What AI Governance Actually Means for California Nonprofits: A Plain-Language Guide

For a California nonprofit or behavioral health organization, AI governance means knowing which AI tools your staff is using, what organizational data those tools can access, and who is responsible when something goes wrong. This guide explains what that looks like in practice and why getting clear on it now matters more than most leaders realize.

Your program director mentioned it at last week’s staff meeting. Someone on the board asked about it at the last quarterly. And there it was again in an email from a funder, tucked between compliance language you forwarded to no one in particular.

AI governance.

If you have been nodding along without being sure what it means, you are in the right place. Most nonprofit and behavioral health leaders in California are in exactly the same position. Not because they are behind. Because the term was invented by people who were not thinking about organizations like yours when they invented it.

Why “AI Governance” Sounds More Complicated Than It Is

It comes from the enterprise world, where governance can mean legal review boards, vendor approval committees, and multi-department policy cycles. That version does not apply to you.

For a nonprofit or behavioral health organization operating in California, AI governance means having a clear answer to three questions:

  1. What AI tools are your staff currently using at work?
  2. What organizational data (client records, PHI, donor information) may those tools be processing?
  3. Who in your organization is responsible when something goes wrong?

If you can answer those three questions with confidence, you have the foundation of an AI governance posture. Most organizations cannot. Not because of negligence. Because no one has asked the questions out loud yet.

What the Data Says About Where Most Organizations Stand

According to the IBM Cost of a Data Breach Report 2025, research conducted independently by Ponemon Institute and sponsored and published by IBM based on 600 organizations impacted by data breaches between March 2024 and February 2025, 63% of breached organizations had no AI governance policy in place or were still in the early stages of developing one.

That same report found that 20% of organizations studied experienced a security incident involving shadow AI, meaning the use of AI tools by staff without organizational approval or IT oversight. For organizations where shadow AI was pervasive, breach costs were $670,000 higher than organizations with low levels or none. The global average cost of a data breach in the same report was $4.44 million.

IBM data reflects organizations across 17 industries and 16 countries and regions. Figures reflect enterprise-scale organizations. For a nonprofit operating on grant funding, even a fraction of those costs (legal fees, notification requirements, regulatory review, and reputational impact) could end programs.

The governance gap is real. The question is whether your organization closes it before or after something happens.

What AI Governance Is Not

It is not a ban. Staff are going to use AI tools, and many of those tools genuinely help people get more done. The goal is not to eliminate AI use. It is to make sure the organization knows what is in use, what data it touches, and what the rules are.

It is not a technology purchase. You do not need new software to start. You need a conversation.

It is not a compliance audit. You do not need an external consultant or a legal review before you can take a first step. Those may come later. The first step is much simpler.

What a Realistic Starting Point Looks Like

For a nonprofit or behavioral health organization in California, a first-stage AI governance posture comes down to four things:

  1. A conversation about an AI policy. Ask your staff, without judgment, what AI tools they currently use at work. The goal is visibility, not discipline. You cannot govern what you cannot see.
  2. An AI tool inventory. Define which tools are approved for use with organizational data. Define which categories of data (PHI, donor records, case management information) may not be entered into any AI platform without IT review.
  3. A designated point of contact. Someone needs to own the question: “Is it okay for me to use this tool with this data?” It can be your IT contact.
  4. A review cadence. AI tools change quickly. Whatever you write today should be revisited in six to twelve months to reflect new tools and updated regulatory guidance.

These steps require about 90 minutes and a clear conversation with your leadership team.

At Advantage Microsystems, we walk nonprofit leaders through exactly this inventory, and the conversations are almost always the same: staff are using more tools than leadership realized, and nobody has asked the data question yet. It is one of the first things we address as part of our managed IT services for mission-driven organizations in California.

Why This Question Is Especially Urgent for Behavioral Health Organizations

Behavioral health organizations operate under HIPAA and, for substance use disorder treatment programs, under 42 CFR Part 2, one of the most stringent federal data protection standards in the country. Both require that any third-party platform processing protected health information have a signed Business Associate Agreement in place before that platform touches PHI. Cybersecurity and compliance support for behavioral health organizations has to account for both standards, not just one.

Most consumer-facing AI tools do not qualify. ChatGPT’s Free, Plus, Pro, and Business tiers are not BAA-eligible. Per OpenAI’s own Help Center, BAAs are available only to Enterprise and Edu customers with sales-managed accounts, and to API customers. Google Gemini’s consumer version similarly does not offer a BAA. When a clinician uses either of these tools to draft session notes, summarize intake records, or process case information, that use may constitute a HIPAA violation regardless of intent.

This is not a theoretical risk. In March 2025, the U.S. Department of Health and Human Services, Office for Civil Rights, reached a Corrective Action Plan agreement with a Texas-based behavioral health organization over impermissible PHI disclosures and failure to conduct a thorough security risk assessment, two of the most common gaps OCR pursues. (Source: HHS OCR Corrective Action Plan, Deer Oaks: The Behavioral Health Solution, signed March 19, 2025.)

