Every Australian SME using AI needs a simple rulebook. Not a 60-page document that nobody reads. A practical policy that tells staff which AI tools they can use, what information they must not put into them, when human review is required, who approves higher-risk use cases, and what to do when something goes wrong.
The National AI Centre says that if an organisation uses AI, it should have a clear policy explaining how AI can be used, who is responsible and what rules people need to follow. It says an AI policy helps set expectations, support consistent decision-making, show governance and accountability, make reviews and audits easier, and align AI use with legal and industry obligations.[1]
For SMEs, the policy does not need to be complicated. It needs to be usable. This guide explains how to create an AI policy for your business and includes a starter structure you can adapt.
This is general information, not legal advice. Businesses handling sensitive, regulated or high-risk information should get legal, privacy, cyber security or industry-specific advice before relying on an AI policy.
Quick answer
An SME AI policy should answer 10 questions:
- Who owns AI governance in the business?
- Which AI tools are approved?
- Which AI tools are not allowed?
- What data can staff use with AI?
- What data must never go into public AI tools?
- Which AI uses are allowed?
- Which AI uses need approval?
- When must a human check or approve the output?
- How will AI use be documented and monitored?
- How should staff report mistakes, misuse or incidents?
If your policy answers those clearly, it will be more useful than a long document full of vague principles. You can also generate a free starter policy in minutes using the AiBorz AI Policy Generator.
Why an AI policy matters
AI is already embedded in everyday software. Staff may use it in search engines, email tools, document editors, meeting apps, CRMs, accounting systems, design tools, coding assistants and public chatbots. That means a business can have AI risk even if it has never formally launched an AI project.
The Australian Government's agency guidance on public generative AI notes that generative AI is increasingly embedded across digital infrastructure, including search engines, productivity applications and software platforms, often without explicit user notification. It also notes that restrictive policies can drive shadow usage outside organisational oversight.[2]
That applies to SMEs too. If a business does not provide a clear policy, staff will often make their own rules. A good AI policy helps prevent:
- customer information being pasted into public AI tools
- confidential business information being exposed
- staff relying on AI hallucinations
- AI-generated content being published without fact-checking
- AI being used for higher-risk HR, finance, legal or customer decisions without approval
- no one knowing which AI tools are actually being used
- no incident pathway when something goes wrong
Step 1: Decide who owns AI governance
The first question is ownership. Someone senior needs to be accountable for AI use across the business. In a small business, that may be the founder, general manager, operations manager, finance lead or technology lead. In a larger SME, it might be a small AI governance group with representatives from operations, IT, privacy, HR and finance.
The National AI Centre's foundations guidance recommends assigning a senior leader as the overall AI governance owner with enough authority and understanding of AI capabilities and risks to oversee AI use. It also recommends making a specific person accountable for every AI system the organisation uses.[3]
Your policy should name:
- the AI governance owner
- who approves new AI tools
- who approves higher-risk workflows
- who maintains the AI register
- who reviews incidents
- who answers staff questions about AI use
Do not leave AI ownership with "everyone". That usually means no one.
Step 2: List approved and unapproved tools
Staff need to know which tools are approved for work use. Your policy should create three categories.
Approved tools
These are tools the business has reviewed and allows staff to use for defined purposes. For each approved tool, record:
- tool name
- approved users or teams
- approved use cases
- data types allowed
- data types not allowed
- whether business data is used to train models
- where data is stored, if known and relevant
- owner inside the business
- review date
Restricted tools
These may be allowed only for low-risk tasks or only with de-identified information. For example, a public chatbot might be allowed for brainstorming generic marketing ideas, but not for customer data, HR issues, contracts or financial records.
Banned tools or banned uses
Some tools or uses should be blocked because the business has not reviewed them, cannot manage the risk, or does not have the right contractual controls. "Use common sense" is not enough.[4]
Step 3: Create data rules staff can understand
The most important part of an SME AI policy is the data rule. A simple traffic-light model works well.
| 🟢 Green data | 🟠 Amber data | 🔴 Red data |
|---|---|---|
| Generally allowed | Approved tools only | Never in public AI |
| Public website copy, generic marketing ideas, invented examples, non-confidential process outlines, public product information, generic email templates, publicly available research | Internal process documents, de-identified customer examples, internal knowledge base content, non-sensitive operational data, draft sales material, non-confidential meeting notes | Customer personal information, sensitive information, health records, payroll, TFNs, bank details, employee records, legal documents, confidential contracts, passwords, API keys, CRM exports, trade secrets |
The OAIC says the Privacy Act applies to all uses of AI involving personal information.[5] The Australian Government's guidance gives a practical baseline: do not put personal information into public generative AI tools and assume anything entered could be made public.[6]
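A pre-submission check for the red column of the traffic-light model, as an added example that is not part of the original guide: the detectors, the sample prompts and the test TFN are constructed, and the green-versus-amber decision is left to the policy because it depends on which tool is in use, not on the text itself.

```python
import re

# Constructed detectors for the "red" column of the traffic-light model:
# identifiers that must never reach a public AI tool. Illustrative only;
# a real deployment would tune and extend them for the business.
TFN_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
RED_DETECTORS = {
    "bsb_and_account": re.compile(r"\b\d{3}-?\d{3}\s+\d{6,10}\b"),
    "credential": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|passw(or)?d)\b\s*[:=]\s*\S+"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# ATO tax file number check: the weighted sum of the nine digits is
# divisible by 11. Used so that order numbers are not reported as TFNs.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

def is_valid_tfn(digits: str) -> bool:
    """True if a nine-digit string passes the TFN weighted-modulus-11 check."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def find_red_data(text: str) -> list[str]:
    """Return the red-data categories present in text (empty if none)."""
    found = []
    if any(is_valid_tfn("".join(m.groups())) for m in TFN_CANDIDATE.finditer(text)):
        found.append("tfn")
    for name, pattern in RED_DETECTORS.items():
        if pattern.search(text):
            found.append(name)
    return found

def check_public_prompt(text: str) -> tuple[bool, list[str]]:
    """Gate for public AI tools: (allowed, findings). Any red data blocks it."""
    findings = find_red_data(text)
    return (not findings, findings)

if __name__ == "__main__":
    # Constructed sample prompts; the TFN is a checksum-valid test value.
    for prompt in (
        "Draft a friendly reminder email template for overdue invoices.",
        "Summarise this: client TFN 123 456 782, BSB 062-000 12345678.",
        "Fix my script, API_KEY=sk-EXAMPLE-PLACEHOLDER keeps failing.",
    ):
        allowed, findings = check_public_prompt(prompt)
        print("ALLOW" if allowed else "BLOCK", findings, "|", prompt)
```

A blocked prompt is the trigger for the incident pathway later in this guide: stop, notify the AI governance owner and record what was about to be sent.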
Step 4: Define acceptable AI use
A policy should say what AI is allowed for, not just what is banned. Allowed low-risk uses might include:
- brainstorming ideas
- drafting internal emails
- improving plain-English readability
- summarising public information
- creating first drafts of non-sensitive documents
- generating checklists from non-confidential information
- turning meeting notes into actions (appropriate meetings only)
- creating spreadsheet formulas for non-sensitive files
- translating or simplifying non-sensitive content, with review
business.gov.au suggests AI-generated information should be checked against a trustworthy source before being relied on.[7] Your policy should encourage useful, safe AI use. A policy that only says "no" may push staff into shadow use.
Step 5: Define prohibited AI use
Prohibited use should be clear and specific. For most SMEs, staff should not use AI to:
- make final employment decisions
- screen candidates without approval and bias controls
- approve payroll or change pay conditions
- provide legal, financial, medical or safety advice to customers
- make final credit, refund, warranty or compensation decisions
- upload personal, sensitive or confidential data to public AI tools
- generate misleading reviews, testimonials or customer communications
- impersonate customers, staff or suppliers
- bypass security controls
- submit AI-generated work externally without required review or disclosure
- use unapproved AI tools for company data
The policy should say AI must not be used to avoid human accountability. Staff remain responsible for content they create, share or use.[6]
Step 6: Set approval rules for higher-risk AI use
Not every AI use needs the same approval process. Use a simple three-tier model:
| Risk level | Approval needed | Examples |
|---|---|---|
| Low-risk | Policy default — no special approval | Brainstorming, editing non-sensitive text, drafting generic templates, summarising public material |
| Medium-risk | Manager or AI governance owner approval | Internal knowledge assistants, customer email drafts, CRM note summarisation, meeting summary tools |
| High-risk | Risk assessment + approved tool + human oversight + monitoring | Customer-facing chatbots, finance/payroll/HR/legal workflows, agentic AI with system access |
The National AI Centre's screening questions help businesses check what level of control they need before investing in an AI use case.[8]
Step 7: Require human review where it matters
AI output should not be treated as correct just because it sounds confident. Require human review for:
- customer-facing content
- numbers, calculations and reports
- legal, finance, HR, payroll and compliance material
- anything involving personal or sensitive information
- responses to complaints or disputes
- pricing, quotes or contractual commitments
- safety-related content
- any content published externally under the business name
The ACSC warns that AI systems can hallucinate and recommends verifying AI outputs and involving a human in high-stakes operations.[9]
Step 8: Add privacy, security and confidentiality rules
Your policy should cover:
- not entering passwords, API keys or credentials into AI tools
- not entering customer or employee personal information into public AI tools
- using approved business accounts, not personal accounts, for work AI use
- access controls for AI tools connected to business systems
- data retention settings where available
- whether business data is used for model training
- vendor terms and privacy settings
- approved storage locations
- incident reporting
Step 9: Include customer transparency rules
Customers do not need to know every time AI helped write an internal note. But they should not be misled when AI materially affects their experience. Disclosure is important where:
- a customer is interacting with a chatbot rather than a person
- AI makes or materially influences a customer outcome
- AI-generated content could be mistaken for human advice
- AI is used to process customer information in ways they would not reasonably expect
Step 10: Create an AI register
An AI policy says what the rules are. An AI register shows what is actually being used. For each AI tool or workflow, record: tool name, business owner, approved users, use case, data used, risk level, human approval point, vendor, review date. For SMEs, this can be a simple spreadsheet at first.[4]
Step 11: Define incident reporting
Examples of AI incidents include: personal information pasted into a public AI tool, confidential information uploaded to an unapproved tool, AI-generated false information sent to a customer, or biased/harmful output discovered. The incident process should say: stop the workflow, notify the AI governance owner, record what happened, assess impacts, correct or withdraw affected output, and update controls.[9]
Step 12: Train staff and review the policy
A policy only works if staff understand it. Training should cover approved tools, data rules, safe vs unsafe prompts, verification, approval rules and incident reporting. Review every six months and after any major incident, new tool rollout or high-risk workflow launch.[10]
Starter AI policy structure for an SME
Below is a practical structure you can adapt. It is not a legal template.
- Purpose — how the business uses AI safely and responsibly
- Scope — applies to all employees, contractors, public and business AI tools
- AI governance owner — who is accountable for approvals, register, incidents and policy
- Approved tools — list of approved tools and permitted uses in the AI register
- Data rules — green/amber/red traffic-light model
- Prohibited information — what must never go into public AI tools
- Acceptable use — allowed low-risk tasks
- Higher-risk use — requires approval, risk assessment and controls
- Human review — when staff must check AI output before using or sharing
- Customer transparency — when customers must be told about AI use
- AI register — record of approved tools, owners, use cases and reviews
- Incidents and misuse — how to report and respond
Get started today: The free AiBorz AI Policy Generator creates a custom starter policy from 8 questions about your industry, staff, systems and data. For a comprehensive governance pack with an approved tools register, data classification guide, risk assessments, incident response process and human review SOPs, the AI Readiness & Risk Audit ($3,500 + GST) includes the full policy pack.
References
1. National AI Centre, "AI Adoption Guidance for Australian Business," 2024-2026. csiro.au/national-ai-centre
2. Digital Transformation Agency, "Generative AI guidance for Australian Government staff," and public equivalents. dta.gov.au
3. National AI Centre, "Foundations of AI Governance," 2024-2026.
4. National AI Centre, "AI Systems Register Guidance," 2024-2026.
5. Office of the Australian Information Commissioner, "Guidance on privacy and generative AI," October 2023 and subsequent updates. oaic.gov.au
6. Australian Government, "Generative AI guidance for Australian Public Service staff," 2024-2026.
7. business.gov.au, "Artificial intelligence in business," Australian Government. business.gov.au
8. National AI Centre, "AI Use Case Screening Questions," 2024-2026.
9. Australian Cyber Security Centre, "Artificial Intelligence for Small Business," December 2024. cyber.gov.au
10. National AI Centre, "AI Governance Records and Monitoring," 2024-2026.