The problem no one talks about until it's too late
Right now, your staff are almost certainly using AI tools at work. ChatGPT to draft emails. Copilot to summarise documents. Gemini to answer questions. Some of it sanctioned, some of it not — and most of it happening without any clear rules about what's acceptable and what isn't.
That's where an AI Acceptable Use Policy comes in. It's not a bureaucratic checkbox. It's the document that tells your team what they can do, what they can't, and why — before something goes wrong.
Without it, you're relying on individual judgment calls in situations employees weren't trained for. That's how client data ends up in a public AI model, how confidential information gets incorporated into a vendor's training dataset, and how your business ends up with a privacy breach it didn't see coming.
What an AI AUP actually is (and isn't)
An AI Acceptable Use Policy is a document that sets out the rules governing how artificial intelligence tools may be used within your organisation. It covers which tools are approved, what kinds of tasks they can be used for, what data can and cannot be entered into them, and what your staff's responsibilities are when using AI.
It is not a technical document written for IT. It's not a legal brief. And it's not a list of prohibitions designed to stop people from doing their jobs. A good AI AUP is practical, readable, and directly relevant to the situations your team actually encounters.
Think of it as the employment contract for your AI tools — the agreement that defines the relationship between your business, your staff, and the AI systems you use.
What an AI AUP should cover
The exact contents will vary by industry and business size, but every AI AUP should address the following:
- Approved tools. A list of AI tools that are permitted for work use, and which tasks each is approved for. Any tool not on the list requires approval before use.
- Prohibited uses. Specific activities that are off-limits — entering personal information about clients, patients, or employees; using AI to make final decisions about people without human review; using public AI tools for confidential work.
- Data handling rules. Clear guidance on what kinds of information may never be entered into an AI tool — personal information, commercially sensitive data, legally privileged material, health information.
- Verification requirements. A requirement that staff verify AI outputs before acting on them or sharing them, particularly in professional contexts.
- Confidentiality and IP. Rules about entering third-party IP, client content, or confidential business information into AI systems.
- Incident reporting. How staff should report an AI-related incident — including accidentally entering prohibited information into a tool.
- Consequences. What happens if the policy is breached, so expectations are clear.
Australian Privacy Principles note: Under the APPs, your obligations around personal information don't disappear just because you're using a third-party AI tool to process it. If personal information is entered into an AI system, you remain responsible for what happens to it — including where it goes and how it's used.
Who needs one?
The short answer: if your staff use AI tools for work purposes, you need an AI AUP. That applies whether you're a five-person accounting firm or a 200-person professional services business.
The longer answer is that your need is more urgent if any of the following apply:
- You handle personal information about clients, customers, or employees (which means the Australian Privacy Principles apply to you)
- You work in a regulated industry — legal, financial services, healthcare, education
- Your staff use AI tools that haven't been formally approved or assessed
- You don't currently have any written guidance about AI use at work
If you're an APP entity — broadly, any business with an annual turnover above $3 million, plus many others regardless of turnover — you have specific legal obligations around personal information that an AI AUP helps you meet.
What happens without one
The risks aren't hypothetical. These are the situations we see in practice:
- A staff member pastes a client's personal details into ChatGPT to draft a letter. That data is now in OpenAI's systems, potentially used to train future models, with no consent from the client and no awareness from the business.
- A lawyer uses an AI tool to summarise a confidential client document. The tool is a free-tier consumer product, not an enterprise version — the content is processed on overseas servers with no data processing agreement in place.
- A manager uses AI to screen job applications and makes hiring decisions based on the output. There's no record of how the AI reached its recommendations, no human review process, and no disclosure to candidates — all of which create legal exposure.
In each case, a clear AI AUP — read and understood by staff — would have prevented the problem.
How to get one in place without it becoming a shelf document
The biggest risk with any policy is that it gets written, filed, and forgotten. Here's how to avoid that:
- Keep it short. A policy your staff will actually read is more valuable than a comprehensive document no one opens. Aim for something that can be read in under ten minutes.
- Make it specific to your context. Generic templates are better than nothing, but a policy that references the actual AI tools your team uses, the kinds of data you handle, and the specific risks in your industry will be far more effective.
- Walk your team through it. Don't just email it out. Spend 20 minutes in a team meeting going through the key points, answering questions, and making sure everyone understands what it means for their day-to-day work.
- Get sign-off. Have staff acknowledge they've read and understood the policy. This creates accountability and gives you a record if something goes wrong.
- Review it annually. The AI landscape changes fast. Build a review date into the document so it doesn't become outdated.
The bottom line
An AI Acceptable Use Policy won't protect you from every AI-related risk — but operating without one leaves you exposed in ways that are entirely preventable. It sets expectations, protects your clients' information, and gives your staff the guidance they need to use AI tools responsibly.
It doesn't need to be long, and it doesn't need to be written by a lawyer. It needs to be clear, specific, and actually used.
Get your AI governance pack
A complete, tailored set of AI governance documents for your Australian business — ready in minutes.