Most foundation boards approved an AI policy in 2024 or 2025 from a template they never modified. The template was usually written by a law firm or a sector association, presented as a one-pager, voted through in a single meeting, and filed. It satisfied the moment. It did not survive contact with deployment.
The problem with template policies is that they are written to satisfy auditors, not to operate the work. When the executive director sits down to actually apply the policy—to decide whether a program officer can paste a grantee’s narrative into Microsoft 365 Copilot, whether the communications lead can publish an AI-drafted blog post, whether a custom agent built on top of the grants database should be allowed to send email—the template does not answer. The staff fills in the gap with judgment. The judgment is uneven. The board does not know.
Below is a charter built from the work of deploying AI inside real foundations. It is yours to adopt verbatim, modify, or use as a starting point. The charter is offered without restriction; the only thing we ask is that you read the framing first, because the language matters more than the structure.
Why this exists
Template policies fail in deployment because they are written to satisfy auditors, not to operate the work. A real charter has to be four things at once: specific enough to enforce, flexible enough to amend, clear enough for the executive director to apply without calling counsel, and defensible enough for an outside review by funders, regulators, or an investigative reporter.
The structure below is one we have used as a starting point with several foundations. It is deliberately short—a long charter is an unread charter—and deliberately concrete. Adjust it for your context. The variables in brackets are the obvious customizations; the harder customization is the list of permitted and prohibited uses, which has to reflect your actual data classes and your actual operating model.
The charter
Adoptable charter
Artificial Intelligence Charter of [Foundation Name].
Adopted by the Board of Directors on [Date].
I. Preamble
The Board of [Foundation Name] recognizes that artificial intelligence is increasingly woven into the operating fabric of mission-driven organizations. This charter establishes the principles, boundaries, and accountability under which the staff of [Foundation Name] will deploy and operate AI in service of the mission.
II. Scope
This charter applies to all use of AI tools by [Foundation Name] staff and contractors, including but not limited to: large language models (e.g., Microsoft 365 Copilot, ChatGPT, Claude), AI-enabled productivity tools, custom AI agents, AI-assisted research tools, and AI-assisted creative tools.
III. Permitted uses
Staff may use AI tools, under the controls established by the Executive Director, for the following purposes. This list is illustrative and the Board expects the Executive Director to localize it for [Foundation Name]’s actual operations.
- Drafting board communications and grant memos, with human review before distribution.
- Summarizing public documents and meeting transcripts, with citation to the source material.
- Research on public funders, grantees, and peer organizations.
- Internal knowledge management, subject to compliance with the Foundation’s sensitivity-label policy.
- AI-assisted training of staff on the Foundation’s own materials.
IV. Prohibited uses
Staff may not, under any circumstances, use AI tools for the following purposes.
- AI-assisted grantmaking decisions without documented human review and explicit disclosure to the affected grantee.
- Exposing personally identifiable information of grantees, donors, or staff to AI tools that are not governed by the Foundation’s data protection controls.
- Drafting externally-published communications without review by the Communications lead or their designee.
- Deploying custom AI agents that act on external systems—sending email, updating records, moving funds, or interacting with grantees—without explicit Board awareness and a documented operating envelope.
V. Governance
The Executive Director, supported by the IT or operations lead, is accountable for the day-to-day operation of this charter. The Board’s [Audit, Risk, or Governance] Committee reviews adoption and incidents quarterly. Material incidents, defined in Section VIII, are escalated to the full Board within 14 days.
VI. Review cadence
This charter is reviewed by the Board at least annually, and amended when (a) the underlying technology changes materially, (b) the [Audit, Risk, or Governance] Committee recommends, or (c) the Executive Director identifies a gap in operation. The charter is a living document; the AI environment will change faster than annual review.
VII. The kill switch
The Executive Director, the IT lead, and the Board Chair each have the authority to immediately suspend any AI tool, agent, or workflow operating under this charter. The suspension does not require advance Board approval but must be reported to the [Audit, Risk, or Governance] Committee within 72 hours, with a written account of the trigger, the action taken, and the proposed path to resolution.
VIII. Material incidents
A material incident under this charter is any of the following.
- Any unauthorized exposure of grantee, donor, or staff personally identifiable information via an AI tool.
- Any externally-visible output produced by AI that the Foundation cannot defend on factual grounds.
- Any AI-driven grant recommendation that bypasses the documented review process.
IX. Signatures
Adopted by the Board of [Foundation Name] on the date below.
A charter is the boundary inside which the AI operates. The technical work, the staff work, and the partner relationship are how the boundary holds.
How to amend it for your organization
This charter is written as a starting line, not a finish line. In our experience, three amendments tend to come up first.
The biggest is tightening the prohibited uses when your data classes are particularly sensitive. A healthcare-aligned foundation will add HIPAA-bound language to Section IV and will usually expand Section VIII to define protected health information as a material-incident category. A foundation that holds donor-advised funds will add language about donor confidentiality. A foundation that funds advocacy work in contested jurisdictions will add language about the protection of grantee identity.
The second is increasing the review frequency when your operations move fast. Annual review is the floor; some foundations move to semi-annual review during the first eighteen months after adoption, when the AI environment and the staff’s use of it are both changing quickly.
The third is naming committees that do not yet exist. Most foundations under one hundred million in assets under management do not have an Audit, Risk, or Governance Committee as a separately constituted body. The Executive Committee or the Governance Committee usually absorbs the responsibility. Either is fine; the charter just needs to name the actual body that will do the work. Have your general counsel review before adoption.
What it doesn’t replace
A charter is the boundary; it does not do the work. Adoption is the start of the operating posture, not the end of it. To make the charter real, you still need:
- Operational implementation. The seven questions from "Before you enable Copilot" are the day-one work the charter assumes is in place. Permissions audits, sensitivity labels, conditional access, training, review loops, kill-switch readiness—none of these are charter language. They are charter prerequisites.
- Technical enforcement. Conditional access, Microsoft Purview sensitivity labels, audit logging, and data loss prevention policies do not enforce themselves. Someone has to configure them, monitor them, and tune them. A policy without enforcement is a posture without protection.
- Staff training. The charter is invisible to a staff member who does not know it exists. Adoption needs a communication plan, an onboarding update, and a refresher cadence.
- A relationship with a Managed Intelligence Provider (MIP) or equivalent partner. The technical layer, the audit posture, and the quarterly review are interdisciplinary work. The MIP model exists to operate it on behalf of organizations that should not be hiring an in-house AI governance team.
The charter is the easy part. The work the charter assumes is in place is the harder part. Both have to exist for either to matter.
Start a Discovery Sprint.
We adapt this charter to your foundation’s specific scale, data classes, and governance structure during a two-week Discovery Sprint. The deliverable is your own version, board-ready, signed-off internally, and paired with the operational and technical work the charter assumes.
Request a Frontier Briefing.
A 90-minute board-level session that walks the executive committee or full board through this charter in the context of your foundation. Suitable for use as the official adoption discussion.