What is in a good AI Policy?

Created: April 24, 2026 at 3:21 PM | Updated: June 15, 2026 | By NZ Navigator Trust

For the social sector, AI is potentially a powerful tool for fundraising, researching, grant writing, and maximising organisational impact.

To make the most of these opportunities, and avoid the pitfalls of AI, it is important to consult with your people to agree on how your organisation will use AI. This consultation will result in an AI policy for your internal (and external) use.

Core principles for an AI policy for community non-profits should feature human oversight (AI should support human decision-making, not replace it), data privacy, and ethical usage.

Essentials for a responsible AI use policy

If your non-profit hasn’t drafted a policy yet, we'd suggest you start with these essentials:

  1. Purpose and scope: what this policy is and who it’s for. Name the goal (responsible use, harm reduction, learning) and the scope - what 'AI use' includes and to whom it applies (e.g., staff, board members, contractors, and volunteers). A clear scope prevents confusion, reduces inconsistent practices, and keeps the policy from becoming irrelevant or too broad.
  2. Values and commitments: how AI use should feel and function. Values like privacy, transparency, equity, accessibility, consent, human oversight, and accountability should be included in your policy.
  3. Prompting and data-handling norms: what staff should do and avoid. Keep the guidance simple and give examples. 
    • Treat AI as a collaborator, not an authority (check sources and facts).
    • Don’t enter sensitive information (people's personal data. confidential information, legal documents, passwords, or anything you wouldn’t paste into a public website).
  4. When NOT to use AI: Include a clear 'do not use AI' list for important tasks  such as: decision-making around eligibility for services, client case notes, HR performance analysis, content representing your community without consent and context, and any task where AI could cause harm if the information is wrong.
When writing a responsible AI use policy:
Do's
  1. Do keep it simple and adaptable so staff will actually read and remember it - you can update it as needed.
  2. Do write in plain/accessible language. If staff need a lawyer to interpret the policy, it won’t shape behaviour.
  3. Do design for real roles and workflows (fundraising, programmes, finance, operations, communications), not just IT.
  4. Do build in a learning loop: how staff report issues, flag risky use-cases, and propose updates.
  5. Do involve leadership and the board early for alignment on values, risk appetite, and accountability.
Don’ts
  1. Don’t copy a template without adapting it to your data practices, applicable legislation, and community.
  2. Don’t make it overly restrictive or legally binding. Fear-based policies drive AI use underground - where staff use unapproved tools, don’t disclose AI assistance, and avoid asking questions - so risks go unreported and guidance can’t improve.
  3. Don’t treat the policy as 'done' once published—enhance it with training, plus examples and regular check-ins.

[Source: this section was based in part on a January 2026 tips and training article from Candid (a provider of non-profit resources in the USA)]. 

Equity, inclusion, and cultural safety

Organisations should ensure equity, inclusion, and cultural safety are addressed in their AI policy.  The AI policy should recognise:

  • AI systems can contain bias.
  • Content should be reviewed for fairness and inclusiveness.
  • Organisations in Aotearoa should consider Te Tiriti o Waitangi obligations and cultural safety, including impacts on Māori communities.

Here are some examples of cultural safety clauses:

"Cultural safety: All use of AI systems will uphold Te Tiriti o Waitangi and Māori Data Sovereignty by ensuring Māori data, stories and knowledge are protected as taonga and are safe guarded and protected."

"The organisation will support appropriate awareness and capability development regarding ethical and culturally appropriate use of AI."

Privacy considerations

We've already covered the use of sensitive data above, but it's worth saying again that it's important that your policy follows the requirements of the Office of the Privacy Commissioner and the New Zealand Privacy Act 2020

Charity sector - trust and transparency

The charity sector in Aotearoa New Zealand exists because of the publics 'trust'. Organisations thrive when they are transparent and can demonstrate they have good governance and integrity. You do this by sharing your AI policy on your organisation's website.

A simple AI policy structure to get you started

It can be helpful to develop your policy starting with a structure/headings to organise your policy content:

  1. Purpose
  2. Scope
  3. Definitions
  4. Guiding principles
  5. Approved uses of AI
  6. Prohibited or restricted uses
  7. Privacy and data protection
  8. Human oversight requirements
  9. Intellectual property and copyright
  10. Accessibility, equity, and cultural considerations
  11. Staff responsibilities
  12. Governance and review

We've created some starter templates that you can download and adapt for your organisation - see our CommunityNet Aotearoa resource AI policy templates.