Configuring AI Translation Governance for Multilingual Humanitarian Content
Nauras Abul Haija
June 23, 2026
Updated on: June 24, 2026
Most nonprofits never decide to adopt AI translation. It arrives on its own. A communications lead switches on a module to clear a backlog of untranslated pages, a regional team starts running emergency updates through a chatbot, and within a quarter, machine translation is sitting in the publishing pipeline with no one having written down how it is controlled.
For an organization publishing marketing copy, that is a manageable risk.
For an organization publishing information that refugees, disaster-affected families, and people in crisis will act on, it is not.
This is the gap AI translation governance is meant to close. The capabilities to translate at scale are already shipping in Drupal and Varbase. What separates a safe deployment from a dangerous one is not the model. It is the governance configured around it.
AI translation governance is the set of policies and technical controls that keep machine-translated content accurate, accountable, and compliant before it reaches the reader. For humanitarian organizations, it means three things: a human reviews AI output before it publishes, sensitive personal data stays out of third-party AI systems, and every translation is logged for compliance with the EU AI Act and GDPR.
What Is AI Translation Governance?
AI translation governance is the framework that determines which content an AI model may translate, who signs off before it is published, where the source text is allowed to travel, and how each translation is recorded. It combines two disciplines that have matured separately.
The first is AI governance:
The practice of turning abstract principles into enforceable controls. The principles recur across the OECD AI Principles, the NIST AI Risk Management Framework, and the EU AI Act, and they come down to accountability, transparency, human oversight, and data protection.
Governance is what makes those words operational, through ownership, audit trails, access controls, and human review.
The second is translation governance:
Proactive oversight of multilingual content. Ungoverned localization tends toward fragmented workflows, inconsistent terminology, and quality that depends on whoever happens to review a given page.
Governed localization replaces that with defined standards, clear accountability, and a documented process.
The professional baseline where the two meet is content tiering:
Match the depth of human review to the sensitivity and risk of the content. Internal documentation can tolerate an AI-only workflow. Content that carries legal or safety consequences cannot.
Why Humanitarian Content Is Different
For most organizations, a translation error is a brand problem. For humanitarian organizations, it can change what happens to a person.
The risk is documented. A U.S. asylum claim was rejected after an automated tool swapped the "I" pronouns in an Afghan refugee's statement to "we," making her account appear inconsistent with her interview.
In another case, a Spanish speaker's colloquial reference to her father was rendered literally as "my boss," undermining a domestic-violence claim.
These were not exotic failures. They were ordinary machine-translation behavior meeting a context where small errors carry large consequences.
Three properties make humanitarian content uniquely demanding. The stakes are high because readers act on the content in ways that affect their safety, their health, or their legal status.
The data is sensitive, because the content often contains personal details about vulnerable people, exactly the category that data-protection law guards most closely.
The languages are hard because crisis response runs on lower-resource languages where machine translation is least reliable. Governance is the response to all three at once.
What US And EU Rules Now Require
AI translation of humanitarian content is governed by three bodies of rules: the EU AI Act, GDPR, and the humanitarian sector's own data-protection standards. They are converging on a single control, a human accountable for AI output, and they are shifting quickly, so the dates matter.
The EU AI Act is the most concrete. Its transparency obligations under Article 50 apply from 2 August 2026 and can require disclosure that content is AI-generated, including text published to inform the public on matters of public interest.
The provision worth building around is the exemption: disclosure may not be required where a human has reviewed the content and taken editorial responsibility for it before publication.
The Act treats most machine translation as limited-risk, but AI used in asylum, migration, and border contexts is classified as high-risk, so the same tool can fall into two different tiers depending on the task.
A May 2026 amendment package adjusted several deadlines, but the August 2026 transparency date remains the stable planning anchor, with pre-existing systems given until 2 December 2026 to meet machine-readable marking.
GDPR treats every translation API call as data processing. The moment content contains a name, a location, or a health detail, the organization is the data controller, the AI vendor is a processor that needs a data processing agreement, and sending that content to a provider outside the EU triggers cross-border transfer obligations. Special-category data, including health, religion, and ethnicity, carries the strictest bar, and humanitarian case content is full of it.
In the United States, the landscape is unstable. Colorado passed the first comprehensive state AI law in 2024, delayed it, then repealed and replaced it in May 2026 with a narrower disclosure statute effective January 2027.
Texas enacted an AI law that took effect in January 2026 and names the NIST AI Risk Management Framework as a safe harbor. The federal posture is deregulatory and aimed at preempting state rules.
The durable point through the churn is that NIST's Govern, Map, Measure, and Manage structure remains the working baseline that auditors and several state laws still reference.
Beneath the regulation sits the humanitarian sector's own standard.
The ICRC Handbook on Data Protection in Humanitarian Action and OCHA's data-responsibility guidance rest on a principle no statute overrides: do no harm. In humanitarian settings, even non-personal data can endanger groups, and informed consent for vulnerable populations is a baseline expectation, not a courtesy.
The Risk Is In The Workflow, Not The Model
The biggest risk in AI translation is not model accuracy. It is publishing machine output without a human being accountable for it.
This runs against how most of the market frames the problem. The translation industry sells accuracy, on the implicit promise that a better model lowers risk. In our work building multilingual platforms for organizations like UNHCR, UNICEF, and Médecins Sans Frontières, we see it differently.
A model that is correct 99 percent of the time is still unacceptable if the remaining one percent can publish, unreviewed, to someone deciding whether a route is safe or how to take a medication. No current model offers the kind of guarantee humanitarian stakes demand.
What failed in the asylum cases was not only that a tool made an error. It was that the error reached a consequential destination with no human in its path and no record of how it got there.
That is a workflow failure, not a model failure.
The governable surface, then, is not the model. It is two things the model never touches.
The first is the publishing workflow: can machine output reach the public without a named person approving it?
The second is the data path: where does the source text physically go when it is translated?
An organization that controls those two things is defensible under every framework above, whatever model it uses and however good that model becomes. An organization that chases model quality while leaving auto-publish on and sensitive data flowing to a public API has optimized the thing that matters least.
This is not only our position. Drupal's 2026 AI roadmap frames the initiative's goal as making every AI-assisted change governed, auditable, and reversible, and treats Drupal's existing content controls, its workflows, revisions, permissions, and moderation as the foundation that makes AI trustworthy in the first place.
We have a direct stake in that work. Vardot maintains and leads the Content Publishing Track in Drupal CMS, the part of the platform where these editorial workflows live. We are not only configuring these controls for clients. We help build them upstream.
How To Govern AI Translation In Drupal
Governing AI translation in Drupal comes down to six controls, all of which map to functionality already shipping in Drupal and, pre-assembled, in Varbase. They are ordered by how much risk each one reduces relative to the effort it takes.
1. Never auto-publish. AI translation in Drupal runs on the AI module, which connects to more than 48 providers and was in production on nearly 14,000 sites by April 2026. Its AI Translate submodule generates per-language translations from the standard Translate tab. The governance, though, comes from Drupal core. Use the Content Moderation and Workflows modules to require a Needs Review state, and configure AI translations to be created as unpublished drafts rather than inheriting the source's published status. This single setting is what lets you rely on the EU AI Act's editorial-responsibility exemption.
2. Set the data boundary by content type. Apply content tiering in practice. For anything carrying personal or sensitive data about vulnerable people, route translation to a self-hosted model, using Drupal's Ollama provider, so the text never leaves your server, or to a data-sovereign provider with the right certifications. Reserve hosted public APIs for genuinely public, non-personal information, and minimize even then.
3. Turn on the audit trail. Enable AI request and response logging through the AI Observability submodule, alongside Drupal's native revision history. For any published translation, you should be able to produce the source text, the model used, the human reviewer, and the timestamp. That record is your evidence under both NIST and the AI Act.
4. Enforce sign-off with roles. Use Drupal's permission system so staff can draft with AI assistance, while only designated reviewers can publish. Scope it by language or region, so a reviewer in Amman or Nairobi can approve in their own language without creating a central bottleneck.
5. Govern terminology with a glossary. Lock protection, medical, and legal terms to approved renderings using provider-level glossary support, such as DeepL or Google Cloud Translation. This is where consistency on high-stakes vocabulary is enforced, rather than left to each model's guess.
6. Label and assign responsibility. Add an AI disclosure indicator to AI-assisted public content, and ensure that a named person holds editorial responsibility for each published translation.
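An added example, not code from Drupal, Varbase or Vardot: a small audit pass over exported translation records that checks controls 1 to 4 together (nothing published without review evidence, sensitive tiers kept on a self-hosted provider, a complete audit record, and a reviewer scoped to the language). The record fields, the provider label hosted_api, the reviewer names and the policy sets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy for this sketch; these names are not Drupal or Varbase settings.
ALLOWED_FOR_SENSITIVE = {"ollama"}  # self-hosted: text stays on your server
AUDIT_FIELDS = ("source_text", "model", "reviewer", "reviewed_at")

@dataclass
class Translation:
    node_id: int
    langcode: str
    tier: str          # content tier: "sensitive" or "public"
    provider: str
    state: str         # moderation state: draft, needs_review, published
    source_text: str = ""
    model: str = ""
    reviewer: str = ""
    reviewed_at: str = ""

def violations(t, reviewers_by_lang):
    """Return the governance rules one translation record breaks."""
    found = []
    if t.tier == "sensitive" and t.provider not in ALLOWED_FOR_SENSITIVE:
        found.append("data-boundary: sensitive text sent to " + t.provider)
    if t.state == "published":
        missing = [f for f in AUDIT_FIELDS if not getattr(t, f)]
        if missing:
            found.append("audit-trail: missing " + ", ".join(missing))
        allowed = reviewers_by_lang.get(t.langcode, set())
        if t.reviewer and t.reviewer not in allowed:
            found.append("sign-off: reviewer not scoped to " + t.langcode)
    return found

def audit(records, reviewers_by_lang):
    """Map (node_id, langcode) to violations; clean records are omitted."""
    report = {}
    for t in records:
        broken = violations(t, reviewers_by_lang)
        if broken:
            report[(t.node_id, t.langcode)] = broken
    return report

# Constructed sample data: reviewer names, node ids and model label are made up.
REVIEWERS = {"ar": {"reviewer_amman"}, "sw": {"reviewer_nairobi"}}
STAMP = "2026-06-20T09:00:00Z"
SAMPLE = [
    Translation(101, "ar", "public", "hosted_api", "published", "Clinic hours", "model-a", "reviewer_amman", STAMP),
    Translation(102, "ar", "sensitive", "hosted_api", "needs_review", "Case note"),
    Translation(103, "sw", "public", "hosted_api", "published", "Road update", "model-a"),
    Translation(104, "sw", "sensitive", "ollama", "published", "Case note", "model-a", "reviewer_amman", STAMP),
]
```

Calling audit(SAMPLE, REVIEWERS) flags three of the four records; the data-boundary rule fires even on an unpublished draft, because the source text has already left the server by the time a reviewer sees it.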
Varbase ships this stack as a starting point: multilingual components, provider-agnostic AI configuration, moderation workflows, and accessibility defaults built for right-to-left languages such as Arabic and Farsi. The value is not a new capability. It is that the governed configuration is the default state, not something assembled under a deadline.
What Is Coming In Drupal's Governance Roadmap
The six controls above are available today, and the governance layer is set to deepen. Drupal's 2026 AI roadmap names advanced governance and AI oversight as a dedicated focus, on the premise that workflows, revisions, and moderation were built for human-scale publishing and now have to hold up against large volumes of automated change.
The planned work is directional rather than shipping, but it points to where governance is heading. It includes grouping AI edits into reviewable batches instead of thousands of isolated changes, branch-based versioning so AI edits live separately and can be merged or discarded without overwriting human work, versioning and rollback extended to configuration and not just content, and audit trails that tie each AI action to its source context, the model or agent involved, and the human reviewer, with high-volume logs shipped to external observability platforms rather than stored in Drupal itself. For a humanitarian team, the direction matters: the same review-and-rollback discipline you apply to translation today is being built into the platform for AI changes of every kind.
Where To Start
AI translation extends what a small team can do across many languages on a limited budget. Used without governance, it is also a documented source of harm to the exact people humanitarian organizations exist to protect. The resolution is not to avoid the technology. It is to place it inside a workflow that keeps a human in the path and the sensitive data inside your walls.
If you are weighing how to bring AI translation into a humanitarian or nonprofit platform without inheriting the risk, that is the work we do, both for international organizations and in the Drupal CMS Content Publishing Track itself.
Nauras Abul-Haija is the Content and SEO Manager at Vardot, where she leads editorial strategy, SEO, GEO and content operations for the Drupal agency's enterprise work across nonprofits, higher education, media, and healthcare. Her writing covers content strategy, search performance, and how both are shifting in the AI era.
AI translation governance is the framework of policies and technical controls that keep machine-translated content accurate, accountable, and compliant before publication. It decides which content AI may translate, who reviews it, where the data is allowed to travel, and how each translation is logged. In high-stakes contexts it centers on keeping a human accountable for every published translation.
Yes. The Drupal AI module's AI Translate submodule generates one-click, per-language translations through OpenAI, Anthropic, self-hosted Ollama, and more than 48 providers, directly from a node's Translate tab. The module was in production on nearly 14,000 sites by 2026. Its own documentation recommends that machine output be reviewed by a human before publishing.
Use Drupal core's Content Moderation and Workflows modules to require a Needs Review state, and configure AI translations to be created as unpublished drafts rather than inheriting the source's published status. Leave any auto-accept option switched off. This forces a human sign-off before any AI-translated content goes live.
Yes. The EU AI Act's transparency rules under Article 50 apply from 2 August 2026 and can require disclosure that text is AI-generated, unless a human reviews it and takes editorial responsibility. AI used in asylum, migration, or border contexts is separately classified as high-risk and carries stricter obligations.