Chances are, someone on your team is already using AI. Whether it’s drafting a social caption, summarising a meeting, or helping write a customer email, generative AI tools have quietly become part of the day-to-day for small businesses, often without anyone deciding that officially. That’s not a bad thing. Used well, AI can genuinely help a small team punch above its weight: refining content, summarising long documents, brainstorming ideas or helping with processes. The businesses getting real value from it aren’t necessarily using the most advanced tools. They’re the ones who’ve thought about how they use them, so staff can move quickly with confidence instead of guessing at what’s okay.
That’s what an AI policy is for. Not a rulebook to slow things down, but a short, practical document that tells your team what’s approved, what’s off limits, and who checks the output before it goes out under your brand. If you don’t have an AI policy for your organisation, it’s time to ask the question why?
Isn’t an AI policy just for big business?
Not anymore, and small businesses arguably have more reason to get this right early. You likely don’t have a legal or IT team to catch a mistake before it becomes a problem, and your reputation is often more personal, built on trust with a smaller, tighter-knit client base. One misstep, like a staff member pasting a client’s details into a public AI tool, or a blog post going out with a made-up statistic, can do real damage to a business.
The good news: a policy for a small business doesn’t need to be long, legalistic, or written by a lawyer to be effective. It needs to answer a handful of practical questions clearly enough that everyone on the team knows what’s expected of them. Most small businesses can draft a working version in an afternoon and there are some useful tools (or even AI) to help you craft something for your business.
The risks an AI policy helps you manage
Confidential information ending up somewhere it shouldn’t
Free and consumer versions of AI tools can retain the information you input, and in some cases use it to train future versions of the model. This isn’t hypothetical, and it isn’t limited to big business. In early 2025, a contractor working for an Australian organisation uploaded personal information, including names, contact details and health records, into an AI system while working on a government program. It was treated as a serious data spill and a notifiable data breach. The Australian Cyber Security Centre’s advice for small businesses is blunt: don’t put sensitive or proprietary information into public AI tools at all. Never. Ever. A policy is what turns that advice into something your team actually knows and follows and gives them the clarity of what they can and can’t use within the workplace.
Under the Privacy Act 1988, businesses are responsible for how they handle personal information, and that doesn’t change because an AI tool was involved. The OAIC has been explicit that it covers all uses of AI involving personal information, including free, publicly available chatbots, and recommends against entering personal or sensitive information into them at all.
Content that’s confidently wrong
AI tools can generate information that sounds authoritative but often it isn’t accurate, sometimes called “hallucination.” This has already caught out some of Australia’s most credentialled professionals, which is a useful reminder that expertise alone doesn’t prevent it, process does. In 2025, Deloitte Australia issued a partial refund to the federal government after a $440,000 report it prepared was found to contain fabricated academic references and a misquoted Federal Court judgment, later confirmed to be the result of undisclosed generative AI use. The same year, a Victorian lawyer became the first in Australia to be sanctioned for AI use, losing his ability to run his own legal practice after submitting court documents containing AI-generated citations to cases that didn’t exist. In both cases, content went out under their name without a human properly checking it first. A policy’s human review step is the simplest possible safeguard against this.
Intellectual property and copyright questions
Who owns content an AI tool generates, and can you safely use AI generated imagery in a paid campaign? These questions are still being tested in court and aren’t settled in Australia. A closely watched 2025 UK case between Getty Images and AI company, Stability AI, largely went in Stability’s favour on copyright, though the court did find limited trademark infringement where Getty’s watermark appeared in some AI generated images. It didn’t resolve the broader question of whether training AI on copyrighted material is lawful. In Australia, the Productivity Commission has recommended a three-year review period before any copyright exemptions for AI are considered.
It’s also worth remembering that while you may not explicitly ask AI to reference copyrighted material, AI is trained on existing content where permissions may or may not have been granted. As learning sources for specific content is not disclosed to the user, you may inadvertently end up infringing on copyright.
