An AI use policy tells staff what they can and cannot do with AI tools at work. Most Australian businesses do not have one. Without a policy, staff are making their own decisions about which tools to use, what data to input, and how to handle AI-generated output, often without understanding the Privacy Act implications or the cybersecurity risk. Getting a policy in place before something goes wrong is significantly easier than explaining a breach after the fact.
Why Most Businesses Already Need One
AI tools are already in use in most workplaces, whether IT knows about it or not. Staff are using personal accounts on consumer AI platforms for drafting emails, summarising documents, answering client questions, and generating reports. This is sometimes called shadow AI: AI tool use that happens outside IT governance.
The compliance problem is not the tools themselves. It is the data that goes into them. If a staff member inputs client information into an AI tool that processes data on overseas servers, the business may have disclosed personal information to an overseas third party under APP 8 of the Privacy Act 1988.
What an AI Use Policy Should Cover
Specify which AI tools are approved for work use, which require IT review before use, and which are prohibited. The key distinction is whether the tool has an enterprise data processing agreement (DPA) in place. Consumer or free-tier AI tools typically process data offshore without a DPA and may retain inputs for model training. Enterprise versions often include contractual data protection obligations and do not use customer data for training.
Define clearly what must never be entered into any AI tool, regardless of which tool it is:
- Client personal information, including names, contact details, financial data, and health information
- Passwords, API keys, credentials, or authentication tokens
- Confidential business information, including commercially sensitive contracts, pricing, and strategy documents
- Legal advice, privileged communications, or information subject to confidentiality obligations
- Any information the business could not share publicly
Staff need to understand, in plain language, that inputting client information into an AI tool that processes data offshore may constitute a disclosure under APP 8 of the Privacy Act 1988. The business remains accountable for how that information is handled, even if it is the AI vendor that causes the harm. The policy should state this directly, not bury it in legal language.
AI tools make mistakes. The policy should require that any AI-generated content used externally, including client communications, proposals, marketing material, reports, and contracts, is reviewed and verified by a staff member before it is sent or published. The business is responsible for what it puts its name on, regardless of how it was generated.
AI-generated content can create IP ambiguity, particularly in client deliverables. The policy should address whether AI-generated outputs can be used in work product, and if so, under what conditions. Where clients have specific requirements about AI use in deliverables, those requirements take precedence.
Designate clear accountability within the policy: who approves new AI tools for business use, who staff should contact when they are unsure whether something is permitted, and who handles incidents. Without a named contact, staff default to asking no one.
If a staff member believes they may have input restricted information into an AI tool, the policy must require them to report it immediately. Early detection is the difference between a manageable incident and a notifiable data breach under the Privacy Act. Staff should not wait to see if anything happens before raising it.
Before You Publish the Policy
A policy based on assumptions is less useful than one based on what is actually happening. Before finalising:
- Audit which AI tools are currently in use. Ask IT and ask staff separately, as the lists are often different.
- Identify which tools already have enterprise data processing agreements in place.
- Review your existing privacy policy to confirm it reflects current data handling practices, including any AI tool use.
- If your business operates in a regulated sector (APRA-regulated, AFSL holders, NDIS providers, health services), seek legal or privacy advice before publishing. Sector-specific obligations may require additional provisions.
Keeping the Policy Current
AI tools are evolving faster than most governance documents. Build in a review trigger from the start. The policy should be reviewed when:
- A new AI tool is adopted or an existing one is updated in a way that changes how data is handled
- A compliance framework the business operates under is updated
- An AI-related incident occurs, even a minor one
- The policy has not been reviewed in the past 12 months
How All IT Can Help
All IT helps businesses develop IT governance documentation, including AI use policies, acceptable use policies, and incident response procedures. We assess which AI tools in your environment have appropriate data processing agreements in place and flag tools that create compliance exposure before they become a problem.
If you want to start with a conversation about what AI tools your staff are currently using and what the gaps are, that is a practical first step. Talk to us about IT strategy and consulting, our cybersecurity services, or managed IT support.
Not sure what AI tools your staff are using?
All IT can audit your current AI tool usage, identify compliance gaps, and help you put the right policy in place. Monthly contracts, no lock-in.
Frequently Asked Questions
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
Read the Full Guide →
