A congregation's board approves a volunteer security team. A pastor signs an insurance application. A synagogue installs cameras at one entrance but not another. A mosque hires a guard for Friday prayers but not for the youth program on Wednesday night. Each of those is a decision. Each of those is also, in plain legal terms, evidence. When something goes wrong, a plaintiff's attorney does not ask whether the congregation tried — they ask whether the congregation's decisions were reasonable in light of foreseeable risk. That is the entire frame.
This post walks through how that frame works in Arizona, what the recent court rulings actually say, what the major faith-institution insurance carriers now require, and where a well-meaning church, synagogue, or mosque most commonly steps into legal exposure without realizing it. The data behind the threat environment we covered separately in our 2026 places-of-worship piece. This post is about what changes the moment a leadership team is on notice — and they are.
None of this is legal advice. It is operator-consultant guidance from people who build and audit faith-institution security programs in Arizona. Treat it as a starting framework, then put your own counsel on it.
The negligent-security framework, in five elements
In Arizona, a plaintiff alleging negligent security against a property owner has to prove five elements: (1) the defendant owned or controlled the property; (2) the defendant owed the plaintiff a duty of care; (3) the security in place was inadequate; (4) the criminal attack was foreseeable based on prior incidents or surrounding-area crime patterns; and (5) the inadequate security was a proximate cause of the injury (Smith Green Law, 2024; AZ Premises Law, 2024).
The element doing the most work in a faith-institution case is foreseeability. Property owners are not required to prevent every conceivable crime. They are required to take reasonable steps against foreseeable ones. Foreseeability is established with prior incidents on the property, area crime statistics, complaints to leadership, and — increasingly — published threat data for the institution's category.
That last point matters more in 2026 than it did even three years ago. The FBI's 2024 hate crime report logged 2,942 religion-based hate crime offenses, including 1,938 anti-Jewish incidents (a record), 228 anti-Muslim, and 142 anti-Sikh (FBI UCR, 2024 release; ADL, October 2025). The ADL's 2024 Audit recorded 9,354 antisemitic incidents in the U.S. — the highest number since the ADL began tracking 46 years ago, with assaults up 21% to 196, vandalism up 20% to 2,606, and a wave of bomb threats including more than 100 sent to synagogues over two days in January 2024 (ADL, April 2025). That data is on public record. A plaintiff's attorney does not have to teach a jury that synagogues are being targeted in 2026; the FBI and ADL already have.
"Foreseeability" in 2026 is no longer a question of whether a specific congregation has been attacked before. With FBI and ADL data showing record-level targeting of religious institutions, every faith-institution board in the country is effectively on constructive notice. Decisions about security become defensible — or indefensible — against that backdrop.
What the court rulings are actually saying
Faith-institution liability litigation in the last several years clusters into three buckets: failure to screen and supervise (typically involving children), failure to protect against an attack the institution should have anticipated, and failure to maintain promised security measures. A few representative cases:
Sutherland Springs (First Baptist Church, TX)
The 2017 mass shooting at First Baptist Church of Sutherland Springs killed 26 and injured 22. The litigation that followed was against the federal government for the U.S. Air Force's failure to report the shooter's criminal history into the NICS background-check system, not against the church. A federal judge initially found the Air Force 60% responsible and ordered $230 million in damages in 2022. In April 2023, the DOJ reached a tentative settlement of approximately $144.5 million covering more than 75 plaintiffs (DOJ press release, April 2023; CBS News, NPR coverage). Sutherland Springs reset expectations about where institutional responsibility runs and how far liability can travel up the chain — including all the way to federal background-check failures.
Tennessee — Brentwood church (volunteer supervision)
A Tennessee suit against a Brentwood church alleged that the institution failed to adequately screen and supervise a volunteer who sexually assaulted a 3-year-old child on church property (Ponce Law summary, 2024). This is the more common shape of faith-institution liability: not an active shooter, but a failure of screening, supervision, or background-check process for the volunteers who have access to children and vulnerable members. The legal frame is "negligent supervision," and it does not require any active criminal threat to the building — just a foreseeable risk created by the institution's own staffing decisions.
Negligent-security verdicts generally
For context on what juries are now willing to award in negligent-security cases against any defendant, a 2024 verdict produced $21.25 million, including $1.25 million in punitive damages, in a single fatal-shooting case against a security company (Beasley Allen, 2024). Those numbers are not faith-institution-specific, but they are the comparable awards a faith-institution case will be benchmarked against.
The Arizona statutes that actually run the analysis
Three Arizona-specific pieces of law matter most for a board sitting on a security decision in 2026.
A.R.S. § 12-982 — Arizona Volunteer Protection Act
Under Arizona's volunteer protection statute, a volunteer for a nonprofit, hospital, or government entity is generally immune from civil liability for acts or omissions resulting in damages — provided the volunteer acted in good faith, within the scope of their official duties, and the harm was not the result of willful, wanton, or grossly negligent conduct (Provident Lawyers, summary of A.R.S. § 12-982). That immunity protects the volunteer. It does not protect the institution. A congregation that relies on volunteer security cannot use the statute to shield itself from a negligent-supervision, negligent-training, or negligent-retention claim. The institution still owes a duty of care.
Liability waivers in Arizona
Arizona courts recognize liability waivers but interpret them narrowly. The Arizona Supreme Court has held that whether a waiver applies in a given situation is a factual question that, in many cases, goes to a jury rather than being resolved as a matter of law (CHDB Law, 2024). The practical implication: a waiver signed by a member or volunteer is not a get-out-of-court card. Vague or overly broad language is routinely set aside, and a plaintiff who can show the institution breached its duty of care will often defeat the waiver.
