An AI Governance Framework Adapted from the AI Policy Template by ANB Advisory (Afua Bruce & Rose Afriyie), September 2024.
Version: 1.0
Last reviewed: May 29, 2026
Review cadence: Every six months, or as needed, whichever comes first.
How to Use This Document
This policy governs how BetaNYC adopts, uses, and develops artificial intelligence tools across the organization. BetaNYC is a civic technology nonprofit that both uses off-the-shelf AI tools and builds new tools using code and APIs, so this policy is written to cover both modes of work.
Some sections of this policy will not be relevant to every program or staff member. When in doubt, default to the principles in Section 1 and consult the Executive Director and Lab Director.
0. Questions of power, agency, and authority:
AI fundamentally changes our relationship to technology and information. Gen AI and large language models are built on unseen human labor and creativity, and are fundamentally extractive. While there is a lot of nuance between the bits, LLMs compress humanity into one flat existence. As of the mid-2020s, AI lays bare existential issues within our systems of justice, government, education, health, economics, and environment.
Here is how we are questioning the use of AI.
- AI is a metaphor about power: power to consume the world’s knowledge and resources. Who has the power to control that consumption, and who has the power to control the entities developing AI?
- We acknowledge that artificial intelligence tools and automated decision-making lay bare existential questions within our society. As we explore our use of these tools, we have deep questions on how to move forward with them. What is our agency with these tools? How can these tools be regulated to ensure safe, appropriate, and consensual use? Will these tools be developed by individuals who will follow laws and construct them to operate ethically? Will we be able to distinguish between what is human, what is synthetic, and what is a mixture of the two?
Our AI use policy seeks to create a baseline to ensure that our community, our staff, and the people we serve are clear on how we see these tools, how we use them, and how we want them to be governed in the future.
1. Overarching AI Principles
Generative AI offers a chance to help nonprofit organizations like BetaNYC in new ways. Individual tools, as well as AI systems, can affect how organizations meet their community’s needs. In a world with finite resources, nonprofit organizations need to explore all available tools to fulfill their mission to serve. However, valid concerns about AI’s potential for bias and unethical use exist. To balance these concerns and support our community service efforts, when BetaNYC uses AI, we will do so responsibly by applying the following principles:
- Accountability and responsibility: We will hold the individuals using AI tools accountable for their decision-making based on the tools. AI tools and systems support the work our staff remains committed to.
- Equity and access: We will use AI in ways that do not create new inequities or barriers to accessing vital services. We will maintain safeguards that promote fair access to our services.[1]
- Fairness and non-discrimination: We will aim to use AI tools in ways that do not discriminate against the communities we serve. We will seek to use AI tools that minimize bias and ensure fair outcomes for everyone, regardless of race, gender, ethnicity, or other factors.[2]
- Reliability and accuracy: We will use AI tools that perform as intended. We will select AI tools that consistently produce accurate outputs.
- Transparency: We will explain when and how we use AI products when asked by our stakeholder communities.
- Trust: We will use AI in ways that allow us to maintain trust with the community we support.
- In service of mission: We will use AI in support of human decision-making, expertise, and creativity, and not in place of human expertise. AI tools will be selected because there is a way for them to support our mission, not just because it is a new technology.
These Overarching AI Principles support and supplement BetaNYC’s stated mission, vision, and values. We recognize that both our organization and AI technology will evolve; therefore, we will review and update this policy every six months, or as needed, whichever comes first.
2. General AI Guidelines
Specific AI tools and functions change regularly. Individual staff may want to use AI tools to support their work; others may want to experiment with developing their own tools. The following AI guidelines govern how BetaNYC can use AI, rather than constantly deciding on a case-by-case basis. Given some of the risks of AI, these guidelines also serve as a risk management tool for the organization.
