These figures do not fully capture informal staff use, workarounds, or quiet experimentation within the organization. That pace creates a simple problem: practice is moving faster than governance. A Joseph Rowntree Foundation study focused on grassroots and non-profit organizations found that 73% of surveyed organizations do not have AI policies or guidelines in place (Ibison et al., 2024).

For civil society, this gap is not merely a paperwork issue; it cuts directly into confidentiality, safeguarding, accuracy, bias, and reputational trust. When a staff member pastes sensitive case details into a public AI tool, or publishes content built on a confident but inaccurate output, the organization does not simply lose efficiency; it risks the very people it exists to serve. The real question is no longer whether civil society organizations should use AI, because they already are. The more urgent question is how CSOs can build internal AI policies that protect people, uphold mission values, and still allow staff to work effectively. AI currently informs CSOs’ practices; however, the rules that govern its effective and ethical utilization often do not exist within these organizations.

For West African CSOs, this pressure can feel sharper. Digital maturity varies widely; many teams rely on cloud tools because infrastructure and budgets are tight, and civic work can be politically sensitive. TechSoup's (with cooperation from WACSI) Mapping insights point to a hard reality: many civil society organizations want to use AI, but 39% do not know how to ensure data privacy and security, and only 8% report having a policy in place for using AI.

This article offers a practical, human-centered, design-thinking approach to developing an AI policy that staff can understand and follow. It complements Hive Mind’s more detailed six-part guide by giving CSOs a faster way into the conversation. It gives an analysis of what to prioritize, what risks to manage, and how to translate responsible AI principles into everyday organizational practice. It focuses on the core areas CSOs need to address: data management, security, staff use of AI tools, risk mitigation, compliance with national regulations, and alignment with organizational values.

Minimum Viable AI Policy

A Minimum Viable AI Policy (MVAP) is not the final policy, but the first policy that works. It focuses on weekly staff decisions, not board statements approved once and never revisited. It accepts something many organizations avoid saying out loud: AI for social change only scales when social protection scales with it.

An internal AI policy is not a document, but a blueprint and decision-making system that gives an organization clarity on AI practice in real work. It is a series of design choices that shape how AI is adopted, used, monitored, and improved. At its core, the policy should be guided by human dignity, prevention of unfair harm, respect for people’s agency, accountability, and responsible innovation. In civil society, these are not abstract ideals; they sit behind safeguarding, confidentiality, and the credibility that keeps communities, partners, and funders engaged.

For CSOs, the first MVAP should begin with people and use: how staff engage with AI, how sensitive data is protected, and how AI-supported work remains safe, secure, and trusted. From there, it can evolve into a fuller governance framework covering risk assessment, procurement, accountability, monitoring, and alignment with organizational values.

AI Policy by Design: The Six-Step Design Thinking Method for AI Policy

A good AI policy should not begin with abstract rules. It should begin with how people work, the tools they already use, the risks they face, and the safeguards they need. The six-step method below uses design thinking to turn AI policy from a static document into a practical guide for responsible use.

Step 1: Map Real Use Cases, Not Imaginary Ones

This is the first key step to building a robust policy framework; skip it, and you will design a policy for an organization that does not exist. This step sits in the Discover and Define space of the Double Diamond (Design Council, n.d.) presented in the image below. It answers the question, “Who are we designing for and what are we trying to achieve?” See your staff, volunteers, and key stakeholders as end users, and treat your AI policy as your minimum viable policy (MVAP).

In practical terms, start where the real work is. Identify the AI tools people use or want to use, and the tasks they use them for. In many CSOs, AI supports communications drafting, translation, proposal writing, reporting, monitoring, research summarizing, and administrative support. Capture the tool used, the data it touches, who benefits, and what could go wrong.

You cannot govern what you have not mapped. Without that clarity, the policy becomes a document staff bypass in silence

Fig 1: “The Double Diamond”, Design Council. (n.d.). The Double Diamond. https://www.designcouncil.org.uk/resources/the-double-diamond/

Step 2: Identify People at Risk

Here you ask: “Who is the most at risk from our organization’s use of AI tools?” In civil society, that question is rarely neutral. Those at risk may include survivors, minors, vulnerable groups, staff, activists, whistleblowers, and community members. If harm is plausible, policy must add friction; in West African contexts, that friction protects both the organization and the community.

One practical way to protect people at risk is to classify AI data use into three levels: open use, restricted use, and prohibited use. Public information may support AI-assisted work; sensitive data should only be used in anonymised or summarised form, and high-risk data, such as names, locations, survivor case files, health details, legal status, or whistleblower information, should never be entered into public AI tools.

Step 3: Classify Data and Set Red Lines

Red lines mean boundaries and limits. After mapping use cases, classify your data in plain terms: public, internal, confidential, and highly sensitive. Public data may include approved website content, published reports, public campaign materials, and open research. Then define what must never go into public AI tools, such as identifiable beneficiary information, case notes, safeguarding reports, medical or legal details, security information, and whistleblowing content. If your policy is vague on red lines, staff will fill the gap with guesswork, and guesswork is where harm grows.

Step 4: Threat Model the Workflow

This is not about threat modelling the workforce; it is about threat modelling how work is done and where AI sits inside that work. Identify what could threaten your organization and the people it serves (Tabassi, 2023): data exposure, bias, inaccurate outputs, weak access controls, and unclear vendor practices.

