Every board we are talking to right now wants to know the same thing: what is our AI policy. The honest answer is that most boards are asking the wrong question. The question is not which tool to buy. The question is what risk the board is willing to accept, what is delegated to management, and what is reserved for board oversight. That is governance work, and almost no board has done it yet.
Policy vs. Use Rules: Stop Confusing the Two
Most boards we work with are conflating two different documents. An AI policy is a board-level artifact that sets risk tolerance, acceptable use boundaries, and the framework management must operate inside. An AI use rule is an operations document that tells staff which tools they can open, what they can paste into a prompt, and how to log it. They are not the same thing, and they should not be written by the same people.
When boards try to write the operations document, they end up legislating prompt engineering. When operations teams try to write the policy, they end up with a tool list that has no governance frame around it. The board needs both documents to exist. The board only owns one of them.
The Four Policy Decisions Every Board Must Make
These are the decisions that are reserved for the board, regardless of sector:
- Acceptable Use Boundaries: What is the organization willing to do with AI, and what is off limits. Diagnostic support is one thing. Autonomous patient triage is another. Donor segmentation is one thing. Generative outreach to beneficiaries in crisis is another. The board draws the line.
- Data Classification and AI Access Tiers: Which categories of data (PHI, donor PII, beneficiary records, financials) can be processed by which class of AI system (public model, enterprise tenant, on-premises deployment). The board approves the tiers. Management maps the tools to them.
- Human-in-the-Loop Requirements: Which decisions must have a qualified human in the loop before action. Clinical decisions. Hiring decisions. Beneficiary eligibility decisions. The board sets the categories where automation cannot proceed alone.
- Vendor and Model Risk Acceptance: The criteria for evaluating a vendor or model before adoption. SOC 2 reports, a BAA (business associate agreement) where applicable, data residency, training data exclusion clauses, audit logging. The board approves the criteria. Procurement applies them.
What the Board Should Not Be Deciding
If the board meeting is debating whether the marketing team can use a specific writing tool, the board has slipped into operations. Tool selection, workflow design, prompt libraries, and specific use case approvals (within the policy frame) are management decisions. The board sets the frame. Management operates inside it. When the board crosses that line, two things happen: the board takes on operational risk it cannot manage, and management loses the authority it needs to actually run the work.
Director Liability: The Risk Most Boards Are Not Seeing
Here is the scenario every board should be planning against. An AI-driven decision causes harm. A patient is misrouted. A beneficiary is wrongly denied services. A donor is targeted in a way that causes reputational damage. Plaintiffs subpoena the board minutes. They ask one question: what was your oversight framework.
If the answer is that the board approved a tool but never set policy, never required reporting, and never reviewed risk, the directors are exposed. D&O (directors and officers) insurance carriers are beginning to ask about AI governance frameworks. Authorizers, accreditors, and state regulators are not far behind. The board that cannot show a policy, a reporting cadence, and a documented oversight rhythm is the board that becomes a target.
The Three Artifacts Boards Should Be Asking For Quarterly
If the board has set the frame, management owes the board a regular accounting of what is happening inside it. Three artifacts, every quarter:
- AI Inventory: Every AI tool in active use, the data classes it touches, the vendor, the contract status, and the human-in-the-loop posture. This is the map of the operational reality.
- Incident Log: Every reported issue, near miss, or anomaly. Most organizations have no incident reporting channel for AI yet. The board should require one.
- Risk Register: The known risks, the mitigation status, and any changes since the last report. Risks change as models change, as vendors update terms, as new use cases come online. A static register is a stale register.
Hospital Boards: The Clinical AI Question
For hospital and health system boards, the use cases are sharper and the stakes are higher. Clinical decision support, AI scribes, patient triage tools, and imaging algorithms each carry distinct risk profiles. The board's job is not to approve each one. It is to set the policy that determines how each one gets evaluated, who has authority to approve, and what the reporting cadence looks like.
A hospital board that has not addressed clinical AI by mid-2026 is operating without an oversight framework that other boards in the sector are building. That gap is visible to accreditors, to malpractice carriers, and to the patient safety committee that will be referenced in any incident.
Nonprofit Boards: Donor Data, Beneficiary Data, and Generative Outreach
Nonprofit boards face a different version of the same problem. Fundraising AI is being marketed aggressively to development teams. Beneficiary case management is being augmented with predictive analytics. Donor communications are being generated by tools that the board has not evaluated.
The exposure here is reputational and regulatory. A wealth-screening tool that gets a donor's circumstances wrong. A beneficiary algorithm that flags a family for review on biased criteria. A generative email that lands tone-deaf in a moment of community crisis. None of those are tool problems. They are governance problems that show up because no one set the policy.
What Comes Next
If your board has not yet adopted an AI governance framework, the path forward is straightforward. Form a working group with at least one director who can read the technical material. Draft the policy at the right altitude: risk tolerance, data tiers, human-in-the-loop categories, vendor criteria. Approve it. Then require the quarterly reporting cadence and hold to it.
The boards that do this in 2026 will have a defensible record. The boards that do not will be defending their absence in front of someone who is not friendly.