Key Takeaways
- Artificial Intelligence (AI) governance is becoming a fiduciary, cybersecurity and compliance priority for private foundations managing sensitive data.
- Foundations should document approved AI use, restrict confidential data in public platforms and require human review for grants and financial reporting.
- Board oversight, staff training and vendor risk management help foundations address operational, reputational and data security risks tied to AI adoption.
Artificial Intelligence (AI) is no longer something private foundations can view as a future consideration. It is already embedded in many platforms and applications foundations use every day. From research tools and document drafting assistance to workflow automation and analytical support, AI capabilities are increasingly becoming part of normal business operations, often without foundations fully realizing the extent of their use.
For private foundations, the conversation around AI should not begin with whether the technology will be used. In many cases, it already is. The more important question is whether the foundation has established the governance, oversight and accountability necessary to ensure AI is being used responsibly and securely.
Much like cybersecurity several years ago, AI governance is quickly becoming an operational and fiduciary issue rather than simply a technology discussion.
Why AI Governance Matters
Private foundations routinely manage highly sensitive information, including donor records, grantee applications, investment information, internal deliberations and compliance-related data. AI tools, particularly publicly available or externally hosted platforms, may create unintended exposure risks if personnel input confidential or proprietary information into those systems without appropriate safeguards.
At the same time, AI-generated outputs may create reliability and compliance concerns if foundations rely too heavily on automated summaries, recommendations or analytical conclusions without adequate human oversight.
The foundations that navigate emerging technologies most effectively are rarely the ones that move the fastest. They are the ones that establish clear expectations, defined oversight responsibilities and practical controls before problems occur.
AI Usage May Already Exist Within Your Foundation
One of the challenges foundations face is that AI adoption can occur informally. Employees may independently use AI-enabled features within common software applications or publicly available tools to assist with drafting communications, summarizing information, preparing research or analyzing data.
In many foundations, leadership may not yet have full visibility into:
- What AI tools are currently being used
- What types of data may be entered into those systems
- Whether those tools retain or train on submitted information
- How AI-generated outputs are reviewed before being relied upon
- Which decisions should always require human evaluation and approval
This lack of visibility can create operational, compliance, reputational and cybersecurity risks that may not become apparent until after an issue arises.
Key Components of an AI Governance Policy
An AI governance framework does not need to be overly complex. However, it should be proportionate to the size and operations of the foundation. At a minimum, foundations should consider policies that:
- Define approved and prohibited AI use cases
- Require documented human review and approval for decisions involving grants, compliance or financial reporting
- Restrict the use of confidential or sensitive information within public AI platforms
- Establish oversight responsibilities and escalation procedures
- Incorporate cybersecurity and vendor risk management considerations
- Require documentation of AI-assisted processes and decision-making
- Provide staff training regarding responsible AI usage
- Include periodic review procedures as technology and regulations evolve
As with cybersecurity preparedness, the foundations best positioned to manage AI-related risks are often the ones that identify their gaps early and address them proactively.
Governance Is Becoming Part of Fiduciary Oversight
Boards of directors and trustees are increasingly expected to understand how emerging technologies may impact organizational risk, compliance and operations.
That does not mean foundation leadership must become technical experts in AI systems. It does mean they should ask informed governance questions, including:
- Do we know where AI is currently being used?
- Have we established acceptable use expectations?
- Are sensitive data protections clearly defined?
- Who is responsible for oversight and monitoring?
- Are employees receiving appropriate guidance and training?
These are governance discussions, not simply technology discussions.
A Practical Starting Point
For many foundations, the first step is not implementing advanced AI systems. It is establishing visibility and governance around the tools already being used within the foundation.
A practical initial approach may include:
- Identifying existing AI usage across departments
- Evaluating current data protection risks
- Developing an acceptable use policy
- Defining oversight responsibilities
- Implementing staff training and awareness procedures
- Periodically reviewing evolving regulatory and operational risks
Foundations do not need to eliminate innovation to manage risk responsibly. The objective is to ensure emerging technologies are adopted thoughtfully, transparently and in a manner consistent with the foundation’s fiduciary responsibilities and operational objectives.
We Can Help
PKF O’Connor Davies assists private foundations with evaluating and strengthening governance, risk management and cybersecurity practices related to emerging technologies, including Artificial Intelligence. Our multidisciplinary teams provide advisory services involving AI governance framework development, cybersecurity and privacy risk assessments, policy and control design, vendor and technology risk evaluations and governance consulting tailored to the operational needs of foundations. Whether your foundation is beginning to evaluate AI usage or looking to formalize oversight and controls, we can help organizations adopt practical and responsible approaches that align with their fiduciary and operational responsibilities.
Contact Us
We welcome the opportunity to answer any questions you may have related to this topic or any other accounting, audit, tax or advisory matters relating to private foundations. Please call 212.286.2600 or email any of the Private Foundation Services team members below:
- Thomas F. Blaney, CPA, CFE, Partner, Co-Director of Foundation Services, tblaney@pkfod.com
- Joseph Ali, CPA, Partner, jali@pkfod.com
- Scott Brown, CPA, Partner, sbrown@pkfod.com
- Anan Samara, EA, Partner, asamara@pkfod.com
- Christopher D. Petermann, CPA, Partner, Co-Director of Foundation Services, cpetermann@pkfod.com
- Elizabeth Gousse Ballotte, Partner, eballotte@pkfod.com
- Michael R. Koenecke, CPA, Partner, mkoenecke@pkfod.com