Insights · Foundations
How to write an AI policy your nonprofit's staff will actually follow.
The test of an AI policy isn't whether counsel approves it. It's whether a program coordinator, mid-task on a Tuesday, can answer "can I use this tool for this?" in under a minute.
By the ETTE AI practice team · Published July 6, 2026
Plenty of nonprofits now have an AI policy. Far fewer have one that changes behavior. The common failure mode is a document written to be defensible rather than usable: three pages of principles ("we embrace innovation responsibly"), a blanket caution about confidential data, and no answer to the only question staff actually have — which tools, for which work, with which data?
We call this failing the hallway test. If a staff member stops you in the hallway and asks "can I paste this board memo into ChatGPT to tighten it up?" and your policy doesn't produce a yes-or-no answer in under a minute, the policy will be ignored — not out of defiance, but because deadline pressure always outruns ambiguity.
What a usable AI policy contains
A policy that passes the hallway test has five short sections. None of them require legal prose.
- Approved tools, by name and account type. "Claude for Work under the org account: approved. Personal free-tier accounts: not for work content." Naming tools feels risky — the list will change — but a named list staff can follow beats an abstract standard they can't. Review it quarterly.
- Data rules in three buckets. Green: public or already-published content — use freely. Yellow: internal drafts, unpublished plans — approved tools only. Red: donor and client PII, health and financial records, anything under NDA or grant confidentiality — never enters any AI tool without an explicit review. Three buckets are memorable; a data-classification matrix is not.
- A human-review rule. Nothing AI-assisted goes to a donor, member, client, or the public without a person reviewing it and taking ownership. This single sentence prevents most reputational incidents — and it echoes what a Tier 3 engineer told our own team during ETTE's internal AI Champions program: "Always review everything — your work has to look consistent and professional."
- A named owner and a fast lane for questions. One person (or a two-person pair) answers use-case questions within one business day, and unusual requests get a quick yes/no/needs-review rather than a committee. The owner also keeps the approved list current.
- What happens when something goes wrong. A no-blame reporting path: if sensitive data ends up in the wrong tool, staff report it the same day, and the response is containment, not punishment. Policies that punish honesty produce silence, and silence is the real risk.
What to leave out
Resist the urge to legislate the future. Provisions about AI models you don't use, hypothetical agentic scenarios, or productivity quotas date the document instantly and bury the rules people need. A nonprofit AI policy should fit on two pages. Everything longer is a sign the policy is doing work that belongs in the operating model — use-case intake, pilot design, and measurement live there, not in the AUP.
Rollout matters as much as text
A policy announced by email is a policy unread. What works: a 30-minute all-staff session walking through the three data buckets with real examples from your organization's own work, a one-page quick-reference posted where staff actually look, and a standing invitation to bring edge cases to the owner. When ETTE introduced its own AI usage policy at the kickoff of its internal Champions cohort, the policy came bundled with tool access and live demonstrations — rules and capability arrived together, which is why the rules stuck.
Next Step