Board Oversight of AI: What Directors Need to Know

Board directors often feel out of their depth on AI. It seems technical, rapid-moving, and hard to govern. But AI governance is fundamentally about risk management—and that's your job as a board member.

You don't need to understand how neural networks work. You need to ask the right questions and ensure your nonprofit is managing AI risks responsibly.

Why This Matters Now

AI adoption is happening fast, and it's creating new liability vectors. Consider what could go wrong:

• Your fundraising team uses AI to segment donors, but the model is biased and systematically excludes communities of color. That becomes a PR disaster and a values violation.
• Someone uploads sensitive donor data to ChatGPT. The data is exposed. You have a privacy breach.
• An AI tool makes a recommendation about program access, and it's wrong. A vulnerable person is denied services they need.
• You're using an AI tool that a funder hasn't approved. They find out and pull funding.

These aren't hypothetical. They're happening in nonprofits right now. Board oversight prevents them.

Your Board's Role in AI Governance

There are four key things your board needs to do:

1. Approve a Written AI Policy

This is non-negotiable. By your next board meeting, your nonprofit should have a written policy that covers:

• What AI tools are allowed and which are prohibited
• Which data can be input into AI systems and which cannot
• What transparency and disclosure rules apply
• How oversight and compliance will work

Your executive director and a cross-functional committee should draft it. Then the board approves it. See Writing an AI Policy for a detailed template.

What to ask: "Does this policy align with our mission values? Does it adequately protect donor and beneficiary privacy? Are there loopholes?"

2. Establish an AI Committee

Don't let AI governance live only with IT or the executive director. Form a cross-functional AI Committee (or AI subcommittee of your governance/risk committee) that includes:

• Someone with tech knowledge (not necessarily your IT director, could be a board member, staff member, or advisor)
• Your Chief Program Officer or a program leader
• Your compliance/legal contact (could be internal or external counsel)
• Your Executive Director

This committee should:

• Review all new AI tools before adoption (quarterly minimum)
• Audit compliance with your AI policy
• Monitor for bias and adverse outcomes
• Update the policy annually
• Report to the board twice yearly

What to ask: "Who's on this committee? Do they have the expertise and bandwidth? Is reporting to the board clear?"

3. Get Regular AI Risk Reporting

Once a year (minimum), your board should get a written report on:

• Current AI tools in use: What are we using, for what purpose, and who's using it?
• Compliance status: Are we following our own policy? Any violations?
• Risk assessment: Are there new AI risks we should be worried about?
• Outcomes and monitoring: How is the AI performing? Are there signs of bias or errors?
• Planned changes: What new tools are we evaluating? What are we discontinuing?

This doesn't need to be a 50-page document. A 2-3 page summary with an exec-level summary is fine.

What to ask: "Are we finding and fixing problems? Are there red flags? What's the biggest risk?"

4. Ask Hard Questions Before Approving New Tools

When staff want to adopt a new AI tool, the committee should ask (and report back to the board):

• What problem does this solve? Is the ROI clear? Would a non-AI solution work better?
• What data does it require? Is that data sensitive? How is privacy protected?
• Who made the tool? What's their reputation on ethics and bias? Do they publish their methodology?
• What's our liability? If something goes wrong, are we protected? What's the worst-case scenario?
• Can we audit the decisions? If the AI makes a recommendation, can we understand how? Can we appeal?
• How does it fit our values? Does this tool advance our mission or does it create tension?
• What's the cost? Financial and organizational. Is it worth it?

Red Flags: When to Pump the Brakes

As a board member, watch for these warning signs that AI is being used recklessly:

• No written policy. If your nonprofit is using AI but has no governance policy, that's a governance failure. Fix it now.
• No oversight committee. AI decisions are being made ad hoc, without central review. That's how problems fester.
• Sensitive data in public AI tools. Someone is using ChatGPT to summarize donor files or beneficiary information. That's a privacy breach waiting to happen.
• Zero human review of AI decisions. The AI recommends and staff implement without question. That's abdication of responsibility.
• No disclosure to stakeholders. You're using AI in donor targeting or program decisions, but no one tells donors or beneficiaries. That's a transparency problem.
• No monitoring for bias. The AI has been live for months and no one has checked whether it's producing fair outcomes.
• Resistance to questions. When the board asks about AI governance and staff gets defensive instead of providing clarity, that's a sign something is off.

What You Don't Need to Know (But Your Committee Should)

As a board member, you don't need to understand:

• How transformer neural networks work
• The difference between supervised and unsupervised learning
• Specific algorithms or model architectures
• Technical implementation details

Your committee needs to understand these things (or know who to ask). You need to understand:

• What data the AI uses and how privacy is protected
• Whether the AI is being used for high-stakes decisions (and if so, how humans review it)
• Whether there are known bias issues or other risks
• How compliance with your policy is being monitored
• Whether stakeholders are being informed about AI use

Board Meeting Agenda Item: AI Governance Check-In

Here's a template for a 30-minute board agenda item on AI governance:

AGENDA: AI Governance Check-In (30 minutes)

1. UPDATES (10 min)
   - Current AI tools in use (list provided in advance)
   - Any incidents or issues since last meeting
   - New tools being evaluated

2. COMMITTEE REPORT (10 min)
   - AI Committee chair briefs board on quarterly activities
   - Compliance status
   - One major issue or decision requiring board input

3. Q&A AND DISCUSSION (10 min)
   - Board asks questions
   - Committee answers or commits to follow up

Action items documented. Next check-in scheduled.

Staffing the AI Committee: Do You Need to Hire?

Not necessarily. Most nonprofits can staff the AI Committee with existing board and staff members, plus one external advisor if you lack technical expertise.

If you have no one internally with tech knowledge: Recruit one board member or advisor who has that background. This doesn't need to be a full-time hire—4 hours per month is enough.

If you plan major AI investment (building custom models, processing sensitive data at scale): Bring in a consultant or hire a part-time AI/data governance person. But this is rare for nonprofits.

Talking to Your Executive Director About AI Governance

Use this language to start the conversation:

"We want to support AI adoption because it can help us work more efficiently. But we also have a fiduciary duty to manage the risks. Let's work together to set up a governance framework that lets us innovate safely. Here's what we're asking for: [AI policy draft, committee formation, quarterly reporting]. Does your team need support to make that happen?"

Most EDs will appreciate the clarity. A few might push back, saying "governance will slow us down." It won't—it'll actually speed things up by creating clarity and preventing costly mistakes.