Climate science spent fifty years building a framework for who gets hurt when systems fail. Nonprofits urgently need to borrow it, because their data, their communities, and their decisions are already inside the machine.
There is a formula that climate scientists have used for decades to make sense of catastrophe. It does not predict which hurricane will strike, or when. It predicts something more important: who will be destroyed when it does. The formula is this: risk emerges from the intersection of vulnerability, sensitivity, and the adaptive capacity a society possesses to absorb the blow. Change any one variable, and you change who survives.
Nonprofits and civil society organizations rarely appear in conversations about AI risk. That is precisely the problem. The communities they serve, people navigating housing instability, health crises, immigration systems, and child welfare, are among the most exposed populations in the country to algorithmic decision-making. And the organizations that advocate for them are, in the age of AI, more vulnerable and more sensitive to data harm than at any point in history.
The climate science framework offers a way to see this clearly, and more importantly, to act.
Risk = Vulnerability + Sensitivity minus Adaptive Capacity
Vulnerability: Nonprofits hold sensitive data on the most marginalized populations, and that data is increasingly inside AI systems making decisions about those same people.
Sensitivity: Small changes to how AI tools process client data can cascade into discriminatory outcomes. The harm is often invisible until it is already widespread.
Adaptive Capacity: The practices, policies, and literacy that allow organizations to monitor, contest, and respond to AI harm rather than silently absorb it.
Nonprofit organizations do not typically appear in conversations about artificial intelligence risk. That is a significant blind spot. The communities they serve, people navigating housing instability, health crises, immigration systems, and child welfare, face some of the most intensive algorithmic scrutiny in the country. Meanwhile, the organizations advocating for them hold data on the most vulnerable populations, often without a clear understanding of where that data goes or how it is used. The result is that nonprofits are sitting at the intersection of the people most affected by AI systems and the systems doing the affecting, yet most have not developed the frameworks or capacities to recognize this exposure, let alone respond to it.
This is not about whether AI is good or bad. That framing misses the point entirely. The real question is one borrowed from climate science, a field that has spent decades studying who gets harmed when systems fail. Three questions matter most: who is exposed, how sensitive are the systems affecting them, and what capacity exists to respond when things go wrong? That framework offers nonprofits something they urgently need. It provides a language to name the problem and a clear path to address it.
Consider what nonprofits know and what they do not know. Recent industry surveys indicate that 72 percent of nonprofits now use at least one software platform that has added AI features within the past two years. Yet fewer than one in five have reviewed the updated terms of service or data use agreements associated with those changes. That is not a failure of individual organizations. It is a structural gap in how the nonprofit sector relates to the technology vendors that now house their most sensitive information.
The data at stake is extraordinary in both scope and sensitivity. For example, an estimated 1.6 million registered nonprofits in the United States collectively hold detailed records on tens of millions of individuals. These records contain mental health information, immigration status, housing histories, domestic violence disclosures, substance use details, and criminal justice involvement. This information was gathered under conditions of trust. People in crisis shared it with organizations they believed were protecting them.
Now that data is migrating, often unknowingly, into algorithmic systems. Case management platforms have embedded machine learning features. Government agencies use algorithms to determine eligibility for benefits that nonprofits help clients navigate. Donor databases, grant management systems, and communications tools increasingly operate on infrastructure designed to feed large language models. The data nonprofits collected to serve people is becoming raw material for systems whose operators have no accountability to those people.
The financial scale amplifies the urgency. Over 300 billion dollars in government funding flows annually through nonprofits delivering human services, according to recent analysis from the Urban Institute. Most of that funding is now subject to algorithmic oversight, eligibility determination, or program evaluation systems that nonprofits have little power to audit or contest. This is not a fringe issue. It is a structural feature of how the safety net now operates.
Nonprofits are vulnerable in the precise sense that climate scientists use the term. They sit in a position where they cannot control the exposure to risk, but they experience the consequences directly.
