A practical guide to choosing an AI development partner: questions to ask, red flags, build vs buy, and data and compliance due diligence.
Start with the decision behind the decision: build, buy, or partner
Before you shortlist a single agency, decide what you are actually choosing. Building from scratch means owning the roadmap and the maintenance bill forever. Buying a finished product means fast value but someone else's priorities. A lab partner sits in between: they build with you on top of tools that already exist, so you get a custom result without inheriting a codebase your team cannot staff. Most nonprofits over-index on building because a board member volunteered to help, then quietly abandon the work eighteen months later.
The honest test is whether your problem is genuinely unique. Donor receipts, recurring giving, and match detection are solved problems, so buying or layering on a platform almost always wins. A bespoke program model, a specialized intake workflow, or an unusual data integration is where custom work earns its keep. Whitelabel layers on top of your existing stack rather than replatforming, and exposes a documented API so you can build the genuinely custom parts yourself without rebuilding the parts that already work.
The questions that actually separate good partners from bad ones
Ask who owns the model, the prompts, the training data, and the resulting code. If the answer is vague, walk. Ask how the system behaves when the AI is wrong, because it will be: a serious partner can show you fallbacks, human review steps, and escalation paths, not just a happy-path demo. Ask what happens when their lead engineer leaves, and whether you would be able to operate the thing without them. As the AI for Nonprofits Network reported, the biggest failures are rarely technical; they are unclear ownership and abandoned pilots.
Push on the boring operational questions too. Who pays for inference costs as you scale, and are they predictable? How are AI agents constrained so they cannot send a donor the wrong tax receipt or expose a record they should not? What is the support model after launch, and is it a person or a ticket queue? A good partner answers these crisply because they have been asked before. A weak one improvises, and improvisation is exactly what you cannot afford near donor money and personal data.
Do the data and compliance due diligence before you fall in love with the demo
Demos are designed to be persuasive, so treat compliance as a gate, not a footnote. Ask for current attestations, not promises: PCI DSS Level 1 for anything touching payments, SOC 2 for security controls, and HIPAA if you handle any health-adjacent data. Whitelabel publishes these through a Vanta-powered trust center, so you can verify status rather than take it on faith. Our deeper walkthrough of nonprofit AI compliance covers what each certification actually proves and the gaps an enthusiastic vendor will gloss over.
Then ask where donor data goes and who can see it. Does the partner train shared models on your supporters' information? Can you delete data on request and prove it? Is there a clear data processing agreement? Strong AI governance means logged decisions, role-based access, and the ability to show a board exactly what the system did and why. If a vendor cannot explain their data flows in plain language, assume they have not thought hard enough about them, and that the liability lands on you, not them.
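The operational questions above (how agents are kept from sending the wrong receipt or exposing a record) and the governance requirements here (logged decisions, role-based access, a record a board can audit) describe controls without showing what they look like in practice. The following is an added example, not code from Whitelabel or from the original article: a small action gate that sits between an AI agent and a side-effecting "send tax receipt" tool. The donor and donation tables, the role-to-tool map, the review threshold and all identifiers are constructed for illustration; the point is the pattern, in which the agent may only name a record, and the gate resolves the real recipient and amount from the system of record, denies mismatches, parks large amounts for a human, and logs every decision with its reason.

```python
"""
Added example (not Whitelabel's code): a minimal gate between an AI agent
and a side-effecting tool. It demonstrates role-based access, constraints
that stop a wrong-recipient receipt, human review for risky actions, and
a structured decision log. All data below is constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
import json


class Decision(str, Enum):
    ALLOW = "allow"
    REVIEW = "review"   # parked for a human; never executed automatically
    DENY = "deny"


# Constructed system of record. The agent may reference rows by id but
# never supplies recipient addresses or amounts itself.
DONORS = {"d-100": {"email": "ana@example.org"},
          "d-200": {"email": "li@example.org"}}
DONATIONS = {"g-1": {"donor_id": "d-100", "amount_cents": 5000},
             "g-2": {"donor_id": "d-200", "amount_cents": 250000}}

# Role-based access: which roles may invoke which tools (constructed policy).
ROLE_TOOLS = {"receipt_agent": {"send_tax_receipt"},
              "finance_staff": {"send_tax_receipt", "void_receipt"},
              "marketing_agent": set()}

REVIEW_THRESHOLD_CENTS = 100000  # constructed policy: large gifts get a human look


@dataclass
class AuditLog:
    """Append-only log of gate decisions, one JSON line per decision."""
    entries: list = field(default_factory=list)

    def record(self, **entry):
        self.entries.append(json.dumps(entry, sort_keys=True))


def gate_send_receipt(principal: str, role: str, donation_id: str,
                      donor_id: str, log: AuditLog) -> Decision:
    """Decide whether an agent's request to send a receipt may proceed.

    The agent states which donation and donor it means; the gate checks the
    caller's role, verifies the pairing against the system of record, and
    escalates large amounts. Every outcome is logged with a reason.
    """
    if "send_tax_receipt" not in ROLE_TOOLS.get(role, set()):
        decision, reason = Decision.DENY, "role not permitted to send receipts"
    elif donation_id not in DONATIONS or donor_id not in DONORS:
        decision, reason = Decision.DENY, "unknown donation or donor id"
    elif DONATIONS[donation_id]["donor_id"] != donor_id:
        # The wrong-receipt failure: a gift paired with the wrong person.
        decision, reason = Decision.DENY, "donation does not belong to stated donor"
    elif DONATIONS[donation_id]["amount_cents"] >= REVIEW_THRESHOLD_CENTS:
        decision, reason = Decision.REVIEW, "amount above human-review threshold"
    else:
        decision, reason = Decision.ALLOW, "all checks passed"
    log.record(principal=principal, role=role, tool="send_tax_receipt",
               donation_id=donation_id, donor_id=donor_id,
               decision=decision.value, reason=reason)
    return decision


def recipient_for(donation_id: str) -> str:
    """Resolve the recipient from the record, never from model output."""
    return DONORS[DONATIONS[donation_id]["donor_id"]]["email"]


if __name__ == "__main__":
    log = AuditLog()
    print(gate_send_receipt("agent-7", "receipt_agent", "g-1", "d-100", log))    # allow
    print(gate_send_receipt("agent-7", "receipt_agent", "g-1", "d-200", log))    # deny
    print(gate_send_receipt("agent-7", "receipt_agent", "g-2", "d-200", log))    # review
    print(gate_send_receipt("agent-9", "marketing_agent", "g-1", "d-100", log))  # deny
    for line in log.entries:
        print(line)
```

The design choice worth noting is that the model's output is treated as a request, not a command: it can only name a donation and a donor id, and the email address and amount come from the system of record. That is what makes "send the wrong receipt" a denied, logged event rather than a silent mistake, and the JSON log lines are what you would hand a board or auditor when asked what the system did and why.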
When a lab partner beats DIY, and how to start small
A capable in-house developer plus a weekend of enthusiasm is not the same as a team that ships, secures, and maintains AI for nonprofits every day. DIY makes sense for low-stakes internal tools and quick experiments. A lab partner wins when the work touches donor money, sensitive records, or anything a regulator could ask about, because the cost of a quiet mistake is far higher than the cost of doing it properly. The mistakes nonprofits make here are predictable, which is why so many pilots stall before launch.
Start with a scoped pilot that has a clear owner, a real deadline, and a defined way to measure success, then expand only if it works. Building on top of an already-compliant platform lets you skip the replatforming and the security rebuild, so you spend the budget on the custom parts instead. If you are still mapping the landscape, our AI fundraising guide is a useful next read. The goal is not the most impressive partner; it is the one you can still operate confidently a year from now.
Frequently asked questions
Should a small nonprofit build custom AI or just buy a platform?
For solved problems like donation processing, recurring gifts, and matching-gift detection, buying or layering on a platform almost always wins because the work is already done and maintained. Custom builds only earn their cost when your problem is genuinely unique, like a specialized program model or unusual data integration. A lab partner lets you do the custom parts on top of proven tools instead of rebuilding everything yourself.
What compliance questions should I ask an AI development partner?
Ask for current attestations rather than promises: PCI DSS Level 1 for anything touching payments, SOC 2 for security controls, and HIPAA if you handle health-adjacent data. Then ask where donor data goes, whether they train shared models on it, and whether you can delete it on request and prove it. A trustworthy partner can show verifiable status and a clear data processing agreement.
What are the biggest red flags when choosing a nonprofit AI agency?
Vague answers about who owns the code, model, and data are the clearest warning sign. Watch for demos that only show the happy path with no fallback for when the AI is wrong, unpredictable inference costs as you scale, and support that is a ticket queue rather than a person. If you could not operate the system without their lead engineer, that dependency is a risk.
