10. The Charity Governance Code and AI: What Actually Changed
- TSAI
- Jun 18

The Charity Governance Code was refreshed in November 2025. It was the most significant update since the Code was first published, and it changed more than most trustees realise.
This post explains what actually changed, what it means in practice for charities of different sizes, and — critically — what "good enough" looks like. Because the gap between "we haven't thought about this" and "we're meeting the standard" is smaller than you'd expect.
The headline changes
The 2025 Code moved from seven principles to eight, with a new Foundation Principle that makes explicit what was previously assumed: trustees must understand their legal duties, commit to learning, and always act in the charity's best interests.
The previous "Decision making, risk and control" principle was split into two separate principles — "Decision Making" and "Managing Resources and Risks." This wasn't cosmetic. It created space for a more detailed treatment of risk management, including digital and data governance.
"Diversity" became "Equity, Diversity and Inclusion," elevated to a standalone principle with stronger expectations around board-level EDI planning.
"Integrity" and "Openness and Accountability" merged into "Ethics and Culture," shifting emphasis from structures to behaviours — how boards work together, not just what policies they have.
And, most importantly for this series, the Code now explicitly recommends that charities have a policy for the use of technology and AI tools.
One structural change that affects smaller charities directly: the Code is now unified. The previous version had separate tracks for larger and smaller organisations. The 2025 version is scalable — one set of principles, applicable to all sizes using the "apply or explain" approach. This means the AI policy recommendation applies to every charity that adopts the Code, not just large ones.
What the Code actually says about AI
The Code doesn't devote pages to AI. It doesn't prescribe specific tools, processes, or governance structures. What it does is place technology and AI within the broader principle of managing resources and risks, and recommends that charities consider how they use AI and have appropriate policies in place.
This is deliberate. The Code is aspirational and principles-based — described by the Good Governance Institute as "evolution not revolution." It doesn't mandate specific actions. It sets out what good governance looks like and asks boards to either demonstrate they're meeting the standard or explain why they've taken a different approach.
For AI, this means:
The Code expects boards to be aware that AI tools are being used in their charity. Given that 88% of charities now use AI but only 3% of trustees know about it (as we explored in an earlier episode), most boards have a gap to close here.
The Code expects charities to have considered the risks. Not just data protection — though that's part of it — but reputational risk, accuracy risk, and the broader risk of technology adoption without governance.
The Code expects a policy to exist. Not necessarily a long or complex one — but something that demonstrates the board has considered the topic and put a framework in place.
What the Code does not expect: that every trustee understands how AI works, that the charity has an AI strategy, or that the board micromanages which tools staff use. Governance is about oversight, not operations.
What "good enough" looks like
For a small charity, meeting the Code's AI expectations requires four things. None of them is expensive or complex.
A policy exists. One page is enough. Name the approved tools, set data boundaries (our Green/Amber/Red framework from Episode 1), require human review of outputs, and name someone to report concerns to. If you've followed this series, you can write this in twenty minutes.
The board has discussed AI. This doesn't need to be a standing agenda item. One substantive conversation — "here's what staff are using, here's our policy, here's how we're managing the risk" — is sufficient. Minute it. That documented discussion is your evidence of compliance.
Technology appears on the risk register. Not a separate AI risk register. A line in your existing risk register that acknowledges technology use is being considered and managed. Something like: "Staff use AI tools for administrative tasks. Governed by AI policy [date]. Next review [date]."
The policy is reviewed periodically. The AI landscape is moving fast. A policy written in January 2025 may not cover tools or risks that emerged by December 2025. Annual review is the minimum; six-monthly is better for the next year or two while the technology and regulatory landscape stabilise.
That's it. Four things. For most small charities, the total time investment is under two hours.
What "good enough" doesn't look like
It doesn't look like a technology strategy document. The Code isn't asking small charities to develop an AI strategy — it's asking them to govern what's already happening.
It doesn't look like a trustee who's done an AI course and now wants to lead a digital transformation. The board's role is oversight, not implementation. Operational decisions about which tools to use and how to use them belong with the staff team.
It doesn't look like a dedicated AI subcommittee, a technology governance working group, or a digital officer appointment. These may be appropriate for larger charities. For a charity with a turnover under £500,000, they're disproportionate.
And it absolutely doesn't look like ignoring the topic because it feels too technical. The Plinth guide for trustees put this well: "Trustees who avoid the topic are not being cautious — they are failing to fulfil their governance duty." The Code doesn't ask you to be a technology expert. It asks you to govern effectively. On AI, that means knowing what's happening and ensuring a framework exists.
The broader picture: why the Code changed now
The AI recommendation didn't appear in isolation. The 2025 refresh reflects a wider recognition that governance must keep pace with how charities actually operate.
Boards now need to consider digital governance alongside financial, legal, and reputational governance. The Governance and Compliance Magazine framed it as: trustees must now oversee digital strategy, cybersecurity, and the ethical use of data and AI as strategic risks that affect trust and integrity.
The Charity Commission hasn't issued dedicated AI guidance and has indicated it doesn't plan to. But CC3 — The Essential Trustee — makes clear that trustees must make informed decisions, exercise reasonable care and skill, and act in the charity's best interests. These existing duties apply to AI decisions just as they apply to financial or staffing decisions.
The ICO's AI guidance is being updated following the Data (Use and Access) Act 2025, with a statutory code of practice on AI and automated decision-making in development. When that code arrives, charities will need to assess whether their AI use falls within its scope. Having a policy and a board-level conversation already in place means you're prepared, not scrambling.
Tying the series together
Over ten episodes, this series has covered the landscape of AI in the charity sector. We've looked at policy, grant reporting, trustee responsibilities, data protection, the skills gap, starting from zero, building the business case, what adoption actually looks like, and why equity matters.
Every episode has been grounded in the same evidence base — primarily the Charity Digital Skills Reports, ICO guidance, NCVO resources, the Charity Governance Code, and academic research on nonprofit technology adoption. And every episode has been designed to provide practical value at zero cost.
The thread running through all of it is this: AI is already happening in your charity. The question isn't whether to use it. The question is whether to use it well — with permission, with governance, with structure, and with an honest reckoning about who benefits and who gets left behind.
The Charity Governance Code now says this is a board-level responsibility. I agree. But I'd go further: it's a sector-level responsibility. Every funder, every infrastructure body, every consultancy (including ours), and every charity leader has a role in ensuring that AI adoption improves the sector rather than just accelerates it.
If this series has been useful, I'd ask two things. First, share it — with a colleague, a trustee, a CVS contact. The sector moves forward through people helping each other, not through top-down mandates. Second, take one step this week. Publish a policy. Try one task. Talk to your board. Start the free audit. Whatever your starting point, start.
Less admin. More mission. That's what this has always been about.