This article is currently available in English.
Your First 30 Days of AI Governance: A Practical Plan for Australian Organisations
Whether you are starting from scratch or trying to catch up with what the regulators expect, this 30-day plan gives you a structured path to defensible AI governance. It is built around the Australian Government's AI6 framework, six essential practices for responsible AI governance.
Key Takeaways
Most Australian organisations can establish defensible AI governance in 30 days without external consultants — what it requires is focused attention and honest self-assessment.
The AI6 framework's six essential practices provide the structure. Your job in the first 30 days is to map your current state against each guardrail and close the most critical gaps.
Week 1 is entirely about visibility: you cannot govern what you cannot see. The AI inventory is the foundation of everything else.
Week 2 focuses on accountability and policy — assigning names to risks and writing down the rules that currently exist only in people's heads.
Weeks 3 and 4 address the harder work: oversight mechanisms, monitoring, and preparing to explain your governance to regulators, clients, or a board that asks.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
Why 30 days is enough to get to defensible governance
When organisations think about AI governance they often imagine a multi-year programme requiring specialist consultants, dedicated governance teams, and sophisticated technology platforms. That is the endpoint, not the starting point. What Australian regulators currently expect of most organisations is not perfection — it is evidence of genuine, thoughtful effort. A documented AI inventory, a written policy, named accountability, and basic monitoring will distinguish your organisation from the majority that have done nothing. This plan gets you there in 30 days.
The plan is structured around the AI6 framework's six essential practices, which provide the most operationally relevant governance structure for Australian organisations right now. It is calibrated for an organisation of 20 to 500 people — the approach applies at larger scale, but will take longer.
Week 1: Visibility (Days 1–7)
Day 1–2: The AI inventory. Send a brief message to all staff asking them to list every AI tool they use for work — including tools accessed from personal accounts. Create a simple spreadsheet: tool name, primary user or team, purpose, type of data it receives. Do not judge or restrict at this stage. You need honest answers. Most organisations discover more AI in use than they expected.
Day 3–4: Risk flag each tool. Review your inventory and flag each tool for three risk factors: does it process customer or client personal information? Does it make or influence decisions that affect people (employees, customers, others)? Is it accessed via a consumer account rather than an enterprise account? High flags across all three require immediate attention.
Day 5–7: Assess your highest-risk tools. For each tool that flagged high on personal information or high-stakes decisions, answer: what data handling agreement exists with the provider? Is this tool consistent with your privacy policy? Are employees using it in ways you are comfortable with? Document your answers — this is the foundation of your risk register.
Week 2: Accountability and Policy (Days 8–14)
Day 8–9: Assign accountability. Identify one named person who is responsible for AI governance in your organisation. This does not need to be a new role — it can be an existing manager, risk officer, or operations leader. Write it down. Send a note to the relevant person and their manager confirming the responsibility. This single step satisfies the first guardrail of the Australian AI Safety Standard and addresses the most common governance gap.
Day 10–12: Write your AI use policy. One to two pages. Cover: which AI tools are approved for which purposes; what data cannot go into AI tools (at minimum: identifiable customer information, confidential business information, legally privileged material); who approves new AI tools; and what happens if someone uses AI in a way that causes harm. The policy does not need to be perfect — it needs to be honest and followed.
Day 13–14: Update your privacy policy. If you process customer personal information through AI tools, your privacy policy needs to say so. Check your existing policy for any mention of AI. If there is none, add a section describing how AI is used in your operations and what data it may process. This is required by APP 1 of the Privacy Act for covered entities, and is good practice for all organisations.
Week 3: Oversight and Transparency (Days 15–21)
Day 15–17: Identify your high-risk AI decisions. From your inventory, identify any AI that makes or significantly influences decisions about people — customers, employees, or others. These are your highest-governance-priority systems. For each, document: what the AI decides or recommends, who reviews AI recommendations before action, and what the appeals process is for people affected by AI decisions.
Day 18–21: Establish transparency mechanisms. For customer-facing AI — chatbots, automated responses, AI-generated communications — establish disclosure practices. People interacting with AI should know they are doing so. For AI used in employment decisions, employees should be informed. Write this into your AI use policy.
Week 4: Monitoring and Documentation (Days 22–30)
Day 22–25: Set up basic monitoring. For your highest-risk AI systems, establish a simple monitoring regime: who checks the tool's outputs periodically for quality and appropriateness; who is notified if an AI error causes a customer or employee complaint; and what triggers a review of the AI tool's continued use. Document this. One page per high-risk system is sufficient.
Day 26–28: Document what you have done. Compile your AI inventory, your risk assessment, your AI use policy, your privacy policy update, your accountability designation, your oversight mechanisms, and your monitoring plan. This is your AI governance documentation. Store it somewhere it can be found and updated. Review it every six months.
Day 29–30: Report to leadership. Brief your CEO, board, or relevant leadership on what you found and what you have put in place. AI governance is a board-level issue. Leadership should know the key findings from your inventory (what AI is in use, what the significant risks are) and what the organisation is doing about them. Document that you did this.