(Version 1. June 24, 2026)
- Purpose
- Scope and Definitions
- Approval, Enablement, and Governance
- Data Privacy and Protected Information
- Intellectual Property and Copyright
- Quality, Accuracy, and Transparency
- High-Risk and Specialized Use Cases
- Values, Bias, and Equity
- Enforcement and Incident Response
- Implementation and Training
CultureSource Members and Partners,
As artificial intelligence tools evolve quickly, CultureSource has developed an organizational AI policy to guide our use of these technologies in practical, values-aligned ways. We are sharing the policy and the process we followed to develop it so that others can copy, adapt, question, and build on it.
This first finalized version is not perfect and permanent. AI is changing rapidly, and our understanding of its opportunities, risks, and responsibilities are evolving. For that reason, our policy includes regular review and revision, at least twice annually.
We open our work process to you here in a spirit of collegiality and in support of field learning. Our hope is that this offers a useful starting point, not a prescription. Please use what is helpful, change what does not fit, and share back what you learn. Reach out to anyone on our team with questions.
To develop CultureSource’s AI policy, we followed a staged process below that combined peer learning, staff dialogue, expert review, legal input, and operational planning.
- Gathered sample AI policies from a peer organization and from ChatGPT.
- Began a small pilot enterprise use of ChatGPT with four staff members.
- Combined two sample policies into a first draft policy (done by one staff member).
- Reworked the first draft over three meetings with a three-person internal AI workgroup.
- Sent the second draft to three arts and AI expert partners; feedback informed a clean third draft.
- Shared the third draft with the full staff for feedback and team discussion (see notes below).
- Shared the third draft with an attorney for legal review.
- Revised the third draft policy based on staff and attorney feedback, then finalized it as Version 1.
- Shared the finalized policy with the CultureSource board of directors and posted on CultureSource’s website.
- Next: Develop an operational plan to align with the policy, including a revision schedule.
At CultureSource we remain open to influence, and because the technology and our understanding of it will continue to change, we expect the policy to evolve. For more details on CultureSource’s principles and values, read our executive director’s statement on algorithmic perfection and artificial intelligence at CultureSource.
A Note on Staff Input: We know from our internal conversations that there is a wide range of perspectives about AI across our team. By design, our team has diverse viewpoints, which have been useful and necessary as we navigate this work. Staff questions we will need to address relate to the following:
- Assigning responsibilities and creating bandwidth for monitoring staff to contractor AI use
- Implications and ramifications of choosing to do slow, non-AI work
- Future of integration of AI into internal systems
1. PURPOSE
This policy establishes guidelines for the responsible, secure, and ethical use of Artificial Intelligence (AI) tools within CultureSource (“The Organization”). Our goal is to leverage AI to enhance productivity, service, programs, research, and operations in alignment with our mission and our commitments to equity, privacy, data sovereignty, and community trust.
Recognizing that innovation is critical to engaging contemporary culture, this policy is designed to enable the secure exploration of AI technologies while strictly mitigating legal, operational, and reputational risks.
2. SCOPE AND DEFINITIONS
This policy applies to anyone working at or on behalf of The Organization, including current staff, interns, independent contractors, consultants, and volunteers.
Definition of AI Tools: This policy governs the use of:
- Standalone generative AI applications (e.g., ChatGPT, Claude, Gemini).
- AI tools embedded within existing software ecosystems (e.g., Google Workspace AI, Microsoft Copilot, Notion AI, Zoom AI Companion, Grammarly).
- Autonomous or “Agentic” AI workflows that execute actions, make API calls, or modify data without continuous human intervention.
- Custom models fine-tuned on organizational data.
3. APPROVAL, ENABLEMENT, AND GOVERNANCE
The Approved AI Tool List
Staff may only use AI tools and embedded AI features that have been explicitly evaluated and placed on the “Approved AI Tool List” maintained by the IT/Admin team. Staff must not agree to an AI vendor’s Terms of Service on behalf of The Organization without prior administrative approval.
Enablement over Personal Accounts
The Organization provides Enterprise-tier access to specific AI tools to ensure that organizational data is isolated from public training models. Because these secure environments are provided, work-related AI tasks must occur exclusively through Organization-provided accounts. Personal AI accounts on personal devices must not be used to process organizational data or generate work product. If an approved tool is insufficient for a specific workflow, staff are encouraged to submit a new tool request for evaluation.
Cross-Border Data Processing
All AI tools must be evaluated for compliance with the data privacy laws of the jurisdictions in which The Organization operates or whose residents’ data it processes, e.g., California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
4. DATA PRIVACY AND PROTECTED INFORMATION
Prioritize inputting data that is aggregated, anonymized, or publicly accessible. Prohibited Data Inputs Staff must not input the following into any AI tool:
- Passwords or Infrastructure Details: Login credentials, server addresses, or API keys.
- Personal Identifiers (PII): Social security numbers, full dates of birth, home addresses, personal contact information, medical data, or information regarding minors.
- Financial Information: Credit card numbers, bank details, or detailed donor transaction histories.
- Sensitive Legal/Strategic Information: Confidential contracts, unannounced strategic plans, or confidential grant application details.
Record Retention and E-Discovery
AI conversation logs generated within Enterprise accounts may constitute organizational records. Staff must adhere to The Organization’s standard document retention policies regarding these logs and must periodically purge sensitive brainstorming threads that do not constitute final work product, unless otherwise instructed.
5. INTELLECTUAL PROPERTY AND COPYRIGHT
Inputting Third-Party Material
Staff must not input copyrighted third-party material (published books, proprietary research, licensed artwork) into AI tools unless they have verified that the specific license permits such computational use.
