
AI policy template for Australian businesses — how to write an acceptable use policy for AI tools in the workplace

Your staff are already using AI tools. Copilot, ChatGPT, Claude, Gemini, and dozens of niche AI products have become standard in professional workplaces. The problem is that most Australian businesses have no written policy governing how those tools should be used, what data employees can enter into them, or who is responsible when something goes wrong.

Why Does Your Business Need an AI Policy?

Most businesses need an AI policy because their staff are already using AI tools, often without guardrails. Without a written policy, you have no way to enforce standards, demonstrate compliance, or protect client data. In 2026, the absence of an AI policy is increasingly a governance gap, not just an oversight.

Studies consistently show that the majority of knowledge workers have used AI tools at work, whether or not their employer has approved it. Employees are summarising meeting notes, drafting client emails, and reviewing documents using tools that may be sending data to third-party servers overseas.

What Is Changing in Australian Law Around AI?

Australian employers are facing a growing compliance environment around AI. Several frameworks are either already in force or coming into effect within the next 12 months.

NSW Digital Work Systems Act (February 2026)

NSW employers must ensure the safety of digital work systems, which explicitly includes AI algorithms used in the workplace. A written AI policy is part of demonstrating that you have taken reasonable steps to manage risk.

APS AI Policy v2.0 (Mandatory from 15 June 2026)

The Australian Public Service is requiring all federal agencies to appoint AI accountability officials and conduct risk assessments. Private sector organisations that contract with government should treat this as a strong signal of where expectations are heading.

Privacy Act ADM Obligations (from 10 December 2026)

The Privacy Act amendments require organisations that use computer programs (including AI) to make, or substantially assist in making, decisions that significantly affect individuals to state in their privacy policy the kinds of personal information those programs use and the kinds of decisions they make. If your business uses AI to screen applications or generate risk assessments, you will need to know exactly what data feeds those decisions and have documented processes in place.

APRA Guidance for Financial Services

APRA has made clear that boards of financial services organisations are expected to have AI governance frameworks in place. This is already an expectation for organisations under APRA supervision, not a future requirement.

What Should an AI Policy Cover?

A good AI policy covers eight core areas: approved tools, data handling rules, content review responsibilities, disclosure standards, client-facing use, vendor assessment, incident response, and an annual review process. A clear, practical policy of three to five pages is more likely to be read and followed than a 40-page document.

Which AI Tools Are Approved for Use?

Your policy should list the AI tools your business has reviewed and approved. It should also be explicit that tools not on the approved list require sign-off before use. Common approved tools for professional services firms include Microsoft Copilot (deployed via your Microsoft 365 tenant), ChatGPT Enterprise, and any industry-specific AI tools reviewed by your IT team.

What Data Can and Cannot Be Entered Into AI Tools?

This is the highest-risk area for most businesses. Otto IT recommends a simple rule for clients: if you would not post it publicly, do not put it into an AI tool you have not fully reviewed. Prohibited data categories should include:

  • Client personally identifiable information (names, contact details, financial data)
  • Confidential client documents or correspondence
  • Internal financial information, pricing, or commercial strategy
  • Employee personal information or HR records
  • Any data subject to a confidentiality agreement or legal privilege

Who Is Responsible for Reviewing AI-Generated Content?

AI tools make mistakes. They hallucinate facts, misquote sources, and generate content that sounds authoritative but is incorrect. Your policy should make clear that all AI-generated content must be reviewed by a qualified human before use. No AI tool can take responsibility for the advice your business provides.

How Should AI-Generated Work Be Disclosed?

Disclosure expectations around AI use are evolving. At minimum, Otto IT recommends that any document substantially drafted by AI be reviewed and signed off by a named employee who takes ownership of its accuracy.

What Rules Apply to Client-Facing AI Use?

Client-facing use of AI carries specific risks. Your policy should specify that AI-generated client communications must be reviewed and edited before sending. AI meeting assistants that record and transcribe conversations with clients may require client consent under Australian privacy law and under state and territory surveillance devices legislation, so the policy should require that participants are told a recording tool is running before it starts.

How Should You Assess Vendor AI Policies?

Before approving any new AI tool, review:

  • Where data is stored and processed (onshore vs offshore), including backups and vendor support access
  • Whether prompts and uploaded content are used to train the vendor’s AI models, and whether an opt-out exists and is on by default for the tier you are buying
  • The vendor’s data retention and deletion policies, including how long conversation history is kept and whether deletion is user-initiated or requires a request to the vendor
  • Their security certifications (for example ISO 27001 or a SOC 2 report) and their commitments on notifying you of a security incident, including the timeframe

What Happens When Something Goes Wrong?

