AIRiskAware

This article is currently available in English only.

Australia 9 min read 2026

AI Governance for Australian SMEs: What You Actually Need to Do

If you have fewer than 200 staff and you're using AI tools, your governance obligations are real but manageable. Privacy Act, ACCC consumer law, AI6 basics, and a practical action list — without the enterprise overhead.

Key Takeaways

  • The Privacy Act applies to most Australian businesses — if your annual turnover is above AUD $3 million, or you handle health information, employee records, or credit-related data, the Australian Privacy Principles apply to your AI tools regardless of business size.

  • ACCC consumer law applies if your AI-powered communications, pricing, or recommendations mislead customers — Australian Consumer Law does not have an exemption for algorithmic outputs. If your AI produces a misleading product claim, you are responsible.

  • AI6 is designed for organisations of all sizes — the National AI Centre's implementation guidance explicitly addresses SME adoption. You don't need a GRC team to implement the six essential practices at a baseline level.

  • The most common SME AI governance failure is using consumer AI tools — free ChatGPT, consumer Gemini — with client data. This creates Privacy Act risk. Enterprise or business plans with appropriate data processing agreements are a minimal requirement.

  • A one-page AI use policy, an AI tool register (a spreadsheet will do), and a named responsible person cover a significant portion of baseline AI6 requirements for a small business.

  • The AI6 framework, NAIC policy template, AI screening tool, and AI system register template are all free at industry.gov.au — a small business can implement a defensible baseline with no external consultant.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified professional."

What actually applies to you

Most AI governance content is written for enterprise. This guide is written for Australian businesses with under 200 staff — the ones for whom a full GRC program is not realistic, but doing nothing is also not an option.

The starting point is understanding what actually applies. Three frameworks matter most for Australian SMEs using AI tools:

Privacy Act 1988 and the APPs: Applies to you if your annual turnover exceeds AUD $3 million, or if you handle health information, employee records, credit-related data, or other sensitive personal information categories. If you are in scope, the Australian Privacy Principles govern every AI system you use that processes personal information — which includes your CRM, your email marketing platform, your hiring tools, and your customer-facing AI features.

Australian Consumer Law: Applies to all businesses regardless of size. If your AI-generated product descriptions, pricing decisions, or customer communications mislead a consumer, Australian Consumer Law applies. There is no algorithmic exemption — you are responsible for what your AI says to customers on your behalf.

AI6 framework: Released by the National AI Centre in October 2025, this replaces the earlier Voluntary AI Safety Standard. It is voluntary guidance, but it represents the government's clearest statement of what reasonable AI governance looks like for Australian businesses. Regulators will reference it when assessing your conduct.

The most important thing to fix first

If you are currently using free consumer AI tools — the free tier of ChatGPT, personal Gemini, or similar — with any client, customer, or employee data, that is your most urgent issue. Consumer AI tools may use your inputs to train models and are accessible to the provider in ways that business or enterprise plans are not. Entering a client name, a customer's contact details, or an employee's performance notes into a free consumer AI tool creates a real Privacy Act risk — not a theoretical one.

The fix is straightforward: either upgrade to a business or enterprise plan for the tools your team uses most, or establish a clear policy that no personal data enters consumer AI tools. Both require a decision and communication to your staff — neither requires a consultant.

The minimal viable governance setup for an SME

You do not need to implement everything in AI6 to have defensible governance. Here is a practical baseline for a small Australian business:

Named responsibility: Decide who in your business is responsible for AI governance questions — likely the business owner, operations manager, or whoever manages IT. Write it down.

AI tool register: A spreadsheet listing every AI tool your business uses, what it is used for, whether it processes personal data, and whether you have a business account with appropriate terms. The NAIC provides a free template.

AI use policy: A one-page document telling staff which tools are approved, what data they can and cannot enter, and what they must do before acting on AI outputs. The NAIC provides a free policy template at industry.gov.au.

Privacy check: Review your privacy policy to ensure it accurately describes how you use AI — especially if AI assists in any customer-facing decisions. From December 2026, if AI significantly influences decisions about individual customers, your privacy policy must say so.

That is genuinely enough for a small business to demonstrate a reasonable baseline of AI governance. It takes a few hours to set up, not weeks. And it creates a foundation you can build on as your AI use grows.
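As an added illustration that is not part of the original article or of any NAIC template: a small Python check over a register in the shape described above, which flags the consumer-tool problem first, then missing data processing agreements, then tools that need a privacy policy disclosure. The column names and the sample rows are this example's own assumptions.

```python
import csv
import io

# Constructed sample register. Column names are assumptions made for this
# example, not the layout of the NAIC register template.
SAMPLE_REGISTER = """tool,used_for,processes_personal_data,account_type,data_processing_agreement,influences_customer_decisions
ChatGPT (free tier),drafting client emails,yes,consumer,no,no
Gemini (personal),summarising meeting notes,yes,consumer,no,no
CRM AI assistant,lead scoring,yes,business,yes,yes
Copy generator,product descriptions,no,consumer,no,no
Hiring screener,shortlisting applicants,yes,enterprise,no,no
"""


def load_register(text):
    """Parse the register CSV into dicts with yes/no fields turned into booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "tool": row["tool"].strip(),
            "used_for": row["used_for"].strip(),
            "personal_data": row["processes_personal_data"].strip().lower() == "yes",
            "account": row["account_type"].strip().lower(),
            "dpa": row["data_processing_agreement"].strip().lower() == "yes",
            "customer_decisions": row["influences_customer_decisions"].strip().lower() == "yes",
        })
    return rows


def review_register(rows):
    """Return (severity, tool, reason) findings, most urgent first."""
    findings = []
    for r in rows:
        if r["personal_data"] and r["account"] == "consumer":
            findings.append(("urgent", r["tool"],
                             "personal data entered into a consumer AI tool; upgrade to a business plan or stop the data flow"))
        elif r["personal_data"] and not r["dpa"]:
            findings.append(("action", r["tool"],
                             "personal data processed without a data processing agreement on file"))
        if r["customer_decisions"]:
            findings.append(("disclose", r["tool"],
                             "AI influences decisions about customers; the privacy policy must describe this"))
    order = {"urgent": 0, "action": 1, "disclose": 2}
    findings.sort(key=lambda f: order[f[0]])  # stable sort keeps register order within a severity
    return findings


if __name__ == "__main__":
    for sev, tool, reason in review_register(load_register(SAMPLE_REGISTER)):
        print(f"[{sev.upper()}] {tool}: {reason}")
```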

What the ACCC is watching

The ACCC has specifically flagged AI-enabled misleading conduct as a priority enforcement area. Common risks for small businesses include: AI-generated product descriptions that overstate performance; AI-powered pricing that creates false urgency or misleading comparisons; AI chatbots that make representations the business cannot back up; and personalisation algorithms that show different customers materially different pricing without disclosure. You do not need to be large to be in the ACCC's sights — the consumer law obligation is universal.