View Video

Subscribe to our Youtube Channel here

Listen to Podcast

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on AppleGoogleStitcher, Pandora, and more. Or ask your smart speaker.

Panel Discussion with Matt Eshleman, Steve Longenecker, Jennifer Huftalen, and Carolyn Woodard

Our experts answered your questions about where nonprofit tech is going next.

AI, Cybersecurity, Google Workspace v Microsoft Office, Gemini v Copilot or ChatGPT or another generative AI tool, AI agents, AI FOMO, data data data, safety and security of your staff, budgeting for and maintaining basic IT, not to mention fancy IT … anything else you want to know about?

We don’t have a crystal ball but we do know our way around nonprofit IT.
We’ll look back at the trends of 2025 and what we got right last January, and we’ll look ahead to make predictions for 2026.
The nonprofit tech roundtable is always one of our most popular webinars every year.

Download slides (4MB pdf)

Q&A continues on reddit at /r/NonprofitITManagement.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Presenters:

Matthew Eshleman

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here. Matt is happy to again be part of the nonprofit tech roundtable at Community IT and loves talking about cybersecurity and other trends.

Steve Longenecker


As Director of IT Consulting, Steve Longenecker divides his time at Community IT primarily between managing the company’s Projects Team and consulting with clients on IT planning. Steve brings a deep background in IT support and strategic IT management experience to his work with clients. His thoughtful and empathetic demeanor helps non-technical nonprofit leaders manage their IT projects and understand the Community IT partnership approach.

Steve also specializes in Information Architecture and migrations, implementations, file-sharing platforms, collaboration tools, and Google Workspace support. His knowledge of nonprofit budgeting and management styles make him an invaluable partner in technology projects.

Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts. He is a regular participant in the nonprofit tech roundtable at Community IT, drawing on his decades of experience interacting with clients on complex projects and IT management challenges.



Jennifer Huftalen


Jenny Huftalen has been providing Account Management services for Community IT’s partner organizations since 2007. Now as Director of Client Services, she is responsible for ensuring those partner organizations are receiving the right combination of IT support services that meet their organizational needs and goals.

Before joining Community IT, Jenny worked in a similar role for a best practice healthcare research and consulting firm. Jenny enjoys Community IT’s commitment to serving progressive organizations that are devoted to making a positive impact on their communities and the world at large. She earned a BA in political science from Union College, with minors in economics and history. She is joining the nonprofit tech roundtable for the first time, bringing her 18+ years of experience talking with thousands of nonprofits on what about IT keeps them up at night.



Carolyn Woodard


Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty-five years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. Every year she is thrilled to moderate this panel discussion nonprofit tech roundtable.





Full Transcript below

Reddit and chat and Q&A for Jan 2026 webinar

Resources mentioned in webinar:

AI Acceptable Use Template from Community IT:
https://communityit.com/template-acceptable-use-of-ai-tools-in-the-nonprofit-workplace/ 

Microsoft Roadmap links:

Identity:  https://learn.microsoft.com/en-us/entra/verified-id/ 

Hero Links: https://techcommunity.microsoft.com/blog/onedriveblog/simple-smart-and-secure-the-next-step-in-sharing-files-in-microsoft-365/4411655  

Google Roadmap links:

Calendar: https://workspaceupdates.googleblog.com/2025/08/pre-configured-appointment-booking-calendar.html 

Dropbox in Google: https://workspaceupdates.googleblog.com/2025/11/migrate-files-from-dropbox-to-google-drive.html 

Ransomware: https://workspaceupdates.googleblog.com/2025/09/ransomware-detection-file-restoration-google-drive.html 

Sharing expirations for folders in shared drive: https://workspaceupdates.googleblog.com/2025/11/set-sharing-expirations-files-and-folders.html 

Audience resources: 

A really interesting read from Microsoft AI CEO of Copilot data. Largest survey of conversations. Also gives you a window on what can be done with the data in these tools. https://microsoft.ai/?post_type=new  

Ai Driven Leader by Geoff Woods is a great book and talks a lot about what you shared Carolyn about using AI as your thought partner! 

Audience examples of how to share AI training/policy discussions:

“I gave an AI presentation to our leadership team with some ways to be curious and experiment, how to guide their teams to use AI wisely (human in the loop, etc), and how to live within the means of the acceptable use policy but move forward with a proactive implementation of AI. We shared ways we (the technology team) could implement some use cases like agents, etc. We went over some basic definitions too. AI slop is really good to talk about and how it can affect culture and the way we work with each other. So many great conversations!”

“We sent out a survey to everyone in the organization, asking a wide range of questions about how they’re currently using AI; hopes/dreams/concerns, etc. We got wide range of feedback, all of it helpful in gauging where we are at the moment.”

