AI is Useful, But Only If Your Team Knows How to Use It Safely

Discover how small businesses can use AI safely with a simple usage policy that protects data, reduces risk, and helps teams use AI tools with confidence.

Your staff are already using AI. ChatGPT, Copilot, Gemini, whatever free tool they found last Tuesday. They’re drafting emails with it, summarising documents, maybe even feeding it customer data to “save time.” And you probably have no idea what’s going into those tools or what’s coming out.

That’s not a technology problem. It’s a policy problem. And if you’re running a small business without an AI usage policy, you’re carrying a risk you haven’t measured yet.

Here is how to fix it. Not a 40-page corporate governance document. A simple, usable AI safety policy that your team will actually follow, so you get the productivity gains without the data leaks, compliance headaches, or embarrassing mistakes.

The Problem: Two Bad Defaults

Most small business owners fall into one of two camps right now.

Camp one: the blanket ban. You’ve heard the horror stories. Samsung engineers leaking proprietary code through ChatGPT. Law firms citing fake court cases that AI invented from nothing. So you tell your team: “Don’t use it. Full stop.” They use it anyway, on their phones, on personal accounts, with zero oversight. Your ban didn’t reduce the risk. It just moved it somewhere you can’t see.

Camp two: the free-for-all. You figure AI is the future, so you let everyone experiment. No rules, no training, no approved tools list. One person is pasting client financials into a free chatbot. Another is using AI to write proposals that contain made-up statistics. Someone in accounts is running sensitive payroll questions through a tool that stores every conversation for model training. You won’t find out until something goes wrong.

Both camps end up exposed. One just doesn’t know it yet.

The Australian Cyber Security Centre has flagged AI tool usage as a growing risk area for small businesses, and most still have no formal policy in place. The tools arrived faster than the rules, and most owners are still catching up. Your team started using ChatGPT and Copilot before you had time to think about what that meant for client data or compliance.

The Reframe: A Policy Tells Your Team What They Can Do

We tend to ban or ignore things we don’t understand. That’s natural. But it’s not a strategy.

An AI usage policy isn’t about locking things down. It’s about giving your team a clear set of rules so they can use AI confidently, without worrying they’re about to cause a data breach. When people know where the lines are, they stop second-guessing and start getting value from the tools.

Your password policy is a good comparison. You don’t ban passwords. You set requirements: minimum length, no reuse across systems, multi-factor authentication turned on. Everyone follows the same standard and your business is better protected for it.

An AI safety policy follows the same logic. You define what’s in bounds, pick the tools that meet your data handling requirements, and train the team once. A few hours of setup. Compare that to the cost of a data breach, a Privacy Act investigation, or a client finding out their financials were fed into a free chatbot.

Five Steps to Build Your AI Usage Policy

You can do this yourself, this week, without outside help.

Step 1: Audit What’s Already Being Used

Start by asking your team what they’re already using. Send a short survey or have a 10-minute conversation with each department. Ask three questions:

  • What AI tools are you using right now? (Include free ones, browser extensions, built-in features like Copilot.)
  • What tasks are you using them for?
  • What type of information are you putting into them?

You’ll likely find more than you expected. The marketing coordinator has been using ChatGPT daily for three months. Your bookkeeper tried an AI receipt scanner back in February. Someone on the sales team signed up for an AI email writer that stores every message on servers in the US. None of them told you, not out of malice, but because nobody asked.

Step 2: Classify Your Data

Not all data carries the same risk. Split your business information into three categories:

  • Public: Marketing copy, blog ideas, general research. Low risk. Fine to use with most AI tools.
  • Internal: Meeting notes, project plans, non-sensitive business processes. Moderate risk. Only approved tools with decent privacy settings.
  • Restricted: Client data, financial records, employee information, passwords, health data, anything covered by the Privacy Act. High risk. Never entered into public AI tools. Period.

Write these down and include real examples from your business. “Client email addresses” goes in restricted. “Brainstorming blog topic ideas” is public. When someone asks “can I put this into ChatGPT?”, they should be able to check the list and answer the question themselves.

