
    AI Governance Checklist for Australian Organisations

    March 2026

    Australian businesses and not-for-profits need an AI governance checklist to ensure they are using AI tools legally, safely, and in line with their values.

    In short

    This checklist covers the five key areas every organisation should address before rolling out AI, from data privacy and human oversight to tool-specific rules and accountability.

    Why does AI governance matter even for small organisations?

    AI governance sounds like something for large corporates with compliance teams. But for small businesses, not-for-profits, and professional services firms, the risks from ungoverned AI use are just as real - and often more damaging because there's no team to absorb the fallout.

    This checklist is for Australian organisations that are already using AI (or planning to) and want to make sure they're doing it safely and accountably.

    For a deeper look at how we approach responsible AI and governance, visit our governance page.

    Section 1: What foundations do you need before adopting AI?

    • We have a written AI Use Policy that defines what AI can and cannot be used for in our organisation
    • The policy has been communicated to all staff
    • We have identified which AI tools are approved for use (and which are not)
    • We have a named person responsible for AI governance in our organisation
    • Leadership/board is aware of our AI use and has approved our approach

    Section 2: How do you protect data privacy when using AI?

    • We have identified what categories of data staff are using with AI tools (internal documents, client data, beneficiary information, financial records)
    • We have defined rules about what data can and cannot be entered into AI tools
    • We have confirmed that the AI tools we use do not train on our data (this requires checking each tool's terms of service and data-handling terms, and enabling any admin-level opt-out where training is on by default)
    • Staff using AI tools with any client or beneficiary data are using an organisational account (not a personal free account)
    • Our AI use complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (check whether your organisation is covered: the small business exemption does not extend to, for example, health service providers)

    Section 3: How much human oversight do AI tools require?

    • All AI-generated content that will be sent to clients, funders, or the public is reviewed by a human before sending
    • AI is not used to make decisions about individuals (employment, service eligibility, financial decisions) without human review
    • Staff understand they are responsible for the accuracy of any AI-assisted output they send or publish
    • We do not rely on AI outputs without independent verification for high-stakes decisions

    Section 4: What governance rules apply to specific AI tools?

    • For Microsoft Copilot: we have reviewed what data Copilot can access in our Microsoft 365 environment and configured permissions appropriately (Copilot can surface anything the signed-in user already has access to, so over-shared SharePoint sites and Teams files become discoverable)
    • For ChatGPT: staff are using ChatGPT Team or Enterprise (not Free or personal Plus accounts) for any work-related tasks, since the business plans exclude workspace data from model training by default
    • For workflow automation tools (Zapier, Power Automate, etc.): we have documented what each automation does and reviewed any data it handles
    • For any external AI tools: we have reviewed their privacy policy and terms of service

    If you need help evaluating your current tools and policies, our AI governance consulting service can guide you through this process.

    Section 5: Who is accountable when AI makes a mistake?

    • We keep basic records of significant AI use - particularly for client-facing outputs or compliance-related documents
    • We have a process for reviewing and updating our AI governance as tools and capabilities change
    • We have communicated our AI approach to key stakeholders where appropriate (board members, major funders, clients)

    How do you put this AI governance checklist into practice?

    Score your organisation against each item. Items you can't tick are your governance gaps. Address them as part of a complete AI governance framework rather than one-off fixes.

    Priority order for addressing gaps:

    1. Data privacy items (Section 2) - highest risk, most urgent
    2. Human oversight items (Section 3) - reputational and liability risk
    3. Foundations (Section 1) - without a policy, everything else is hard to enforce
    4. Tool-specific and accountability items (Sections 4-5) - important but less urgent than the above

    A lightweight AI governance framework for a small organisation can be developed in one to two weeks. It doesn't need to be long - a one-page AI Use Policy and a short governance checklist like this one are sufficient for most smaller Australian organisations.

    Need help building your AI governance framework?

    Book a free 30-minute clarity session. We'll review your current AI use, identify governance gaps, and help you build a practical policy - without the corporate complexity. This checklist applies to Australian organisations across Sydney, Melbourne, Brisbane, Perth, Adelaide, Canberra, Hobart, and Darwin.
