Your Progressive Ministry
Needs a Church AI Policy
— Here's How to Build One
That Reflects Your Values

When church leaders search for an AI policy, most of what they find are templates written for businesses, law firms, or nonprofits — documents that address data privacy and copyright but say nothing about pastoral care, sermon integrity, or children's safeguarding. Swapping in the word "congregation" for "customer" doesn't fix the problem.

A church AI policy has to do something a corporate policy never needs to: it has to answer theological questions alongside legal ones. Why are we doing this? What can AI never do that humans made in God's image uniquely can? Where does pastoral presence begin and AI assistance end?

It also has to address ministry contexts that have no corporate equivalent — the confidentiality of a counseling session, the spiritual authority of the sermon, the vulnerability of children in a faith formation setting, the trust a congregation places in its leaders. These are not edge cases to be mentioned in a footnote. They are the heart of why the church needs its own framework.

The most effective church AI policies we've studied share a common structure: a theological foundation that establishes the "why," a governance framework that names who is responsible, a data classification system that tells staff what they can and cannot do, and use-case-specific rules for each ministry area where AI is actually being used.

Let's walk through each one.

The strongest church AI policies begin not with a list of approved tools but with a theological statement about what AI is and what it is not. This matters for two reasons. First, it grounds the policy in your church's existing values rather than making it feel like an imported corporate document. Second, it gives your staff and volunteers the "why" behind every rule — which dramatically improves compliance.

The theological foundation of any Christian AI policy should address at least three convictions:

Imago Dei — Every person has dignity AI cannot replicate

Genesis 1:27 establishes that every human being is made in the image of God. This is not a pious preface to a policy — it is the operating principle. It means that no AI system can replace the worth of the people we serve, and no AI tool can substitute for the presence of a human minister who shares in that image. AI can draft a message; it cannot mourn with those who mourn. It can research a passage; it cannot be led by the Spirit as it opens the Word.

Stewardship — Tools are entrusted to us, not given to us unconditionally

Genesis 2:15 calls us to cultivate and keep what God has entrusted to us. That stewardship extends to technology. A church that uses AI carelessly — exposing member data, distributing unverified content, or bypassing the human judgment that belongs at the center of ministry — is not stewarding its tools well. A policy is an act of stewardship.

Truth-telling — We verify before we proclaim

AI tools hallucinate. That is the technical term for when an AI model produces confident, plausible, completely false information. In one documented case, an AI tool fabricated six non-existent quotations attributed to the Puritan theologian John Owen. Churches that distribute AI-generated content without verification are at risk of teaching error, misattributing quotations, and citing research that does not exist. The Christian commitment to truth — "test everything carefully" (1 Thessalonians 5:21) — is not optional when it comes to AI outputs.

Theological resources: The Vatican's Antiqua et Nova (2025), the ERLC's Evangelical Statement of Principles on AI (2019), and the Rome Call for AI Ethics offer rich theological frameworks churches can draw from regardless of denomination.

A church AI policy that only covers general "AI use" without addressing specific ministry contexts is not actionable. Your staff needs to know what is permitted and prohibited in the situations they actually face. Here are the six areas every policy should cover explicitly.

1. Sermon preparation and teaching content

This is the area where AI adoption is highest and the theological stakes are clearest. A 2025 study found that 64% of pastors now use AI for some aspect of sermon preparation. That is not inherently problematic — but it requires a framework.

The core rule is simple: AI is a research assistant and editor, not a preacher. Permitted uses include background research on biblical passages, outline brainstorming, illustration suggestions (with verification), editing a preacher-written draft, and converting a completed sermon into social media content. What the policy must prohibit is delivering AI-generated content as the product of personal prayer and study without disclosure — because that is a form of deception, and deception has no place in the pulpit.

Verification is non-negotiable. Every AI-suggested Scripture reference, every quotation, every statistic, every historical claim must be checked against a primary source before use. No exceptions.

2. Pastoral counseling and care

This is the highest-restriction area in any sound church AI policy, and for good reason.

Pastoral counseling sessions may be protected by clergy-penitent privilege under state law — a legal protection that can be waived if confidential content is disclosed to third parties, including AI vendors. When a pastor enters counseling notes into ChatGPT or uses an AI transcription tool during a care conversation, they may be unknowingly destroying the legal protection their congregant was relying on.

