Two reports landed this spring that, read together, should change how association technology leaders talk about AI. The first, from Virtuous and Fundraising.AI, surveyed 346 nonprofits and found that 92 percent now use AI while only 7 percent report a real expansion in what their teams can accomplish.1 I wrote about that impact gap in the 92/7 piece. The second report is the one almost nobody in our world has read, and it is the more useful of the two.

The American Arbitration Association, a nonprofit that operates under no shortage of scrutiny, published a benchmark called From Principles to Practice. It surveyed 500 senior legal and executive leaders.4 The headline number is quietly devastating. Eighty-seven percent say their organization has some form of AI governance in place, and only 22 percent say that governance actually works.5 We have spent a year asking each other whether we have an AI policy. The AAA data says that was the wrong question.

Look at where the governance breaks. Only 33 percent of these organizations have a defined escalation path for when an AI system misbehaves. Only 22 percent are confident they could produce evidence of a governance decision if a regulator or auditor asked for it. And while 80 percent say IT or technology teams contribute to AI governance, just 35 percent involve legal or compliance.5 Read that last pair again. Governance has been quietly redefined as an IT chore, which is exactly how you end up with a policy that nobody can enforce and nobody can prove.

Governance is not a document. It is a property of your data.

Here is the part our sector keeps getting wrong. An AI policy is a statement of intent. Governance is the ability to answer a question after the fact: what data fed this decision, who approved the model that made it, and can I reconstruct that answer six months from now. That is not a question a PDF answers. It is a question your architecture answers, or fails to. If your member data lives in fourteen systems and your AI tools reach into each of them directly, you do not have governance. You have exposure with good intentions.

This is why I keep coming back to the warehouse as the system of record. When identity, consent, and lineage live in one governed layer, and AI tools draw from that layer instead of from the AMS directly, audit-readiness stops being a fire drill. You can answer the escalation question because the data has a single front door. The organizations that say their governance works are not the ones with the best-written policies. They are the ones who wired the policy into a place the data actually flows through.

There is a deadline attached to all of this now. The high-risk provisions of the EU AI Act reach full enforcement in August 2026, bringing obligations around risk management, technical documentation, human oversight, and the ability to produce records on demand.8 Plenty of US associations will tell themselves this is a European problem. It is not, if you have European members, European chapters, or a single high-risk use case touching an EU resident.9 The audit-readiness number (22 percent) and the enforcement date (roughly two months out) are on a collision course, and the paperwork does not write itself.

I am not arguing for governance theater. The sector does not need another fifteen-page policy nobody reads, and I am skeptical of the rush to name a Chief AI Officer at organizations that have not yet cleaned up their member tables. (Although when the AAA named a Vice President for Legal AI Governance this spring, I noticed it was a standing operational role rather than a title on a slide.7) What I am arguing is narrower. Stop measuring governance by whether the policy exists. Start measuring it by whether you can answer the audit question.

Quick takes

The American Arbitration Association did something this spring that more associations should copy. It named a Vice President for Legal AI Governance and Integration, a standing operational role rather than a committee that meets quarterly.7 Pair that with its own benchmark showing only 22 percent of governance programs actually work, and you get an organization that read its own data and staffed against the finding.

The compliance clock is louder than most US associations admit. The EU AI Act's high-risk provisions reach full enforcement in August 2026, with documentation and human-oversight obligations attached.8 If you have EU members or chapters, the question is no longer whether you have a policy. It is whether you could produce the records on a regulator's timeline.

Every AMS vendor now ships AI as table stakes, from predictive analytics to engagement scoring. That is fine. It also quietly moves member data into model pipelines you did not design, which is the consolidation story from last week wearing a different hat. The feature is free. The governance is not.

Worth a read

The 2026 Nonprofit AI Adoption Report (Virtuous and Fundraising.AI). The 92/7 number gets the headlines, but the 47 percent with no governance policy at all is the part to sit with.

From Principles to Practice (American Arbitration Association). The most honest benchmark on AI governance I have read this year, because it separates having a policy from having one that works.

AI in the Nonprofit Sector Is a Question of Governance, Not Just Technology (Nonprofit Quarterly). A non-technical framing of the same argument, useful for getting a board to care before a regulator makes them.

My prediction: within the next year, the question that actually moves budgets will not be whether you use AI. It will be whether you can reconstruct what it did. The associations that wired governance into their data layer will answer in an afternoon. Everyone else will answer with a policy, and discover that a policy is not an answer.

Quick answers

What is the difference between an AI policy and AI governance?

A policy is a written statement of how you intend to use AI. Governance is the operational capability to enforce that intent and prove it later: access controls, data lineage, escalation paths, and audit records. A recent benchmark of 500 leaders found 87 percent had a policy and only 22 percent had governance that worked, which is the whole problem in one statistic.

Where should AI governance actually live in an association's technology stack?

At the data layer, not only in a document. If identity, consent, and lineage are managed in a central governed warehouse, and AI tools draw from that layer rather than reaching into the AMS directly, you can answer questions about what data informed a given decision. Governance that lives only in a PDF cannot be enforced or audited.

Does the EU AI Act apply to a US-based association?

It can. The Act reaches organizations outside the EU when their AI systems affect people inside the EU, so US associations with European members, chapters, or high-risk use cases may fall in scope. The high-risk provisions reach full enforcement in August 2026, which makes audit-readiness a near-term concern rather than a hypothetical one.

From the Mind of Ravi Rooprai is a weekly column on association tech, data, and AI. Read the perspectives for the longer arguments behind it.

Researched with AI assistance and fact-checked against primary sources. The analysis, judgment, and writing are mine. How this column is made →