Keep the language simple, but do not keep it shallow. If you cannot name the risks, you cannot control them. This is where risk-tier logic helps. Organizations should classify AI use cases as low, medium, or high risk and set clear rules for each. Low-risk tasks may use approved tools with basic checks; medium-risk tasks require approved tools and human review; high-risk tasks should not use public AI tools, but controlled processes with approval, sign-off, and records.

Step 5: Write Policy Controls That Match Risk

An organization’s AI policy is not one-size-fits-all. Once risks are identified, write controls that match them. These controls should state approved, restricted, and banned tools; when human review is required; what data can be used; when staff must pause or escalate; and what must be recorded for higher-risk uses. Approved tools may include writing assistants such as Grammarly, enterprise co-creation tools such as Microsoft Copilot or Gemini for Workspace, and collaboration or design tools that help staff draft, summarize, translate, organize, or design low-risk information. No tool should receive sensitive data, safeguarding records or information unless the organization has formally cleared such use.

Step 6: Test and Iterate

Pilot with one team, evaluate what works and what does not, and pay attention to where staff struggled or bypassed the process. Update after incidents and lessons learned. Remember: the goal is not to build for people; it is to build with end users in mind. Policies must align with ethical, national, and international expectations, but they also need to work in real life, because usability is what keeps policy alive.

A policy that cannot be used in practice will not be followed in practice. The most effective AI policies are those that staff can understand, trust, and apply consistently.

The AI Policy Guide

This AI policy guide below is not a fixed template, but a practical structure that organizations can adapt to their context, risks, duties, and mission. It should help staff understand what AI tools they may use, what data they must protect, when human review is required, and who is accountable when things go wrong.

1. Scope and definition: Define what counts as an AI tool, including chatbots, writing assistants, transcription tools, translation tools, predictive analysis systems, image generators, and AI features built into workplace software. Then state who the policy applies to: staff, volunteers, contractors, consultants, board members, and partners using AI on behalf of the organization.

2. Acceptable, restricted, and prohibited use: Set clear boundaries. Acceptable use may include drafting, summarizing, translation, research support, and administrative tasks with non-sensitive information. Restricted use should require approval or human review for public communications, safeguarding content, grant claims, or program decisions. Prohibited use should include uploading identifiable beneficiary data to public AI tools, generating deceptive content, or using AI for automated service decisions.

3. Data management, confidentiality, and security: State what data can and cannot be entered into AI tools. Cover data classification, anonymisation, retention, storage, approved tools, access controls, and basic security requirements such as work accounts, passwords, and multi-factor authentication.

4. Human review, accountability, and incident response: Require human review where AI outputs could affect people, reputation, safeguarding, legal duties, or compliance. State who reviews and signs off on different uses, and define AI incidents such as data disclosure, harmful outputs, false information, security breaches, or sensitive use of unapproved tools.

5. Compliance, procurement, and vendor governance: Connect the policy to data protection laws, confidentiality duties, safeguarding standards, funder requirements, and sector obligations. Before adopting AI tools, assess how vendors handle data, retention, deletion, model training, breach notification, and data location.

6. Staff capability, culture, and mission alignment: An AI policy only works when people understand it. Staff need guidance on safe use, prompt hygiene, fact-checking, source verification, and responsible judgement. Its use should protect dignity, respect consent, preserve agency, and align with the organization’s mission. To make this practical, organizations should run regular staff workshops and refresher training on approved tools, prohibited data, human review, escalation, and responsible AI use in everyday work.

Conclusion

In developing an organization’s AI policy framework, CSOs should start small: develop the first policy iteration, pilot it, and improve it. Legitimacy in civil society rests on trust, and AI governance is now part of how that trust is protected. In West Africa, the task is not to slow innovation, but to make sure AI use strengthens safety, accountability, and social protection. AI should be treated as a tool, not as evidence or authority.

Your Feedback Matters

What did you think of this text? Take 30 seconds to share your feedback and help us create meaningful content for civil society!


About the Author

Bolutito Ayobami Iyanda is a law, policy, and AI governance professional working at the intersection of technology, ethics, and human-centred innovation. She specialises in responsible AI, digital governance, and inclusive policy design, helping organisations build trustworthy, accountable AI systems that protect rights and improve public services.

References

Amar, Z., & Ramsay, N. (2025). Charity Digital Skills Report 2025. Charity Digital Skills Report. https://charitydigitalskills.co.uk/wp-content/uploads/2025/07/Charity-Digital-Skills-Report-2025.pdf

Design Council. (n.d.). The Double Diamond. https://www.designcouncil.org.uk/resources/the-double-diamond/

Ibison, Y., Guler, G., Remfry, E., Kherroubi Garcia, I., Barrow, N., & Duarte, T. (2024, July 8). Grassroots and non-profit perspectives on generative AI. Joseph Rowntree Foundation. https://www.jrf.org.uk/ai-for-public-good/grassroots-and-non-profit-perspectives-on-generative-ai

Tabassi, E. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0) (NIST AI 100-1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.AI.100-1

West Africa Civil Society Institute. (2023). Landscape mapping of civil society digital security in West Africa: Abridged version. https://wacsi.org/wp-content/uploads/2023/09/Landscape-Mapping-of-Civil-Society-Digital-Security-in-West-Africa-Abridged-version-V2.pdf

Disclaimers

This piece of resource has been created as part of the AI for Social Change project within TechSoup's Digital Activism Program, with support from Google.org.

AI tools are evolving rapidly, and while we do our best to ensure the validity of the content we provide, sometimes some elements may no longer be up to date. If you notice that a piece of information is outdated, please let us know at content@techsoup.org.