How nonprofits can use AI safely

Where AI genuinely helps a small nonprofit

These are the use cases we see produce real ROI without much risk:

• Drafting and tightening communications. Newsletters, thank-you notes, grant narratives — drafted by AI, edited by humans.
• Summarizing long documents. Board packets, RFP responses, grant guidelines turned into a one-page brief.
• Meeting notes. Automated transcripts and action-item summaries from staff calls.
• Translation. Drafting bilingual program materials, with native-speaker review.
• Volunteer matching. Sorting incoming volunteer applications against open shift needs.
• Donor research. Synthesizing public profiles of major-gift prospects into a one-page brief.
• Data cleanup. Standardizing addresses, deduplicating donor records, normalizing program data.

Where to keep humans squarely in the loop

These are the categories where AI mistakes hurt more than they help:

• Eligibility decisions. Who gets served, who qualifies for a program, who receives funds — humans only.
• Clinical or legal advice. AI can summarize, but the actual guidance comes from a licensed person.
• Sensitive outreach. Crisis messaging, condolences, anything involving a beneficiary in distress.
• Grant compliance attestations. If you sign something, you read it.
• Public statements. Anything that goes out in your ED's voice or your board's name gets human review.

Three illustrative scenarios

Scenario 1 — A small food bank automates donor thank-yous. They feed donation amount, donor name, and program designation into a structured prompt that produces a draft thank-you in the ED's voice. Staff review and send. Time per letter drops from 12 minutes to 2. Critically: the prompt never sees email addresses, phone numbers, or anything beyond what's needed for the letter itself. The AI vendor has a data-processing agreement and zero-retention setting enabled.

Scenario 2 — A youth-services nonprofit summarizes intake notes. Caseworkers dictate field notes after home visits. An on-platform AI summarizer turns them into a structured record in the case-management system. To avoid sending youth identifiers to a third-party model, the names are tokenized client-side and replaced with codes; the model never sees the real names. A licensed clinical director reviews flagged summaries weekly.

Scenario 3 — A faith-based ministry uses AI to draft sermons-in-progress and small group guides. The ministry has a clear written policy: AI is a research and drafting tool, never a substitute for pastoral discernment. Any AI-assisted material is reviewed by the lead pastor before use. The guideline they tell staff: "AI can shape clay; only a pastor decides what to make."

The data question — the part most articles skip

When you paste something into a chatbot, you're sending that content to a third party. For a nonprofit, that can implicate donor confidentiality, beneficiary privacy, HIPAA (for health-adjacent orgs), FERPA (for education), and sometimes state-level privacy laws. The safe baseline:

• Use an enterprise-tier account. Free consumer tools often train on your inputs by default. Paid business plans typically don't — but read the contract.
• Enable zero-retention where offered. Most enterprise providers let you turn off prompt and response storage.
• Sign a data-processing agreement. If the vendor won't sign one, that's information.
• Don't paste sensitive identifiers. SSNs, full DOBs, addresses, medical info, financial account numbers — strip them out before they hit the prompt.
• For protected health information, get a BAA. Some major AI vendors will sign one; some won't. Don't assume.

A starter AI policy for a 5–50 person nonprofit

You don't need a 40-page policy document. You need one page everyone reads. The essentials:

• Approved tools. Name them. "Staff may use [X] and [Y] with their work accounts. No other AI tools without IT approval."
• What never goes in. A short list: SSNs, dates of birth, beneficiary medical information, donor giving history beyond what's already public, anything marked confidential.
• Always disclose AI-generated public content. When AI substantively wrote something the public will see, say so.
• Verify facts and dates. AI hallucinates grant deadlines, statute citations, and historical events. Check before publishing.
• A human signs off on outbound messages. No automated agent sends emails or texts to donors or beneficiaries without a person approving.
• An incident path. If a staff member realizes they pasted something sensitive, they tell the operations lead immediately. No blame — just speed.

The biases worth knowing about

AI systems trained on the internet absorb the internet's biases. For mission-driven organizations especially, that matters. If you use AI to screen, summarize, or evaluate descriptions of people, watch for systematic patterns — by name, race, language, geography. A quick way to test: take a sample output, swap the identifying details to a different demographic, and see if the answer changes. When in doubt, keep a person in the loop on anything that touches who-gets-what.

If you're just starting

You don't need a strategy document; you need a 90-day experiment. Pick one workflow your team genuinely dreads — drafting newsletters, transcribing meetings, processing volunteer applications — and apply AI to that one thing with the policy above. Measure the time saved. Decide if it was worth it. Then pick the next one.

If you'd like help thinking through which workflows to start with, or want to put AI behind your own data without sending it to a vendor, our AI service is built for exactly this. The first call is free, and we'll tell you when AI isn't the right answer too.