Why Your Tool Approval Process Is Now AI Act Compliance Evidence
When EU AI Act enforcement begins, regulators will ask how you decide which AI tools staff can use. A working tool approval process — and the evidence trail it produces — is your compliance defence.
When EU AI Act enforcement begins on 2 August 2026, the first thing a regulator will ask is "show me how you decide which AI tools your staff can use." Most UK charities do not have an answer. Here is what one looks like.
The question that closes the gap between policy and practice
Charity AI compliance work in 2026 is converging on a single question. Not "do you have a policy" or "have you done training." Those matter. They are not the test.
The test is this: how does your charity decide which AI tools your staff can use?
This is the question that connects everything else. Your AI policy is theoretical until it produces a list of approved tools. Your training is theoretical until staff know what they can and cannot use. Your governance is theoretical until trustees see the documented decisions. The tool approval process is where all four Ps of AI literacy (Purpose, Policies, People, Practice) become operational.
From 2 August 2026, when Article 4 of the EU AI Act enters supervision and enforcement, this is also where regulators will look first. Because it is the simplest, fastest, most defensible piece of evidence a charity can produce.
This article is about why the tool approval process is now compliance evidence, and what one needs to look like to be useful.
Why this is the regulator's first question
Article 4 is enforced on evidence, not intent. A charity claiming AI literacy needs to demonstrate it. Different forms of evidence are possible:
- Training records (who attended what, when)
- Policy documents (approved by trustees, current, referenced)
- Incident reports (mistakes recorded, learned from, mitigated)
- Decision documentation (specific AI decisions made deliberately)
All of these matter. None of them are easier to produce than a tool approval process.
A tool approval process produces multiple pieces of evidence simultaneously:
- The approved tools list demonstrates governance is operational, not just on paper
- The review records show structured assessment was applied
- The decision rationales show trustees or appropriate decision-makers were involved
- The training records (linked to tool-specific guidance) show literacy was role-specific
- The review cycle shows ongoing maintenance
A charity that can produce an approved tools list and the reviews behind it has demonstrated, in one document, that AI use is governed. A charity that cannot has demonstrated the opposite, regardless of what its policy says.
This is why we expect regulator inquiries to start here. It is the fastest way to distinguish a charity with operational AI governance from one with paper compliance.
What the Fireflies lawsuit tells us
The Cruz v. Fireflies.AI case (December 2025, Illinois) is exhibit A.
The plaintiff was a participant in a meeting hosted by an Illinois nonprofit. A staff member at the nonprofit had enabled Fireflies. The plaintiff alleges the meeting bot generated a voiceprint of her without consent.
The nonprofit's exposure here is not because Fireflies is uniquely problematic. It is because the nonprofit had, evidently, no documented tool approval process. If they had, the questions a proper review would have surfaced (Lens 2 on data and security, Lens 3 on consent model, Lens 1 on regulatory exposure) would have either led to rejection of the tool, or led to documented mitigations that protected the nonprofit's position.
Either outcome would have left the nonprofit better placed than it now is.
The Cruz case is a US lawsuit under Illinois state law. The relevant principle for UK charities is the same. A documented tool approval process is the difference between an AI incident being a contained operational issue and an existential reputational threat.
What a tool approval process looks like (the seven elements)
The GoodAgents [7-Lens Tool Review Framework] is one approach. Other structured methods exist. What matters is that whichever method you use produces evidence across these seven elements:
1. A defined evaluation framework. Your charity needs a structured way to evaluate AI tools that is consistent across reviews. Not "we look at it." A documented set of criteria applied the same way every time.
2. A documented review per tool. Each tool considered for use produces a record. What was evaluated, what was found, what was decided. If a tool is approved, why. If declined, why. If conditionally approved, what the conditions are.
3. A current approved tools list. A list of tools cleared for charity use, with the conditions and scope of approval. Refreshed on a defined cycle. Available to staff.
4. Trustee oversight. AI tool decisions for the charity should not sit only at operations level. Trustees do not need to review every tool; they need to see the approved list, understand the framework being applied, and have approved the policy that sets the boundaries.
5. A consent and disclosure protocol. Where tools require participant consent (meeting AI, voice processing, biometric features) or transparency disclosure (chatbots, AI-generated content), the protocol is documented and consistently applied.
6. A review cycle. Tools change. Vendors change. Regulations change. The approval is not permanent. Documented annual review of each tool, with refresh of the list as needed.
7. An incident pathway. When something goes wrong with an approved tool, there is a clear way to capture, escalate, and respond. The pathway feeds back into the approval framework so future reviews learn from past incidents.
A charity with all seven in operation has a defensible AI tool governance regime. A charity missing any of them has a gap that becomes evidence of insufficient literacy if a regulator asks.
Why this connects directly to Article 4
The Act's Article 4 standard of "sufficient level" of AI literacy is enforced on context-specific evidence. A tool approval process produces exactly that evidence.
Consider the question a regulator might ask: "What measures has your charity taken to ensure staff have a sufficient level of AI literacy?"
A charity without a tool approval process has to answer with general statements. "We have a policy. We did training. Staff understand AI." None of this is verifiable except by inspection.
