The Challenge: Nonprofits operate under tremendous pressure while pursuing extensive mission-critical goals. With limited resources for technology and training, staff are impeded by repetitive yet necessary tasks, such as email management, reporting, and volunteer coordination.
The Opportunity: AI agents can be the "impact multiplier" that mission-driven organizations need. They act as autonomous digital staff, handling high-touch workflows like personalized donor communications and grant proposals.
The Caveat: To trust these powerful new agents with sensitive stakeholder data, such as donors’ or beneficiaries’ personally identifiable information (PII) or financial details, nonprofits must ground their AI strategy in a strong security framework. By securing the identities and actions of AI agents, nonprofits can unlock massive efficiency gains while avoiding preventable risks like identity debt, prompt injection, or over privileged access.
Securing AI Agents and Staying in Control
Understanding the caveat is the first step toward securing your mission. Here are some considerations to be mindful of:
- AI agents should be securely connected to apps and data.
- Your stakeholders should have control over the actions AI agents can perform and the data they can access.
- Humans should confirm critical agent actions.
- Unmanaged AI agents should be identified before they can lead to a breach.
- Every AI agent, script, and service account should be treated as an identity.
By treating agents as non-human identities similar to employees, you can enjoy the speed of AI without the "insider threat" risk.
How Can AI Agents Empower Your Team?
Building an AI agent or even an AI strategy can be a substantial undertaking, especially when your team is resource constrained. But AI investments can have numerous dividends. Earlier in 2025, the nonprofit Sage Future tasked four AI models with raising money for Helen Keller International. Director Sage Adam Binksmith shared that the experiment is a useful illustration of agents’ current capabilities and the rate at which they’re improving. Even if it’s just a work in progress, the benefits of AI strategies may be huge.
The Center for Effective Philanthropy’s AI with Purpose 2025 report indicates that “90 percent of nonprofits express at least some degree of interest in increasing their organization’s use of AI.” Foundations and nonprofits report using AI for:
- Internal productivity: 63%
- Communications: 84%
- Development and fundraising: 61%
Earlier this year, our Okta for Good team conducted a focused assessment, Scaling nonprofit missions safely in the AI era, interviewing 20+ nonprofit leaders, tech funders, and AI experts across our ecosystem. The study determined that AI’s core value is creating extra staff capacity. While AI maturity may vary, AI’s potential to add value is acknowledged widely across the industry.
How Can AI Agents Create Extra Staff Capacity?
AI agents can help your team automate manual or repetitive work and boost productivity. Here are some key examples:
- Automating mundane tasks, such as scheduling, data entry, and frequent internal inquiries, allowing your team to dedicate more time to high-touch, impactful work.
- Handling requests from stakeholders, like frequently asked questions or service information, helping you reach those who need you the most, no matter where or when.
- Offering strategic insights in real time by quickly processing large volumes of data and providing predictive models. This analysis can influence your service delivery and maximize your impact.
Now, let’s dive into more examples.
AI use cases for nonprofits
| Area | What type of agent could I build? | What can it do? | Without an identity solution |
|---|---|---|---|
| Fundraising and donor relations | Personalized Donor Agent: Drafts personalized thank-you notes, schedules follow-up calls based on giving history, and processes instant donor acknowledgments. | This agent can strengthen donor loyalty and increase retention rates. Your donor relations team can use the saved time to add a personal touch to each communication. | Identity debt: Many agents rely on static, long-lived API keys that are rarely rotated, creating a persistent "secret sprawl" that attackers can harvest. For example, if a fundraising agent uses a permanent API key to access your donor database and that is stolen from an insecure script, attackers would have an invisible backdoor to sensitive financial records. |
| Operations | Volunteer Manager Agent: Automates volunteer onboarding, coordinates shift schedules, sends reminders, and manages sign-up forms. | This agent can reduce administrative burden and improve volunteer experience, building a strong community pipeline. | Machine speed exploitation: An agent can leak or delete data 100x faster than a human. In seconds, a compromised volunteer manager agent could be coerced into bulk emailing a phishing link to your entire volunteer database or deleting years of historical shift data. |
| Program and service delivery | Grant Research Agent: Searches for relevant grant opportunities based on mission criteria, pulls deadlines, and helps outline proposals. | This agent can accelerate funding acquisition and expand research capacity, empowering your current development team. | Prompt injection: Bad actors can use social engineering agents to hide malicious instructions in donor emails or grant text, allowing them to hijack an agent’s logic and bypass security rules. |
| Internal efficiency | Reporting Agent: Gathers data from multiple systems (CRM, finance, service metrics) and automatically generates real-time performance dashboards for board members. | This agent can save hours of manual reporting time and enable faster strategic responses when you need to share data with your board or other stakeholders quickly and accurately. | Over-privileged access: To be helpful, agents are often given "super-admin" rights. This creates a massive blast radius if the agent is compromised. For example, a grant research agent with "read-all" access could inadvertently pull and summarize sensitive board meeting minutes or employee salary data when tricked by a malicious prompt. |
Why Identity Is a Crucial Part of AI Agent Security
Auth0 for AI Agents
Auth0 focuses on the agent's identity and its interactions with external users, tools, and sensitive data. Auth0 for AI Agents offers:
- The secure login framework so the user can authenticate before the agent acts on their behalf, for example, a donor logging into a personalized portal managed by an agent.
- Token Vault, our feature that integrates your apps and AI agents with third-party tools like Google Calendar or Dropbox. It securely handles access and refresh tokens, and helps ensure tokens are scoped and time-bound.
- Fine-Grained Authorization (FGA) for RAG, so when an agent shares information or documents with a user, it only retrieves those that the user is actually authorized to see.
- A "human-in-the-loop" approval step for high-risk actions, known as Asynchronous Authorization. The agent initiates the action, for example, sending a major update to your communities, but the authorized staff member must give explicit consent before it proceeds.
Okta for AI Agents
Okta helps secure and govern internal agents with the same rigor applied to employees. This approach helps secure the agent’s identity, transforming AI agents from potential insider threats into a trusted part of your team. Using Okta allows you to:
- Detect and discover: Utilize Identity Security Posture Management (ISPM) to automatically discover unmanaged AI agents, proactively identifying and remediating risky configurations before they lead to a breach.
- Provision and register: Treat every AI agent and service account as an identity. Assign each AI agent a human owner, apply base-level security policies, and centralize management of agents in Universal Directory.
- Authorize and protect: Control what agents can do by enforcing least-privilege access to tools and data. Use Okta to standardize agent authentication for consistency and security, to prevent helpful AI agents from becoming insider threats.
- Govern and monitor: Continuously monitor agent activity and detect threats in real time with Okta Identity Governance. Validate permissions and instantly revoke access if an agent acts suspiciously.
Innovation Without Sacrificing Security
The combination of powerful AI agents and robust identity security provides nonprofits with a responsible path to innovation. With Auth0 and Okta, you don't have to choose between speed and safety — you can have both. We offer free and discounted products to validated nonprofits to help make this possible. Confirm your eligibility today and start securing your AI agents.
- Learn more about Okta for Good’s benefits
- Apply for Auth0 for Nonprofits
- If you need technical or implementation support, apply for one of our pro bono programs.