Most Australian businesses are using AI without formal guidelines. Staff are using ChatGPT, Microsoft Copilot, and dozens of other AI tools to draft emails, analyse data, generate reports, and interact with customers. In many cases, management does not have a clear picture of what tools are being used or what data is being shared.
This is not a hypothetical risk. It is a governance gap that exposes businesses to data breaches, Privacy Act violations, intellectual property loss, and reputational damage. The fix is straightforward: an AI usage policy that gives your team clear rules about what is acceptable and what is not.
This guide provides a practical framework for building an AI usage policy that suits Australian businesses. It is not a legal template you can copy and paste. It is a structured approach that you can adapt to your organisation's size, industry, and AI use. For context on the regulatory landscape driving the need for these policies, see our Privacy Act and AI compliance hub.
Privacy Act compliance. The Privacy Act 1988, together with its upcoming amendments, requires organisations to control how personal information is collected, used, and disclosed. If your staff are entering customer data into AI tools without guidelines, you are likely breaching your obligations. The December 2026 automated decision-making provisions will make this even more critical.
Data protection. Many free-tier AI tools use input data for model training. If a staff member pastes a client's financial records into a free version of an AI tool, that data may be used to train the model and could surface in responses to other users. A policy prevents this by specifying which tools are approved and what data can be shared.
Quality control. AI tools generate convincing but sometimes inaccurate outputs. Without a policy requiring human review, your business might send incorrect information to clients, file inaccurate reports, or make decisions based on hallucinated data.
Intellectual property protection. Proprietary processes, client lists, pricing strategies, and trade secrets can all be compromised if entered into external AI tools. A policy establishes clear boundaries around what constitutes confidential information and how it must be handled.
Regulatory readiness. The OAIC, the Australian Signals Directorate, and industry regulators are increasingly asking businesses about their AI governance practices. Having a documented policy demonstrates due diligence and positions your business favourably in the event of a regulatory inquiry or client audit.
An effective AI usage policy for an Australian business should cover seven core areas. Below is a detailed breakdown of what each section should contain. Adapt the specifics to your organisation's size, industry, and level of AI use.
State the purpose of the policy (to govern responsible AI use across the organisation)
Define who the policy applies to (all employees, contractors, and third-party partners)
Reference relevant legislation (Privacy Act 1988, Australian Consumer Law, industry-specific regulations)
State when the policy takes effect and the review schedule
List all AI tools approved for use in the organisation, organised by function (e.g. content generation, data analysis, customer service)
Specify the approved version or tier for each tool (e.g. enterprise vs. free tier)
Document the data handling characteristics of each tool (where data is processed, whether it is used for model training)
Establish a process for requesting approval of new AI tools before use
Name the person or team responsible for maintaining the approved tools list
Define data classification tiers: Public, Internal, Confidential, Restricted
Specify which data tiers can be used with which AI tools
Prohibit entering Restricted data (client financials, health records, personal identification numbers) into any external AI tool
Require anonymisation or de-identification of personal information before AI processing where possible
Reference the organisation's data retention and deletion policies as they apply to AI interactions
Entering client personal information into public or free-tier AI tools
Using AI to make decisions about individuals (hiring, credit, insurance) without human review
Generating legal, medical, or financial advice and presenting it to clients without professional review
Using AI outputs in regulatory filings or compliance documentation without verification
Sharing proprietary business information, trade secrets, or confidential strategies with AI tools
Using AI-generated content without disclosing AI involvement where required by law or contract
Require human review of all AI-generated content before it is shared externally
Establish fact-checking protocols for AI outputs that include claims, statistics, or legal references
Define which decisions require mandatory human review (and cannot be delegated to AI)
Document the escalation path when AI outputs appear incorrect, biased, or inappropriate
Maintain logs of AI-assisted decisions for audit and compliance purposes
All staff must complete AI usage policy training within 30 days of the policy taking effect or their start date
Annual refresher training is mandatory for all staff who use AI tools
Training must cover: the policy itself, practical examples, data classification, incident reporting, and Privacy Act obligations
New AI tool onboarding must include tool-specific training before the tool is used with business data
Training completion must be recorded and auditable
Define what constitutes an AI incident (data leak, biased output, system error, policy violation, security breach)
Establish a clear reporting pathway (who to contact, what information to provide, expected response time)
Require immediate reporting of any suspected data breach involving AI, in line with the Notifiable Data Breaches scheme
Document the investigation and resolution process for AI incidents
Commit to a no-blame approach for good-faith incident reporting
Writing the policy is only half the job. Getting your team to follow it is what actually reduces risk. Here are five practical tips for successful implementation.
Before writing the policy, run a workshop with key staff to understand how AI is actually being used. You will almost certainly discover AI use you did not know about. This audit informs the policy and ensures it addresses real practices, not theoretical risks.
A policy that staff cannot understand is a policy they will not follow. Write in plain language. Avoid legal jargon unless you are quoting legislation directly. If you need to include technical terms, define them in a glossary section.
The most frequently referenced part of the policy will be the approved tools list. Make it a standalone document or an appendix that can be updated without revising the entire policy. Consider pinning it to your internal communication channel.
Staff using AI tools daily will encounter edge cases the policy does not cover. Create a simple mechanism for flagging questions and suggesting updates. A shared channel or regular review meeting works well for this.
A policy that is not enforced is worse than no policy at all, because it creates a false sense of compliance. If you publish the policy, you need to follow through on the training, monitoring, and consequences outlined in it.
Public
Examples: Marketing copy, published blog content, public-facing FAQs
Rule: Can be used with any approved AI tool
Internal
Examples: Internal meeting notes, project plans, general business correspondence
Rule: Can be used with approved enterprise AI tools only
Confidential
Examples: Client contact details, financial reports, employee records
Rule: Can only be used with approved tools that have data processing agreements in place. Must be anonymised where possible
Restricted
Examples: Tax file numbers, health records, credit card details, passwords
Rule: Must never be entered into any AI tool under any circumstances
Need a tailored AI usage policy for your business? Our AI governance service includes custom policy development, data classification frameworks, staff training, and ongoing compliance support. We build policies that are practical, enforceable, and aligned with Australian regulations.
Get a tailored AI policyFor a small business (under 20 staff), an effective AI usage policy can be 3 to 5 pages. For mid-size businesses with more complex AI use, 8 to 12 pages is typical. The key is that the policy must be readable and practical. A 50-page document that nobody reads provides less protection than a 5-page document that every staff member understands and follows.
A standalone AI usage policy is recommended. While AI overlaps with IT, it raises unique issues around data privacy, automated decision-making, intellectual property, and regulatory compliance that deserve dedicated attention. A standalone policy is also easier to update as AI regulations evolve, which they are doing rapidly in Australia.
At minimum, review your AI usage policy quarterly. The AI landscape is changing fast, both in terms of available tools and regulatory requirements. You should also trigger a review whenever you adopt a new AI tool, when new regulations are announced, after any AI-related incident, or when your business model or data handling practices change significantly.
Your policy should include a clear consequences section that aligns with your existing HR disciplinary framework. Consequences should be proportionate to the severity of the breach. A staff member who accidentally uses an unapproved tool is different from someone who deliberately feeds client data into a public AI platform. The policy should also make clear that reporting potential violations is encouraged, not punished.