AI governance for charity trustees: what changed

Somewhere in your charity, someone is already using AI. The 2025 Charity Digital Skills Report found 76% of charities now using AI tools, up from 61% the year before — most commonly for administration, grant fundraising and communications. The same report found that only 22% had reviewed their governance to give trustees better oversight of AI, and only 23% had updated their risk registers. The distance between those numbers is the point: adoption is running well ahead of oversight, and the oversight is the board's job.

Nothing about AI suspends your duties as a trustee, and nothing in those duties prevents your charity using it. What changed in November 2025 is that the sector's benchmark for good governance now says so in terms: the revised Charity Governance Code lists "a policy for the use of technology and AI tools" among the evidence a well-governed charity can show. This playbook covers what your existing duties already required, what the updated Code adds, and what proportionate governance looks like for a board with no technology committee and no appetite for one. For the wider sector picture, see our page on AI governance for charities.

Key takeaways

• Your existing CC3 duties already govern AI: acting in the charity's best interests, the duty of prudence (avoiding "undue risk" to assets, beneficiaries or reputation) and acting with reasonable care and skill.
• The Charity Commission has said it will apply existing guidance to new technology rather than write AI-specific rules — and that decision-making must not be delegated to AI.
• The revised Charity Governance Code (November 2025) lists "a policy for the use of technology and AI tools" as suggested evidence under Principle 6, Managing resources and risks.
• The Fundraising Regulator's December 2025 guidance makes trustees "ultimately accountable" for AI used in fundraising, with a human check on accuracy, fairness and legality before AI content is used.
• Proportionate beats elaborate: a short policy, a named owner, a register of tools in use, clear data rules and human sign-off cover most of the risk at small-charity scale.

Your duties already covered this — the Commission has said so

The Charity Commission's core guidance, CC3, The essential trustee, sets out six duties. Three of them do almost all of the work on AI. You must act in your charity's best interests. You must manage its resources responsibly — which CC3 describes as the duty of prudence, requiring you to "avoid exposing the charity's assets, beneficiaries or reputation to undue risk". And you must act with reasonable care and skill, "making use of your skills and experience and taking advice when necessary". None of those duties mentions technology. All three reach it, because they are written around judgement and outcomes, not tools.

The Commission has confirmed this is how it sees the position. Its April 2024 blog on charities and artificial intelligence says it does not currently plan AI-specific guidance, preferring to apply existing guidance to new technologies as they emerge — the same approach it took with cryptocurrency. Two expectations in that post matter for boards. First: "Trustees remain responsible for decision making so given the consequences if incorrect advice is relied upon, it is vital this process is not delegated to AI." Second, the Commission expects human oversight to be in place to prevent material errors, noting that the human touch is central to how charities work with their beneficiaries.

This mirrors the wider UK position: there is no AI statute for charities to comply with, only existing duties applied by existing regulators — and the practical response is to build your own evidence against them, which we set out in how to build an AI governance framework. A trustee does not need to understand how a language model works any more than they need to be an accountant to oversee the accounts. Care and skill means asking competent questions and taking advice where the board lacks it.

Where AI is arriving in charities, and why the risks are different

The Charity Digital Skills Report maps where AI has landed. The top organisational uses in 2025 were administration and project management (48%), grant fundraising (36% — rising to 43% of small charities) and communications and fundraising (34%, almost double the year before). In practice that means appeal copy and supporter emails, first-draft grant bids, donor analytics and segmentation, and — the use trustees should watch most closely — triage of service-user enquiries.

Three features make the charity risk profile different from a company's.

Beneficiary data is the most sensitive data there is. Charities routinely hold information about health, disability, immigration status, debt and abuse — special category data under UK GDPR. Pasting case notes into a free public chatbot is a disclosure to a third party, and the ICO's guidance on AI and data protection applies in full. Where a tool starts making significant decisions about people — triaging who gets a service first, for instance — the new Articles 22A–22D of the UK GDPR, in force since 5 February 2026, preserve the right to human review and to contest the decision.

Funders and donors are owed accuracy. A fabricated statistic in a grant bid is a misrepresentation to a funder; an AI-invented detail in an appeal misleads donors. The Fundraising Regulator's December 2025 guidance on AI in fundraising is direct: trustees are "ultimately accountable" for their charity's AI use in fundraising, transparency should be risk-based — "the greater the risk of misleading donors, the more transparent you should be" — and a person should check the accuracy, fairness and legality of AI-generated content before it is used.

