Waymouth Tech

AI Policy Template for Australian Businesses: What to Include

A practical AI use policy template for Australian businesses, aligned to the Privacy Act and Voluntary AI Safety Standard.

By Yash Shelatkar · 21 May 2026 · 6 min read

A short, written AI use policy is the cheapest, fastest enablement intervention available — and the most commonly skipped. Without one, cautious staff stay out of the tools, legal and risk functions block progress by default, and incidents become ambiguous rather than clear-cut. This article lays out a practical AI policy template for Australian businesses, with the specific clauses that matter under the Privacy Act and the Voluntary AI Safety Standard.

It is written for owners, COOs, and operations leaders in Australian businesses with 20 to 500 staff. It is not legal advice — get your policy reviewed by your own counsel — but it is a practical starting point.

Why a written policy matters

Three quiet costs of not having one:

  1. Slow adoption. In every organisation we have worked with, between 20 and 50 percent of staff say they have held back from using AI tools because they were not sure what was allowed. A short policy unblocks them in a week.
  2. Inconsistent decisions. Without a policy, every edge case becomes an executive question. Productivity is lost both in asking and in waiting.
  3. Weak incident response. When something does go wrong — a confidential document pasted into a consumer chatbot, say — without a policy there is no clear basis for action. With one, the response is straightforward.

The policy is not paperwork for its own sake. It is the operating manual for daily decisions.

The Australian regulatory frame

Two reference points to anchor against:

The Voluntary AI Safety Standard (DISR, 2024). Ten guardrails covering accountability, risk management, data governance, transparency, human oversight, contestability, and so on. Voluntary today, but the practical baseline most boards and auditors are now using.

The Privacy Act 1988 and the Australian Privacy Principles. AI use that involves personal information is in scope. APP 6 (use and disclosure), APP 8 (cross-border disclosure) and APP 11 (security) are particularly relevant. Tranche 2 reforms continue to land, so expect this to tighten.

Other context depending on sector: industry codes (banking, health, legal, education), ASIC and APRA expectations for regulated entities, and emerging procurement requirements from government and large customers.

For the broader programme context, see the pillar on AI enablement for teams.

The template — section by section

A workable policy fits in two to four pages and covers eight sections.

1. Purpose and scope

Two short paragraphs. What the policy is for, who it applies to (employees, contractors, third parties acting for the business), and which tools and activities are covered.

Avoid over-broad scope. A policy that tries to cover every conceivable AI use becomes unusable.

2. Principles

A short list. Five is plenty:

  • AI is used to augment our people, not replace judgement on consequential decisions.
  • We protect personal information and client-confidential information at all times.
  • We are transparent with customers and colleagues about material AI use.
  • We test before we trust.
  • A human reviews AI output before it goes to a customer or is used for a consequential decision.

These principles do most of the heavy lifting in edge cases.

3. Approved tools

List the tools the business has approved, with brief notes on which use cases each is suitable for. Include the data classification each can handle.

For example:

  • Microsoft Copilot (M365) — approved for internal documents, including those containing personal information of customers and staff. Do not paste health information or credit card data.
  • Claude.ai (team workspace) — approved for general drafting and analysis. Do not paste personal information or commercially confidential third-party data.
  • ChatGPT consumer (chat.openai.com) — not approved. Use the enterprise workspace instead.

This single section unblocks more staff than any other.

4. Data classification and handling

Define three to four data classes and what can go into AI tools at each level. A simple version:

  • Public. Anything in the public domain. Fine for any approved tool.
  • Internal. Non-sensitive business information. Fine for approved tools.
  • Confidential. Commercial-sensitive, client-confidential, personal information. Only enterprise-tier approved tools.
  • Restricted. Health information, financial account details, legal privilege. Approved tools only after consultation with the data owner.

Tie this to the existing information-handling framework if you have one.

5. Prohibited uses

Specific. No long lists of platitudes. For example:

  • Do not use AI to make final hiring, firing, promotion or disciplinary decisions.
  • Do not use AI to generate or send communications to customers without human review.
  • Do not paste raw customer personal information into unapproved tools.
  • Do not pass off AI-generated client deliverables as wholly your own work where the agreement requires disclosure.
  • Do not use AI to circumvent existing approval or compliance processes.

6. Disclosure

When and how to disclose AI use to customers, colleagues, or partners. The default in our recommended template:

"Disclose material AI use when (a) the customer or recipient might reasonably want to know, (b) it is required by a contract or regulation, or (c) the output would be misleading without disclosure."

Provide one or two example phrasings staff can copy.

7. Incident response

A short paragraph. If staff suspect a policy breach — a confidential document pasted into an unapproved tool, a hallucinated output sent to a client, a bias concern raised — how do they raise it? Name the person or mailbox. Promise a no-blame initial response.

This section will get used. Make it obvious.

8. Review and ownership

Name the policy owner. State the review cadence (every six months recommended, plus on material change). Note the version and approval date.

Implementation

Drafting the policy is the easy part. Three implementation steps:

  1. Brief managers in person before publishing. They will be the first to be asked questions. Equip them.
  2. Run a 30-minute all-staff session on launch. Walk through the headline rules. Take questions.
  3. Embed in onboarding. Every new starter signs the policy in week one.

Tie the rollout into the broader change management plan and the AI champions network.

A worked example

A Melbourne accounting firm of 90 staff drafted a three-page policy in February 2026 over two two-hour workshops with operations, IT and a senior partner. Legal reviewed and returned changes within five business days. Total elapsed time from draft to signed policy: 18 days.

Pre-policy, active AI usage was 28 percent. Six weeks after publication, with no other intervention, active usage had risen to 51 percent. The single biggest unblocker, per a staff survey, was clarity on which client information could go into which tool.

Total external consulting cost for the policy work: approximately $6,000.

Common mistakes

  • Lifting a US or UK template wholesale. They are not aligned with Privacy Act language or Australian sectoral norms. Adapt, do not copy.
  • Writing for lawyers, not staff. A policy staff cannot understand cannot guide behaviour.
  • Listing every conceivable risk. The policy becomes a swamp. Keep the principal risks; address edge cases through training and champions.
  • No version history. A policy without dates and version numbers becomes unmanageable.
  • One-off publication. Policies decay. Six-monthly review with a named owner is non-negotiable.

What to do next

Block out two two-hour workshops this month — one to draft, one to refine. Bring operations, IT, legal and one practitioner from a high-AI-use function. The pillar on AI enablement for teams covers where the policy fits in the broader enablement programme.


FAQ

Do Australian businesses legally need an AI policy?

Not yet by statute, but the Voluntary AI Safety Standard sets clear expectations, and a written policy supports compliance with the Privacy Act and existing duties on directors. Regulated industries and government suppliers are increasingly asked for one.

How long should an AI use policy be?

Two to four pages for most SMBs. Longer policies do not get read. Keep one short policy and one separate, more detailed guideline document if needed.

Who should write the AI policy?

Drafted by operations or enablement, reviewed by legal and HR, signed off by the executive sponsor. Lawyers writing it cold tend to produce something staff cannot use.

How often should we update our AI policy?

Review every six months, and immediately when a new tool is approved, regulation changes, or a material incident occurs.

Should the policy list approved tools by name?

Yes, with a clear process for adding new ones. A vague policy that does not specify tools leaves staff guessing and slows adoption.