2.1 Approval to use AI tools
Does staff need approval to use or develop AI tools? No — staff may use AI tools freely for day-to-day work. However:
- Longer AI projects must be disclosed to the Executive Director and Lab Director before substantial work begins. A “longer AI project” is any sustained effort that integrates AI into a workflow, service, or product BetaNYC delivers — as opposed to a one-off use of a chatbot to draft an email.
- AI used for translation of any material that will be publicly disclosed must be reviewed by a human who is fluent in the target language before publication.
- All other guidelines in this section still apply regardless of approval status.
2.2 Generating or modifying content
| Use case | Permitted? | Disclosure |
|---|---|---|
| AI to generate or modify external-facing written content (blog posts, newsletters, social media, grant deliverables) | Yes | Disclose only when AI output is published verbatim or with minimal human editing. Substantively rewritten or edited material does not require disclosure. |
| AI to generate or modify internal-facing written content (memos, meeting prep, internal docs, Slack drafts) | Yes | No disclosure required. |
| AI to generate or modify external-facing visual content (social graphics, website images, illustrations in reports) | Yes | Disclosure required. AI-generated imagery must be labeled — typically in caption, alt text, or a visible mark. |
| AI to generate or modify internal-facing visual content (slide decks, internal diagrams, mockups) | Yes | Informal disclosure to internal viewers (a brief note in the doc, a footer line, or a comment) is expected. |
2.3 Use-case-specific guidelines
- Meeting notes (AI notetakers / AI meeting companions): Permitted with consent from all participants — for both internal and external meetings. Staff must inform participants at the start of the meeting and offer a chance to opt out.
- Translation: Permitted for drafting. A fluent human speaker of the target language must review any translated material before public release.
- Research (background on individuals, peer organizations, market trends, civic data context): Permitted with source verification. If AI-generated research is shared internally or externally, the use of AI must be disclosed alongside the verified sources. (Note: research is a deliberate exception to the “no disclosure required” rule for internal written content in Section 2.2 — the higher bar reflects the source-verification risk specific to AI-generated research.)
- Brainstorming and editing (revising human-generated drafts, ideation, structure feedback): Permitted, subject to the data-tier rules in Section 3. Tier 2 (sensitive) content may not be pasted into an AI tool without approval.
- Analysis and prediction (e.g., analyzing 311 data, predicting attendance, summarizing constituent feedback): Permitted with methodology documentation, human verification of results, and disclosure when results inform decisions or are shared.
2.4 Wholesale use of generative AI output
Generative AI output must always be human-modified or verified before being relied upon, shared, or published. Raw AI output may not be used wholesale.
Documentation of the review should be retained with the project itself — in the relevant project folder, shared drive, or team notes/documentation. The form of documentation can be lightweight (a comment, a changelog, a short note), but every project that uses AI output should carry a record that a human reviewed it.
2.5 Contractors
All contractors and vendors working on behalf of BetaNYC must adhere to the guidelines in this policy document. References to this policy will be incorporated into contracts and statements of work, and contractors will be expected to comply with the same data-tier, disclosure, and review rules that apply to staff.
2.6 Staff training
All staff must complete:
- An Intro to NYC Open Data course, and
- An Intro to Artificial Intelligence course,
both as provided by BetaNYC.
- Cadence: On hire, with refreshers when needed (e.g., when this policy is updated, when significant new tools are introduced, or when relevant regulations change).
- Training resource: Internal training is being developed by BetaNYC and will be shared internally.
3. Data/IT Governance & Privacy
BetaNYC will follow all relevant industry guidelines and regulations (e.g., HIPAA standards[3]), as well as all applicable data laws and policies (e.g., GDPR, EU AI Act).
3.1 Data tiers
AI tools use a lot of data. The tools themselves are trained on different data sources, and to work inside BetaNYC, the AI tools will use BetaNYC’s data as well. It is important to know what data BetaNYC is sharing with these tools. The tiers below document what information can be shared with less concern, and what information should be discussed before deciding whether or not to share it with an AI product. Tier 1 data is considered acceptable for AI tools without approval. Before Tier 2 data is entered into any AI tool, additional approval from the Executive Director and Lab Director (jointly) must be obtained.