“Had to do a lot of retroactive training to remind folks not to just enter any and all data into AI, especially potentially sensitive or proprietary information”

“We are using Community IT’s template to help us create an acceptable use policy, but have reached out to staff and consultants with some basic guidelines while we finalize the policy.

AI questions from registration and the webinar chat/Q&A:

Q: How do we prevent AI notetaking software during Zoom calls and is it appropriate to have a policy against this technology?

A: There are configurations for this if you are the Admin for the Zoom account, or host of a meeting. If you are only participating in a meeting, your option is to tell the host you are uncomfortable with AI note-taking and ask them to stop it. The host has control – not participants – and ultimately, your “control” is to leave the meeting. I personally find AI note taking to be the area I find AI most valuable, so I’d vote against a policy prohibiting them, unless your meetings are specifically sensitive (social work zoom calls with at risk youth comes to mind).

Q: Generative AI hasn’t been super useful as it’s too formulaic. What improvements should we expect to see in the next few years?

A: Generic generative AI is certainly churning out slop right now – I think a couple of improvements we’ll see rapidly are a) the further rise of AI Agents – specialized and customizable AI tools that work on a part of your own data and do a specific thing for you. And b) I think we’ll continue to see a rise in AI consulting – either offered by the tool you are using that has integrated AI and is offering more customer service to get you to use it more – which will help the user experience by guiding you through it rather than leaving it to chance – or independent consultants/services that will offer to assist in creating the AI Agent or teaching the AI you have to help you better.

Q: How “private” are subscription AI options?

A: (answered live) I mostly use the heuristic that if it’s subscribed to with a company account, it is enterprise. If you buy it personally, I’d consider it public, but I’d give credit that at least you are buying it so we hope the business model is subscription based (not data selling based). Free personal services are the ones were we should probably assume your data is the revenue stream.

Q: How can non-profit IT integrate AI for case management? And, Is AI at a point to write a volunteer management program and if so, what is the best one to use?

A: My answer for using AI for case management or a volunteer program is going to be similar –

AI tools have so much promise. One of the most deceptive promises is that they are easy to implement and can do everything you want them to do, right away, with very little work on the part of the user.

A better way to think about AI tools is as with any other IT selection. You will need change management throughout the process. You will need leadership involvement and leadership leading. You will need to prioritize the time and staff energy to make the switch. And then you will need to do your research, experiment, do pilot programs, engage everyone who will be impacted, do training, roll out the new tool (which just happens to be an AI), do more training, take feedback, maybe re-iterate or tweak the process, the tool, the inputs, the training …

Our advice would be to network with other nonprofits who do case management or manage volunteer programs, see what they are doing with AI that works, what their experience has been. As always, talk to your funders! Have they seen an organization successfully implement an AI tool to do what you are trying to do? Lots of folks in nonprofits and philanthropy are really excited about a lot of these AI use cases, and eager to talk about them. So I guess that is also our advice, is AI implementation shouldn’t sit only with your IT team. You are going to get better outcomes if you really involve the people doing the thing, and if IT is assisting those people to use that AI safely and effectively.

Q: Do paid plan versions of Claude include extra security?

A: I’d check the terms of service (or ask an AI to check the terms of service – maybe more than one given AI is NOT a lawyer). I don’t know off the top of my head, but I’d be optimistic that it does.

File management and SharePoint questions from registration/audience:

Q: We’re interested to learn how other nonprofits approach digital file/asset management and cybersecurity for a small organization.

Q: Best practices for SharePoint structure in the world of Copilot 365 and avoiding oversharing with a distributed governance model?

A: The small organizations that Community IT works with mostly just use their main productivity platform’s regular file repository (Microsoft 365 SharePoint, Google Workspace Shared Drives) and use traditional folder hierarchies to organize files. The most organized nonprofits have some top-down organization-imposed folder structure (you need to save that kind of file HERE, not THERE) as well as a top-down organization-imposed naming convention for file and folder names. We see more sophisticated Digital Asset Management (DAM) systems at some of our larger clients, but it’s not common. FWIW – AI is making finding digital files/assets easier, even when they are disorganized, so in some ways the penalty for lack of organization is diminishing.

Q: I’ve found that it’s not clear how you transition from the Microsoft free business premium to the paid licenses in advance– can you give guidance on that?

A: It’s all handled through the license assignment. You can do it manually through the admin portal, or if you have larger groups you can do license assignments that way. The main difference will be the availability of desktop office software.

Cybersecurity questions from registration/Q&A in the webinar:

Q: What are the top 3 things that a small nonprofit needs to do for security?

