As we looked at our AI use, the perspectives of our colleagues and clients, the work we do now and the work we anticipate doing in the future, we felt it important to both create a clear permission structure and guardrails around AI use at our firm and ensure that our values are well represented in how we leverage these new incredible tools. We also felt that it was important to share those values and how they align with our use and our perspectives around AI. As our clients look for guidance, use-cases and high value opportunities with this technology, we want to share what we’ve been working on in those areas and how our values relate to this technology.

First, we think it’s important to acknowledge the myriad of risks of AI – the risks to our planet, our economy, our society and neighbors and the potential existential risks AI poses for all of us. We see and share the same news around the individuals and companies largely shaping this future and we share many of the same concerns. We also believe that opting out of that discussion and the underlying technology is not wise, and understanding how these tools work allow us to continue to deliver our mission more fully while also doing our part to mitigate some of the risks of this technology.

When we sat down to write CTG’s AI Use Policy 12 months ago, we started from a different place: What do we owe the organizations we serve and the communities they serve when it comes to how we use these tools? The answer to that has shaped our policies and practices and we hope that by sharing that process, it builds trust and creates openness for the work that follows. As we reflect upon the last 12 months of AI use

We use AI. Here’s how.

Let’s start with the obvious: CTG uses AI in its work. Our team uses it to support our deliverables, to draft and refine documentation, to accelerate research, to brainstorm approaches to complex problems, to support code development and debugging and to synthesize large volumes of information. These are real, practical applications that help us work more effectively.

We don’t use AI as a shortcut. We use it the way a skilled tradesperson uses a power tool, it makes certain work faster and more precise, but only in the hands of someone who already knows what they’re doing. Using a table saw doesn’t make you a carpenter.

We also understand the limits of our own skills, what AI is capable of and what is hype vs. reality. We share best practices around context management, prompting strategies, and tooling. We encourage our staff to incorporate AI into their existing workflows, we don’t mandate usage or focus on “tokenmaxing” to drive arbitrary productivity goals.

We believe these distinctions matter because nonprofit technology space serves organizations whose work directly affects real human lives. CDFIs making lending decisions. Health organizations managing patient services. Foundations distributing resources to underserved communities. The margin for error is real, and the consequences of getting it wrong land on the people with the least room to absorb them.

The commitments we make to our clients

There are three core elements of our internal policies and practices that we believe are genuinely forward-looking positions that align with our long-standing values. These are not entirely novel concepts, but we are focused bringing them to the table and operationalizing them in this changing technology landscape.

1. Client data does not train AI models

CTG has made a firm and organizational commitment: client information shared with us will not be used to train AI models. Not ours, not our vendors’, not anyone’s. We have reviewed all of our vendor agreements for language that gives overly broad data access or explicitly outlines training LLM’s with our (or our client’s) data.

This isn’t just a sentence in a policy document. It’s an evaluation criterion that governs every tool we consider adopting. Before any AI-powered software enters our workflow, we require written confirmation that user and customer data is excluded from model training. If a vendor can’t provide that assurance, or if their terms allow data sharing with third parties that train models, we walk away.

We think every technology services firm working with nonprofits should make this commitment. The data our clients share with us often describes vulnerable communities: their financial circumstances, their health conditions, their housing situations. That information deserves protection that goes beyond compliance.

2. Expertise comes before the tool.

Our policy requires that anyone using AI to support their work must have documented expertise in the domain where they’re applying it. This is a meaningful constraint and we mean it literally.

The logic is straightforward: if you can’t evaluate the quality of an AI’s output, you can’t use it responsibly. An admin can use AI to help understand code (but not write or deploy it), but a senior developer must review it before it’s ever deployed to any environment. A consultant can use AI to draft a summary, but someone who understands the source material must validate it.

This is our answer to the industry’s “human in the loop” talking point, which often amounts to a human who rubber-stamps output they don’t fully understand. We’re not interested in a human in the loop. We’re interested in a qualified human with accountability for the result.

3. Bias vigilance is not optional.

AI systems reflect the data they were trained on, and that data reflects a society with deep structural inequities. When you’re building technology for organizations that serve communities affected by those very inequities, and we are, the risk isn’t theoretical.

Our policy requires heightened scrutiny of AI outputs in any work that touches underserved or marginalized populations. If an AI output reflects harmful bias or could contribute to discriminatory outcomes, our team is trained and expected to catch it, flag it, and reject it. This isn’t just a line in a policy, – every single staff member at CTG has completed coursework around AI ethics.

What we’ve learned about governance that works

Writing a policy is one thing. Making it functional across a team of professionals with different roles, different tools, and different clients is another. Here’s what we’ve found works.

• Classify before you prompt. Our policy is grounded in a core understanding of where sensitive information lives and what is and is not acceptable context for use with AI. Every team member is expected to know which tools and data is acceptable for use before they open an AI tool. We are also working to operationalize this by integrating “safe” information with our LLMs to make the right approach the easy approach. This sounds basic. It has prevented more problems than any other single measure.
• Draw a clear line between embedded and standalone tools. AI features built into software we already use, carry different risk profiles than standalone tools accessed independently. We evaluate them differently, approve them differently, and monitor them differently. Most policies we’ve seen don’t make this distinction, and it creates confusion.
• Govern the agentic layer explicitly. AI coding agents or other AI-assisted automation that can autonomously create, modify, or delete code and data across multiple files or systems a fundamentally different category of tool than a chatbot that suggests autocomplete. Our policy requires that agentic AI sessions are actively monitored by a qualified developer at all times, and that these tools never run against production or shared environments. The industry hasn’t fully caught up to the governance implications of agentic AI, and we’d encourage every organization to start thinking about it now.
• Make transparency the default. Broadly disclose our AI use. We don’t wait for clients to ask, every kick-off and introduction will outline how we use AI in our work. Clients are always free to ask to what level AI was used to create or manage a deliverable. Clients appreciate knowing how their work is being done. The organizations that hide AI involvement are creating a trust deficit they’ll eventually have to repay.
• Respect your clients’ policies alongside your own. Some of our clients have their own AI restrictions. Our team is expected to understand and follow those requirements. When a client’s policy is more restrictive than ours, the client’s policy governs.

We’re always ready to have a conversation

This technology is incredibly powerful and improving rapidly and the pressure to adopt and maximize their usage is real. However, the clients we work with and the communities they serve don’t deserve to be anyone’s beta test.

We wrote this policy because we believe the organizations serving those communities deserve technology partners who have thought carefully about how AI fits into their work, how the technology landscape is shifting and who are willing to put those conclusions in writing, attach their names to them, and be held accountable.

If you’re a nonprofit or social impact organization evaluating your own approach to AI, whether internally or through your technology partners, we’d encourage you to ask hard questions: Where does my data go? Who reviews the outputs? What happens when something goes wrong? What’s the commitment, and what’s just the marketing?

We’re always happy to share what we’ve learned. Reach out – we’ll buy the coffee.