Creating an AI Policy: A Practical Starter Guide

June 24, 2026

Artificial intelligence tools have made their way into most workplaces.

Your staff may already be using ChatGPT or Microsoft Copilot to draft emails, summarise documents, brainstorm ideas or speed up admin tasks. They may be using Canva to create a flyer, design a social media post or edit an image. They may also be using AI features built into the apps your business already relies on every day.

That is not necessarily a bad thing. AI can help people work faster, think differently and reduce time spent on repetitive tasks. But it does raise an important question:

Does your business have any rules around how these tools should be used?

That is where an AI policy comes in.

An AI policy is one of the most practical things a small or medium business can put in place this year. It gives your team clear boundaries, helps protect sensitive information and supports safer, more confident use of AI at work.

This article is part of IQPC’s AI Governance Series, created to help Australian small and medium businesses build confidence and compliance around the responsible use of AI.

What an AI Policy Actually Is

An AI policy is a short, written document that explains how your team is allowed to use AI tools at work.

  • It does not need to be long. It does not need to be full of legal language.
  • It does not need to cover every possible AI scenario your business may ever face.

At its simplest, an AI policy sets out which AI tools are approved for work use, what those tools can be used for, what information can and cannot be entered into them, who staff should ask if they are unsure, and how AI-generated output should be checked before it is used.

It may include helpful tips, examples and explanations, but at its heart, it sets the rules your team must follow.

That matters, because AI use is no longer limited to one or two obvious tools. AI is now built into writing tools, design platforms, meeting assistants, search tools, customer service platforms, CRMs, email systems and productivity software.

Without a policy, staff are left to make their own judgement about what is acceptable. A policy gives them a safer framework to work within.

Why an AI Policy Matters for Your Business

The biggest risk with AI tools is not always the technology itself. It is what people unknowingly put into them.

For example, a staff member might paste a client list into a chatbot to help write an email, upload a contract to be summarised, or drop customer photos into a design tool.

Most of the time, the staff member is simply trying to be helpful or efficient. The problem is that information entered into AI tools may be stored, processed or used in ways your business does not fully control, depending on the platform, settings and account type being used.

For a small business, that can quickly create a privacy issue, a breach of client confidence, a cyber security risk or a compliance problem.

A clear AI policy helps protect three things that matter most: trust, compliance and continuity.

Trust

Your clients expect their information to be handled carefully.

If they share documents, images, financial records, contact details, project information or confidential business details with you, they expect that information to stay private.

An AI policy helps your team understand what should not be copied, uploaded, pasted or shared through AI tools unless the tool has been reviewed and approved for that purpose.

Compliance

Your privacy and cyber security obligations do not disappear because AI is involved.

For Australian businesses, this may include obligations under the Australian Privacy Principles, commonly known as the APPs, if your business is covered by the Privacy Act.

It may also include expectations under cyber security frameworks and standards such as SMB1001, particularly if your business is working toward a stronger risk and compliance position.

An AI policy helps connect day-to-day staff behaviour with those broader obligations.

Continuity

A data slip-up can create significant disruption.

The issue may need to be investigated, contained, explained to clients or reviewed internally. Systems, policies and access may need to be checked. In some situations, there may also be notification or compliance steps to work through.

A policy helps reduce the chance of that disruption happening in the first place.

Newer AI Tools Raise the Stakes

Early AI tools mostly responded to prompts. You asked a question, and the tool gave you an answer.

But newer AI tools can do more than that. Some can connect to business systems, access files, generate content, create workflows, update records, send messages or take action on your behalf.

These are sometimes described as agentic AI tools, and they create a different level of risk.

The concern is not only that information could be shared in the wrong place. It is also that a poorly set up AI tool could do something the business did not intend.

For example, it might:

  • Send an email before it has been checked
  • Update a record with incorrect information
  • Move or rename files
  • Summarise documents inaccurately
  • Pull information from the wrong source
  • Make recommendations based on incomplete context
  • Trigger a workflow without proper approval

Your AI policy should not only explain what staff can put into AI tools. It should also explain what AI tools are allowed to do on their own, and when a human must review or approve the action first.

A simple rule is: the more sensitive the information or action, the more human oversight is needed.

What to Include in Your AI Policy

You do not need a 20-page document to get started.

A good starting policy may only be one or two pages. The aim is to give your team simple, clear rules they can understand and apply.

1. The Purpose of the Policy

Start by explaining why the policy exists.

For example:

“This policy explains how AI tools can be used safely and responsibly in our business. It is designed to help our team use AI productively while protecting client information, business data, privacy, confidentiality and trust.”

This helps staff understand that the policy is not there to block useful tools. It is there to make sure AI is used safely.

2. Approved AI Tools

Your policy should list the AI tools your business is comfortable with.

This might include:

  • Microsoft Copilot
  • ChatGPT
  • Canva AI tools
  • Meeting summary tools
  • AI features inside business software you already pay for

Be clear that anything not on the list needs to be checked before it is used for work.

3. Information That Must Not Be Entered Into AI Tools

This is one of the most important sections.

Your policy should clearly state what information must not be entered into AI tools unless the tool has been reviewed, approved and set up securely.

This may include client names and contact details, financial information, passwords, login details, and contracts.

It is also important to explain that this includes more than typed text. People often think about written prompts, but forget that files, images, screenshots, and PDFs can also contain sensitive information.
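One way to turn this section of a policy into a routine check, shown here as an added example that is not part of the article or any IQPC material. It assumes a hypothetical register of approved tools (the tool names "copilot-business" and "canva-team" and the data categories against each are invented for illustration), uses constructed detectors for the categories the article names (credentials, client contact details, financial numbers, contract text), and treats attachments the way the paragraph above suggests: because a PDF, screenshot or spreadsheet cannot be read by a simple text check, it is held for a person to confirm rather than passed through.

```python
"""Pre-submission check for text and attachments bound for an AI tool.

Added example, not from the article. Tool names, data categories and the
detector patterns are constructed for illustration; a real deployment would
take them from the business's own AI policy and approved-tools list.
"""
import re
from dataclasses import dataclass, field

# Hypothetical register: approved tool -> data categories it has been
# reviewed and set up for. A tool that is absent is not approved at all.
APPROVED_TOOLS = {
    "copilot-business": {"client_details"},  # reviewed for client contact details only
    "canva-team": set(),                     # approved, but for no sensitive categories
}

# Constructed detectors for categories the policy says must not be entered
# into a tool unless that tool was reviewed for them.
PATTERNS = {
    "credentials": re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|token)\s*[:=]\s*\S+"),
    "client_details": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "contracts": re.compile(r"(?i)\b(agreement|contract|hereinafter|indemnif\w+)\b"),
}
# Runs of 13 to 19 digits (optionally separated by spaces or dashes);
# only Luhn-valid runs are treated as payment card numbers.
DIGIT_RUN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# File types the check cannot inspect, so a person must confirm their contents.
ATTACHMENT_TYPES_NEEDING_REVIEW = (".pdf", ".png", ".jpg", ".jpeg", ".docx", ".xlsx", ".csv")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum, used to avoid flagging every long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of sensitive categories detected in free text."""
    found = {name for name, pattern in PATTERNS.items() if pattern.search(text)}
    for match in DIGIT_RUN.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            found.add("financial")
            break
    return found


@dataclass
class Verdict:
    allowed: bool
    blocked: set = field(default_factory=set)      # categories the tool is not approved for
    needs_review: list = field(default_factory=list)  # attachments a person must confirm
    reason: str = ""


def review_submission(tool: str, text: str, attachments=()) -> Verdict:
    """Decide whether text plus attachments may go to the named tool."""
    if tool not in APPROVED_TOOLS:
        return Verdict(False, reason=f"{tool} is not on the approved list; ask before using it")
    blocked = classify_text(text) - APPROVED_TOOLS[tool]
    needs_review = [a for a in attachments if a.lower().endswith(ATTACHMENT_TYPES_NEEDING_REVIEW)]
    if blocked:
        return Verdict(False, blocked, needs_review,
                       f"{tool} is not approved for: {', '.join(sorted(blocked))}")
    if needs_review:
        return Verdict(False, set(), needs_review,
                       "attachments cannot be inspected here; confirm their contents first")
    return Verdict(True, reason="no sensitive content detected")


if __name__ == "__main__":
    # Constructed sample submissions.
    print(review_submission("chatgpt-personal", "draft a thank-you note"))
    print(review_submission("copilot-business", "Email jane@example.com the draft"))
    print(review_submission("copilot-business", "the wifi password: hunter2"))
    print(review_submission("canva-team", "invoice paid with card 4111 1111 1111 1111"))
    print(review_submission("copilot-business", "summarise this", ["contract.pdf"]))
```

The check is deliberately conservative in one direction only: it blocks what it can recognise and holds what it cannot read, but a clean result does not mean the content is safe, so the policy's "ask if unsure" rule still applies.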

4. Acceptable Uses of AI

Your policy should give staff examples of safe, acceptable AI use.

The more specific you can be, the easier the policy is to follow. Staff should be able to quickly understand the difference between low-risk AI use and use that needs more care.

5. Human Review Requirements

AI can sound confident and still be wrong.

Your policy should make it clear that AI-generated work must be reviewed before it is used, especially if it relates to:

  • Client advice
  • Reports
  • Proposals
  • Financial information
  • Legal or compliance-related content
  • Technical recommendations

AI should support human work, not replace human judgement.

6. Agentic AI and Automated Actions

Your policy should include a clear rule for AI tools that can take action.

For example:

“AI tools must not send emails, update business records, move files, approve decisions, publish content or take other business actions without human review and approval, unless that use has been specifically authorised.”

This is becoming more important as AI tools move from content generation to task automation.

Even if your business is not using these tools yet, including this section helps future-proof your policy.
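The rule quoted in this section ("no business action without human review and approval, unless specifically authorised") can be enforced as a gate between an agent and the systems it can touch. The following is an added example, not code from the article or from any product it mentions. The action names, the agent names and the authorisation register are constructed: draft-only actions pass through because a person still sees the result, recognised business actions are held until someone approves them unless a pre-authorised (agent, action, scope) entry covers them, and anything the policy does not recognise is refused.

```python
"""Human-in-the-loop gate for actions proposed by an AI agent.

Added example, not from the article. Action names, agent names and the
AUTHORISED register are constructed to illustrate the policy rule; a real
deployment would load them from the business's own policy.
"""
import fnmatch
import itertools
from dataclasses import dataclass, field

# Actions that take effect in the business and therefore need a person to approve.
BUSINESS_ACTIONS = {"send_email", "update_record", "move_file", "delete_file",
                    "approve_decision", "publish_content"}
# Actions that only prepare something for a person to look at.
DRAFT_ACTIONS = {"draft_email", "summarise", "search", "suggest"}

# Hypothetical register of specifically authorised (agent, action, scope).
# Scope is a glob over the target, so authorisation stays narrow.
AUTHORISED = {
    ("ticket-triage-bot", "update_record", "helpdesk.ticket.*.tag"),
}

_ids = itertools.count(1)


@dataclass
class ActionRequest:
    agent: str
    action: str
    target: str
    id: int = field(default_factory=_ids.__next__)


@dataclass
class Decision:
    outcome: str  # "allow", "hold" or "deny"
    reason: str


class ActionGate:
    """Sits between the agent and the systems it acts on."""

    def __init__(self):
        self.pending = {}  # request id -> ActionRequest awaiting a person
        self.audit = []    # (request id, actor, action, target, outcome)

    def evaluate(self, req: ActionRequest) -> Decision:
        if req.action in DRAFT_ACTIONS:
            decision = Decision("allow", "draft-only action; a person reviews the output")
        elif req.action in BUSINESS_ACTIONS:
            if any(agent == req.agent and action == req.action and fnmatch.fnmatch(req.target, scope)
                   for agent, action, scope in AUTHORISED):
                decision = Decision("allow", "specifically authorised for this scope")
            else:
                self.pending[req.id] = req
                decision = Decision("hold", "business action held for human approval")
        else:
            decision = Decision("deny", "action not recognised by the policy")
        self.audit.append((req.id, req.agent, req.action, req.target, decision.outcome))
        return decision

    def approve(self, request_id: int, approver: str) -> ActionRequest:
        """A person releases a held action; the approver is recorded."""
        req = self.pending.pop(request_id)
        self.audit.append((req.id, approver, "approved", req.target, "allow"))
        return req

    def reject(self, request_id: int, approver: str) -> ActionRequest:
        req = self.pending.pop(request_id)
        self.audit.append((req.id, approver, "rejected", req.target, "deny"))
        return req


if __name__ == "__main__":
    gate = ActionGate()
    print(gate.evaluate(ActionRequest("assistant", "draft_email", "client@example.com")))
    held = ActionRequest("assistant", "send_email", "client@example.com")
    print(gate.evaluate(held))
    print(gate.approve(held.id, "ops.manager"))
    print(gate.evaluate(ActionRequest("ticket-triage-bot", "update_record", "helpdesk.ticket.1042.tag")))
    print(gate.evaluate(ActionRequest("ticket-triage-bot", "update_record", "crm.client.77.address")))
    print(gate.evaluate(ActionRequest("assistant", "format_disk", "/")))
    for entry in gate.audit:
        print(entry)
```

The audit list is the part a reviewer will want most after an incident: it shows which actions were held, who released them and which ones ran under a standing authorisation, which is what "human review and approval" means in practice.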

7. Who to Ask

Staff need a clear point of contact.

This might be a business owner, General Manager, Operations Manager, IT Manager, privacy officer, Managed Service Provider or nominated AI governance contact.

The policy should make it easy for staff to ask questions before they take a risk.

For example:

“If you are unsure whether an AI tool or use case is allowed, ask [name/role] before using it.”

This is simple, but important. If staff do not know who to ask, they are more likely to guess.

8. Review and Updates

AI tools change quickly, so your policy needs to be reviewed regularly.

A good starting point is every six to twelve months, or sooner if:

  • The business starts using a new AI tool
  • Existing software introduces new AI features
  • Privacy or compliance requirements change
  • A client or supplier asks about AI use
  • Your business experiences a data or security incident

The policy should also name who is responsible for reviewing it.

Keep It Simple and Keep It Current

The best AI policy is one your team will actually read and follow.

That means it should be short, clear, practical, written in plain English, easy to find, shared with all staff, discussed in team meetings and reviewed regularly.

A short conversation at a team meeting can often do more good than a long policy document no one opens.

When you introduce the policy, explain why it matters. You might say:

“We are not banning AI. We are making sure we use it safely, protect client information and keep our business covered.”

That framing matters.

The goal is not to make people scared of AI. The goal is to help them use it properly.

We Are Here to Help

Getting an AI policy started does not have to be complicated.

For most small and medium businesses, the first step is simply understanding how AI is already being used, what data may be involved and where clear rules are needed.

IQPC can help you create a practical AI policy that suits the way your business works.

We can also help you review approved tools, assess data security risks, consider compliance requirements and make sure your AI policy connects with your broader IT and cyber security position.

If your team is already using AI, now is the time to put clear rules around it.

Book a call with IQPC to talk through your AI policy, AI governance and business IT risk position.

AI Governance Series Overview

This article is part of our AI Governance Series, created to help Australian small and medium businesses build confidence and compliance around the responsible use of AI.

Part 1: AI Governance 101, What It Means for Your Business

This article introduces AI governance in plain terms and explains how policy, compliance and oversight work together, anchored to the Australian Privacy Principles and SMB1001.

Part 2: Creating an AI Policy

This article shows how to set out your business’s intent, rules and responsibilities for using AI tools safely, in partnership with your Managed Service Provider.

Part 3: Staying Compliant with AI

This article explains your privacy obligations and how Microsoft Purview, including AI Data Security Posture Management, can give you a clearer view of how AI tools are using your business data.

Part 4: Training Your Team to Use AI Safely

This article turns your policy into everyday habits, so the people using AI know what to share, what to check and when to ask.

Part 5: Keeping Your AI Governance Current

This article helps you keep pace as AI tools evolve, with simple review routines and a watch for unapproved shadow AI.

Together, these articles will help your business adopt AI with confidence, stay compliant and protect the trust your clients place in you.