A: Top three items for security would be

– IT Policy Foundation (Acceptable Use, Backup & DR Plan, Incident Response, AI Adoption)

– Security Awareness Training

– Implement Phish Resistant MFA for everyone

Q: When comparing between different SSO services for a Microsoft 365 org. do you lean towards MS or okta/duo external options.

A: For SSO services we typically use EntraID if an organization is already in Microsoft 365. Third party SSO solutions like OKTA or Duo or OneLogin can be helpful if there are more sophisticated requirements such as integrating a public facing directory for a public facing web platform or knitting together multiple M365 & Google Workspace tenants.

Q: Are physical keys the only form of phishing-resistant MFA? Not sure if our team is ready to adopt physical keys as a mandated requirement quite yet, but we have authenticator apps fully adopted at the moment.

A: Physical keys are nice because you can just provide them to staff without asking them to install an app on their personal phone. Yubico has a donation program for non-profits https://www.yubico.com/why-yubico/secure-it-forward/

Microsoft has enabled “Passkey”support in Microsoft Authenticator, which is pretty easy to setup and manage: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS

General Nonprofit IT management questions from registration/audience questions:

Q: Can we be assisted with trainings?

A: Community IT does trainings for our own MSP clients but as a company we don’t have a training program. My suggestion would be to talk to your funder about your IT training needs, often funders can help or can connect you to other grantees who may have suggestions/recommendations. Check with local community colleges about tech training, and also check the free online trainings and knowledgebase available from Microsoft and Google to help customers use their tools better. I can also recommend The Human Stack online training on better managing nonprofit IT and on AI tools. The trainings are affordable and can help up-skill your team in very positive ways. https://thehumanstack.com Tech Soup has free or affordable trainings too: https://www.techsoup.org

Q: Please assume a no knowledge starting base!

A: of course! We try to meet everyone where you are at.

Q: Where does a small 501 (c) 3 nonprofit start?

A: If you mean regarding IT, looking through our free resources and attending webinars is a good start!

I know it is hard to build up an IT roadmap and priorities but it is really essential, and we have a great webinar on how to do it – it will be unique to your nonprofit so try https://communityit.com/video-design-an-it-roadmap-to-create-value/

I want to say – don’t feel like you can’t do this if you don’t have a technical background. Managing IT is like managing anything else, you find trusted helpers and get advice and then you manage it. For HR you might have to talk to a lawyer for stuff you don’t know about, for IT you might have to talk to a provider or consultant – the key is, you are the manager and you can do it! Your nonprofit is probably tackling harder and more intractable challenges in the mission you follow! IT is just hard bc it is intimidating and because some IT providers kind of make it more intimidating than it should be by using lots of jargon.

Other resources you can turn to as a small nonprofit – ask your board and your funders for help. Clearly outline where your IT challenges are. Do you need more skills internally? Prioritize training and apply for classes and certificates! Do you need a more reliable budget? Try putting in place a device management policy – replace 1/4 of your laptops every year so that none of them are more than 4 years old and they can all get all the security updates! Do you worry about security because of the work you are doing? Staff training, putting phish-proof MFA and a data retention policy in place and complying with it could be your priorities.

Q: What tools are best practice for a nonprofit that has a low budget for IT?

A: Having a low budget for IT as a nonprofit is the norm, not the exception! We’re working as a sector to change that, but unfortunately, it is the case that many nonprofits have the double punch of not having a high budget and not having a lot of tech savvy staff. Which is not a criticism – you probably have staff who are amazing at seeing a challenge in your community, fundraising, grant writing, networking, working tirelessly in the community – all the things that make a nonprofit run. It is kind of unreasonable to expect community organizers to ALSO be tech-whizzes too!

Our best practices are:

Use trusted, reliable, and well-known technologies, like Microsoft or Google, and all your other apps and tools like a CRM or productivity tool should be standard and well-used technologies. This protects your organization and gives you options of support. Customized solutions can really lock you in to higher costs and frustrations.

Secure your devices: own and manage your computers and devices, establish a replacement policy (we recommend replacing 1/4 of laptops every year so none is more than 4 years old)

Secure your accounts: train staff, use phish-proof log in authentication, and monitor accounts and licenses (don’t set it and forget it)

Secure your data: have backup and recovery, manage permissions and logins, and officially onboard and off board staff to protect accounts.

IT Governance policies are essential. Along with your employee handbook, acceptable use policies protect your organization and your staff.

Q: How can one get 365 help without having to be a full on MSP client? Is there hourly help anywhere?

A: A really good aspect of using the Microsoft 365 stack as a nonprofit – and one reason why we recommend using a well-established IT stack – is that there are lots of consultants and providers who can help with Office 365.

