AI & Ethics
Does my church need an AI policy?
If your staff or volunteers are already using AI, your church needs a short policy now. It doesn't have to be a legal document. One page covers it: which tools are approved, what member data is allowed in them, who can use what, and a rule that a person reviews anything AI produces before it reaches the congregation. Write it the day AI use starts, not after something goes sideways.
I pastor a church and I build software, so I watch this from both chairs. The honest reason most churches don't have a policy isn't carelessness. AI showed up in the building before anyone decided to let it in. A worship leader drafts an email with ChatGPT, an admin pastes the membership list somewhere to clean up formatting, and suddenly there are decisions being made one keystroke at a time with no one having made them on purpose.
When should a church write an AI policy?
Write it the moment AI use starts, not after a mistake forces the conversation. The trigger isn't your church's size or budget. It's the first time a staff member pastes member information into a chatbot or drafts a sermon with one. If that has already happened, and at most churches it has, you're past due, and the good news is that a starter policy takes an afternoon.
I'd skip the instinct to wait until you "understand AI better" before writing anything down. You don't need to be an expert to set boundaries any more than you needed to be an electrician to decide who has keys to the building. The people on your team are capable and well-meaning, and they're making these calls right now without anything to steer by. A page of clear expectations is a gift to them. It turns a hundred small private judgments into a few shared ones, which is most of what a policy is for.
There's real concern under this. In a study of 1,306 U.S. church leaders that Pushpay commissioned from Barna Group in late 2025, data privacy was the most common worry named, with 83% saying they were concerned about it. That number tells me pastors already feel the weight here. A policy is how you turn that instinct into something your team can actually follow on a Tuesday.
What should a church AI policy include?
A starter policy answers five questions in plain language: which tools are approved, what member data may go into them, who can use AI for what, who reviews the output, and how you vet a new tool before adopting it. You can write the whole thing on one page. The goal is a document your newest volunteer could read in two minutes and know what's expected.
Here's what each piece is doing and why it earns its spot.
| What the policy covers | The question it answers | Why it matters for a church |
|---|---|---|
| Approved tools | Which AI tools may we use? | A short approved list beats a long banned one. People reach for whatever's open in a browser tab unless you've named the safe options. |
| Member data rules | What information can go into AI, and what can't? | Giving records, prayer requests, pastoral notes, and anything about minors are the lines. General-purpose chatbots are not the place for any of it. |
| Who can use what | Which roles may use AI for which tasks? | A check-in volunteer drafting a team email is fine. The same person feeding the membership list into a tool is not. Roles make that obvious. |
| Human review | Who reads AI output before it's public? | Nothing AI writes reaches the congregation, a sermon, an email, a bulletin, without a person reading it first. This is the rule that prevents the embarrassing and the wrong. |
| Tool vetting | How do we check a new tool before adopting it? | One person owns the question "where does our data actually go?" before a tool touches member records. |
The member-data row is the one churches get wrong, because business AI policies don't account for what a church holds. A marketing firm worries about trade secrets. You're holding giving histories, the prayer request someone wrote on their worst week, and the names and photos of other people's children. That's a higher bar than most templates were written for, which is why a generic template gets you the skeleton but not the spine. If you want to go deeper on where the ethical lines sit, I wrote a companion piece on whether AI on member data is ethical or surveillance.
How do I write a starter AI policy for my church?
Build it in six steps, in order, and you'll have something usable the same day. Start by listing what's already happening, then set the rules around it, then assign one owner. Don't try to write the perfect policy. Write the one your team will actually read, and revise it as you learn.
- List what AI use is already happening. Ask your staff and key volunteers, with no judgment, what tools they're using and for what. You can't write rules for a reality you can't see, and this conversation alone surfaces most of the risk.
- Name your approved tools. Pick a small set of tools you're comfortable with and say those are the ones to use. A short yes-list is easier to follow than an endless no-list.
- Draw the member-data line. Write down plainly what congregant information may never go into a general AI tool: giving records, pastoral notes, prayer requests, anything about minors. Make it specific enough that nobody has to guess.
