ASU Lodestar Center Blog

Responsible AI: Security and privacy tips for nonprofits


Artificial intelligence is rapidly transforming how nonprofit organizations operate—from automating donor outreach to improving service delivery and analyzing program outcomes. But alongside these opportunities comes a new and evolving set of security and privacy risks that many nonprofits are not fully prepared to manage.

Why AI risk is different for nonprofits

Nonprofits occupy a unique position in the risk landscape. They routinely manage donor financial information, personally identifiable information (PII), health and social service data, and confidential program and grant records.

At the same time, many organizations lack dedicated cybersecurity teams or formal AI governance policies. This creates a gap between technology adoption and risk management, increasing exposure to both cyber threats and compliance issues.

70 to 76% of nonprofits lack a formal AI policy.

Why this matters: trust is everything

For nonprofits, a security or privacy failure is not just a technical issue—it’s a trust issue. A single incident involving donor or beneficiary data can undermine fundraising efforts, damage community relationships, weaken an organization’s reputation, and trigger legal and regulatory consequences. In a mission-driven sector, trust is one of the most valuable—and fragile—assets.

Top security risks

1. Data leakage through AI tools

AI platforms require users to input data to generate outputs. When staff unknowingly enter sensitive donor or client information into public AI tools, that data may be stored by the provider, used to train future models, and possibly exposed through integrations or breaches. Even well-meaning use—like drafting grant proposals or summarizing case notes—can result in unintended data leakage.

2. "Shadow AI" in the workplace

One of the fastest-growing risks is the rise of unsanctioned AI usage, often called “shadow AI.” Staff and volunteers may upload internal documents into AI tools, use AI for HR, finance, or case management tasks, or share sensitive data without approval. Because these tools operate outside the organization’s supervision, a nonprofit may lose visibility, control, and auditability.

3. AI-enabled cyberattacks

Cybercriminals are now using AI to make attacks more effective and harder to detect. Highly personalized phishing emails targeting donors or executives, automated social engineering campaigns, and AI-generated malware and exploit code are just some of the techniques attackers are using to infiltrate systems. For nonprofits, where trust-based communication is central, these attacks can be particularly damaging.

AI-enabled cyber attacks increased 89% in 2025 year-over-year.

4. Insecure AI systems

AI tools like ChatGPT, Claude, Grok, Gemini, or Copilot are already used by many nonprofits. But AI is also increasingly embedded in popular professional platforms relied on by these organizations, such as Zoom, Adobe, QuickBooks, Docusign, Webex, Grammarly, and more.

92% of nonprofits are already using AI-enabled tools in some form, according to the 2026 Nonprofit AI Adoption Report.

But not all AI is created equal. In the AI race, some platforms have pushed their AI tools to market with inadequate security protections, potentially exposing sensitive user data to the platform, creating an access point for hackers to the user, or risking unauthorized disclosures and breaches of the AI tools themselves.

The most pressing privacy concerns

1. Data retention and use

Large language models (LLMs) like ChatGPT and Claude, by design, collect and store massive amounts of data from users to improve the performance of their algorithms. Data may be stored indefinitely and shared across AI systems. When sensitive data is uploaded to AI, nonprofits may lose ownership and control over that data.

2. Confidentiality of donor and beneficiary data

Many nonprofits are bound by confidentiality requirements from donors and grantors as a condition of the award. Likewise, services provided to – and data collected from – beneficiaries are often subject to legal or contractual privacy requirements, particularly for healthcare, education, or legal services and services for minors or vulnerable constituencies. The failure of organizations to guard against disclosure of this data could result in a breach of contractual obligations or violation of state, federal, or international privacy laws.

3. Bias and errors

Bias in AI is often a reflection of human bias, whether a result of its inventors, the data collected from the Internet, or user input. This bias can, in turn, be embedded in the AI output. At the same time, AI models are trained to generate a response, but not necessarily to generate an accurate response. Known as AI hallucinations, these responses may include inaccurate or artificial data that, if relied upon by the user, could impact operational authenticity. These risks are not just technical—they can undermine a nonprofit’s mission and damage credibility.

The goal is not to avoid AI, but to adopt it responsibly. 

Tips for responsible use of AI

1. Establish clear AI policies

These written policies should clearly identify approved AI tools, define prohibited uses, and enumerate data handling rules. Approved AI tools should be licensed by the organization via organizational email accounts. AI policies should restrict use of personal AI accounts on organizational devices, and AI use should be monitored and audited for accuracy. Organizations should routinely review and update policies on AI usage.

2. Protect sensitive data

Organizations should avoid entering confidential or proprietary data into public AI tools. Nonprofits should also implement data classification and retention practices, and regulate employee and volunteer access to sensitive data.  

3. Train staff, volunteers and board members

Simply adopting an AI policy is not enough. Organizations should also implement routine training for staff, volunteers, and the board of directors. Board members should be active participants not only in the development of responsible AI policies but also in adhering to them. 

Final thoughts

Artificial intelligence offers powerful opportunities for nonprofits to increase efficiency and impact. But it also introduces new layers of cybersecurity and privacy risk that cannot be ignored. Organizations that succeed will be those that move beyond experimentation and build intentional, well-governed AI strategies—balancing innovation with responsibility.

This post was written by SecureAZ, a cyber-security nonprofit that is committed to strengthening cyber resilience for Arizona's small and medium businesses through innovative security solutions, education and leadership. SecureAZ is a proud sponsor of the ASU Lodestar Center's 2026 Spring Forum: Human-centered nonprofit leadership in the age of AI.

