What actually applies to you

Most AI governance content is written for enterprise. This guide is written for Australian businesses with under 200 staff — the ones for whom a full GRC program is not realistic, but doing nothing is also not an option.

The starting point is understanding what actually applies. Three frameworks matter most for Australian SMEs using AI tools:

Privacy Act 1988 and the APPs: Applies to you if your annual turnover exceeds AUD $3 million, or if you handle health information, employee records, credit-related data, or other sensitive personal information categories. If you are in scope, the Australian Privacy Principles govern every AI system you use that processes personal information — which includes your CRM, your email marketing platform, your hiring tools, and your customer-facing AI features.

Australian Consumer Law: Applies to all businesses regardless of size. If your AI-generated product descriptions, pricing decisions, or customer communications mislead a consumer, Australian Consumer Law applies. There is no algorithmic exemption — you are responsible for what your AI says to customers on your behalf.

AI6 framework: Released by the National AI Centre in October 2025, this replaces the earlier Voluntary AI Safety Standard. It is voluntary guidance, but it represents the government's clearest statement of what reasonable AI governance looks like for Australian businesses. Regulators will reference it when assessing your conduct.

The most important thing to fix first

If you are currently using free consumer AI tools — the free tier of ChatGPT, personal Gemini, or similar — with any client, customer, or employee data, that is your most urgent issue. Consumer AI tools may use your inputs to train models and are accessible to the provider in ways that business or enterprise plans are not. Entering a client name, a customer's contact details, or an employee's performance notes into a free consumer AI tool creates a real Privacy Act risk — not a theoretical one.

The fix is straightforward: either upgrade to a business or enterprise plan for the tools your team uses most, or establish a clear policy that no personal data enters consumer AI tools. Both require a decision and communication to your staff — neither requires a consultant.

The minimal viable governance setup for an SME

You do not need to implement everything in AI6 to have defensible governance. Here is a practical baseline for a small Australian business:

Named responsibility: Decide who in your business is responsible for AI governance questions — likely the business owner, operations manager, or whoever manages IT. Write it down.

AI tool register: A spreadsheet listing every AI tool your business uses, what it is used for, whether it processes personal data, and whether you have a business account with appropriate terms. The National AI Centre (NAIC) provides a free template.

AI use policy: A one-page document telling staff which tools are approved, what data they can and cannot enter, and what they must do before acting on AI outputs. The NAIC provides a free policy template at industry.gov.au.

Privacy check: Review your privacy policy to ensure it accurately describes how you use AI — especially if AI assists in any customer-facing decisions. From December 2026, if AI significantly influences decisions about individual customers, your privacy policy must say so.

That is genuinely enough for a small business to demonstrate a reasonable baseline of AI governance. It takes a few hours to set up, not weeks. And it creates a foundation you can build on as your AI use grows.

What the ACCC is watching

The ACCC has specifically flagged AI-enabled misleading conduct as a priority enforcement area. Common risks for small businesses include: AI-generated product descriptions that overstate performance; AI-powered pricing that creates false urgency or misleading comparisons; AI chatbots that make representations the business cannot back up; and personalisation algorithms that show different customers materially different pricing without disclosure. You do not need to be large to be in the ACCC's sights — the consumer law obligation is universal.