The charities leaning on AI hardest have the least governance capacity. Small charities lead the sector on AI-assisted grant fundraising, yet only 37% of them are developing an AI policy against 68% of large charities. NCVO's guidance on AI for small charities is sensible reading here precisely because it treats AI as something a small organisation can use well — provided someone is accountable for how.

What the 2025 Charity Governance Code actually says

The revised Charity Governance Code was published on 3 November 2025, restructured around eight principles. The wording that matters for this article sits under Principle 6, Managing resources and risks. In its list of suggested evidence and assurance — alongside a reserves policy, a fundraising policy, a whistleblowing policy and a board-approved risk register — the Code now includes: "A policy for the use of technology and AI tools." The same principle expects the board to ensure the charity complies with data protection law and to keep major and emerging risks under regular review.

Be precise about what that is and is not. The Code is voluntary and operates on an apply-or-explain basis; a technology and AI policy is suggested evidence of good governance, not a statutory requirement. But the Code is the sector's reference point for what good looks like — funders, auditors and the Commission all lean on it — so a board without such a policy should be ready to explain what it does instead. For most boards, writing the policy is less work than constructing the explanation.

A control set a small charity can actually run

Most charities cannot staff an AI committee, and the Code does not ask them to. The Code's own framing is that policies and practices should be tailored to the charity's size and complexity. For a board that meets six times a year with no technology specialist, five controls are proportionate:

1. A one-to-two-page policy. Which tools are approved, which uses are prohibited, who approves new tools, and when AI use is disclosed. Our AI policy generator produces a draft sized to your charity that the board can amend and adopt.
2. A named owner. One trustee or the CEO holds AI oversight as part of an existing role. A name in the minutes, not a new committee.
3. A register of tools in use. Ask staff and volunteers what they already use before writing rules — unsanctioned use is the norm, and you cannot govern tools you do not know about.
4. Data rules with one bright line. No identifiable beneficiary or donor information goes into any tool that has not been assessed for it, and anything touching service-user data gets a data protection impact assessment first.
5. Human sign-off. No AI-drafted content reaches donors, funders or the public unchecked, and no decision about a person — triage, eligibility, prioritisation — is made by AI alone.

Add a line to the risk register, owned and reviewed at each meeting cycle. The whole set costs hours, not budget, and it generates exactly the evidence the Code asks boards to show.

A checklist for your next trustee meeting

• Where is AI already used in our charity — including unofficially?
• Has any beneficiary, service-user or donor data been put into an external AI tool? Under what safeguards?
• Do we have a technology and AI policy, as the 2025 Code suggests? Who owns it?
• Is AI on the risk register, with an owner and a review date?
• Who checks AI-drafted fundraising and grant material before it goes out, and would that check satisfy the Fundraising Regulator's guidance?
• Are any decisions about people automated, and can those people get human review?
• What would we say publicly, within 24 hours, if an AI tool mishandled beneficiary data?

If the answers are thin, our free Board AI Scorecard turns these questions into a structured assessment you can table at the meeting.

The asymmetry trustees should price in

A charity's most valuable asset does not appear in its accounts. Donors give, funders grant, volunteers turn up and beneficiaries confide because they trust the organisation — which is why the duty of prudence names reputation explicitly. AI's gains and its failures are not symmetrical. The gains are incremental: hours saved on drafting, bids submitted faster. The failures are step-changes: beneficiary case notes surfacing in a tool's training data, an appeal built on an invented story, a vulnerable person triaged away from help by a system nobody supervised. Six in ten charities told the Digital Skills Report they were worried about the implications of AI use. The instinct is sound — but the right response is governance, not abstinence, and the worst position of all is the current sector default: heavy use, thin oversight.

November 2025 did not change your duties. It named the evidence. A policy, an owner, a tool register, data rules and a human check — a competent board can stand all five up within one trustee cycle — and each is something you can show when a funder, regulator or journalist asks how your charity governs AI.

Last reviewed: 12 June 2026.

---

If your board wants an outside eye on this, our AI governance diagnostic (from £3,950) maps your charity's actual AI use against your duties and the 2025 Code, leaving you with the evidence set above. Start with the free Board AI Scorecard, or read how we work with the sector on our AI governance for charities page.