AI Compliance for NGOs: How the EU AI Act Changes Nonprofit Work
How Nonprofits Should Control AI Use Before 2 August 2026
A few days ago, an NGO contacted me with a question: what should they do about the AI Act if they are not a technology company, but already use AI in their daily work?
I am publishing my reply.
Dear Mr. ***,
In your situation, I would not recommend treating the AI Act as a law that applies only to large technology companies. That is a common mistake.
Yes, your organisation does not develop its own AI system. However, if you use AI in your work — for example, to prepare texts, translations, social media content, grant applications, educational materials, volunteer selection, or to process incoming requests — you may still qualify as a deployer. In other words, you may be regarded as an organisation that uses an AI system under its own responsibility.
For an NGO, this is particularly important.
First, your organisation probably faces the same reality as many NGOs: limited budgets, small teams, and too many urgent tasks. That is why AI can look very attractive. It can help you prepare grant applications faster, translate documents, draft publications, respond to people, create presentations, and automate routine work.
But this is exactly why you need to be especially careful. AI should not become an «invisible employee» whom nobody supervises.
Second, NGOs often work with vulnerable groups: refugees, migrants, children, elderly people, people with low income, victims of violence, or individuals who depend on accurate information on important matters. An AI mistake in this context is not just a badly written text. It can become incorrect advice, a lost opportunity, a denial of assistance, or a serious loss of trust in your organisation.
That is why simply telling staff to “use AI carefully” is no longer enough.
I would recommend that you adopt an internal AI policy. This policy should describe which AI tools your organisation uses, who is allowed to use them, what data must not be uploaded into AI systems, who reviews the output, and in which cases the use of AI must be specifically recorded.
I would also recommend appointing a person within the organisation who is responsible for AI governance. This does not necessarily have to be a newly hired employee. However, there should be someone who understands where AI is being used in the organisation, what risks arise, who checks the materials, and where evidence of such review is kept.
Separately, I would conduct a short training session for employees and volunteers.
They need to understand a few basic rules: sensitive personal data must not be uploaded without a proper legal basis; AI-generated text must not be published without review. AI must not be used for decisions that may affect a person’s access to assistance, services, education, work, or another important opportunity without a separate risk assessment.
All texts created or substantially prepared with the help of AI should be reviewed by a human. This is especially important for legal information, social guidance, educational materials, public statements, materials intended for vulnerable groups, or texts concerning matters of public interest.
And here, it is important to be precise: it is not enough to say, «we checked it». It is better to record who reviewed the material, when it was reviewed, which sources were used, and what changes were made after the AI output was produced.
The same applies to images, audio, and video. If your organisation uses AI-generated or AI-manipulated visual, audio, or video content, especially in public communications, you should think about labelling and transparency in advance. In certain cases, the AI Act requires disclosure that content has been artificially generated or manipulated. For an NGO, this is not only a legal issue, but also a matter of trust.
I would pay special attention to grant applications. Many NGOs already use AI to prepare applications for subsidies and grants. In itself, this is not necessarily prohibited. However, you need to understand exactly how AI was used: did it only help structure the text, translate material, suggest wording, or did it effectively generate the substance of the application?
If a donor or grant provider requires disclosure of AI use, this should be done. If there is no such requirement, I would still recommend having an internal protocol: who prepared the application, which AI tool was used, for which part of the work, who checked the facts, the budget, the impact data, the legal statements, and the final version.
For an organisation with ANBI status, this is particularly important from a reputational perspective. An NGO exists on the basis of trust: the trust of society, donors, partners, the state, and the people it serves. Coming under the attention of a regulator because of chaotic AI use is not only a sanctions risk. It is also a risk of losing public trust.
You should also separately assess whether any of your AI use falls into the high-risk category. Not every use of AI by an NGO is high-risk. For example, using AI to draft a social media post is usually not the same as using AI to assess a person.
However, the risk becomes much higher if AI helps select candidates for employment or volunteer positions, allocate assistance, assess requests, prioritise cases, or influence access to education, social support, housing, consultation, or another important service.
In such cases, you need more than just a manual check. You need proper control: competent human oversight, monitoring of the system’s operation, clear instructions, log retention, and the ability to demonstrate why a particular decision was made.
As a minimum, I would recommend that your organisation:
prepare an AI inventory — a list of all AI tools used by the organisation
adopt an internal AI policy
appoint a person responsible for AI governance
train employees and volunteers
prohibit the upload of sensitive data without a separate legal basis
introduce mandatory human review for public-facing materials
keep a log of AI use in sensitive processes
separately assess high-risk scenarios
establish rules for labelling AI-generated content
retain evidence of review for at least six months, and for important processes, preferably longer
My main advice is this: do not ban AI, but put it under control.
NGOs value AI because it saves time. That is understandable. But after the AI Act, the key question will be different: can your organisation prove that it controls the process?
If the answer is «no», then the problem is not AI. The problem is the absence of governance.
Regards,
Dzhamal Statsenko
Legal and regulatory framework to attach to the letter
Regulation (EU) 2024/1689 — Artificial Intelligence Act
Article 3 AI Act — Definitions
Article 4 AI Act — AI literacy
Article 6 AI Act and Annex III — High-risk AI systems
Article 26 AI Act — Obligations of deployers of high-risk AI systems
Article 27 AI Act — Fundamental Rights Impact Assessment
Article 50 AI Act — Transparency obligations
Code of Practice on Transparency of AI-Generated Content



