity consumption. Right-size your AI use: pick the smallest model sufficient for each task, favor text over image generation, and minimize video generation. Prefer vendors with low power usage effectiveness and renewable energy commitments. Use simple, clear prompts, batch similar queries, question whether AI adds value beyond a spreadsheet, and track usage to find optimization opportunities.
Before adopting any AI tool, assess: organizational fit (mission alignment, clearly defined need, vendor nonprofit commitment, sustainable cost); technical capability (functional requirements, capacity fit, integration, scalability); data governance (privacy policy, training data disclosure, encryption, certifications, no problematic IP claims); bias and fairness (documented bias testing, training data diversity, regular audits); transparency (explainable decisions, honest limitations); human oversight (review processes, override mechanisms, audit trails); and pilot testing (trial period with success metrics, staff training, feedback mechanism, exit strategy).
Executive Director: final authority on AI strategy and policy, board communication, budget allocation, crisis response. AI Governance Lead: day-to-day implementation, tool evaluation, training coordination, quarterly reviews, incident investigation. Data Protection Officer: privacy compliance, data governance enforcement, vendor security assessment, breach response. Program representatives: use case identification, bias impact assessment, community feedback. IT/technical: capability assessment, security implementation, performance monitoring. Legal/compliance (as available): contract review, regulatory verification, risk assessment.
Decision authority: the Board approves the AI policy and reviews the annual governance report. The Executive Director approves tool purchases over $5,000 annually and authorizes high-risk applications. The AI Governance Lead approves low-risk trials and standard applications. Staff use approved tools within guidelines and report concerns immediately.
All staff using AI (annual): capabilities and limitations, hallucination recognition, bias awareness, data privacy, appropriate vs. prohibited use, verification and documentation. Supervisors (bi-annual): review protocol oversight, bias impact assessment, incident response, quality assurance. Governance team (quarterly): emerging developments, legal and regulatory updates, vendor evaluation, risk assessment. Board members (annual): governance overview, risk and opportunity landscape, oversight responsibilities.
Track: efficiency gains (time saved, cost reductions, capacity increases), quality indicators (accuracy after verification, errors caught in review, stakeholder satisfaction), risk metrics (errors or harms, privacy near-misses, bias complaints), and governance effectiveness (policy compliance, training completion).
Quarterly review: incident reports, performance trends, new tools and use cases, approved-tool list updates, training needs, and policy revisions. Annual board report: strategy progress, cost-benefit analysis, risk management effectiveness, significant incidents, and future opportunities.
When AI errors or harms occur: immediately halt the affected process and mitigate harm; notify the Executive Director within 24 hours; investigate root causes within 72 hours; implement corrective actions within one week; update policies and training within two weeks.
These guidelines position AI as a powerful tool serving nonprofit missions. Human judgment remains central to all decisions affecting people’s lives. Verification precedes publication. Vulnerable populations receive extra protection through bias testing and human oversight. Transparency and accountability govern all AI applications. Data privacy is non-negotiable for sensitive constituent information. These are living guidelines โ review them regularly as technology evolves, regulations develop, and your experience grows.
What About the Colorado AI Act?
Colorado passed the country’s first state AI law (SB 24-205) in 2024. In May 2026, lawmakers replaced it with a revised law โ SB 26-189 โ that takes effect January 1, 2027. The new version focuses on disclosure and transparency when automated systems help make consequential decisions about people: hiring, housing, access to services.
For most Colorado nonprofits the practical takeaway is simple. Keep a human making the final call on any decision that affects a person, and be transparent about where AI is involved. These guidelines already have you covered on both.
Updated for SB 26-189 ยท Effective Jan 1, 2027Guidelines on Paper Are Step One. Want Help Making Them Real?
The teams that get the most out of AI sit down, open their laptops, and practice with the tools they already have. That’s what I do with Colorado nonprofits every week.
โฑ 5 hours back per week โ guaranteed, or you don’t pay.