- Tier 1: Less sensitive. This includes publicly available program names and descriptions, high-level budget information, etc., as well as internal draft documents.
  - Written and promotional text (blog drafts, newsletter copy, social media drafts)
  - Summary statistics and anonymized demographics
- Tier 2: More sensitive. This includes personally identifiable data[4] including but not limited to: individual client or staff names, social security numbers, financial information tied to specific individuals, phone numbers, email addresses; information covered under non-disclosure agreements or other data-sharing agreements.
  - PII (names, emails, phone numbers, SSNs, individual-level financials)
  - Community member, hackathon participant, and event attendee lists
  - Grant applications (full applications, including budgets, strategy, and personnel detail)
  - Data covered by NDAs or data-sharing agreements with city agencies, partners, or funders
  - Unpublished research findings and confidential funder communications
3.2 Data management practices
Strong data management practices should be followed. Where possible, we will employ the following practices concerning user data[5]:
- Regular reviews: We will conduct routine reviews to ensure that permissions to our organization’s data used in AI tools remain appropriate as our organization scales or roles change, to prevent privilege creep (the accumulation over time of privileges that are not necessary for a person’s duties).
- Division of duties: We will distribute duties so that one person does not have excessive control over AI tools and the data used by them for BetaNYC. In practice, this means that programs and operations teams, in addition to the tech team, should have a say in how data and AI tools are used at BetaNYC.
- Principle of least privilege: We will grant users the minimum permissions necessary to perform tasks to reduce risk and prevent accidental error,[6] and ensure access changes as employment status or position changes.
- Principle of minimization: We will collect and store the minimum amount of information needed to execute our organization’s mission. We will not collect and store information just because we can ask for it.
- Multi-factor authentication (MFA): Where possible, we will use tools that give us the option of MFA to reduce the risks of unauthorized users receiving access to data.
3.3 AI/Data Review Committee
Regular reviews of data and AI tools will be conducted by a committee consisting of the following roles, including technical and non-technical perspectives:
- Executive Director
- Lab Director (CTO equivalent)
- Chief of Staff (or their designee)
This committee will meet quarterly and will document any decisions made in this meeting in a shared project folder, with a notification to all staff via Slack and email so that decisions are visible across the organization.
3.4 Vendors
When selecting new vendors, we will ask vendors to adhere to the data governance practices outlined in this document. We will ask them to share, in writing, their data management guidelines for their products.
3.5 Key security practices
Key security practices inspired by the NIST Framework[7] that BetaNYC will adopt in the use of AI in our organization include, but are not limited to:
- Anonymity: We will limit the sharing of personally identifiable information with AI technologies.
- Confidentiality: We will abide by key confidentiality policies by not inputting confidential information into AI tools. Where it is unclear, we will seek consent from those who own the data.
- Intentional data disclosure: When we use large language models, we will make a decision about whether to opt in or out of sharing nonprofit data with the tool being adopted for the purposes of training their model.
  - For example, it may be appropriate to help train models on marketing information or information we want other nonprofit organizations to benefit from. However, it may not make sense to train models on fundraising proposals that we leverage large language models to proofread.
3.6 Transparency and accountability for AI tools BetaNYC builds
To increase transparency and accountability of AI tools used within the organization, the following information should be documented for each new AI tool developed, and this is particularly important for tools built on predictive AI:
- Origin of data
- Associated models and metadata
- Overall data pipelines for audit
- Testing metrics
This documentation should be captured in the BetaNYC AI Technical Resource, located on BetaNYC’s internal wiki / shared drive [link to internal document — to be added by Lab Director]. The Lab Director holds approval responsibility for the document.