Arizona DPS licensing for security personnel
If a congregation hires a guard from a private security firm in Arizona, that firm must be licensed as a security agency under A.R.S. Title 32, Chapter 26, and individual guards must hold current AZ DPS guard cards (armed cards if armed). A congregation cannot delegate its duty of care to a vendor that is not legally authorized to do the work. Verifying licensing takes 90 seconds on the AZ DPS public database. (We'll publish a deeper post on this regulatory framework shortly; in the meantime, see our services overview for what licensed coverage actually includes.)
What the major faith-institution insurance carriers now require
Insurance is where the security program quietly gets enforced. Two carriers dominate the U.S. faith-institution market: Church Mutual and Brotherhood Mutual. Both have published, public guidance on armed and unarmed security teams.
Church Mutual requires that any armed security team — paid or volunteer — be reviewed by its underwriting department. The institution has to complete a supplemental survey and submit its written policies and procedures before coverage applies. Church Mutual's own guidance recommends that "only highly trained individuals be allowed to carry a weapon as part of a formalized security team" (Church Mutual, "Armed Security and Your Insurance Coverage," public resource). A congregation that stands up a volunteer armed team without notifying the carrier is creating an insurance exposure that may not survive the first claim.
Brotherhood Mutual, the second-largest faith-institution insurer, publishes a Safety Library with detailed guidance on volunteer screening, child-protection protocols, security team formation, and incident response. The carrier's underlying expectation, common across the industry, is that the institution can produce written policies, training records, and incident logs on request. The carrier rarely mandates a specific posture — but the existence of a written, followed program is what keeps a policy in force and a claim defensible.
State-level changes are also tightening the frame. In California, SB 1454 (effective January 1, 2025) removed the historical exemption that allowed houses of worship to run volunteer security teams outside the state's formal private-security regulation. Faith-based organizations with identifiable security personnel — armed or uniformed — are now generally subject to oversight by California's Bureau of Security and Investigative Services, including BSIS licensing, a qualified-manager exam, DOJ and FBI fingerprint checks, and a $1 million-per-occurrence liability policy if operating as a Private Patrol Operator (ChurchWest, 2025). Arizona has not adopted the same regime, but California has historically been the state that other state legislatures look to for templates.
Where faith institutions most commonly create legal exposure
From the auditor's seat, a few patterns repeat across every denomination.
Volunteer security teams with no written program
A pastor, rabbi, or imam puts together a team of "the guys who carry" and calls it security. There is no written policy, no training documentation, no incident protocol, and no carrier notification. The volunteers are well-intentioned. The institution is exposed in three directions at once: insurance coverage may be void on a claim, the institution loses negligent-training/supervision defenses, and the volunteers themselves may lose the A.R.S. § 12-982 immunity if their conduct is later argued to be grossly negligent because it was untrained.
Cameras and access controls that are documented but not maintained
An institution installs cameras at the main entrance and publishes a "secure facility" message. A side door is propped open every Wednesday night for youth group. A plaintiff's attorney will compare what the institution said it did against what it actually did, and a documented gap is a gift to the other side. The rule is simple: do not promise what is not maintained.
Background checks performed once and never updated
Many institutions run a one-time background check at the time of volunteer onboarding, then never repeat it. Best-practice carriers and most plaintiffs' bar standards now expect re-screening on a defined cadence (typically every 3–5 years) for any volunteer with access to children, money, or restricted areas.
Ad-hoc armed coverage on high-attendance days
Bringing in a friend with a CCW to "stand near the door" for High Holy Days, Easter, or Ramadan looks like a reasonable step. Without a written team policy, training records, carrier notification, and a chain-of-command document, it is exactly the kind of arrangement that gets pulled apart in a deposition. If the institution is going to use armed coverage at all, do it formally.
No formal incident reporting
An attempted break-in, a vandalism event, a verbal threat at a service — each of these is data. Logging them in writing creates a record that supports either "we took reasonable steps in response" or, if leadership ignored them, the plaintiff's foreseeability argument. The choice between those two outcomes is made the day the incident occurs, not the day the suit is filed.
What this means for you
If you sit on a board of governors, an elders' council, or a mosque committee, the question is not whether your congregation needs security. The FBI and ADL data answered that question. The question is whether your security decisions — staffing posture, written policies, training records, carrier notification, incident logs — can be defended against a foreseeability argument built from public data your congregation cannot un-know.
Three actions every faith institution in Arizona should take this quarter:
- Write the program down. Whatever you currently do — usher team, volunteer security, hired guards, cameras — document it. Posts, roles, response protocols, training, screening, incident reporting. A written, followed program is the single biggest factor separating defensible from indefensible in a negligent-security claim.
- Notify your insurance carrier and confirm coverage. Especially if any of your security personnel are armed, even occasionally. Get the carrier's underwriting acknowledgment in writing. Update your policy if needed.
- Run a CISA Houses of Worship self-assessment. It is free, it is the federal benchmark, and a completed self-assessment is itself evidence of a reasonable, good-faith security posture (CISA Houses of Worship Security Self-Assessment, 2024 update). Save the output to the congregation's records.
For deeper background on the threat environment driving this, see our 2026 places-of-worship security overview. For how the same negligent-security analysis applies to schools, see our piece on armed security in K-12 schools. For the underlying cost-of-incident math that informs insurance and board-level decisions, see the real cost of a workplace security incident in Arizona.
Faith-institution liability in 2026 is driven by what is on the public record — FBI hate-crime data, ADL audits, CISA guidance — and what the institution can show it did in response. The most defensible posture is not the largest or the most expensive. It is the one that is written down, trained, carrier-approved, and consistently followed.
