This AI governance checklist for charity trustees should do three things: make the board decide which AI uses are permitted, require evidence for data, fundraising and beneficiary controls, and record who owns review, escalation, human sign-off and incident response.
Use it as a board paper, not as a technology project. It deepens the sector position set out in our AI governance for charities page and the related article on AI governance for charity trustees, which explains why the 2025 Charity Governance Code has made the evidence question harder to ignore.
Key takeaways
- Charity AI governance starts from existing trustee duties: best interests, responsible resource management, reasonable care and skill, and accountability to the charity's purposes.
- The Charity Commission's AI position is practical: trustees remain responsible for decisions, so material judgement should not be delegated to an AI system.
- The 2025 Charity Governance Code names "a policy for the use of technology and AI tools" as evidence under Principle 6, Managing resources and risks.
- The 2025 Charity Digital Skills Report found charity AI use running ahead of formal oversight, including risk-register and governance updates.
- The right checklist leaves evidence: an inventory, a policy, data rules, fundraising checks, human review, risk-register entries and minutes that show board judgement.
Who this applies to
This checklist is for trustee boards in England and Wales that already have staff, volunteers or suppliers using AI for administration, grant drafting, fundraising, communications, research, supporter analysis or service triage. It is also useful where the board suspects AI use but has not yet asked for an inventory.
It is not a ban on AI. The Charity Commission's core trustee guidance, CC3a, The essential trustee, is framed around judgement, not tools. Trustees must act in the charity's best interests, manage resources responsibly, act with reasonable care and skill, and ensure the charity is accountable. AI falls inside those duties whenever it affects money, data, reputation, beneficiaries or public trust.
The trigger for board attention is not the model name. It is the use case. A tool drafting a neutral internal agenda is different from a tool reading beneficiary notes, scoring grant eligibility or writing a donor appeal. The board's job is to set the boundary, approve the evidence it expects, and make sure someone reports exceptions back to trustees.
What trustees need to decide
The trustee board should make five decisions before adopting or expanding AI use.
- Which uses are allowed. Low-risk drafting and summarisation may be permitted with human checking. Uses involving beneficiary data, donor profiling, eligibility, safeguarding or complaints need a higher approval route.
- Which uses are prohibited. A bright line helps staff and volunteers. For example: no identifiable beneficiary, service-user or donor data in public tools unless the tool has been assessed for that purpose.
- Who approves new tools. A named owner should check the supplier, data terms, use case, risk rating and review date before a tool moves from trial to routine use.
- Where human sign-off is mandatory. The Charity Commission's April 2024 AI post says decision-making remains with trustees. The operational rule should be simple: AI may assist a person, but it should not be the final decision-maker on a person's access to help, a public claim, a fundraising message or a regulatory submission.
- What evidence comes to the board. Trustees should see a short report: tools in use, incidents, high-risk uses, data-protection checks, fundraising checks, policy breaches and actions taken since the last meeting.
The board does not need to understand every model architecture. It does need to know where AI enters the charity, what it can affect, and what proof exists that controls are working. For wider policy design, link this checklist to your UK AI policy rather than leaving it as a stand-alone note.
AI governance checklist for charity trustees
Take this checklist to the next trustee meeting and minute the answer to each point.
| Check | Board question | Evidence trustees should ask for |
|---|---|---|
| Inventory | Where is AI already being used by staff, volunteers, trustees and suppliers? | Tool register with use case, owner, data type, supplier and review date |
| Purpose | Does each use support the charity's purposes and best interests? | Short rationale in the register or board paper |
| Data | Does the tool process personal, special-category, beneficiary or donor data? | Data-protection screen, DPIA where needed, supplier terms and retention notes |
| Fundraising | Could AI-generated material mislead donors, funders or grant makers? | Human review log for accuracy, fairness, source checking and disclosure decisions |
| Decisions about people | Could the tool influence eligibility, priority, safeguarding, complaints or case handling? | Human decision record, override route and appeal or complaint route |
| Transparency | Do affected people need to be told AI is involved? | Approved disclosure wording and a record of where it appears |
| Risk register | Is AI recorded as an operational, data, fundraising or reputational risk? | Risk-register entry with owner, rating, controls and review cadence |
| Incidents | What happens if a tool exposes data, invents a claim or makes an unfair recommendation? | Incident route, escalation owner and draft communications line |
| Review | When will trustees revisit the policy and the live inventory? | Board calendar item, dated action log and minutes |
Treat "not applicable" as an answer that needs evidence. A charity with no beneficiary data in AI tools should be able to show the inventory and staff instruction that make that statement true.