This vulnerability originates from position, not from mismanagement. Nonprofits collect sensitive data because their mission requires it. They work with people navigating the most difficult circumstances in life. To help effectively, they must know details that no one else should hold. That information is gathered with the understanding that it will remain confidential, used only for care or advocacy.
The technology ecosystem has changed around that commitment. Software vendors increasingly claim the right to use client data for model training, feature development, and commercial purposes. The contracts nonprofits sign are written to benefit vendors, not the organizations themselves. When a nonprofit purchases a case management system, a donor database, or a communication platform, it is often unknowingly agreeing to terms that allow client data to feed commercial AI systems. Most do not realize this is happening. Fewer still understand what it means in practice.
This vulnerability is compounded by power imbalance. A large technology company investigating a problem has engineers, legal teams, and regulatory relationships. A nonprofit with a staff of twelve does not. When the government benefits system a nonprofit helps clients navigate produces anomalous denials, when a child welfare algorithm generates suspicious referrals, when a grant distribution platform appears to be systematically disadvantaging certain organizations, the nonprofit lacks the resources to identify the algorithmic cause, the standing to demand an explanation, and the leverage to force a correction.
For marginalized communities, this matters profoundly. The populations nonprofits serve are already disproportionately represented in algorithmically managed systems. They navigate welfare benefits, food assistance, housing programs, child protective services, criminal justice systems, and healthcare. All of these are mediated by algorithms. When those algorithms are built on historical data that reflects decades of discriminatory enforcement and over policing, the result is not neutral. The system carries the bias forward, often with greater speed and reach than human decisions ever could.
AI systems have a property that makes them particularly dangerous in nonprofit settings. They amplify small errors. A marginal bias in how a needs assessment algorithm weights demographic characteristics can systematically underserve entire communities. A child welfare risk algorithm that uses poverty as a proxy for maltreatment risk will flag poor families more frequently than wealthy ones, not because poverty causes abuse, but because the algorithm learned from historical data in which poor families were surveyed and reported more intensively. The algorithm has turned the artifact of discriminatory enforcement into a statistical pattern, then deployed it as prediction.
Real examples illustrate the stakes. In Pennsylvania, a predictive algorithm used by the Allegheny County Department of Human Services was designed to identify children at risk of maltreatment. The system used call referral frequency as a proxy for risk. Researchers found that Black and biracial families were reported for abuse and neglect at roughly 3.5 times the rate of white families. The algorithm had no explicit racial variable. It did not need one. By using the proxy that correlated most strongly with maltreatment in the data, it reliably identified Black families as higher risk. The algorithm did not create discrimination. It distilled it, automated it, and deployed it at scale.
In the Netherlands, a government fraud detection system was trained to identify benefit cheaters. The algorithm flagged dual nationals and families with lower Dutch language proficiency at dramatically higher rates. Upon investigation, it became clear that poor language skills were not a predictor of fraud. They were a predictor of paperwork mistakes. The algorithm had collapsed genuine error and intentional fraud into a single category, then learned to flag anyone who made the kinds of mistakes that come from struggling with language. Tens of thousands of families were wrongly accused.
These are not theoretical problems. They are documented cases of algorithmic systems causing direct harm to vulnerable populations, often discovered only after the damage was already widespread.
The sensitivity problem is compounded by detection lag. Research from the RAND Corporation and similar institutions suggests that more than 80 percent of AI failures go undetected during testing and are discovered only after deployment, when they are already harming real people. For nonprofits relying on government systems or vendor platforms, this means the harm reaches clients before any flag is raised. The system continues operating, the bad decisions accumulate, and the organization lacks both the tools and the authority to demand answers.
This is where the framework shifts from diagnosis to action. Adaptive capacity is the variable organizations can influence right now. It is not primarily about technology or money. It is about building the institutions and practices that allow organizations to see problems, respond to them, and contest them rather than silently absorbing the harm.
