4. What Your Board Needs to Know About AI in 2026

This is written for charity trustees — but if you're a CEO or operations manager reading this first, feel free to forward it to your board. That's what it's for.

Where the sector stands right now

AI tools are being used in 88% of UK charities. That figure comes from the 2026 Charity Digital Skills survey, and it's risen sharply — from 61% in 2024 to 76% in 2025 to where we are now.

In most charities, this usage is informal. Individual staff members have found that AI helps them draft communications, structure reports, and handle admin faster. In many organisations, there's no policy, no shared approach, and the board hasn't been briefed. The staff aren't hiding it — it simply hasn't come up.

This matters for trustees because the governance landscape shifted in late 2025 in ways that make AI a board-level responsibility.

What changed

Two developments moved AI from "operational detail" to "governance agenda item."

First, the Charity Governance Code was refreshed in November 2025. This was the most significant update since 2017. Among several changes, the revised Code now explicitly recommends that charities establish a policy for the use of technology and AI tools. It also split the previous "decision-making, risk and control" principle into two — "Decision Making" and "Managing Resources and Risks" — with digital and data governance explicitly included in the latter.

The Code is aspirational, not regulatory. No one will fine you for not following it. But it sets the expected standard of good governance, and charities that adopt it are expected to either apply each principle or explain why they've taken a different approach. If your board hasn't discussed AI, you can't do either.

Second, the Charity Commission's guidance — The Essential Trustee — makes clear that trustees must make informed decisions. While the Commission hasn't issued specific AI guidance (and has said it doesn't anticipate doing so), it expects trustees to apply their existing duties to new technologies. If staff are using AI and the board doesn't know, that's an informed-decision gap.

What trustees need to decide

You don't need to become an AI expert. You need to be confident that three questions have been answered.

Question 1: Does the charity have an AI policy?

NCVO's position, in 2025, is that charities should "enable responsible use rather than prohibit all use." This is important because the instinctive response of a risk-averse board is often to ban AI. But bans are unenforceable — staff will use tools on personal devices regardless — and they prevent the charity from capturing genuine efficiency benefits.

An effective AI policy for a small charity doesn't need to be long. A page is enough. It should cover: which tools are approved for use, what types of data can and cannot be entered into them, who reviews AI-generated content before it goes external, and what staff should do if something goes wrong.

If your charity already has a policy, ask when it was last reviewed. AI tools and the regulatory landscape are changing fast — a policy written in early 2025 may already be out of date.

Question 2: Is beneficiary data protected?

This is the risk area where trustees have the clearest legal responsibility. Under UK GDPR, the charity is the data controller. If staff are entering personal data — beneficiary names, case notes, contact details — into a third-party AI tool, the charity has a data protection obligation regardless of whether the board authorised it.

The practical question for trustees isn't "do we understand AI?" — it's "do we know what data our staff are putting into these tools?" If the answer is "we're not sure," the first step is straightforward: ask. A brief conversation with staff about which tools they're using and what they're entering will tell you whether you have a problem or whether — as is the case in most charities — AI use is limited to low-risk tasks like drafting communications and summarising public documents.

The ICO's AI guidance is currently being updated following the Data (Use and Access) Act 2025, and a statutory code of practice on AI and automated decision-making is expected. Trustees should be aware that the regulatory framework is developing, even if it hasn't landed yet.

Question 3: Are we missing an opportunity?

Governance isn't only about risk — it's about stewardship. If AI tools can recover the equivalent of a part-time role in staff time through administrative efficiencies, and the charity isn't using them, that's a resource question the board should be asking about.

The employer National Insurance increase in April 2025 added significant costs across the sector. Budgets are tighter than they've been in years. Trustees have a duty to ensure resources are managed well, and that includes making informed decisions about tools that could help the charity do more with less.

This doesn't mean the board should be prescribing which AI tools to use. That's an operational decision. But the board should be satisfied that the executive has considered AI, has a view on where it could help, and is managing any associated risks. That's what governance looks like in practice.

What "good" looks like for a small charity board

For a charity with an income under £500,000, the Governance Code's AI recommendation doesn't require a lengthy policy or a dedicated committee. It requires evidence that the board has considered the topic.

In practical terms, that looks like:

An AI policy exists, even a brief one. It names the approved tools, sets data boundaries, and requires human review of outputs. (We covered how to write one in the previous post in this series.)

AI has appeared on a board agenda at least once. It doesn't need to be a standing item — but the board should have had a conversation, and that conversation should be minuted.

The board knows what tools staff are using. Not in technical detail — just the basics. "Staff use ChatGPT for drafting communications and reports. No personal data is inputted. Outputs are reviewed before use." That's enough.

The risk register includes technology. Not a separate AI risk register — just an acknowledgement within your existing risk management that technology use (including AI) is being considered. One line is sufficient.

What "good" doesn't look like

It doesn't look like a trustee who's done a personal AI course and now wants to overhaul operations. It doesn't look like a fifteen-page strategy document. It doesn't look like a special AI subcommittee.

And it absolutely doesn't look like ignoring the topic because it feels too technical. The Governance Code doesn't ask trustees to be technology experts. It asks them to govern effectively. On AI, that means knowing what's happening, ensuring a policy is in place, and being satisfied that risks are being managed. That's within every trustee's capability.

If you're a trustee reading this: raise AI at your next board meeting. Ask the CEO or operations lead three questions. Does the charity have an AI policy? What tools are staff using? Is any personal data being entered into them? The answers will tell you whether you're in good shape or whether there's work to do.

If you're a CEO or operations manager who's been meaning to brief your board: send them this post. It's written to be forwarded.

And if you want a ready-made trustee briefing document, complete with a governance checklist, board discussion prompts, and a policy template — that's what Module 4 of the Third Sector AI Toolkit provides. You can also start with our free AI Readiness Audit to get a clear picture of where your organisation stands before your next board meeting.