Beyond the legal concern, the pastoral relationship depends on trust in a way that AI fundamentally cannot support. A 2025 study from Brown University found that AI chatbots systematically violated mental health ethics standards when used in care contexts, including mishandling crisis responses. AI cannot be a pastor. It cannot bear witness, exercise discernment, or be present in the way that incarnational ministry requires.

3. Administrative and office use

This is where AI can add the most value with the least risk — and where most churches are already operating without any framework. Email drafting, newsletter content, volunteer coordination, meeting summaries, grant proposals, scheduling, and donor acknowledgment letters are all reasonable AI-assisted tasks.

The key governance requirements here are: staff must use church-issued credentials and enterprise-tier accounts (not free personal accounts), any meeting that uses AI transcription requires participant consent and an opt-out option, and AI meeting transcription is prohibited in pastoral care conversations, HR meetings, elder board executive sessions, and legal consultations regardless of consent.

4. Children's and youth ministry

Children's ministry sits at the intersection of your highest pastoral responsibility and your most significant legal exposure. The combination demands the strictest rules in your entire policy.

The absolute prohibitions are non-negotiable: no uploading of any photo, name, story, or personal information of any minor to any AI tool; no AI-generated images of identifiable children; no child-facing AI chatbots in any ministry context; no biometric data collection on minors. These rules apply regardless of the tool's tier, the staff member's intentions, or the perceived innocuousness of the request.

The legal landscape matters here too. The FTC's amended COPPA Rule, with a compliance deadline of April 22, 2026, now treats biometric identifiers as personal information and requires separate verifiable parental consent for AI training uses — with penalties up to $53,088 per violation. This is not a risk churches can afford to take casually.

AI can absolutely help children's ministry — generating curriculum ideas, creating age-appropriate graphics, developing lesson plans — as long as no individual child's information is ever entered into the tool, and all AI-generated materials are reviewed by a qualified adult before use with children.

5. Social media and communications

AI is already transforming how churches communicate online, and for the most part that is a healthy development. The guardrails your policy needs to establish are: human review before any AI-generated content is published, disclosure labeling on AI-generated graphics and substantially AI-written posts, and absolute prohibition on deepfakes or AI-generated impersonations of church leaders.

On the deepfake concern: this is not a distant theoretical risk. AI-generated audio and video impersonating pastors and religious leaders has already been documented and used to spread misinformation and solicit fraudulent donations. Your policy should name this explicitly, specify how to report suspected impersonations, and clarify the response protocol.

For image generation, the choice of tool matters more than most churches realize. Tools that train on licensed content (Adobe Firefly is the leading example) offer commercial indemnification for generated images. Tools with less transparent training data or permissive terms that place all copyright risk on the user expose churches to liability they may not be aware of.

6. Member data and privacy

Member information — contact details, giving records, spiritual journey, family situations, prayer requests — is a sacred trust. Your AI policy needs to establish explicitly that this information receives heightened protection and that entering identifiable member data into AI tools without individual consent and appropriate enterprise-tier protections is prohibited.

Churches often assume they are exempt from data privacy regulations because they are nonprofits or religious organizations. The reality is more complex. GDPR treats religious affiliation as special-category data with default prohibition on processing. COPPA applies to any program involving children under 13. Several states — including Colorado, Delaware, New Jersey, and Oregon — have comprehensive privacy laws with no general nonprofit exemption. And HIPAA applies if your church operates a licensed counseling center or health ministry with electronic billing.

The policy does not need to be a legal treatise. But it does need to acknowledge these obligations and designate someone — ideally your AI Officer or a designated legal contact — responsible for staying current as the law evolves.

The single most actionable element of a church AI policy is a data classification system. Without it, staff are left making judgment calls about what they can and cannot enter into an AI tool — and those judgment calls will often be wrong.

A three-tier classification covers everything:

The practical power of this system is that it gives your volunteer children's worker, your social media coordinator, and your executive pastor all the same simple question to ask before they type anything into an AI tool: "What tier is this data?" If it's Red, they stop. Full stop.

One of the most common and consequential mistakes churches make is using free, personal, or consumer-tier AI accounts for church work. The distinction between consumer and enterprise tiers is not just about features — it is about data.

Consumer-tier accounts (free ChatGPT, free Gemini, free Claude, and similar) may use your inputs to train their models. They provide no data processing agreements, no contractual data protections, and no organizational controls. When a staff member uses a free personal account to draft a church email with member names in it, those names may become part of an AI training dataset.

