INSIGHTS - Free Me Up AI

AI Governance Checklist for Australian Organisations

Published March 2026 - 6 min read

Why AI governance matters - even for small organisations

AI governance sounds like something for large corporates with compliance teams. But for small businesses, not-for-profits, and professional services firms, the risks from ungoverned AI use are just as real - and often more damaging because there's no team to absorb the fallout.

This checklist is for Australian organisations that are already using AI (or planning to) and want to make sure they're doing it safely and accountably.

For a deeper look at how we approach responsible AI and governance, visit our governance page.

Section 1: Foundations

• We have a written AI Use Policy that defines what AI can and cannot be used for in our organisation
• The policy has been communicated to all staff
• We have identified which AI tools are approved for use (and which are not)
• We have a named person responsible for AI governance in our organisation
• Leadership/board is aware of our AI use and has approved our approach

Section 2: Data Privacy

• We have identified what categories of data staff are using with AI tools (internal documents, client data, beneficiary information, financial records)
• We have defined rules about what data can and cannot be entered into AI tools
• We have confirmed that the AI tools we use do not train on our data (this requires checking each tool's terms of service)
• Staff using AI tools with any client or beneficiary data are using an organisational account (not a personal free account)
• Our AI use complies with the Australian Privacy Act 1988

Section 3: Human Oversight

• All AI-generated content that will be sent to clients, funders, or the public is reviewed by a human before sending
• AI is not used to make decisions about individuals (employment, service eligibility, financial decisions) without human review
• Staff understand they are responsible for the accuracy of any AI-assisted output they send or publish
• We do not rely on AI outputs without independent verification for high-stakes decisions

Section 4: Tool-Specific Governance

• For Microsoft Copilot: we have reviewed what data Copilot can access in our Microsoft 365 environment and configured permissions appropriately
• For ChatGPT: staff are using ChatGPT Teams or Enterprise (not Free or personal Plus accounts) for any work-related tasks
• For workflow automation tools (Zapier, Power Automate, etc.): we have documented what each automation does and reviewed any data it handles
• For any external AI tools: we have reviewed their privacy policy and terms of service

If you need help evaluating your current tools and policies, our AI governance consulting service can guide you through this process.

Section 5: Accountability

• We keep basic records of significant AI use - particularly for client-facing outputs or compliance-related documents
• We have a process for reviewing and updating our AI governance as tools and capabilities change
• We have communicated our AI approach to key external stakeholders where appropriate (major funders, board members, clients)

How to use this checklist

Score your organisation against each item. Items you can't tick are your governance gaps.

Priority order for addressing gaps:

1. Data privacy items (Section 2) - highest risk, most urgent
2. Human oversight items (Section 3) - reputational and liability risk
3. Foundations (Section 1) - without a policy, everything else is hard to enforce
4. Tool-specific and accountability items (Sections 4-5) - important but less urgent than the above

A lightweight AI governance framework for a small organisation can be developed in one to two weeks. It doesn't need to be long - a one-page AI Use Policy and a short governance checklist like this one is sufficient for most smaller Australian organisations.

Need help building your AI governance framework?

Book a free 15-minute AI clarity call. We'll review your current AI use, identify governance gaps, and help you build a practical policy - without the corporate complexity.

Book a free 15-minute call

Related reading

• Responsible AI for Australian NFPs - What boards need to understand about responsible AI use, data privacy, and human oversight in not-for-profit organisations.
• AI Policy Template for Not-for-Profits - A free AI policy template covering acceptable use, data handling, human oversight, and board responsibilities for Australian NFPs.