In climate science, adaptive capacity is a precise inventory. It asks what infrastructure an organization has, what governance systems are in place, what institutional memory exists, and what capacity exists to reorganize when conditions change. Nonprofits can build the equivalent inventory for AI. The work begins now, in six concrete directions.
The work starts with a basic operational fact that most nonprofits lack. Every organization needs a clear map of which systems hold its client data, what those systems do with that data, whether AI features have been added or are planned, and what the terms of service actually say.
This is not optional due diligence. It is the foundation for everything else. An organization cannot protect what it does not know it has. The recommended approach is to schedule a full inventory across all software, including case management systems, donor databases, email platforms, communication tools, accounting software, and human resources systems. For each one, ask the same questions. Does it contain client data? Has AI been added to it? When was the last time anyone reviewed the privacy terms? Who in the organization is responsible for knowing the answer to these questions?
Many nonprofits will discover that this information is not centralized anywhere. That gap must be addressed first. Create a simple spreadsheet or database that lists every software system in use, what data each one touches, whether it processes AI, when contracts renew, and who manages the relationship. This inventory becomes the basis for every other decision.
Adaptive capacity requires people who can detect problems. This means program staff, not just information technology departments.
Benefits navigators work with welfare systems every day. They see when the same case gets denied repeatedly without explanation. Case managers interact with child welfare algorithms. They notice patterns, inconsistencies, and outputs that seem wrong. Housing counselors understand the housing market. They recognize when an algorithm’s recommendations are missing obvious context. These people are the distributed early warning system.
A nonprofit does not need to train staff to build algorithms. It needs to train staff to recognize when something has changed, when outputs seem systematically biased against certain clients, and when a system is producing results that violate the organization’s commitment to fairness.
In practice, this means basic training for frontline staff on how algorithms work, what they can and cannot do, what kinds of bias can hide in automated systems, and what to do when something seems wrong. This training should be mandatory for anyone who makes decisions affected by algorithmic systems or works with clients who encounter them.
It also means creating a clear pathway for staff to report concerns about an algorithmic system without fear of retaliation or dismissal. If a case manager notices a pattern and raises it, that observation should be taken seriously, investigated promptly, and connected directly to leadership.
Nonprofits should have clear written policies specifying how AI tools may and may not be used in decisions affecting the people they serve.
Such a policy should specify which decisions may never be delegated to an algorithm. In a housing nonprofit, decisions about eviction prevention or eligibility for emergency assistance require human judgment and community knowledge. These decisions matter too much to be left to algorithms alone. The policy should also require human review at defined thresholds. If an algorithm recommends something consequential, a person needs to understand why and be able to explain it.
The policy should establish clear processes for clients to contest automated decisions. If someone is denied a benefit, turned down for a housing program, or flagged by a welfare system because of an algorithmic score, they need a simple way to appeal it, have it reviewed by a human, and demand an explanation they can understand.
Nonprofits should commit to transparency. Clients should know what algorithmic systems affect their services. If an organization uses AI to make decisions about care, benefits, or program participation, that fact should be communicated clearly. It should not be buried in legal language.
These policies are not bureaucratic overhead. They are the institutional scaffolding of accountability. They codify what the organization believes and commit it publicly to acting on those beliefs.
Nonprofits currently purchase software under contracts that give vendors extraordinarily broad latitude to use client data for purposes far removed from the service they contracted for. This needs to change, and the change begins with contracts.
Before signing with any vendor, ask explicit questions. Will my data be used to train your AI models? Will it be shared with third parties? Can I audit your practices? If you breach my data, what happens? Can I delete all my data if we part ways, or am I locked in?
Most nonprofits will find these conversations difficult. Vendor contracts are written by corporate legal teams for corporate benefit. Small organizations lack leverage. This is where collective action becomes essential. Sector wide purchasing coalitions give smaller nonprofits bargaining power they do not have individually. When twenty nonprofits approach a vendor together, demanding data agreements that protect their clients, the vendor begins to listen.
Funders have leverage too. When grantmakers require grantees to meet minimum vendor accountability standards, compliance becomes part of doing business across the sector.