After decades of working with IT in nonprofits, I don’t recommend relying on a volunteer. Your IT will be better managed and your outcomes will be much better if you commit to paying for 365 help so that it will be consistent and have accountability.

If you are part of a local nonprofit network, ask around. Maybe there are other organizations that also need this help, and if you go in on a local consultant together that person would have enough hours that they’d take the job. Ask your funders who their other grantees use. You can also ask Tech Soup, and NTEN has local groups, so you might be able to find a part time IT support person in one of those locations. Keep asking! The more people know you are looking the better chance someone will make an awesome referral and get you the part time help you need! NTEN: https://www.nten.org

Full Transcript

Carolyn Woodard: 

Thank you everyone for joining us. We will keep letting people come into the room, but I am going to go ahead and get started because we have so much to cover today. I want to say in advance that we are not going to be able to cover everything. Welcome everyone to the Community IT Innovators webinar, the Nonprofit Tech Roundtable. It is one of our most popular webinars every year. We have a panel of our senior staff here today to talk about essential trends in nonprofit tech and what that means for nonprofits.

My name is Carolyn Woodard. I am the outreach director for Community IT and the moderator today. I am very happy to hear from our experts, but first I want to go over our learning objectives. We are going to discuss several themes today with our experts. We know nonprofits are always facing challenges, and some feel more challenging and stressful than others. There are a lot of other venues for talking about politics at the moment, funding issues, and policy changes. Today we want to acknowledge all of those challenges that are occurring. Taking that into account, we are going to move right into talking about IT and whether we can help you weather some of these storms with well-managed IT.

Today our learning objectives are to talk about what you need to know about AI as these tools become more integrated into our workplaces, how they are impacting nonprofits, and what the best practices are around using AI at nonprofits. We are going to learn about new cybersecurity attacks and prevention. We will also learn about Google Workspace and Office 365 updates and what to look for in 2026. I am happy to welcome Jennifer Huftalen to her first January roundtable. I am looking forward to hearing her weigh in with her view from hundreds of clients and prospective clients on what they are worried about in 2026 and what trends she is seeing. Now I would like to let my colleagues around our roundtable introduce themselves. Matt, would you like to go first?

Matthew Eshleman:

Great. Thank you. It is good to be here. I am not sure how many of these I have done, but I always enjoy the conversation and talking about what to expect in 2026. I actually joined as a full-time employee back in 2002, so this is my anniversary month at Community IT. Having spent 24 years here, I have definitely seen technology change, evolve, and grow over my career. I am looking forward to the conversation today. I will turn it over to Steve to introduce himself.

Steve Longenecker:

Sure. I am Steve Longenecker, the director of IT Consulting at Community IT. I have also been part of this particular webinar for many years now, and it is a fun one. I will take Matt’s cue and say that I have been at Community IT for a long time as well. I would also like to take a moment to brag about my son. He is graduating from Emory University this spring. I remember delaying my start date at Community IT because his birth was imminent and I wanted to have a few weeks at home while he was a newborn. I started about a month after he was born, and now he is graduating from college. It is unbelievable.

Carolyn Woodard:

That is amazing. Congratulations, Steve, and congratulations to your son.

Steve Longenecker:

Thank you. Jenny, do you want to go next?

Jennifer Huftalen:

Yes, sure thing. Thanks, Steve. I am Jennifer Huftalen, the director of client services at Community IT. I have been with the organization for 18 years, so I am a bit of a first-time participant but long-time listener. I have listened to many of these webinars and enjoyed working with my esteemed colleagues here over the years. I have had conversations with hundreds of organizations, both current and prospective clients, and I am really excited to be part of this discussion today.

Carolyn Woodard:

Before we begin, if you are not familiar with Community IT, I will tell you a little bit about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support exclusively to nonprofit organizations. Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for nonprofits. We serve nonprofits across the United States. This year marks our 25th anniversary as a company. We are technology experts and are consistently given the MSP 501 recognition for being a top managed services provider, an honor we received again in 2025. We believe we are the only MSP on the list serving nonprofits exclusively.

I want to remind everyone that for these presentations, Community IT is vendor-agnostic. We only make recommendations to our clients based on their specific business needs. We never try to place a client into a product because we get an incentive or benefit from it. However, we do consider ourselves a best-of-breed provider. It is our job to know the landscape and which tools are available, reputable, and widely used. We make recommendations based on business needs, priorities, and budget.

I am going to start with a poll, which we like to do. The question is: Do you have AI policies at your nonprofit?

The options are:

  1. I do not think so / Not sure.
  2. We are in the process of creating policies.
  3. Yes, our organization has created an AI acceptable use policy and our staff understand it.
  4. Not available.

