I just finished a conversation with a long-time client who was keen to show off their new toy – a Claude.ai account their organisation had recently set up.
They’d been exploring what it could do and had just discovered something that genuinely impressed them. “Claude – can you see my email?” Yes. “Can you look through a specific folder, find all the emails with attached invoices, and compile the amounts into a single spreadsheet?” Yes – it was already running.
They told me this in the way you tell someone about a magic trick. “So cool!” Delighted, as they should be – that’s a genuinely useful capability that would have taken several hours to do manually.
I responded with something that was, apparently, mildly alarmed. Not dramatically – just a beat of “you did what?”
That beat was enough. A few minutes later they came back, a little more thoughtful: they’d just saved several hours of work but were now considering unplugging their computer from the internet. “Claude is very friendly,” they said, “but I’m now worried he’s actually evil”.
I want to be clear – my client didn’t do anything wrong. They did something completely normal. They got a new tool, explored what it could do and found it impressive. That is exactly what curious, engaged professionals do. The mild alarm in my response wasn’t about their behaviour. It was the immediate reflex of someone who spends a lot of time thinking about what happens AFTER “yes, it can do that”.
Who else can see those emails? Where does that spreadsheet live? What are the data retention settings on the platform? Does your privacy policy cover this use? Do your staff know what they can and can’t ask the tool to do?
The question isn’t whether the AI can do it – it clearly can. The question is whether anyone in your organisation has thought through what happens when it does. AI governance in Australia is becoming a conversation organisations can no longer put off, and the data suggests most haven’t started it yet.
What Australians are actually using AI for
Anthropic published research last month on how Australians actually use Claude. The report is worth a read if you run an organisation of any size.
Australia is among the leading per capita adopters of Claude globally – usage is more than four times higher than our working-age population would predict, placing us seventh in the world. That’s worth noting for a country that has traditionally positioned itself as a technology fast follower.
More relevant to this conversation is what Australians are actually using AI for. Coding tasks, the use case most people imagine when they think about AI at work, are significantly below the global average. What fills the gap is management tasks, workplace correspondence, business documents and financial guidance. In other words, Australian professionals are using AI tools to help make decisions, draft communications, handle financial information and manage their organisations – not as a novelty, but as part of how they work.
The instinct is right. The governance, in most organisations, hasn’t kept pace.
What AI governance in Australia actually means for small organisations
The word governance tends to make people glaze over, so I want to be specific about what I mean here. I’m not talking about a 40-page policy document or an enterprise risk framework. I’m talking about answers to a small number of practical questions that every organisation using AI tools should be able to answer.
What data is going into the tool, and who owns it? Most AI platforms are clear about this in their terms of service, but most staff haven’t read them and most executives haven’t either.
What can staff use the tool for, and what’s off-limits? An informal “yes we have Claude now, use it” is not a policy. It’s an open invitation for well-intentioned people to make decisions the organisation hasn’t thought through yet.
What happens if something goes wrong? If a staff member accidentally shares confidential client information with an AI tool, does your organisation have any process for identifying and responding to that?
These aren’t questions that require a lawyer or a lengthy review process. They do require a couple of hours, the right people in a room and someone willing to ask them.
Why risk-averse organisations face a different problem
The Anthropic Australia report has one finding worth sitting with separately. The Australian Capital Territory – Australia’s public sector heartland – significantly underperforms on AI adoption. The report points to barriers within government workforces as the likely explanation, which makes sense given the ACT’s workforce composition and the security and procurement constraints that come with it.
That instinct toward caution is understandable. However, the realistic choice for most organisations isn’t between “use AI with governance” and “don’t use AI.” It’s between “use AI with governance” and “staff use AI anyway, without it.” The tools are affordable, accessible and genuinely useful. People are going to try them. It’s better to have a governance conversation now than after something goes wrong.
Where to start
If your organisation has AI tools in use – whether formally procured or otherwise – and you haven’t had a governance conversation yet, here’s a practical starting point:
- Ask your team what they’re actually using. The answers may surprise you.
- Then look at the terms of service for those tools, specifically around data handling and retention.
- Then have a conversation about what’s appropriate for your context: what data, what tasks, what decisions.
That conversation doesn’t need to be alarming. It can be exactly what my client’s call was this week – curious, practical and genuinely delighted at what these tools can do. The governance just needs to be part of the same conversation, not an afterthought six months later.
For more on how Australian organisations are approaching AI tools and what actually delivers results, see “Most Businesses Are Using AI. Most Aren’t Getting Much Back” and “AI Innovation for Business: Beyond the Hype”.
If you’d like help thinking through what AI governance looks like for your specific organisation, get in touch. It’s one of the more useful conversations I’m having at the moment.
Do smaller organisations really need an AI governance policy?
If your staff are using AI tools, whether the organisation has purchased them or not, then yes. A governance policy doesn’t need to be complex. It needs to answer three questions: what data can go into the tool, what tasks are appropriate, and what happens if something goes wrong.
What is the risk of not having an AI governance framework?
The main risks are data privacy breaches, accidental sharing of confidential information and decisions being made with AI assistance in ways that aren’t visible to the organisation. Most of these risks are manageable with a simple, clearly communicated policy.
How long does it take to put basic AI governance in place?
For an SME, a first governance conversation can happen in about two hours. The goal isn’t perfection – it’s having a shared understanding of appropriate use before a problem arises, rather than after.










