Your board has started asking about AI. Not “should we use it” — that question is already answered by the 12 tools your staff is quietly running. The questions now are about ethics, liability, member data, and disclosure. This post gives you the framework to answer them without either shutting down the conversation or making promises you can’t keep.
Why your board is asking about AI ethics right now — and what they’re actually worried about
The question didn’t arrive out of nowhere. ASAE devoted a pre-conference lab at its 2025 Annual Meeting to “Foundations of Ethical AI Governance in Associations” — three CAE ethics credits’ worth of signal that this is no longer an early-adopter topic. It’s a fiduciary one.
The numbers behind that signal are stark. Fewer than 10% of nonprofits and associations have a formal AI use policy, according to Whole Whale’s 2025 analysis of nonprofit AI adoption. Between 68% and 82% of nonprofit employees are actively using generative AI tools, according to the Nonprofit Learning Lab. That gap — between actual use and formal governance — is what your board sees when they look at the liability question.
The gap between actual AI use and formal governance is what your board sees when they look at the liability question.
What they’re worried about isn’t technology risk in the abstract. It’s three concrete things: what happens to member data, what the organization will say if AI-generated content misleads or offends a member, and who is specifically accountable when something goes wrong. Joy Davis, CAE and Richard E. Shermanski named the two immediate pressure points in their March 2025 piece for Associations Now (“Member Data and the Ethics of AI,” asaecenter.org): AI note-taking tools showing up in board and committee meetings without any policy framework, and the question of what members expect when decades of their behavioral data — what they read, what events they attended, how they engaged — can now power AI insights your staff didn’t have two years ago.
Your board isn’t wrong to ask. The question is whether you can answer it.
For context on where AI governance fits within the broader AI strategy for associations, see the AI for Associations resource center.
Six things to do before your next board meeting
Map what AI is already in the building
Before you write a policy, you need an accurate picture of what tools are actually running. Not what IT has approved — what staff is using. The gap between those two things is usually where the governance risk lives.
In most associations I’ve audited, the real number is somewhere between six and twelve tools in active use, most of them free-tier accounts that staff signed up for individually, outside any IT procurement process. Some of those tools are touching member data. Some are storing conversation history on vendor servers. Most of the people using them don’t know this and never asked.
The audit question is simple: which tools are in use, which of those tools touch member data or staff communication about members, and does the vendor’s data policy address what happens to that data? You cannot write a policy that governs tools you haven’t inventoried.
A common mistake is to skip this step and go straight to the policy document. You end up governing imaginary tools — the ones someone describes in a planning meeting — while the real ones run unexamined.
Separate your board’s questions into three categories
When boards talk about “AI ethics,” they’re usually running three distinct concerns together. Separating them makes each one answerable.
Data: Is member data being used to train AI models? For most free-tier tools — ChatGPT’s free tier, earlier versions of Gemini — the answer has historically been yes, by default, unless users opted out. Enterprise tiers with data processing agreements are a different matter: those contracts typically exclude customer data from model training. The practical answer for your policy is to identify which tools touch member data and confirm whether you’re operating under a data processing agreement.
Disclosure: Does your organization need to disclose when content is AI-generated? For marketing communications, FTC guidance on deceptive advertising applies — if AI-generated content is misleading about its origin, you have a compliance problem. For member communications, there’s no binding standard from ASAE yet, but member expectations are ahead of any policy that currently exists. The safe position is to disclose when content is primarily AI-generated and when AI is generating personalized content about specific members.
Oversight: Who is responsible when something goes wrong? Right now, at most associations, the honest answer is: no one specifically. That’s the gap the policy closes. The board needs a name, not an org chart.
Write a use policy, not a philosophy
The common failure mode in association AI governance is a values statement that doesn’t govern anything. It says the organization believes in “responsible AI” and “human oversight” without specifying what staff can and cannot do with the tools they’re already using.
A minimum viable policy covers four things: which tools are approved, which data categories those tools can touch, who approves requests for new tools, and what the disclosure standard is for member-facing AI-generated content. That’s not comprehensive AI governance — it’s the floor below which you have no governance at all.
A minimum viable policy covers four things: which tools are approved, which data categories those tools can touch, who approves new tools, and what the disclosure standard is.
Fast Forward’s Nonprofit AI Policy Builder (ffwd.org/nonprofit-ai-policy-builder) generates a working draft covering governance, privacy, risk management, and ethics. It’s not association-specific, but it’s a real starting point rather than a blank page. ASAE’s Association Coalition for AI, established in 2025, offers frameworks that account for the specific constraints associations operate under — member data relationships, advocacy calendar implications, chapter structures — that generic nonprofit templates miss.
Address member data specifically
This is the question your board is most likely to ask and least likely to get a clear answer on without preparation.
The specific question: is member data — demographics, engagement history, event attendance, content consumption — being used to train the AI tools your staff is running? The answer depends entirely on which tools and which tier. Free-tier tools have historically contributed usage data to model improvement. Enterprise tiers with data processing agreements have not. Most associations are running a mix of both, often without knowing which is which.
ASAE’s March 2025 framing from Davis and Shermanski is worth reading directly: “decades of collected member data can now power AI insights to enhance organizational efficiency and product development — this raises critical questions about member expectations and consent.” That framing is right. Your members gave you their data to run the membership. They did not explicitly consent to that data training a third-party language model. Whether that’s a legal problem depends on your privacy policy. Whether it’s an ethical problem depends on what your board thinks your member relationship is worth.
The policy implication: either move any tool that touches member data to an enterprise tier with a data processing agreement, or draft explicit notification language explaining what member data is used for. Both are defensible positions. Running free-tier tools on member data without a policy is not.