I am going to put a link in the chat to our AI Acceptable Use Policy template, which you can download from our site. You can also find it through a search or use AI to help generate a policy. It looks like we have a great response. I am going to end the poll and share the results with you. Steve, can you see that?

Steve Longenecker:

I can see it, yes.

Carolyn Woodard:

Would you tell us about the results?

Steve Longenecker:

Sure. We had 48 responses. 19% said they do not think they have a policy. About half, 22 out of 48, said they are in the process of creating policies. 21% said that they have an AI acceptable use policy and that their staff use it. Finally, seven people said it did not apply to them.

Carolyn Woodard:

Great. I would say that tracks with what we are seeing. Jenny, do you want to weigh in? I think many nonprofits are aware that they need to have AI policies, but it is a journey getting there.

Jennifer Huftalen:

Yes, I think that is right. The majority of conversations I have been having involve organizations that are aware AI exists and know they should look into it. They know some staff are using certain tools and they want to find the time to make that an initiative, but they are not sure where to start. Many of the people I talk to are stressed because they know they should have a sense of what is going on with AI.

For the most part, I cannot say I have had many conversations with organizations that have it completely figured out. That may provide some peace of mind for those of you in the process or who are unsure. I think nobody has laid it out perfectly yet, but now is the time to start thinking about it.

Carolyn Woodard:

Even if you have a one-page document that seems vague, that is better than not having discussed it at all. Do not let the perfect be the enemy of the good. If you are having those conversations, elevating them to the board level, and putting together principles even if they are not yet full policies, that is very helpful.

We want to move on to talk about AI and nonprofits. These are talking points that come up consistently at Community IT with our clients, at conferences, and in everything we are reading. I wanted to go over them quickly and then start a discussion with our experts.

The number one thing we are hearing is to match the tools to your needs instead of finding a tool that sounds good and matching your needs to it. Start with your needs. What do you need to have automated? What is a repetitive task that could be done better by a non-human? Then find a tool that fits that need.

Beware of public tools. We hear this over and over, but try to use enterprise AI tools instead of public ones.

Have a human as the last editor. Just as you would not take an assistant’s work and put it on your website without checking it, make sure your policies require a human as the final editor on anything produced with AI.

Have a policy. As I said, a one-page philosophy is better than nothing. Use it as a starting point for conversations. This is an iterative process. A policy made six months ago may not be adequate given the pace at which AI is changing.

Be aware that AI is adding tools to the software you already have. Finally, take training seriously and commit to upscaling yourself and your staff. We believe nonprofits that become familiar and comfortable with AI will be more effective and productive, and funders will likely be interested in that progress as well.

What does this mean for your nonprofit? If you have thoughts, please put them in the chat. What are you doing with AI? What does it mean to you? Thank you to everyone sharing that they are creating policies using our template or others. Now I want to turn it over to our experts. Steve, Matt, and Jenny, do you have thoughts on AI and nonprofits? Matt, let’s start with the cybersecurity angle.

Matthew Eshleman:

From the cybersecurity perspective, organizations have a primary concern about the integrity and confidentiality of the data they hold regarding constituents, staff, and board members. Even if you do not have a formal AI adoption strategy or do not know where to start, the good news is that you can start by identifying and securing the data you already have.

Many of these AI tools have policies and permissions that follow the users to whom they are assigned. Even if you are not quite sure how a user might use these new tools, you can identify where your sensitive data is and ensure you have the right permission structure in place. When a license is assigned to a user and that AI tool begins to discover information it has access to, it will only access what it is supposed to.

You can start there even if you are not sure which tool to use. By understanding your organization’s data better—who has access and where it lives—you can get that work done regardless of the AI tool you end up adopting.

Carolyn Woodard:

I feel like for my entire career in nonprofits, people have been trying to find an easy, quick way to organize their data and share files efficiently. AI is not quite there yet. You really need to know what the permissions are. AI tools might help with the organization, but a person knows the organization and its files better than anyone. You need to be in charge of it.

Matthew Eshleman:

I would also highlight the point about matching tools to needs. AI is a powerful tool, so it is important for organizations to understand exactly what they are asking AI to do. There are stories of people using AI to code an entirely new CRM system just because they can, but just because you can does not mean you should.

While this technology is powerful, the “boring” aspects like governance, management, reporting, and interoperability still need to take precedence. Be clear about the problem you are trying to solve. You might need an AI tool, or you might just need a planning meeting to restructure your SharePoint environment.

AI capabilities are changing so fast that what you decide today will be different in three months. As an organization, you should figure out your pain points and determine if they require a technology fix or a change in process.

Carolyn Woodard:

Jenny, do you have any tales from the trenches?