- Assign access by role. Decide who can use AI for what. Most churches keep member data, giving, and notes scoped to specific staff and out of everyone else's reach. Tie it to the roles you already have.
- Require a human in the loop. Make it a rule that a person reviews anything AI drafts before it reaches the congregation. The AI can write the first pass. A human ships it.
- Pick one owner and a review date. Name the person who vets new tools and revisits the policy, and set a date to look at it again. AI moves fast enough that a once-a-year glance keeps you honest.
That's the whole thing. You can hand it to your board as a one-pager and refine it from there. The point of writing it down isn't to bind people. It frees them from guessing.
Can volunteers use AI with church data?
Only under limits you set in advance. Most churches let volunteers use approved tools for their own tasks, like drafting a team email or summarizing a meeting, while keeping member data, giving records, and pastoral notes restricted to specific staff roles and out of general-purpose AI entirely. The dividing line is whose information is involved rather than whether the person is paid.
This is where role-based thinking does real work. A greeter writing a welcome message with an approved tool is using AI the way you'd want. That same greeter pasting the new-visitor list into a chatbot to "organize it" is the exact thing your policy exists to prevent, and the difference comes down to the data involved rather than who the volunteer is. When the rules are tied to roles people already understand, you don't have to relitigate it every time someone gets a clever idea. The structure decides for you.
This connects to a broader point about who handles what at your church. The same instinct that keeps you from overloading one volunteer across too many ministries applies to data access. Scope it to the role, and both the person and the information are better protected.
Is a free AI policy template enough for a church?
A template gives you a useful outline, but most are written for businesses and miss what makes a church a church. They cover intellectual property and brand voice. They don't cover giving records, prayer requests, pastoral notes, or the children who pass through your check-in line. Use a template for the structure, then add the rules that protect the things only a church holds.
The gap to close is the member-data section. A business template will tell you not to paste confidential company information into public AI. For a church, that single line needs to become specific: congregant data stays inside tools that keep it scoped to your church alone and never train an outside model on it. If a tool can't promise both of those things, your members' records don't belong in it. That one addition turns a generic document into something fit for the trust people place in you when they hand over their giving, their kids, and their prayers.
This is the one place I'll mention what I'm building. The reason I made Scout the way I did is that the safest AI policy is a tooling decision as much as a paperwork one. Scout reads participation across serving, giving, groups, forms, prayer, and check-ins, and it surfaces a change to a staff member who decides what to do. Each church's data is sealed off from every other church, access follows roles, and congregant data never trains a model. A good policy still matters. The easiest way to keep member data out of the wrong place is to give your team a tool that was built to hold it correctly in the first place.
Frequently asked questions
Does my church need an AI policy? If anyone on your staff or volunteer team is already using AI for sermons, comms, member data, or admin work, yes. You don't need a legal document. You need one page that says what tools are approved, what member data may go into them, who can use what, and that a person reviews anything AI produces before it reaches the congregation.
What should a church AI policy include? Cover five things: which tools are approved, what member data is allowed in them and what is off-limits, who on the team may use AI for what, the rule that a human reviews all AI output before it goes public, and how you vet a new tool before adopting it. One page is enough to start.
When should a church write an AI policy? Write it the moment AI use starts, not after something goes wrong. The trigger isn't church size, it's the first time a staff member pastes member information into a chatbot or drafts a sermon with one. If that has already happened at your church, you're past due, and a short policy is quick to stand up.
Can volunteers use AI with church data? Only under clear limits you set in advance. Most churches restrict member data, giving records, and pastoral notes to specific staff roles and keep that information out of general-purpose AI tools entirely. Volunteers can use approved tools for their own tasks, like drafting a team email, without touching anyone's private records.
Is a free AI policy template enough for a church? A template is a fine starting outline, but most are written for businesses and miss what makes a church different: giving records, prayer requests, pastoral notes, and minors at check-in. Take a template's structure, then add the rule that congregant data stays inside tools that keep it scoped to your church and never train on it.
Nic Moore is a pastor and the founder of Scout. I wrote my own church's AI rules on a single page before I'd let any tool near our giving records, and I keep that page short on purpose.