Build a disclosure standard for AI-generated content
If your newsletter is partly written by AI, do you have to say so? The honest answer right now is: it depends on how AI-generated it is and what claims it makes.
FTC guidance on deceptive advertising applies to association communications. If an AI-generated member communication is misleading — about the source, about personalization that isn’t actually personalized, about recommendations that reflect algorithm outputs rather than human curation — you have a compliance exposure. ASAE has not yet issued a binding disclosure standard for member communications. But member expectations are ahead of policy.
The practical standard: disclose when content is primarily AI-generated, disclose when AI is making personalized recommendations to or about specific members, and do not use AI to impersonate a named staff member or volunteer voice without their review and approval.
What the board actually wants here isn’t a rule that stops AI use. It’s a standard they can point to if a member asks why their newsletter reads differently than it used to.
Assign ownership before the board meeting, not during it
The single most useful thing you can do before the board asks about AI governance is name the person who owns it. Not a committee. A person.
The options: your existing IT director or communications director, if AI governance falls within their current accountability. A data privacy officer, if your organization has one. An outside advisor, if the expertise doesn’t exist internally. What matters is that the board gets a name, not an org chart section.
The questions that name needs to be able to answer: Who reviews requests for new AI tools before they’re deployed? Who handles a member complaint about AI-generated content? Who monitors member communications generated or influenced by AI for bias or error? Who schedules and runs the annual policy review?
Boards that ask “who is responsible for AI governance?” and receive “it depends on the use case” as an answer will escalate the question. Boards that receive a name — and a defined scope — can move forward.
This kind of digital governance question sits alongside the broader operational structure of your digital presence. If you’re still building that foundation, the association website design work often surfaces the same data and governance gaps the AI policy conversation will later expose.
Four things most AI governance guides skip
AI note-taking in member spaces is a live problem right now, not a future risk. Staff and volunteers are running AI meeting summarizers in board and committee settings without any policy framework. ASAE’s 2025 article names this directly. The governance question isn’t whether to permit it — it’s whether the organization has established explicit confidentiality expectations for those meetings, whether volunteers know their discussions may be summarized by an AI tool, and whether that summary is stored on a vendor server you don’t control.
Vendor AI is not the same as your AI. When your AMS vendor adds AI-powered member segmentation or engagement scoring to the platform you already run, their privacy policy governs what happens to member data — not yours. You did not choose to deploy AI; it was added to infrastructure you already had under a contract you signed before the feature existed. Before your board asks whether the association’s AI use is governed, you need to know which AI is already running under vendor agreements.
Bias in member communications is a governance question, not a technology problem. If your AI tool segments or prioritizes member outreach — deciding which members see which content, which renewal reminders go to which segments — those decisions embed assumptions. Assumptions that can produce differential outcomes across member cohorts based on geography, membership tier, or engagement history. This is the kind of thing that generates a complaint to the board rather than to staff.
The policy you write today needs a review date built in. AI capabilities are changing fast enough that a governance document written in 2026 will be partially obsolete by 2027. Build a review trigger into the document from the start: an annual review minimum, plus a review when a new category of AI tool is adopted, when ASAE issues significant updated guidance, or when a vendor adds AI features to a platform that already has access to member data.
If you’re ready to assess where your association stands across these dimensions, the AI Readiness Audit is where to start. It covers the governance gaps, the data exposure questions, and the board-facing framework your marketing and communications team needs to answer the questions that are already on the agenda.
Frequently Asked Questions
What should an association AI policy include?
A minimum viable association AI policy covers: an approved tools list, data categories those tools are permitted to access, the approval process for new AI tool requests, the disclosure standard for member-facing AI-generated content, and the named person or role responsible for AI governance oversight. More comprehensive policies add bias monitoring requirements, vendor AI audit procedures, and a scheduled review cycle.
Does an association have to disclose when content is AI-generated?
There is no binding association-specific disclosure requirement as of 2026. FTC guidance on deceptive advertising applies if AI-generated content misleads about its origin or nature. The practical standard: disclose when content is primarily AI-generated, when AI is generating personalized content about specific members, and when AI is producing content under a named staff member’s byline without their substantive review.
Can associations use member data to train AI models?
This depends on the tools in use and the tier of service. Free-tier AI tools have historically used data for model improvement unless users opt out. Enterprise tiers with data processing agreements exclude customer data from training. Associations should audit which tools touch member data and confirm whether those tools operate under a data processing agreement. Using member data for AI training without explicit disclosure raises consent questions boards are right to ask about.
How do associations prevent bias in AI-generated member communications?
Prevention starts with knowing which member-facing decisions AI is influencing: content segmentation, renewal reminders, event recommendations, email personalization. For each, identify the data inputs the AI is using and whether those inputs could produce differential outcomes across member cohorts defined by geography, membership tier, or engagement history. Build human review into any AI process that targets specific member groups rather than the full membership.
What board governance questions should associations ask about AI?
The National Association of Corporate Directors identifies four categories: Does the board have adequate expertise to oversee AI use? Is there budget for monitoring and auditing AI tools? Have AI vendors been evaluated for responsible practices? Has the organization’s insurance coverage been reviewed for AI-related risk? The association-specific addition: Who is the named responsible party for AI governance, and what authority do they have to require or refuse specific tool adoptions?
How often should an association review its AI policy?
At minimum, annually. Also review when the organization adopts a new category of AI tool, when ASAE issues significant updated guidance, when a vendor that has access to member data adds or modifies AI features in their platform, and when a member or staff complaint surfaces a gap in the existing policy. The review should include checking whether the approved tools list reflects current use and whether the disclosure standard still matches member expectations and regulatory guidance.