3.7 Minimizing bias in BetaNYC’s data
Understanding that data can introduce bias into AI tools, BetaNYC will work to minimize bias in its own data. We will do this by:
- Validating the source and accuracy of data
- Ensuring informed consent for data collection
- Considering how individual data sources could be combined to reveal personally identifiable information
- Ensuring completeness of datasets
- Developing mitigation strategies for incomplete and/or inaccurate datasets
- Securing and protecting data
3.8 Securing data and systems
Recognizing that the security of our data sources matters, we will also engage in best practices to secure our data and systems. These practices include:
- Setting up strong data encryption protocols
- Establishing user authentication systems
- Conducting regular security audits
3.9 Incident response: unintended sensitive data in generative AI tools, hallucinations, and inaccurate output
If AI tools begin to hallucinate with constituents or partners, or if it is discovered that an inaccurate output from an AI tool led to bad decisions about operations or in materials provided to stakeholders:
- If unapproved sensitive (Tier 2) data is put into generative AI tools, staff should inform their supervisor immediately.
- The AI/Data Review Committee should be notified within 24 hours.
- If an error is deemed to be a reputational and/or operational risk, the committee will post a note to our website at beta.nyc.
3.10 Privacy-enhancing technology
Inspired by the NIST Framework[8], we will support the development of privacy-enhancing technology. Practices we will adopt in the use of AI in our organization include:
- De-identification
  - Data collection practices will require the minimum amount of PII needed to achieve our mission and satisfy our agreements.
  - We will store data in our database in a way that minimizes harm in the event of a breach.
  - We will anonymize or de-identify any data that we may handle in the course of our work, stripping away identifiable information and ensuring data cannot be traced back to specific individuals.
- Aggregation
  - We will present data from our database in aggregate when possible.
  - We will ensure we have the proper consent from users (constituents/consumers/anyone providing data) in place if deviations from an aggregate summary standard are needed.
4. AI Tool Analysis and Development
We recognize that selecting or developing AI tools requires us to consider how the tool can positively impact our organization, the level of effort required to implement the product, and how the product will fit into our current workflows.
4.1 Key preferences
- In selecting AI products to use internally, we will prefer tools that allow us to opt out of having our data used in the product’s training data.
- We will prefer tools that have worked with nonprofits or other community members and constituents.
- Consistent with BetaNYC’s civic-tech ethos, we will prefer open-source AI products where viable, and use commercial products when open-source options do not adequately meet our needs.
4.2 Licenses and financial costs for tools
- We will provide licenses for our teams when it will increase privacy, accuracy, and data controls, contingent upon available financial resources.
- Financial approval for licenses:
  - The Lab Director approves licenses below an established threshold.
  - The Executive Director approves licenses at or above that threshold.
  - The threshold will be set jointly by the Executive Director and Lab Director and documented in BetaNYC’s financial procedures.
- Personal email addresses are not permissible for AI tools used in BetaNYC work. All AI tool accounts must be created with BetaNYC email addresses to ensure organizational control over access when staff transitions occur.
4.3 Decisions about AI adoption (organization-wide)
For decisions about AI adoption, we will observe the following protocols:
- Ensure adequate review and testing. Before adopting consumer-facing tools, we will set a deadline for when we will decide on adoption and rollout to our constituents. We will involve community members, as appropriate, and current staff who previously engaged in the task we are leveraging AI for, to ensure functionality and reliability.
- Set adoption goals or at least one key performance indicator (KPI) for AI adoption. KPIs are measurable criteria, set for a specific objective, that we can point to when assessing the effectiveness of our use of AI.
- Monitor errors and wins to adjust our behavior. We will monitor and document how often the AI tools produce errors and, depending on frequency and severity, will decide to provide additional training, change how we use the tool, or discontinue use of the tool. We will share wins with the broader team to support transferable uses across the organization.
4.4 Decisions about AI adoption (tools BetaNYC builds)
For decisions about AI adoption in tools BetaNYC builds, we will observe the following protocols:
- Ensure real-time review. Before launching consumer-facing tools, we will pilot them with experts to ensure functionality and reliability. For example, if we use AI to automate responses to frequently asked questions on our site, we will pilot with customer support to review answer choices for a period of time to monitor error, hallucination, or bias before minimizing human involvement in fielding questions.