Jennifer Huftalen:

Yes, I have seen a few places where people have had success. As Matt said, it is about understanding the problem you are trying to solve. The technology may change, but your mission does not. Ensuring you are aware of your weak points is an organizational structure issue that AI cannot fix for you.

Having good governance, understanding who makes final decisions, and having clarity on which data sets you are inputting makes a big difference in how effective these tools are. I have also heard from those who have had success by engaging key stakeholders and staff members who may be nervous. Because it is so new, there is a lot of discussion about AI replacing people, and staff can be fearful.

Investing in working directly with your staff and keeping them informed about the big-picture problems is essential. Ask them for feedback on their daily pain points that a tool might fix. This helps you use AI to enhance their work rather than replace it. This also means keeping a human involved, being careful with information, and maintaining accountability for how the tool is used.

Steve Longenecker:

I will just riff on that, if you do not mind.

Carolyn Woodard:

Go for it.

Steve Longenecker:

I want to piggyback on what Jenny said about using your staff as resources. This is changing so fast that what is out this month is newer than what was available in October. It is not as simple as signing up for a standard training program.

The way to adopt this efficiently is to have discussion groups and pilot user groups where people share how they are making AI effective, safe, and compliant with governance.

I also want to react to a comment in the chat from Sarah, who mentioned that the attorneys at their organization use AI quite a bit. I live in Washington, DC, and many of my friends are attorneys. They swear that it is going to cause problems for young attorneys who were previously trained by summarizing case law. Now, a lead attorney can ask AI to do that, and it is apparently done better.

However, Sarah also noted that they currently do not allow AI for anyone other than the attorneys. That might be a reasonable decision, but my concern is that AI is one of the biggest risks for shadow IT. You cannot keep it in a box. If an HR person is trying to filter a hundred resumes for five intern spots, it is very tempting to upload those resumes into a public AI tool to find the top ten. While it is a huge time saver, there are concerns about data privacy and potential discrimination based on cues a human might notice but an AI would not.

My biggest concern is that by using a public tool, that data is no longer private. I strongly urge organizations trying to curb AI use to emphasize this risk and consider providing trusted, paid-for AI tools sooner rather than later. Even if it is a cost you are unsure of, people are going to use AI, and stopping them completely is going to be very difficult.

Carolyn Woodard:

I have heard someone say their AI policy is simply that no one is allowed to use it. However, if you look at the logs, you will likely find people are using ChatGPT anyway. You cannot keep that genie in the bottle. Furthermore, students coming out of college will be using AI for much of their work. A draconian policy might cut you off from that talent and efficiency. Having an ongoing conversation as it evolves is the most important thing.

Steve Longenecker:

Dorothy, I would say Microsoft Copilot and Gemini are both good paid tools. Miriam, regarding free tools, you have to question the business model. If you are not paying for the subscription, they are likely making money off your data. You should be very careful with free tools. Matt, do you want to add to that?

Carolyn Woodard:

I am going to turn it over to Matt for our segment on cybersecurity. Matt, please go ahead.

Matthew Eshleman:

Bridging that connection, for anyone with a Microsoft 365 subscription, if you go to https://www.google.com/search?q=copilot.microsoft.com and sign in with your Entra-ID credentials, you get a free protected version of the ChatGPT model even if you have not paid for specific Copilot licensing. The data and prompts you use are protected by Microsoft’s governance and are not used to train their models. That is a good way to start using these tools safely.

As Steve and Carolyn mentioned, a hard prohibition is very difficult to enforce. Some organizations are now authorizing five specific tools and blocking everything else.

On the cybersecurity side, bad actors are using these tools to write more effective, engaging phishing emails. We are seeing a steady increase in the sophistication of these targeted emails. In the past, we relied on misspellings or poor grammar as clues, but those are disappearing because hackers can use AI to craft professional copy. This is helping attackers work faster.

Fortunately, hackers are not necessarily using AI to create entirely new attack methods yet; they are just doing what they have always done, but better and faster. This current state will likely change as models gain more autonomy over the next few months.

Regarding incident data from 2025 across the 200 clients and 8,000 staff members we support, spam and phishing continue to increase because they are cheap and effective. However, there were bright spots. The number of compromised accounts we responded to dropped compared to the previous year. This is likely due to better training, as more staff are using our formal cybersecurity training platform. Technology alone will not solve these problems; engaged staff members are essential.

Additionally, legal actions by Microsoft’s digital crimes unit and the NGO ISAC resulted in the takedown of infrastructure used to steal identities. On the other hand, we saw an increase in virus activity detected by our endpoint security tools. This might be an example of threat actors using AI to write malicious scripts more efficiently.