Until federal policies are settled, it’s worth treating it with caution rather than assuming it’s fine, and your policy should say so.
Falling behind on your compliance obligations
Regulation in this space is moving quickly. The National AI Centre’s Guidance for AI Adoption, released in October 2025, sets out six essential practices for responsible AI governance that Australian organisations are encouraged to follow. Separately, from 10 December 2026, new transparency obligations under the Privacy Act will require businesses covered by the Act to disclose in their privacy policy where they use AI or automated systems to make decisions that could significantly affect someone, such as credit, insurance, or employment decisions. Having a policy in place now means you’re not scrambling to catch up later, and it gives you a head start if these obligations end up applying to you.
What a policy also does: makes AI easier to say yes to
It’s easy to read a list of risks like that and conclude the safest move is to avoid AI altogether. Without a policy, staff use AI tools anyway, quietly, inconsistently, and without anyone checking how. A policy doesn’t restrict AI use so much as make it safe to say yes to it. Once your team knows exactly what’s approved and what isn’t, they can use AI to draft faster, summarise more, and free up time for the work that actually needs a person, without you wondering what’s going on behind the scenes.
What to include in your AI policy
You don’t need a 40-page document and you can start simply and evolve. A practical AI policy for a small business should cover:
- Approved tools – A clear list of which AI tools your team is permitted to use for work purposes, and which ones aren’t approved.
Worth knowing: not all AI tools treat your data the same way, and it’s not always obvious from the sign-up screen.
Turned on unless you opt out: Most free and personal paid plans (ChatGPT Plus, Claude Pro, Gemini Advanced). In these models, your conversations are used to train future versions of the model unless you manually go into settings and turn this off.
Turned off unless you opt in: Business and enterprise tiers (ChatGPT Team/Enterprise, Claude for Work, Gemini via Google Workspace), and API access. Generally speaking, these providers typically exclude your data from training by default, as a contractual term, rather than a setting you have to remember to flip. These settings do change over time as providers update their policies, so it’s worth checking the current settings directly with the provider rather than relying on what was true last time you looked.
- What can and can’t be entered into AI tools – Set out plainly what information is off limits, such as client data, financial information, unpublished content, or anything covered by a confidentiality agreement.
- Human review requirements – A rule that AI-generated content, whether it’s a blog post, an email, or a set of numbers, is checked by a person before it goes out under your brand, or is used in decision-making.
- Accuracy and fact checking – A requirement to verify any facts, figures, or claims generated by AI before publishing.
- Disclosure expectations – Where relevant, whether and how you’ll let clients or customers know AI has been used, for example in content creation or customer service.
- Intellectual property and ownership – Guidance on how your business handles ownership and usage rights for AI generated content and imagery.
- An accountable person – Someone in the business responsible for keeping the policy up to date and answering questions about it.
- A review date – Given how quickly this space is changing, your policy should be reviewed at least annually, if not more often.
Getting started
You don’t need to solve every scenario on day one. Start by having an honest conversation with your team about what AI tools they’re already using, then build your policy around your actual working practices rather than a generic template pulled from the internet. Most small businesses can get a first working version down in a single sitting and refine it as you go.
The businesses that get ahead here won’t be the ones with the most sophisticated AI tools. They’ll be the ones who’ve thought through how to use them responsibly, and who can show clients and staff that they take it seriously, while still getting the genuine productivity benefits AI has to offer.
- National AI Centre’s own AI policy guide and template (PDF, released October 2025) – a ready-to-adapt policy skeleton with example wording, built specifically to align with the government’s current AI adoption guidance.
- The National AI Centre’s Create an AI policy page – a shorter, web-based walkthrough of what a policy should cover, useful as a lighter-touch companion to the PDF above.
- The Community of Directors has a simple framework guide
- Employment Hero also published a recent guide that sets out the basics