Controls, evidence and owners
The checklist is only useful if it leaves artefacts a trustee can inspect. The table below gives a proportionate evidence set for most small and medium-sized charities.
| Control | Minimum evidence | Usual owner |
|---|---|---|
| Technology and AI policy | Board-approved policy that sets out approved tools, banned uses, data rules, human checks and review dates | Trustee board, with CEO or senior manager |
| AI tool register | List of tools, use cases, owners, suppliers, data types, risk rating and next review date | Operations lead or digital lead |
| Data-protection screen | Record of whether personal data is used, whether a DPIA is required, and whether supplier terms permit the use | Data protection lead or senior manager |
| Fundraising quality check | Log showing who checked AI-assisted fundraising content for accuracy, fairness and lawful use before publication | Fundraising lead |
| Human review for significant decisions | Case note or workflow record showing a named person made the decision and could override the AI output | Service lead or safeguarding lead |
| Board assurance report | One-page summary of new tools, incidents, breaches, high-risk uses and overdue reviews | CEO or company secretary equivalent |
| Incident route | Named escalation route for data exposure, harmful output, misleading material or beneficiary impact | CEO, chair or safeguarding lead |
The board should approve the policy and then ask for the register. Many charities do the reverse in practice, because the inventory reveals what the policy has to govern. Either sequence is acceptable if the minutes show trustees understood the current use, set a boundary and named an owner.
How it maps to the Code, regulators and frameworks
This is the trustee translation layer. It connects the board's checklist to the external references a funder, auditor, regulator or journalist may ask about.
| Reference point | What it means for trustees | Evidence to keep |
|---|---|---|
| Charity Commission trustee duties | AI use must be consistent with charitable purposes, best interests, prudent resource management and reasonable care and skill | Board minutes, risk entry, approval rationale, advice taken where needed |
| Charity Commission AI position | Trustees remain responsible for decisions and should keep human oversight where AI creates material risk | Human sign-off record, escalation route, review of AI-assisted decisions |
| Charity Governance Code 2025 | Principle 6 includes a technology and AI tools policy as suggested evidence of good governance | Board-approved policy, annual review date, risk-register link |
| Fundraising Regulator AI guidance | AI-assisted fundraising needs human checks for accuracy, fairness, lawfulness and donor trust | Review log, source notes, disclosure decision, supplier checks |
| ICO AI and data-protection guidance | Personal data use needs lawful basis, fairness, transparency, security, accountability and a DPIA where risk requires one | DPIA, privacy information, processor terms, retention rule, data minimisation record |
| NIST AI RMF | Govern, map, measure and manage can be used as a simple control loop for AI uses | Inventory, risk rating, measures, review actions and residual-risk decision |
| ISO/IEC 42001 | For larger charities, the AI management-system logic can help turn policies, controls and review into a repeatable operating model | Internal management-system map, control owner list and assurance cycle |
The Charity Governance Code is not a statute, and the checklist should not pretend it is. Its value is evidential. If trustees can show the policy, the register, the risk entry and the human review trail, they can explain how they applied the Code and their legal duties in a proportionate way. For a fuller cross-sector structure, see our guide to an AI governance framework for UK boards.
Common mistakes, then the next step
Starting with the policy template. A policy written before the inventory usually misses the real use cases. Ask what staff and volunteers already use, then write the rules around that evidence.
Treating fundraising as low risk because it is "just content". The Fundraising Regulator's AI guidance focuses on accuracy, fairness, legality and donor trust. A fabricated case study, unsupported impact claim or undisclosed automated segmentation decision can damage trust quickly.
Putting personal data into tools before checking the terms. The ICO's AI and data-protection guidance should be read before any tool touches beneficiary, donor, volunteer or staff data. Public chatbot use is often the first control failure, because it feels informal.
Delegating the problem to one "AI trustee". A named lead helps, but the board still owns the decision. The lead can prepare the register and questions; trustees as a board approve the boundary and accept or reject the residual risk.
Reporting activity, not evidence. "We have an AI policy" is not assurance. A trustee should ask what changed after the last review, whether any breach occurred, which tool is overdue for review, and what decision needs board approval today.
Ignoring the adoption gap. The 2025 Charity Digital Skills Report found that 76% of charities were using AI tools, while much smaller shares had reviewed governance or updated risk registers. That gap is the checklist's purpose: make actual use visible before it becomes an incident.
For a light first pass, complete the Board AI Scorecard and take the output to the next trustee meeting. If you need a policy draft, use the AI policy generator and adapt it around your live inventory. If the board wants an evidence-led review of current tools, data, fundraising and decision points, the AI governance diagnostic maps the charity's actual use against trustee duties, the 2025 Code and the controls above.
Last reviewed: 18 June 2026.
Sources: Charity Commission, CC3a The essential trustee · Charity Commission, charities and artificial intelligence · Charity Governance Code 2025 · Fundraising Regulator, using AI in fundraising · ICO, guidance on AI and data protection · NIST AI Risk Management Framework · Charity Digital Skills Report 2025