We are also seeing more compliance requirements from funders. While this feels like overhead, it pushes organizations to adopt better frameworks. We are also updating our guidance on multi-factor authentication. While you still need MFA, we now recommend phish-resistant MFA, such as Windows Hello, platform SSO on Mac, FIDO keys, or Microsoft Authenticator passkeys. These methods tie your session to your specific device so it cannot be stolen and used elsewhere.

The most common attack remains a phishing email designed to get a user to interact with a document so the attacker can steal their identity and money. This supports our recommendation to invest in security tools, educate staff, and use technology that can identify and block suspicious logins to prevent damage before it occurs.

Carolyn Woodard:

We have many cybersecurity resources on our website, including past webinars, blogs, and templates. I also want to mention that on February 25th, Matt will be back for a webinar on using AI securely. In April, we will release our annual report on the incidents we see across our thousands of users. Thank you, Matt, for the update.

I would be happy to finalize the second half of this project for you. I have applied the same level of polishing: removing all time stamps, cleaning up filler words and stutters, and updating informal phrasing like “gonna” to “going to” to maintain a professional standard for your nonprofit audience.

I wanted to do another poll. How are you feeling about your nonprofit on a scale of one to five? One represents “everything is on fire all the time,” like the “This is fine” dog meme, and five means your nonprofit seems to be handling this era pretty well. This is completely anonymous; we will not be able to see exactly how you feel about your organization.

We know there is a range. Some nonprofits are really struggling, while others are taking this moment to readdress their fundamentals. IT fundamentals are something you can certainly put effort into right now. We also want to make sure everyone is taking care of their mental health and de-stressing. Please enter your responses, and we will see what we can do to help you feel that you are not alone in this. I am going to end the poll now. Jenny, can you see the results?

Jennifer Huftalen:

Yes, I sure can.

Carolyn Woodard:

How does this track with you?

Jennifer Huftalen:

It looks like we have one person who feels like things are on fire. Thank you for being honest about that—you are in the right place. You are doing something today by being here, which is great. Another person gave it a two. Most people are in the middle; 41% chose a three. 29% are at a four, which is great to see, and 17% gave themselves a five, meaning they are handling this change very well.

This distribution is similar to what we hear when prospective clients call us. Often, they are doing a few things right but realize they “don’t know what they don’t know.” They feel they need extra guidance to continue moving forward. The good news is that just starting—by attending a webinar like this—goes a long way. Sometimes we get paralyzed when we are afraid of a topic. Cybersecurity can feel overwhelming. If you are an expert in nonprofit operations rather than technology, we would not expect you to know the answer to all of these things. However, asking these questions and understanding the fundamentals—like checking where MFA is installed on critical platforms—can significantly protect your systems.

Carolyn Woodard:

That looks great. Thank you for helping us reassure everyone. Someone in the chat mentioned that a year ago, they would have answered very differently. We are all navigating this together. At Community IT, we often say that while external factors change, the fundamentals do not. Focusing on those fundamentals goes a long way toward preventing attacks and preparing for change.

I want to take a bit of a right turn here. We are going to talk with Steve in more detail about some of the tools we are using, specifically Microsoft 365. Steve, you have some thoughts on where Microsoft is investing.

Steve Longenecker:

Yes, and this is interesting because I asked Copilot where Microsoft is investing. You can see the prompt at the bottom of the slide. I directed Copilot to the Microsoft 365 roadmap. It provided this graph, but it added a sophisticated, nuanced point: we are only evaluating the number of roadmap entries. Some products might get four entries for a minor improvement, whereas another single entry might represent a massive investment. You cannot necessarily judge investment levels solely by the number of entries.

Obviously, Copilot is getting a lot of investment, and Teams is not far behind. I would not have expected this myself, but once I thought about it, it made sense that Microsoft Purview is high on the list. Purview is Microsoft’s platform for governance, data retention, and data loss protection. With AI being able to find data anywhere, organizations want more protection, and Microsoft is responding to that.

On the next slide, I want to flag a change regarding Microsoft 365. It is notable that Microsoft is asking nonprofits to pay more for their services than they used to. The pricing is still incredibly generous, and we should not lose sight of that even if we get frustrated when features change.

The most important change for smaller nonprofits is that in July of last year, Microsoft stopped providing the ten free Microsoft 365 Business Premium licenses. This did not happen for everyone on July 1st; rather, it takes effect on each organization’s individual anniversary date. When that date occurs, Microsoft will not renew the free grant. Organizations will need to purchase discounted Business Premium licenses, which are still very affordable at approximately $36 to $72 per year.

