
There is a version of this conversation that plays out in almost every leadership team I speak with. The CEO or Executive Director says something like: "We're not really using AI yet. We're still figuring out our approach before we commit to anything."
Then I ask a few questions: Does your communications team use any writing tools? Does anyone on staff use Grammarly, Notion AI, or Canva's AI features? Has anyone drafted a report or a social post in ChatGPT? Does your CRM, your project management tool, or your email platform have AI features that are switched on by default?
By the time we've worked through the list, it becomes clear that the organisation is already using AI. In at least four or five different ways, across multiple teams, without a formal policy, without data governance, and without anyone in leadership having made a deliberate decision about any of it.
This is the reality of AI adoption in most organisations right now. It is not a future event. It is a current state. And the gap between "we're figuring out our approach" and "this is already happening without us" is where organisational risk quietly accumulates.
Leaders are accustomed to being the decision point for significant operational changes. A new technology platform goes through procurement. A new vendor relationship requires sign-off. A strategic shift gets debated at board level.
AI adoption does not work this way, particularly for the consumer-facing AI tools that are already embedded in daily workflows. These tools are cheap or free, accessible from any personal device, and indistinguishable in their interface from the productivity tools your team has always used. No procurement process catches them. No IT security review flags them unless you are specifically looking. No one submits an expense claim for a ChatGPT subscription.
The decision your team is making — right now, individually, informally — is not "should we use AI?" It is "which AI tool should I use for this task, and what should I put into it?"
In the absence of a policy, each person is making that decision based on their own risk tolerance, their own understanding of data privacy, and their own interpretation of what the organisation's standards require. That is not a governance framework. It is a lottery.
Let me be precise about the categories of risk, because they are not all equal in urgency.
Data protection and confidentiality. When staff use consumer AI tools, free accounts on public platforms, to draft content containing organisational data, that data is frequently used to improve the AI model. Depending on the platform, it may also be reviewed by human staff for quality assurance purposes. For an NGO that handles beneficiary data, or a B Corp working with commercially sensitive partner information, this is not a theoretical risk. It is an active one.
Under GDPR, the organisation, not the individual employee, bears responsibility for how personal data is processed. If a staff member uploads identifiable beneficiary information to an ungoverned AI tool, and that data is subsequently mishandled, the organisation's accountability does not depend on whether leadership knew it was happening.
They are responsible regardless.
Reputational integrity. AI tools generate content based on patterns learned from vast training datasets. They do not know your organisation's specific context, your commitments to particular stakeholder groups, your historical positions on sensitive issues, or the nuances of the communities you serve. Content generated without that context can misrepresent, oversimplify, or inadvertently conflict with positions your organisation has publicly taken.
In a commercial organisation, a tone-deaf piece of AI-generated content is an embarrassing correction. In a purpose-driven organisation whose credibility depends on authentic relationships with communities and funders, it can be significantly more damaging.
Intellectual property. The content your communications team produces — your impact narratives, your programme frameworks, your methodologies, your messaging — is organisational intellectual property. When that content is processed through ungoverned AI tools, the IP protections that govern it become unclear. This is a developing area of law, but the uncertainty itself is a risk that most purpose-driven organisations have not yet assessed.
Before deciding what your AI governance framework should look like, it helps to get honest about where you currently are. Three questions:
1. Do you know which AI tools are currently being used in your organisation, by whom, and for what?
If the answer is "not really," you have a visibility problem. You cannot govern what you cannot see. A practical first step is a simple, anonymous staff survey, not to call people out but to understand the actual landscape of AI use across your organisation.
2. Do you have a written policy for AI use in communications?
Not a general technology policy, a specific communications AI policy. If the answer is no, or "we have something, but it's vague," your team is operating without clear guidance. In the absence of explicit policy, staff default to informal norms and individual judgment, which means your risk profile varies by person.
3. Do you know what data your approved AI tools process, and where it goes?
Most leaders have not reviewed the data processing terms of the AI tools their teams use. This is understandable. These terms are complex and frequently updated. But it is important. The difference between an enterprise AI account with data processing agreements and a free consumer account is not just about features. It is about accountability, data residency, and the legal basis for processing organisational information.
AI governance does not need to be elaborate to be effective. The organisations that handle this best are not necessarily the ones with the most sophisticated policies. They are the ones that have made clear, practical decisions and communicated them consistently.
The essentials:
A written communications AI policy that covers approved tools, prohibited uses, data handling requirements, and content review expectations. It should be short enough to be read, specific enough to be followed, and reviewed at least annually.
Approved enterprise accounts for the AI tools your team uses most frequently. Enterprise accounts provide data governance, access controls, and audit trails that free accounts do not. They are not expensive relative to the risk they mitigate.
Clear guidance on content types. Not all content carries the same risk. Drafting a social media post about an upcoming event is categorically different from drafting a board report that includes financial projections. Your policy should reflect that distinction.
A review requirement for AI-assisted content. All AI-assisted content should go through the standard editorial review process before publication, so that it remains subject to the quality controls and accountability structures that protect your organisation's integrity.
Training and communication. The policy is only useful if your team knows it exists and understands what it means for their daily work. A practical, focused team session is usually sufficient.
Here is the thing about AI governance that often gets lost in conversations focused on risk: the goal is enablement rather than restriction.
The organisations that govern AI well are not the ones that have slowed down AI adoption. They are the ones that have made AI adoption sustainable, so that their teams can use these tools confidently, consistently, and at full speed, without the organisation absorbing hidden risk with every piece of content produced.
The question is not whether your organisation will use AI. That decision, in most cases, has already been made, just not by you.
The question is whether you will build the infrastructure that makes it safe, strategic, and genuinely valuable. Or whether you will continue to let it happen informally, and deal with the consequences when they eventually surface.
Alive Communication designs AI governance frameworks as a core component of every Communication Operating System. If your organisation is ready to bring structure, safety, and strategic value to its AI adoption, book a strategy call to explore where to start.
