An AI policy is one to two pages that answers six questions: who the policy covers, which tools are approved, what data can and cannot go into them, when a human must review AI output, what happens when something goes wrong and who owns the rules. That’s the whole job. Not forty pages of legal boilerplate. If your team touches AI at all (and your people are almost certainly already using it), this page is how everyone learns the rules of the pool.
Why does your business need one now?
AI use in Australian business has grown twelvefold since 2021-22. The Jobs and Skills Australia capacity study found many workers are already using AI tools independently, without their employer’s knowledge or approval. That’s shadow AI, and it isn’t a discipline problem. It’s a nobody-wrote-the-rules problem.
The cost of not writing them is documented. IBM’s 2025 Cost of a Data Breach Report found 63% of breached organisations had no AI policy or were still drafting one, and one in five breached organisations reported an incident involving unsanctioned (shadow) AI. Closer to home, two dates matter. From 10 December 2026, businesses using automated decision-making that significantly affects individuals must disclose it in their privacy policy. And the OAIC runs its first compliance sweep this year. A written AI policy is the natural first step to both.
Guardrails first. The policy is where the guardrails get written down.
What should be in an AI policy?
Six sections. Plain language in every one of them, because a policy your team can’t read is a policy your team won’t follow.
- 1. Purpose and scope. Who the policy covers (staff, contractors, volunteers) and which laws sit behind it. In Australia that’s the Privacy Act and Australian Consumer Law for most businesses.
- 2. Approved tools. The tools your business has said yes to, which account tier (business tiers usually come with a commitment not to train on your inputs and with retention controls; free tiers usually don’t) and how someone proposes a new tool. Give the yes a pathway or people will stop asking.
- 3. Data rules. What can go into AI tools and what never does. Client records, personal information, financials and anything commercially sensitive sit on the never list for free-tier tools. This section does the heaviest lifting in the whole policy.
- 4. Human review and disclosure. When a human must check AI output before it goes anywhere external, and when you tell clients or staff that AI was involved. Quietly is not a disclosure setting.
- 5. When something goes wrong. Who gets told, how fast and what triggers the Notifiable Data Breaches scheme. Pasting personal information into an unapproved tool can itself be a disclosure that needs assessing, so say so here. Two sentences and a name beat a flowchart nobody opens under pressure.
- 6. Ownership and review. One named owner, a review date every quarter and the practical training that brings the policy off the page. Training is what separates a policy from a drawer document.
Why do most AI policies fail?
Three mistakes account for nearly all of it.
- Written once and shelved. AI tools change quarterly. A policy with no review date was accurate for about ninety days and nobody noticed when it stopped being.
- Borrowed from a bigger company. Most free templates online were written for enterprises with legal, compliance and IT departments. A ten-person business inherits forty pages of obligations it can’t meet, so the policy gets ignored on day one.
- No training behind it. IBM found that even among organisations with a policy, 61% lacked the follow-through to make it real. A policy nobody was trained on is a document, not a practice.
Where do you start? Not with a blank page.
Two good starting points exist, and I’ll point you to both.
The National AI Centre published a free AI policy template and AI register template as part of its AI6 guidance in October 2025, available from industry.gov.au. It’s solid, it’s Australian and it’s the official reference. If you want the standards-aligned baseline, start there.
If you want the version built for the organisations I actually work with, I’ve written one: a board-ready AI policy template with scaled versions for small businesses, mid-size teams, not-for-profits and member associations. It maps to AI6 and it’s written in the plain language this article keeps banging on about.
Either way, writing the policy is the Guardrails move from my GIST framework: decide what you’ll never do before you decide what you’ll do next. Teams that write the guardrails first make every later decision faster.
What to do on Monday morning
- Download a starting template. The National AI Centre’s or mine. Blank pages kill more policies than bad drafting does.
- Book ninety minutes with the person who’ll own it. Draft the six answers on one page. Rough is fine; written beats perfect.
- Circulate it for two weeks of comments, then publish it with a review date in the diary. A policy your team wrote with you is a policy your team follows.
And if you want the bigger picture before you write a word, start with what AI governance actually is. The policy is the artefact. Governance is the practice that keeps it alive.
Questions people ask
How long should an AI policy be?
One to two pages for most small and mid-size businesses. If it runs past five, nobody reads it, and an unread policy protects nobody.
Do we need a lawyer to write an AI policy?
Not to start. The six sections above are operational rules, not legal drafting. A legal review is worth it once you have a draft if you're in a regulated sector, handle health information or the Privacy Act applies to you (broadly, turnover above $3 million).
How often should an AI policy be reviewed?
Look at it quarterly, formally review it every six months or whenever your approved tools change. The tools will not wait for your annual planning cycle.
Does a sole trader need an AI policy?
Yes, the shortest version there is: your data rules and your disclosure line. Half a page that says what never goes into AI tools and when you tell clients AI was involved. Your future self and your biggest client will both thank you.
Human-led. AI-leveraged. My philosophy, my business, this article. The Augmented Workforce in action.
Drafted with Ada, my AI collaborator. Reviewed, shaped and signed off by me. How I work with AI · Tracy Sheen CSP
