Charity Wizard
2025-10-14 · 2025

AI in Fundraising and the Cybersecurity Bill That Came Due

Generative AI passed from novelty into operating-system status across the sector. Cybersecurity incidents at three large nonprofits demonstrated how unprepared most organizations remained.

Technology Operations

By 2025 the use of generative AI tools in nonprofit operations had crossed from early-adopter territory into what most sector publications described as standard practice. An NTEN survey conducted in mid-year reported that more than seventy percent of US nonprofits with budgets over $5 million were using AI tools in at least one operational area — most commonly in donor communications, grant-application drafting, and constituent-relationship management. Among smaller organizations, adoption rates were lower but climbing.

What worked and what did not

The applications that delivered consistent value were narrow: drafting first versions of donor acknowledgments, grant LOIs, and routine communications; summarizing meeting transcripts; producing variants of email subject lines for A/B testing; and structuring unstructured data such as donor notes into searchable form. In these areas, the productivity gains for development and communications staff were measurable and significant.

The applications that failed quietly or loudly tended to be those that attempted to substitute AI for relationship work — AI-generated major-donor proposals that landed with obvious tonal flatness, AI-summarized impact reports that omitted the texture donors actually wanted, AI-mediated stewardship calls that some donors found offensive when they realized what was happening. The boundary between value-creating use and value-destroying use was, in retrospect, predictable from the relational nature of the underlying activity.

One emerging concern was the data-handling implications of using commercial AI tools with donor and constituent information. Several large national-scope tools were configured by default to retain user inputs for model training. Sector technologists spent much of the year urging organizations to read the terms of service of every AI tool used in any donor-touching workflow, and to default to enterprise plans with explicit no-training provisions where available.

Three cybersecurity incidents

The year’s most consequential operational events were three separate cybersecurity incidents at large national nonprofits. In each case, the attack vector was a combination of social engineering and exploitation of unpatched vendor software. In each case, donor and constituent records were exfiltrated. In each case, the affected organization was required to notify regulators in multiple states under varying breach-notification regimes.

The aggregate cost of the three incidents, including notification, credit-monitoring offers to affected individuals, system remediation, regulatory response, and donor-confidence repair, was estimated at over $40 million. None of the affected organizations had cybersecurity insurance coverage adequate to the actual cost. None had run a recent tabletop exercise simulating the kind of incident that occurred.

The post-incident reviews, several of which were published in redacted form, converged on a small set of recommendations: multi-factor authentication on all administrative access, mandatory phishing-awareness training reinforced quarterly, clearly defined incident-response protocols rehearsed before they were needed, vendor security requirements baked into procurement, and a designated information security officer with authority to delay or block deployment of new systems.

For mid-sized organizations, the more sobering lesson was that none of these recommendations were new. They had been circulating in sector cybersecurity guidance for at least a decade. The organizations affected by the year’s incidents had had access to the same recommendations as everyone else and had not implemented them, either because of cost, capacity constraints, or institutional priority misalignment. There was no reason to believe most other mid-sized organizations had implemented them either.

Insurance markets responded

Cyber insurance underwriters serving the nonprofit market began, in the second half of the year, to require demonstration of specific control measures as a condition of coverage at any meaningful limit. Multi-factor authentication, endpoint detection and response tooling, and documented backup-and-recovery procedures became coverage prerequisites rather than rate factors. Organizations that could not demonstrate the controls either paid much higher premiums or lost coverage entirely.