Step 3: Create an Approved Tools List

Pick two or three AI tools your business will officially support. Choose them based on:

  • Data handling: Does the tool store your inputs? Does it use them for training? Enterprise versions of ChatGPT and Copilot offer data protection that free tiers don’t.
  • Location: Where are the servers? If you’re handling Australian client data, you need to know whether it’s leaving the country.
  • Authentication: Does it support single sign-on or multi-factor authentication?

Put the approved list in writing. Anything not on the list needs sign-off before use. You can add more later, but check them first.

Step 4: Set Usage Rules

Keep these short. One page, plain English, five areas:

  1. Data entry: “Never paste restricted data into any AI tool. If you’re unsure, ask before you paste.”
  2. Output verification: “Read everything the AI writes before you send it to a client. AI makes things up. Check every fact, figure, and citation.”
  3. Client disclosure: “If AI was used to produce something for a client, disclose it when required by the contract or relationship.”
  4. Account management: “Use your work account for approved AI tools. Don’t use personal accounts for business tasks.”
  5. Incident reporting: “If you accidentally put restricted data into an AI tool, report it to [your nominated contact] within 24 hours. No penalties for honest mistakes. Penalties for hiding them.”

That incident reporting rule is the most important one on the list. If people fear getting fired for a mistake, they’ll hide it. You’ll find out about the data leak three months later, from a client. Build a culture where your team reports problems the same day, and you’ll catch issues while they’re still fixable.

Step 5: Train Once, Review Quarterly

Run a 30-minute training session. Walk through the approved tools, the data categories, and the five rules. Use real examples from your business, not abstract scenarios.

Then put a quarterly review in the calendar. The tool you approved in January might have changed its privacy terms by April. OpenAI updated their data usage policies three times in 2024 alone. Fifteen minutes every three months keeps your approved list accurate and gives the team a chance to raise questions about new tools they’ve come across.

Implementation: What to Do This Week

Don’t wait for the perfect version. Get a working draft in front of your team this week and improve it over time.

Here’s a realistic schedule:

Monday: Send your team the three-question audit. Give them until Wednesday to respond.

Wednesday: Review the responses. Categorise the tools into approved, needs-review, and banned. Draft your data classification with five specific examples for each category.

Thursday: Write the one-page usage rules. Keep it plain English. No legal jargon.

Friday: Run a 30-minute team meeting. Walk through the policy. Answer questions. Send the final document by end of day.

Five days. One working AI safety policy. You’ll refine it over time, but by Friday your team has clear rules and you’ve closed the gap that most small businesses are still ignoring.

Frequently Asked Questions

Do I need an AI usage policy if my business only has five employees?

Yes. It only takes one person pasting client data into a free AI tool to create a real problem. Five employees or fifty, the exposure is the same. A short, simple policy takes an hour to write and protects you from day one.

Can I just ban AI tools entirely?

You can try, but it rarely works. Staff use AI on personal devices and accounts anyway. A ban pushes usage underground where you have zero visibility. A policy with approved tools and clear boundaries gives you control without losing the productivity benefits.

What’s the biggest AI risk for small businesses in Australia?

Data leakage. When team members input client information, financial data, or personal details into AI tools that store or train on that data, you lose control of where it ends up. Under the Australian Privacy Act, you’re responsible for how personal information is handled. This applies to third-party AI tools too.

How often should I update my AI usage policy?

Review it quarterly. AI tools change their terms and features frequently. A quarterly check (15 minutes is enough) ensures your approved tools list is current and your rules still match the technology your team is using.

What should I do if an employee accidentally puts sensitive data into an AI tool?

Treat it like any data incident. Document what was entered, which tool was used, and when it happened. Check the tool’s data retention and deletion options. If personal information was involved, assess whether you have a notifiable data breach under the Privacy Act. The priority is speed: the faster you act, the more options you have.

Set the Rules Now

Your team is already using AI whether you’ve approved it or not. A few hours this week gives you a policy that protects your client data, keeps you on the right side of the Privacy Act, and lets your team use these tools without the risk.

Stop guessing. Write the rules, train your people, and review every quarter. If you want help working out which tools are safe for your business or building a policy that fits your setup, talk to the team at SixFive.


Duncan Isaksen-Loxton

Educated as a web developer, with over 20 years of internet based work and experience, Duncan is a Google Workspace Certified Collaboration Engineer and a WordPress expert.
