Artificial intelligence is already inside most charities.
It is drafting fundraising appeals, summarising case notes, screening applicants, and responding to enquiries often without ever appearing on a board agenda.
That is the real governance challenge.
The technology is rarely the problem. The problem is whether the right oversight, accountability and judgement are in place to use it well. AI is not, fundamentally, an IT matter to be delegated downwards. It touches a charity’s data, money, people, beneficiaries, and reputation. That makes it a board-level responsibility.
Trustees do not need to understand how an AI model works. But they do need to be confident that someone in the organisation is asking the right questions, and that the answers are written down. Here are five questions trustees should be putting on the agenda.
Well-governed organisations already know the answers – and have them documented, proportionate, and reviewed.
1. Do we actually know where AI is already being used?
If you do not have a clear answer, you do not yet have control. AI features are now embedded in mainstream tools:
- your CRM
- your email
- your design software
- your case management system
Staff are also using free public tools on their own initiative, often with good intentions and no guidance.
The first task is visibility. A trustee cannot govern what the organisation cannot see. Asking for a simple inventory of where AI is in use, sanctioned or not, is the single most useful starting point, and it often surfaces surprises.
2. What happens to the data we put into these tools?
This is where the sharpest risks sit for a charity. Beneficiary data, donor records, safeguarding information and employee details are exactly the kind of sensitive material that should never be casually pasted into a public AI tool, where it may be stored, processed elsewhere, or used to train future models.
Data Protection Impact Assessments (DPIAs) are often required where new technologies create high risk to individuals. It’s a specific mechanism trustees can ask to see.
Under UK GDPR, the charity remains accountable for that data regardless of which tool processed it. Trustees should expect clear answers on what data may be used with which tools, where it goes, and who has checked the supplier’s terms. “We assumed it was fine” is not a defensible position if something goes wrong.
If trustees cannot answer these questions, they are carrying unknown and unmanaged risk.
3. If an AI tool gets something badly wrong, who answers for it and to whom?
AI systems make mistakes confidently. They can produce inaccurate information, biased outputs, or decisions that disadvantage particular groups. If that happens in a fundraising claim, a grant decision, or a service touching vulnerable people, the consequences are real.
Accountability cannot sit with a tool. It sits with trustees.
Here charities face something most commercial organisations do not: two regulators. A serious data breach or harm can engage both the Information Commissioner’s Office and the Charity Commission, with separate reporting expectations and separate consequences. Serious incident reporting to the Commission is a trustee duty, not an optional courtesy. The board should know who would make that call, how quickly, and on what basis, before an incident, not during one.
4. Have we drawn the line where human judgement is non-negotiable?
Efficiency is the honest appeal of AI, and for a resource-stretched charity that is no small thing. But some decisions should never be handed to a machine, however helpful it seems. Decisions about an individual’s care, eligibility, safeguarding or wellbeing carry a duty of human judgement and accountability that cannot be delegated to a tool.
Trustees do not need to design these boundaries themselves. They do need to be assured that the boundaries exist, are written down, and are understood by the people doing the work.
The question is simply: where have we decided a human must always decide?
If that line is not written down, it does not exist.
5. Would our donors and beneficiaries be comfortable if they knew?
Because eventually, they may.
A charity runs on trust. Supporters give because they believe in your mission and your integrity; beneficiaries engage because they feel respected and safe. AI used clumsily in a heartfelt appeal, in a relationship that is meant to feel personal, in a service built on dignity, can quietly erode that trust in ways that are hard to win back.
This is not an argument against using AI. It is an argument for using it transparently and in keeping with your values. A useful test for any proposed use: would we be comfortable explaining it openly to the people it affects? If the answer is no, that is worth pausing on.
Moving Forward Responsibly
The board’s role is not to fear AI or to ban it. It is to make sure the charity adopts it with the same care, accountability and judgement applied everywhere else.
None of these questions requires technical expertise. They require what trustees already do well: asking for clarity, expecting accountability, and protecting the organisation’s mission.
A charity does not need an AI specialist to govern AI responsibly. It needs the right questions on the agenda and honest answers on the record.
How we can help
Durrant Riley Advisory supports charities to adopt AI with confidence and control through practical governance, proportionate risk management, and clear accountability.
If these questions are not yet on your board agenda, there is likely unseen risk.
That is where we help.