For behavioral health organizations in California, AI governance is not optional. It is the difference between staff using AI safely and an OCR enforcement inquiry.

The Step That Takes Five Minutes

You do not need to solve AI governance this week. You need to know where you stand before you decide what to address first.

The IT Readiness Assessment from Advantage Microsystems was built specifically for non-technical nonprofit and behavioral health leaders in California. It takes five minutes. It asks the right questions: not about your hardware specs, but about your policies, your data, and your team’s current habits. The results give you a clear picture of where your organization is exposed and where it is not.

Take the free IT Readiness Assessment, built for nonprofit leaders, no tech background required:
https://advantagemicro.net/nonprofit-assessment-alliance/

And if you are ready to talk, skip the line and schedule your AI consultation today: https://link.advantagemicro.net/widget/booking/4MRlfCxpCeXCvqKBPDAR

Questions About AI Governance for Nonprofits: Answered by Advantage Microsystems

Q: What is AI governance and does my nonprofit actually need it?

AI governance refers to the policies, decisions, and oversight structures that determine how AI tools are used within your organization: what is permitted, what data may be used with AI platforms, and who is accountable when questions arise. According to the IBM Cost of a Data Breach Report 2025, 63% of breached organizations had no AI governance policy in place, and organizations with pervasive shadow AI faced breach costs $670,000 higher than those with low levels or none. Any California nonprofit or behavioral health organization that handles donor data, client records, or protected health information should have a basic AI governance posture in place. (IBM data based on Ponemon Institute research of 600 breached organizations, March 2024 to February 2025.)

Q: What is the difference between an AI policy and AI governance?

An AI policy is one component of AI governance: a written document that defines the rules for staff AI tool use. AI governance is the broader posture, covering the policy, the person responsible for questions, the tool inventory, and the ongoing review process. For most nonprofits, both look very similar in practice. The most important thing is that something exists in written form that staff can reference and leadership has approved.

Q: Can our staff use ChatGPT or Google Gemini to help with program work?

It depends on what data they are entering. For general writing tasks that do not involve client records, donor information, or protected health information, many AI tools are reasonable to use. But if staff are entering PHI (session notes, intake records, case summaries) into a consumer AI tool, that use likely violates HIPAA. ChatGPT’s Free, Plus, Pro, and Business tiers are not covered by a Business Associate Agreement, per OpenAI’s own Help Center. At Advantage Microsystems, we help California nonprofits and behavioral health organizations build an AI policy that answers exactly this question for their staff, before a violation happens.

Q: How does HIPAA apply to AI tools in a behavioral health organization?

HIPAA requires that any third-party platform processing protected health information have a signed Business Associate Agreement with your organization before it handles PHI. OpenAI’s consumer tiers (ChatGPT Free, Plus, Pro, and Business) are not BAA-eligible; per OpenAI’s Help Center, BAAs are available only to ChatGPT Enterprise and Edu customers with sales-managed accounts, and to API customers. If staff at a behavioral health organization enter client records, session notes, or intake information into these tools, that use may constitute a HIPAA violation. In March 2025, HHS OCR reached a corrective action agreement with a Texas behavioral health organization over impermissible PHI disclosures, underscoring that enforcement is active in this space.

Q: What is CalAIM and how does it affect technology requirements?

CalAIM restructures how Medi-Cal delivers services, with significant technology implications for behavioral health organizations participating in Enhanced Care Management (ECM) and Community Supports. Requirements include EHR compatibility, data reporting, and coordination with managed care plans. Advantage Microsystems works directly with California behavioral health organizations on CalAIM readiness.

Q: What does shadow AI mean and why does it matter for my organization?

Shadow AI refers to the use of AI tools by staff without organizational approval or IT oversight. According to the IBM Cost of a Data Breach Report 2025, 20% of organizations studied experienced a security incident involving shadow AI, and for those with high levels of shadow AI in use, breach costs were $670,000 higher than organizations with low levels or none. For a nonprofit or behavioral health organization, shadow AI is particularly risky because the data employees handle (client records, PHI, case notes, donor information) is exactly the category most likely to be exposed when an ungoverned AI tool is involved. (IBM data based on Ponemon Institute research; figures reflect enterprise-scale organizations across 17 industries.)

Q: How do I get help building an AI governance plan for my nonprofit in California?

At Advantage Microsystems, we work with nonprofit and behavioral health organizations across California to help leadership understand where AI tool use is already happening, what data is at risk, and what a practical governance plan looks like for their specific size and mission. We have supported organizations through exactly this conversation, from visibility to policy to staff training, and we know the difference between what a 30-person nonprofit needs and what the enterprise playbooks assume. Reach us directly to schedule a conversation.