We are seeing clients receive these notices now. If you do not notice the change and the subscription does not renew, staff assigned to those licenses could suddenly lose email services. If that happens, you would just need to buy the discounted licenses and reassign them. As long as you do it within 30 days, no data is lost, though there would be a service interruption. We encourage our clients to pay annually rather than monthly to simplify credit card reconciliation. It is a trend: it is becoming a bit more expensive to be a Microsoft customer as a nonprofit.

Carolyn Woodard:

I will share the slides on the website so you can look at the roadmap in more detail later.

Steve Longenecker:

As I was rummaging through the roadmap myself, I noticed that identity work is becoming more foundational. At the end of the day, how do you really prove who you are in a cyber world? There are efforts to interface with government entities as a source of truth, but it remains a challenge. If you lose your physical key fob and you are a small nonprofit, you can call someone you know to get a new one. In a large enterprise, that is a significant hurdle.

Regarding Google, my summary is that they are also investing heavily, but they are primarily focused on AI and Gemini. Gemini is a state-of-the-art model. If you are a Google customer and you want to use AI, you should probably start with Gemini. It is a great model and a relatively safe place to build your team’s skills because, within Google Workspace, Google does not sell your data. If you use Gemini as a consumer with a personal account, those protections do not apply.

Otherwise, investment in the rest of the Workspace platform has slowed slightly. However, they have improved their native migration tools, including a Beta for migrating Dropbox to Google Drive. If you are paying for Dropbox, you might be able to save money by moving those files into Google Drive. I also want to highlight that Google updated their appointment scheduling tool, which is similar to Microsoft Bookings. If you are trying to find time to meet with others, this is a great tool.

Carolyn Woodard:

Thank you, Steve. There is so much to cover. I want to reassure everyone asking questions in the chat and Q&A that I will add those answers to the transcript on the website. Now, let’s move to some Q&A.

Rich asked for examples of how nonprofits use paid versions of Copilot and Gemini. I personally use Gemini through our enterprise account. I especially like “Gems,” which allow you to set a specific persona. You do not have to repeat your prompt every time; it remembers that we are a nonprofit IT company with a specific audience. Does anyone else want to weigh in?

Steve Longenecker:

It is very good at summarizing documents and drafting content. Jenny and I were recently drafting a security notification for clients. I wrote a draft and sent it to leadership. Jenny sent it back an hour later with changes that made it much better. When I complimented her, she admitted she used Copilot to polish it. It is excellent for getting started or refining a draft.

Some tools have a reputation for being poor at generating slide decks, but if you give Gemini or Claude a Word document or a PDF and ask for a 20-slide deck, it gives you a much better starting point than a blank screen.

Carolyn Woodard:

I have also heard of people using it for Socratic questioning. You can ask the AI to question you about your goals for a document, which helps you become a better writer.

Jennifer Huftalen:

I would echo that. It is very good at taking a message and breaking it down. You can ask it to be more concise, friendlier, or to use a lighter touch. However, I should mention a cautionary tale. A friend of mine asked an AI for references, and two of the four were completely made up. When challenged, the AI admitted the error. Even with these great tools, a human must verify the information before it goes out to your constituents.

Carolyn Woodard:

Community IT has started a midweek podcast with short segments on AI every Tuesday. If you have use cases or news to share, please send them our way.

We have time for one more quick question regarding SharePoint structures and avoiding oversharing. Steve, how do we briefly handle file organization?

Steve Longenecker:

In the past, if a library was restricted to the Finance department, it was considered secure. However, if a staff member shared a subfolder using an “Everyone” link, anyone in the organization who found that link could access it. Copilot is very good at finding those files. If a user asks a question, Copilot may surface a document from that “hidden” subfolder because the permissions technically allow it.

To fix this, you must change your practices. Do not use “Everyone” links unless you truly mean it. You can use tools to list and examine your problem areas—usually Finance, HR, or Leadership libraries. There is no shortcut; you have to examine those situations before making that data available to Copilot or Gemini.

Carolyn Woodard:

We are going to continue this conversation on Reddit at r/nonprofitITmanagement. To wrap up, we covered AI basics, cybersecurity updates, and Google/Microsoft changes. Most importantly, we want you to understand that other nonprofits are worrying about the same things you are. You are not alone.

Matt will be back next month, on February 25th, to discuss how to use AI tools safely. We will go into more depth about the difference between public tools and private enterprise tools. Please don’t forget to take our survey as you exit for a chance to win a $25 gift certificate. Thank you, Jenny, Steve, and Matt for sharing your expertise.

As advocates for using technology transparently to work smarter, we’re practicing what we recommend. This transcript was edited lightly with the assistance of AI for clarity, and is not a verbatim transcript. The content was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.

Photo by Nellie Adamyan on Unsplash