Choosing and configuring approved tools
A policy that says "use AI safely" and stops there leaves everyone guessing. The fix is to name the tools you've approved and set them up properly, so the safe path is the easy path. You don't need a big stack. A short, well-configured list beats a sprawling one nobody understands. Here's how to choose, how to configure, and how to keep a register that does the remembering for you.
Free versus business tiers
The single most useful distinction to understand is consumer versus business. The free, personal versions of the big tools are fine for green-tier, throwaway tasks. But for anything touching your real work, a paid business or team tier matters, and not just for the extra features. Business and team tiers typically commit contractually not to train their models on the content you put in, and they add the admin controls, retention settings and account oversight a business needs. The exact terms differ by vendor and change over time, so treat that as the question to verify rather than a promise to take on faith. As a rule of thumb: personal plan for personal-grade tasks, business tier the moment real work or amber data is involved.
The settings to check, whatever the tool
The big assistants, ChatGPT, Claude, Microsoft Copilot and Google Gemini, all have privacy and data controls, and they move around, so don't memorise menus. Memorise what to look for. If Copilot is the one you're leaning towards, our Microsoft 365 Copilot course goes deeper on setting it up. Before you approve a tool, find and set these:
- Training opt-out. Whether your conversations are used to train or improve the model, and how to turn that off. On many consumer plans it's on by default with a toggle in settings; on business tiers it's commonly off by design. Confirm where the tool you've picked actually stands.
- Data retention and history. How long chats are kept, whether you can turn history off, and whether there's a "temporary" or no-history mode for sensitive one-offs. Shorter retention is safer.
- Account type and admin controls. Are people on a managed business account you control, or personal logins you don't? A managed account lets you set policy once for everyone, which is the whole point.
- Where the data goes. For sensitive work, it's worth knowing the broad picture: is this a cloud service, and on what terms? Some setups keep data within tighter boundaries than others. You don't need to be an engineer, just to ask the question before red-tier data is ever in play.
Set these once, write down what you chose, and you've done the configuration work that most businesses skip entirely.
Keep the list short and deliberate
Resist the urge to approve everything. Two or three well-understood tools, set up correctly, will cover the vast majority of what a small business needs, and they're far easier to govern and train people on than a dozen. For each tool, be clear about what it's approved for: which data tier, and which kinds of task. A general assistant might be approved for green and amber writing and research. A tool built into software you already trust might be approved for more. Anything not on the list is, by default, not approved, and adding to the list is a deliberate decision, not a free-for-all.
The approved-tools register
This is the artefact that ties it together, and it's just a simple table. For each tool you record: the tool and tier, what data tier it's approved for, who owns it, the key settings you've confirmed, and the date you last reviewed it. That last column matters more than it looks, because these products change their terms and defaults, so a register that's never revisited slowly drifts out of date. A quick review every few months keeps it honest.
The register does three jobs at once. It tells your team exactly what's allowed, so they stop guessing. It's your evidence that you chose tools deliberately and checked the settings, which is the kind of record the National AI Centre's guidance is asking for. And it surfaces shadow tools fast, because anything in use that isn't on the register is a conversation waiting to happen. We give you a ready-to-fill register in the playbook so you can have version one done in an afternoon.