Your policy should include a simple incident response process covering: confidential data entered into an unapproved tool, AI-generated content that is incorrect or harmful, and client concerns about AI involvement in delivered work. The process should include who to notify and what remediation steps apply.

AI Policy Template for Australian Businesses

The following template gives you a starting point. Adapt the language to suit your business size, industry, and existing policies.

Section 1: Purpose and Scope

State why the policy exists, which employees it applies to, and which AI tools and systems it covers.

Section 2: Approved AI Tools

List approved tools by name. Specify the approval process for adding new tools. State that unapproved tools must not be used for work purposes until reviewed.

Section 3: Data Handling Rules

Define prohibited data categories clearly. State that employees must not enter client PII, confidential documents, or commercially sensitive information into any AI tool without explicit approval.

Section 4: Content Review and Accountability

Require human review of all AI-generated content before use. Name the role or team responsible for sign-off on client documents, marketing material, code, and internal communications.

Section 5: Disclosure Standards

Specify when AI use must be disclosed internally and to clients. Reference any industry body or regulatory requirements that apply to your sector.

Section 6: Client-Facing AI Use

Set rules for AI tools used in client meetings, communications, and deliverables. Address meeting transcription consent. Require human review of all client-facing outputs.

Section 7: Vendor Assessment Process

Require a documented review of any new AI vendor’s data handling, privacy practices, and governance policies before approval. Name the team responsible for this review.

Section 8: Incident Reporting

Define what constitutes an AI-related incident. Provide a clear reporting path including who to contact and within what timeframe. Link to your existing data breach and incident response procedures.

Section 9: Training and Awareness

Commit to staff training on this policy and on responsible AI use. Specify the frequency of refresher training.

Section 10: Review and Ownership

Name the policy owner and the review cycle (annually at minimum). Document version history.

What Happens If You Have No AI Policy?

Businesses without an AI policy are not in a neutral position. They are actively exposed to data breaches, professional liability claims, and compliance failures. The most common failures Otto IT sees include:

  • Employees entering client PII into consumer AI tools that use data for model training
  • AI-generated content sent to clients without review, containing factual errors
  • Meeting transcription tools recording conversations with clients who have not consented
  • No documented process when an employee raises concerns about AI output

How to Get Your AI Policy in Place

  1. Conduct a quick audit of which AI tools your staff are currently using.
  2. Identify your highest-risk use cases, including client-facing work and regulated activities.
  3. Draft a short initial policy using the template above.
  4. Get sign-off from leadership and legal counsel if available.
  5. Communicate the policy to staff and record their acknowledgement.
  6. Schedule the first review within six months of publication rather than waiting for the annual cycle; the tools your staff use will have changed by then.

Otto IT recommends treating your first AI policy as version 1.0 rather than a finished product. If you want a conversation about what the right approach looks like for your specific business, get in touch with the Otto IT team or book a call directly.

Frequently Asked Questions

Does my business legally need an AI policy in Australia?

There is no single law requiring every Australian business to have an AI policy. However, multiple frameworks are creating compliance obligations that a written policy helps you meet, including the NSW Digital Work Systems Act, Privacy Act ADM amendments from December 2026, and APRA guidance for financial services.

What is the difference between an AI policy and an AI governance framework?

An AI policy is a shorter, practical document that tells employees what they can and cannot do with AI tools. An AI governance framework is a broader set of structures, roles, and risk assessment processes. Most small to medium businesses should start with an AI policy and build toward a governance framework as their AI use matures.

How long should an AI policy be?

For most small and medium businesses, three to five pages is sufficient to cover the key areas clearly. The goal is a document that employees will actually read, understand, and follow.

Can we use a generic AI policy template?

A generic template is a useful starting point. You will need to adapt it to your business context, including the specific AI tools you use, the regulatory environment for your industry, and any existing policies it needs to integrate with.

What should we do if an employee accidentally puts client data into an AI tool?

Treat it as a potential data incident. Document what data was entered, which tool and account were used, and when. Where the tool allows it, delete the conversation or request deletion from the vendor, then review the vendor’s retention and training policies to understand the actual exposure. If personal information is involved, assess within the 30-day window whether it is an eligible data breach under the Notifiable Data Breaches scheme (one likely to result in serious harm to any individual), which would require notifying the OAIC and affected individuals, and report internally to your privacy officer either way.


Disclaimer: This article is general information only and does not constitute legal advice. For advice specific to your situation, please consult a qualified legal professional.