At a minimum, nonprofits should demand the following terms in every software contract. They need explicit language prohibiting the use of client data for model training without written consent. They need audit rights allowing them to review how their data is used. They need prompt breach notification if something goes wrong. And they need the ability to export or delete all their data when the relationship ends.
The most important early warning system for algorithmic harm is the community experiencing it. Structured feedback mechanisms allow organizations to detect problems as people encounter them, not after they surface in investigations or lawsuits.
This means regular listening sessions with clients specifically designed to understand their experience with algorithmic systems. It means client advisory structures where program participants sit at the table making decisions about technology. It means anonymous reporting channels where people can flag concerns without fear of retaliation. And it means taking that feedback seriously and investigating it thoroughly.
This is not creating new work. It is redirecting work that nonprofits should already be doing. The sector is supposed to center the voices of those it serves. Making that explicit about AI is alignment, not burden.
When clients describe a pattern of denials that started after a benefits system change, that is data. When they describe a housing algorithm that seems to be systematically excluding families from their neighborhood, that is a warning sign. When they describe feeling stereotyped or misjudged by an automated system, they are describing the lived experience of organizational algorithmic vulnerability in real time. The signals are available. Organizations need only the structures to receive them.
Individual organizations cannot solve systemic problems alone. Adaptive capacity at scale requires advocacy for the regulatory infrastructure that makes AI systems accountable to public interest.
Organizations that work on housing, health, immigration, or criminal justice are already advocating in spaces where AI is shaping outcomes. A housing nonprofit is already fighting for policy change in housing. An immigration legal organization is already engaged in advocacy. Making AI accountability explicit in those conversations is not a detour. It is the same work, just with sharper focus.
Advocacy objectives should include algorithmic impact assessments for government systems, data portability rights so that clients own their own information, meaningful consent requirements rather than buried clauses, and civil society representation in AI governance processes. The work is urgent because the systems are already deployed.
None of this requires inventing new concepts. Nonprofit leaders already understand accountability and governance. They already work with vulnerable populations. They already navigate complex regulations. Adaptive capacity simply applies those existing disciplines to the AI question.
The hard part is recognizing that this work is essential, not optional. The harder part is committing resources to it when budgets are constrained, missions are urgent, and there are always ten more pressing things to do.
The evidence is clear. Nonprofits that have started this work report a clearer understanding of their technology landscape, staff who are more confident in flagging problems, and leadership that sleeps better at night because they actually know what they are accountable for. The work pays for itself in reduced risk and clearer relationships with the communities served.
Start with the inventory. An organization cannot protect what it does not know it has. Once it knows what it has, it can make intentional choices about that information. It can negotiate with vendors. It can train its staff. It can build policies that actually reflect its values rather than merely accepting whatever the software company describes as standard practice.
The communities nonprofits serve did not choose to be inside algorithmic systems. They were placed there by decisions made by governments, platforms, and vendors operating at scales they cannot contest alone. But organizations can contest those decisions. When a nonprofit builds the capacity to see the problem, name it, and respond to it, it is no longer powerless. It becomes essential infrastructure for a more accountable AI ecosystem.
The equation is not complicated. Risk emerges from vulnerability and sensitivity, reduced by adaptive capacity. The hard part is having the honesty to measure all three and the courage to do something about each one.
That is how adaptation begins. Not as a technical overhaul, but as a series of deliberate choices about responsibility, transparency, and care in a system that is only becoming more complex.
Author: Samuel Osei-Amponsah
Comments
Curious if there are existing sector coalitions doing the vendor accountability work already, or if this is still mostly theoretical. Would hate to reinvent something that exists.
1 week agoThis is the framing I’ve been missing. We’ve been treating our AI vendor questions as IT compliance checkboxes when they’re actually mission-critical risk management. Forwarding this to our whole leadership team.
1 week agoWow, this is an interesting take on the impact of AI and non-profits!
1 week ago