- Make it easy to transition to humans. All tools that serve a customer support function will be designed to “fail safely,” seamlessly transitioning to human intervention, or a queue for human follow-up, when necessary.
- Set adoption goals or key performance indicators (KPIs) for AI adoption. KPIs are measurable criteria, set for a specific objective, that we can point to when assessing the effectiveness of our use of AI.
- Monitor errors and correct them. We will develop the infrastructure to monitor error rates associated with our use of AI and recovery plans for issues such as hallucination, which is crucial for maintaining trust with our stakeholders and constituents.
- Establish data quality validation. In instances when we use predictive AI, we will validate data quality to ensure that internal and external consumers understand the accuracy of predictions.
We will strategically leverage both open-source and commercial products to maximize cost-effectiveness and impact and to prevent duplication of efforts, with a stated preference for open-source where it can meet the need.
4.5 Cloud Infrastructure, Development, Security, and Operations
For AI-related decisions for our Cloud Infrastructure and Development, Security, and Operations, we will observe the following practices:
- Self-hosted for sensitive data; cloud as needed. For programs using sensitive data, we will use self-hosted Large Language Models (LLMs) and self-hosted infrastructure, keeping models and data within our controlled environment whenever feasible. For non-sensitive workloads where in-house computing resources are limited or intense computing capabilities are required, we will use cloud platforms. Cloud-based AI solutions allow us to enhance efficiency by handling tasks that free up staff time, allowing us to focus on more mission-aligned activities.
- Practices to support responsible AI within our technical stack:
  - Focusing on data hygiene through regular accuracy checks
  - Curating and strategically labeling data directly related to AI training goals
  - Allowing time for testing and fine-tuning of LLMs
- Skilled team to support AI maintenance. We will assemble and maintain a skilled team to support AI maintenance with security in mind. We will integrate a diversity of roles internally, and, when needed, supplement them with external contractors or vendors, to ensure seamless AI delivery. Prioritizing security from the start allows us to have a collaborative environment, embedding security throughout the development lifecycle rather than treating it as an afterthought. By automating security testing with cloud-based tools, we can ensure continuous monitoring by identifying and addressing vulnerabilities early while maintaining a more secure codebase.
About this template
This policy is adapted from the AI Policy Template authored by Afua Bruce and Rose Afriyie for the ANB Advisory Group (September 2024), supported by NTEN. ANB Advisory Group is a consulting firm that supports a responsible tech ecosystem (anbadvisory.com). NTEN connects people who put technology to work for social change (nten.org).
Notes
[1] The USDA has developed a framework for the use of AI in public benefit administration. Its key principles can be found in section 1.4, with equity and access being one of the core principles lifted up for this example: https://www.fns.usda.gov/framework-artificial-intelligence-public-benefit
[2] This principle is adapted from the Microsoft AI principles.
[3] The HIPAA Journal states that “however, organizations that are required to comply with the HIPAA are not permitted to use [generative AI] tools in connection with any ePHI unless the tools have undergone a security review and there is a signed [BAA]. ChatGPT (not API) is not HIPAA compliant as per OpenAI web site.”
[4] The National Institute of Standards and Technology defines personally identifiable information (PII) as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
[5] FrontEgg focuses on securing end users’ access experience through granular, multi-tenant authentication. They have written about MFA, the Principle of Least Privilege, and Regular Reviews, and we have modified their language for this practice.
[6] Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.” They have written at length about Just In Time Privilege and its relationship with the principle of least privilege.
[7] NIST has long been a leader in the privacy domain. Their values are excerpted and adapted for the nonprofit use case from pg. 17 of their Artificial Intelligence Risk Management Framework (AI RMF 1.0).
[8] NIST has long been a leader in the privacy domain. Their section on PET considerations is excerpted from pg. 17 and adapted for the nonprofit use case from their Artificial Intelligence Risk Management Framework (AI RMF 1.0).