← The Capability Edge
Edition29 June 2026· 6 min read

NGOs have the most to gain from AI, and the most to lose

I spent a good part of last week in a room with several NGOs, brought in to teach them AI. We got to the tools. But the question that kept surfacing was not how to write a better prompt. It was simpler and harder than th

I spent a good part of last week in a room with several NGOs, brought in to teach them AI. We got to the tools. But the question that kept surfacing was not how to write a better prompt. It was simpler and harder than that: once we put our data into one of these systems, who actually has it now? These are organisations holding some of the most sensitive information there is, about refugees, survivors, people in detention, and you could feel them weighing a trade they had not quite been given the words for. That is what I want to think about this week.

A few of the things I read last week:

  • 92% of nonprofits already use AI, but only 7% report a real gain in what their organisation can do, and 47% have no AI governance policy at all. (Virtuous & Fundraising.AI, 2026)
  • Two-thirds of international NGOs expect to strike a new partnership with a for-profit company in the months ahead, often for tools and money they cannot raise themselves. (The New Humanitarian, 2026)
  • In 2022 a cyber-attack on the Red Cross exposed data on 515,000 highly vulnerable people and forced it to shut down the programme that reunites families separated by war. (ICRC; Al Jazeera)
  • The UN's World Food Programme signed a five-year, $45m deal with Palantir in 2019; privacy groups warned the data it holds on 90 million people could be re-identified even with the names stripped out. (The New Humanitarian; Privacy International)
  • For a stretched nonprofit team, AI is saving an estimated 15 to 20 hours a week on admin. (Virtuous & Fundraising.AI, 2026)

The gain here is real. So is the price, and I am not sure we have been clear enough with these organisations about the second part.

The gain is real. So is the price.

Let me start with the gain, because it is not small and I do not want to wave it away. NGOs are time-poor and mission-rich. A team that gets 15 to 20 hours a week back from admin can put those hours into the people they exist to serve. For a small charity running on goodwill and too little money, that is a genuine change in what they can do, and I have watched it land in a room and lift everyone in it.

The price is quieter, and it is paid in something other than money. Most NGOs cannot fund their own infrastructure, so they run on donated cloud credits and free tiers from a handful of very large companies. That generosity is real and it keeps a lot of good work alive. But the same arrangement means the sector's most sensitive data, the records of who is fleeing what and who is hiding from whom, increasingly sits inside systems the organisation does not own and cannot fully see into. We talk about this as efficiency. We rarely talk about it as dependency, which is also what it is.

And the stakes are not abstract. When the Red Cross was breached in 2022, the data exposed belonged to 515,000 people separated from their families by conflict, disaster and migration, and the attack forced the programme reuniting those families to go dark. For a bank a breach is a cost. For an organisation holding the only record of where a missing child might be, it is the harm it exists to prevent. The more of that data we move into tools built and run elsewhere, the more of that risk we take on without quite deciding to.

Whose goals are these tools built for?

This is where I keep landing. An NGO and the company whose platform it leans on do not share the same goals, the same principles, or the same people to answer to. The World Food Programme's $45m deal with Palantir is the example everyone reaches for, and fairly: privacy groups pointed out that even data stripped of names can often be matched back to real people, and that tracking the movements of vulnerable populations is exactly the kind of power you do not want in the wrong hands. Several of the firms NGOs now depend on are also turning toward defence and war work. A platform answers to its shareholders. A humanitarian answers to the person in front of them, and to a duty to do no harm. Those are not the same duty, and the gap between them does not disappear because the tool is useful.

There is a fair argument on the other side, and the people I work with feel it keenly. When you are underfunded and stretched, sovereignty can sound like a luxury. Refuse the free, powerful tool and you serve fewer people, more slowly, while a colleague who said yes moves faster. Purism has a cost too, and it is paid by the people waiting for help. I take that seriously. But the answer is not to refuse the tools, and it is not to take them on trust either. It is to know what you are handing over, keep control of the parts that matter, and be able to walk away. The gain only counts if the people in your files are safer for it, not more exposed.

If you work in L&D, HR, or transformation

If you support a mission-driven organisation, I think this is ours to carry, and it does not look like a training problem, which is why it slips by. So a few plain things this week. Before you adopt anything, ask where the data lives and who can read it, and write the answer down. If you are one of the 47% with no AI governance policy, a short one beats none, and it can fit on a single page. Name a person who owns the beneficiary data, the way you would name someone to own a budget. And keep an exit: if a tool you depend on changed its terms or its owners tomorrow, could you leave with your data intact? None of this needs a big platform. It needs a few clear decisions made on purpose.

The provocation

So, the question I would leave you with is this. The hours AI gives back to a stretched NGO are real, and worth having. But if getting them means the records of the most vulnerable people you serve now sit somewhere you cannot see and cannot leave, what exactly have you won? Pick one dataset this week, the most sensitive one you hold, and find out where it actually goes when AI touches it. If you cannot answer that, that is the place to start.

Your move

See where your organisation actually stands.

The free VERIFY capability scan scores you across the six moves in ten minutes.

Get the playbook