Enterprise-tier accounts (ChatGPT Team or Enterprise, Microsoft 365 Copilot with Enterprise Data Protection, Claude for Work, and similar) contractually prohibit training on your data, provide Data Processing Agreements, offer organizational access controls, and often include audit logs. They cost more. They are worth it for any use involving non-public church data.

Your policy needs to state this clearly: free and personal AI accounts are prohibited for any church-related work involving internal or member data. Staff must use only approved enterprise accounts accessed through church-issued credentials.

A well-designed church AI policy establishes clear disclosure standards — not as a bureaucratic requirement but as an expression of the church's commitment to honesty with its congregation.

The standard most churches are converging on distinguishes three categories:

• Always disclose: When AI has substantially contributed to a sermon, teaching, graphic, or communication, the congregation deserves to know. The disclosure does not need to be lengthy or self-flagellating — something like "AI assisted in research and drafting; I developed and prayed through this message" is honest and sufficient.
• Disclosure recommended: Social media posts substantially drafted by AI, AI-generated study guides, and AI-translated content benefit from a brief note but are lower stakes than pulpit content.
• No disclosure needed: Grammar checking, spell-check, basic autocomplete, and accessibility captioning of human-authored content do not require disclosure — they are tools in the same category as word processors.
• Never acceptable regardless of disclosure: AI-generated prayers presented as the pastor's own, AI voice or video of leaders saying things they did not say, and fabricated testimonies presented as real.

The underlying principle is simple: your congregation trusts you. Don't give them a reason not to.

A policy without ownership is a document. A policy with clear ownership is a system.

Every church AI policy needs to name at minimum one person as AI Officer — the individual responsible for day-to-day implementation, tool approvals, staff training, incident response, and the annual policy review. In a small church, this is often the executive or administrative pastor. In a larger church with a technology team, it may be a dedicated role.

The AI Officer is not a technical gatekeeper. They are a ministry leader who understands both the policy's principles and the church's ministry context. Their job is to make it easy for staff to do the right thing and clear when something crosses a line.

For tool approvals, every AI tool used for non-public church data should go through a vetting process before staff start using it. The key questions: Does the vendor offer a Data Processing Agreement? Does the DPA prohibit training on church data? What security certifications does the vendor hold? Is the tool COPPA-compliant for children's ministry use? Is there a clear data deletion process?

This vetting should produce a living Approved Tools List — updated at least quarterly — that tells staff exactly which tools they can use, for what purposes, and with what data tier. Maintaining this list is one of the AI Officer's most practically valuable contributions.

This is not a question of best practices versus reality. These are real scenarios churches are navigating right now without a policy framework:

• Clergy-penitent privilege waiver. A pastor uses an AI transcription tool during a counseling session. Courts have not yet ruled definitively on AI vendors and privilege, but third-party disclosure doctrine — the same doctrine that destroyed attorney-client privilege in documented cases involving AI tools — applies equally to clergy-penitent relationships. One session recorded by an AI tool may be enough to waive the privilege for that conversation.
• COPPA violations in children's ministry. A volunteer uploads a photo of children to generate a curriculum graphic. The amended COPPA Rule, effective April 2026, treats this as a potential violation with penalties up to $53,088 per incident. The church, not the volunteer, is liable.
• Hallucinated content from the pulpit. A pastor uses AI to research a sermon illustration, verifies nothing, and cites a study that does not exist. The congregation trusts what they hear from the pulpit. When the error is discovered, the reputational damage is real.
• Deepfake impersonation. An AI-generated video of your senior pastor circulates on social media, appearing to endorse a product or make statements he never made. Without a protocol, the church has no coordinated response.
• Insurance gaps. The church's cyber-liability policy was written before generative AI existed. A data breach involving an AI vendor falls into a coverage gap nobody knew was there. Church Mutual and Brotherhood Mutual have both flagged AI-related risks in recent guidance but have not yet published definitive AI coverage riders.

None of these scenarios require malicious intent. They require only the absence of a policy — which is where 73% of churches currently sit.

Writing an AI policy from a blank page — one that is theologically grounded, legally aware, and actually usable by your staff — takes significant time and expertise most churches don't have on hand. That's why we built the Church AI Policy Bundle.