AI governance is knowing who decides, who checks and who answers when AI touches your business. Not paperwork. Not a forty-page policy nobody reads. In practice it covers four things: the decisions AI is allowed near, the data it can and cannot touch, what you disclose to the people affected and how often you review the lot. If your organisation uses AI, and your people are already using AI whether it’s declared or not, governance is how you stay in charge.
Why is this landing on every board agenda now?
Because adoption sprinted ahead and the rules stayed home.
AI use in Australian business jumped from 1% in 2021-22 to 12% in 2024-25, according to the Australian Bureau of Statistics. Among large businesses it’s 35%, up from 9% over the same period. Deloitte’s 2026 State of AI in the Enterprise report found only 22% of Australian companies have an advanced governance model for AI. The gap between those numbers is the agenda item.
The cost of the gap comes in numbers boards understand. IBM’s 2025 Cost of a Data Breach Report found 63% of organisations that experienced a breach had no AI governance policy or were still writing one. Breaches involving shadow AI, staff using tools nobody approved, cost an average of USD $4.63 million. That’s not a technology problem. That’s a who-decided-nobody problem.
Regulation is moving too, in a very Australian way. There’s no standalone AI Act; the National AI Plan released in December 2025 confirmed existing law does the work. The Privacy Act, Australian Consumer Law, anti-discrimination law. One date worth circling: from 10 December 2026, businesses using automated decision-making that significantly affects individuals must disclose it in their privacy policy. The Australian Institute of Company Directors has already flagged AI readiness as a director obligation. The question stopped being whether governance is your job. It’s whose name goes next to it.
Governance is reading the rip before you swim. Boards that do it choose their conditions. Boards that don’t get chosen by them.
What does AI governance actually cover?
Four things, and none of them needs a committee.
- Decisions. Which calls can AI make alone, which need a human, and which it never goes near. Pricing a quote is different from shortlisting a job applicant.
- Data. What goes into AI tools, what never does and where it lives. Client records and free-tier chatbots don’t mix.
- Disclosure. Who gets told AI was involved. Your clients, your staff, the people your decisions affect. Quietly is not a disclosure setting.
- Review. How often you look at the lot. AI tools change quarterly. A set-and-forget policy expires faster than the milk.
A ten-person business can cover all four in two pages. What it can’t do without is an owner: someone senior enough to say no. Governance without an owner is a document in a drawer.
The four questions every leadership team must answer
This is the job my GIST framework does. Four questions, asked in order, because the order is the point.
- Guardrails. What will we never do? Guardrails first, always. Without values and ethics, we fly blind.
- Intent. Why are we doing this at all? If the honest answer is because everyone else is, stop here.
- Strategy. What’s the plan, built from the intelligence already in the room? Your people know where the friction is. Ask them before you ask a vendor.
- Practical Training. How do our people build the habit? A policy without training behind it is the drawer document again.
I’ve watched this sequence play out around board tables from national member associations to regional economic programs. The organisations that start with guardrails move faster later, not slower. They’ve already decided what no looks like, so every yes is quicker.
What does AI6 ask of Australian businesses?
AI6, the Guidance for AI Adoption published by the National AI Centre in October 2025, is now Australia’s primary voluntary reference for doing this well. It replaced the Voluntary AI Safety Standard, and if you did work against the old ten guardrails you don’t start again; that work folds in.
Six practices: decide accountability, understand impacts, measure and manage risks, share essential information, test and monitor, maintain human control.
Read that last one again. Maintain human control. The national guidance landed exactly where this whole conversation starts: Human-led. AI-leveraged. The standards caught up to the principle.
What to do on Monday morning
Here’s the state of play: 43% of Australian SMEs reported some AI adoption in the December 2025 to February 2026 quarter, but only 5% say they’re getting AI’s full value. The distance between using AI and governing it is where the risk lives, and closing it takes three moves, not a transformation program.
- Name the owner. One person, senior enough to say no, with governance in their actual job description.
- Write the four answers down. Decisions, data, disclosure, review. One page beats forty; forty never gets read.
- Put a review date in the diary. Quarterly. The tools will have changed by then, and so should the page.
If the blank page is the hurdle, I’ve built the starting point: a board-ready AI policy template written for Australian organisations, with versions scaled for small business, mid-size teams, not-for-profits and member associations. And when you’re ready to write yours properly, the companion piece walks through it section by section.
The starting point is already written.
A board-ready AI policy template built for Australian organisations. Free, fill-in-the-blanks, scaled versions for small business through to member associations.
Questions people ask
What is the difference between AI governance and an AI policy?
Governance is the whole practice: decisions, data, disclosure, review and a named owner. A policy is the written record of the rules. You can have a policy without governance; that's the document in the drawer. Governance is what makes the policy live.
Do small businesses need AI governance?
Yes, scaled to size. Two pages and an owner beats forty pages and a committee. If AI touches your client work, your money or decisions about people, the rules need writing down.
What is AI6?
Australia's voluntary guidance for AI adoption, published by the National AI Centre in October 2025. Six practices, from deciding accountability through to maintaining human control. It replaced the Voluntary AI Safety Standard, and earlier guardrail work folds in rather than starting over.
Who should own AI governance in an organisation?
Someone senior enough to say no. In a small business that's usually the owner or general manager. In larger organisations, a named executive who reports to the board on it, not a working group. Shared ownership is no ownership.
Human-led. AI-leveraged. My philosophy, my business, this article. The Augmented Workforce in action.
Drafted with Ada, my AI collaborator. Reviewed, shaped and signed off by me. How I work with AI · Tracy Sheen CSP