A charity with a tool approval process can answer with specifics. "Here is our approved tools list. Here are the reviews behind each tool. Here are the training records for staff on each tool. Here is the incident log. Here is the trustee approval trail."
The first answer requires the regulator to take the charity's word for it. The second is documented evidence.
This is also why the Tool Approval Process is the central layer in the [4Ps Framework]. It is the operational point where Purpose meets Practice. Without it, the framework remains conceptual.
What this connects to elsewhere in the cluster
The tool approval process is not a standalone compliance artefact. It is the connection point for everything else.
Connects upward to the [4Ps Framework]: Tool approval lives inside the Policies pillar. The framework's review feeds the Practice pillar by producing decisions to operationalise. The process makes the framework real.
Connects to the [EU AI Act for UK Charities] pillar: Article 4 enforcement evidence, Article 50 transparency considerations (does this tool require disclosure?), and Annex III high-risk classification (does the intended use case fall into a regulated category?) all run through the tool approval process.
Connects to the [Trustees and Boards briefing]: trustees do not approve individual tools, but they approve the framework, the policy, and the named oversight. The tool approval list is the document trustees should see annually.
Connects to [Role-Specific Training]: the approved tools list defines the training scope. Training on tools that are not on the approved list is wasted effort. Training on approved tools is targeted and Article 4-aligned.
Connects to the [Tool Review Agent]: the operational tool that makes consistent, structured review feasible at the scale most UK charities need. The agent produces the evidence the framework requires.
The point is that a tool approval process is not a separate workstream. It is the throat of the funnel. Everything else feeds in or out of it.
What "starting" looks like for a charity with nothing in place
Most UK charities have nothing in place. The pattern is familiar:
- An AI policy exists in draft or has been written but not formally adopted
- Some training has happened, generic, attendance not centrally tracked
- Tools have entered the charity bottom-up; no list exists
- Trustees have not been briefed
- No incidents have been recorded (because no reporting pathway exists, not because nothing has happened)
For a charity in this position, building a tool approval process in twelve weeks is achievable. The sequence we use with clients:
Week 1: tool audit. Identify every AI tool in use, official and unofficial. List ten or so common tools that staff are most likely to be using and ask in confidence. Free-tier ChatGPT use is the most underreported.
Weeks 2 to 3: framework selection. Adopt a structured review framework. The [7-Lens Tool Review Framework] is one option. Adapt to your charity's specific concerns.
Weeks 3 to 5: structured review of the inventory. Apply the framework to the tools already in use. Some will be approved (with conditions). Some will be conditionally approved (with documented mitigations). Some will be declined and use will need to stop.
Weeks 5 to 6: trustee approval. Brief trustees, present the approved list, get formal approval of the framework and the list. Set the annual review cycle.
Weeks 6 to 10: communicate to staff. Approved tools list shared. Training adjusted to focus on approved tools. Unapproved tool use stops. Consent protocols issued.
Weeks 10 to 12: ongoing operation. Tool review process active. New tools go through it before adoption. Incidents reported. List maintained.
Beyond week 12, the work becomes maintenance. Quarterly check-ins. Annual full review.
That is the twelve-week pathway from no governance to defensible governance, in time for the Article 4 enforcement deadline.
What charities are already doing this well
A small number of UK charities have built proper AI tool approval processes. We see them across the work GoodAgents does. Some patterns from those that have done it well:
- The approved tools list is short. Five to ten tools, not twenty-five.
- Trustees see the list annually as a standing governance item.
- The list is paired with a "not approved" list explaining why specific tools are not in use. This is useful when staff ask about a tool they read about online.
- The list is paired with use-case-specific guidance, not just tool-by-tool approval. "Approved for fundraising copy" is more useful than just "approved."
- Incident reporting is anonymous and lightweight. Staff report near-misses because the cost is low.
What these charities have in common is that they treat AI tool governance the same way they treat data protection: a structured, documented, repeatable process that produces evidence by operating, not by being written.
The honest read
A tool approval process is not the most interesting part of AI literacy. The 4Ps Framework, the role-specific training, the strategic AI policy, the high-risk audit work: all of that is more visible. The tool approval process is unglamorous administrative work.
It is also the part regulators and funders will ask about first because it is the easiest to verify.
The charities that come out of 2026 in the strongest position will be the ones that did the unglamorous work in 2025 and early 2026. The tool approval process is exactly that work. Not exciting. Not strategic. Just structured and present.
If you would like help building a tool approval process for your charity, [book a call]. The [Tool Review Agent] does the heavy lifting on individual tool reviews. The [7-Lens Framework blog] gives you the methodology. The [4Ps Framework] gives you the conceptual structure. The tool approval process is where they all meet.
The Cruz v. Fireflies.AI case happened to a nonprofit that did not have one. Your charity has twelve weeks to put one in place. Either is achievable. Only one is comfortable.
This article connects multiple components of the GoodAgents AI Literacy methodology. For the underlying framework, see the 4Ps. For tool-by-tool review methodology, see the 7-Lens framework. For automated review at scale, see the Tool Review Agent. For the regulatory context, see the EU AI Act for UK Charities pillar. All are available through GoodAgents.network.