Output Ownership and Legal Unpredictability
(Note: As of May 2026, the US Copyright Office has generally held that purely AI-generated works are not copyrightable, though works with substantial human authorship may be. This is rapidly evolving law.) Staff cannot assume copyright protection for AI-generated text, audio, or visual outputs. Staff must consult the Legal/Admin team before relying on copyright protection for any proprietary organizational asset (e.g., logos, core manifestos, published research) that involves significant AI generation.
Contractor Reciprocity
Independent contractors handling organizational data must agree to an “AI Acceptable Use” clause. Furthermore, contractors must disclose to The Organization if deliverables are substantially AI-generated and provide a representation that their use of AI does not infringe upon third-party intellectual property.
Model Training and Data Sovereignty
To maintain strict data sovereignty, any use of organizational data or archived collections to train, fine-tune, or build custom AI agents requires explicit approval from the Executive Director and a legal review of the vendor’s model training terms.
6. QUALITY, ACCURACY, AND TRANSPARENCY
Tiered Verification Standards
AI outputs often contain hallucinations, plausible inaccuracies, or outdated information. Staff are fully accountable for the accuracy of their final work product. AI-assisted work must be verified according to the following matrix:
| Output Type | Verification Standard |
|---|---|
| Internal Brainstorming/Ideation | Light review for tone and obvious errors. |
| Internal Communications/Memos | Review for accuracy; spot-check key facts. |
| External Communications/Social | Full fact-check with cited sources; secondary human reviewer required. |
| Financial/Legal/Grant Materials | Cross-check against internal source systems; domain expert review. |
| Published/Public Content | Full editorial review process; legal review if IP-sensitive. |
Content Labeling and Disclosure
Staff must clearly label AI-generated or substantially AI-assisted content when published externally—particularly in public-facing creative works, grant applications, and donor communications where authenticity expectations are paramount.
Meeting Transcription vs. Recording
The legal threshold for AI transcription is strict.
- Recording: All meeting participants must be notified before any recording begins.
- Transcription: Activating a live AI transcription bot (or uploading a recording to an AI tool later) requires affirmative, documented consent from all external participants to comply with varying state wiretapping statutes.
7. HIGH-RISK AND SPECIALIZED USE CASES
Agentic AI and Autonomous Workflows
AI tools that take autonomous actions on behalf of The Organization (e.g., sending emails, modifying databases, making purchases, or interacting with external APIs) carry significant operational risk. No autonomous AI agent may be deployed without an explicit human-in-the-loop approval mechanism and comprehensive audit logging.
Code and Infrastructure Generation
AI-generated or AI-assisted code, infrastructure definitions (e.g., Terraform), database queries, and CI/CD configurations must undergo the exact same peer review, open-source license checking, and security testing as human-authored code. AI must never be used to write or modify security-critical components (authentication, encryption, access controls) without an explicit security audit.
Human Resources and Employment Decisions
To strictly avoid algorithmic bias and comply with emerging employment laws (e.g., NYC Local Law 144, EU AI Act, EEOC guidelines), AI tools must not be used to autonomously screen resumes, rank candidates, evaluate staff performance, or determine compensation.
8. VALUES, BIAS, AND EQUITY
Mitigating Bias
AI systems often perpetuate historical biases, favoring prominent demographics while minimizing niche or marginalized perspectives. Staff must actively review AI outputs for biased language or assumptions regarding race, ethnicity, gender, disability, or socioeconomic status, ensuring diverse perspectives remain central to our programmatic and operational processes.
Accessibility Standards
Content generated by AI for public consumption (including alt-text, closed captions, and translations) is prone to descriptive errors and must be human-reviewed to ensure it meets WCAG 2.1 AA accessibility standards.
Environmental Impact
The Organization recognizes the significant environmental costs (carbon footprint, water usage) associated with large language models. When evaluating new AI vendors for the Approved List, the IT/Admin team will review publicly available sustainability disclosures and heavily weight vendors with verifiable environmental commitments.
9. ENFORCEMENT AND INCIDENT RESPONSE
Tiered Consequences
Violations of this policy will be addressed through graduated consequences based on severity and intent:
- Tier 1 (Inadvertent error, low-risk data, self-reported): Mandatory retraining and coaching.
- Tier 2 (Negligence, repeated misuse, moderate-risk data): Written warning and temporary suspension of Enterprise AI access.
- Tier 3 (Willful violation, uploading protected PII, shadow IT deployment): Immediate escalation, permanent loss of access, and potential disciplinary action up to termination.
(Note: Self-reporting a data spill is treated as a mitigating factor. Staff are encouraged to report mistakes immediately without fear of reprisal.)
Incident Response Protocol
If protected or confidential information is inadvertently inputted into an unapproved AI tool:
- The staff member must notify their supervisor immediately.
- The supervisor must notify the IT/Admin team within 24 hours.
- IT/Admin will initiate the mitigation workflow (e.g., submitting a formal data deletion request to the vendor, documenting the breach, and determining if affected external parties must be notified).
10. IMPLEMENTATION AND TRAINING
AI Literacy Baseline
Effective AI use requires foundational literacy. All staff will undergo mandatory AI onboarding training to understand prompt formulation, data processing risks, hallucination identification, and security basics. An annual refresher course is required.
Policy Review Cadence
Due to the rapid evolution of this technology, this policy will be formally reviewed on a semi-annual basis. Emergency interim updates may be triggered by major regulatory shifts, significant AI security incidents, or the adoption of fundamentally new AI paradigms (e.g., agent-to-agent communication).
More on AI from CultureSource

On Algorithmic Perfection and Artificial Intelligence at CultureSource

Research Summit 2026: Starting at the Foundation

What does the CultureSource Staff Think about AI?

Hot Topics in Tech: Implementation of an AI Chat Bot

Hot Topics in Tech: Consensus Building using In/Tension Modeling


