Human in the loop, and disclosure.

Two rules carry most of the weight in a good AI policy. First: a person checks anything that matters before it goes out. Second: you're honest with people when AI shapes a decision about them. Get these right and you've covered the heart of what the Australian guidance, and plain decency, are asking for. Let's take them in turn.

The human-in-the-loop rule

AI is a brilliant drafter and a confident liar in roughly equal measure. It will produce a polished quote with a wrong number in it, a friendly client reply that misstates your policy, or a summary that quietly drops the one clause that mattered, all delivered with total assurance. The rule that handles this is simple and it's the backbone of your policy: keep a human reviewing and signing off anything customer-facing, factual, legal or financial before it leaves the building.

In practice that means a real person reads the AI's output, checks the facts and figures, makes sure it sounds like you, and takes ownership of it. The AI did the first draft and saved you twenty minutes. The human did the judgement and carries the responsibility. That division is the whole game.

• Always review: client emails and proposals, quotes and invoices, anything with a number, a date or a legal point, public posts, and any decision that affects a person.
• Lighter touch is fine: private brainstorms, rough internal notes, reformatting your own text, a first draft you're going to rework anyway. Low stakes, low risk.

The line to give your team: the more it matters, the more a human checks it. Confidence from the tool is never a substitute for a person who's read it.

When you must tell people AI was involved

Disclosure is the other half, and it's where the December 2026 Privacy Act change comes in. The transparency obligation, commencing then, means that where automated processing, AI included, materially influences a decision that significantly affects someone, you'll need to disclose that in your privacy policy. So this isn't just good manners, it's becoming an explicit expectation.

You don't need to slap a label on every AI-touched email. The trigger is material influence on something that matters to a person. Some clear cases:

• A chatbot or AI assistant a customer is talking to. People should know they're dealing with an automated system, not a person, especially if it's handling their query or request.
• Automated assessments or scoring. Screening job applicants, scoring someone for a service or price, assessing an application: if AI is materially shaping the outcome, that's exactly what the transparency obligation is about.
• Content or decisions presented as human when they're not. Passing off AI output as a person's considered work, where that matters to the recipient, erodes trust fast.

And where it's genuinely incidental, AI helping you tidy the wording of an email you wrote and stand behind, a disclosure on every message would be noise. Use judgement, and lean towards telling people whenever AI is doing something they'd reasonably want to know about.

Doing automated decisions fairly

When AI does help make a decision about someone, three habits keep you on the right side of both the guidance and your customers:

• A person stays accountable. There's a named human who owns the outcome, not "the system decided". This is the human-oversight guardrail in plain terms.
• You can explain it. You're able to give a clear, plain-English account of how the decision was reached. If you can't explain it, you shouldn't be automating it.
• There's a way to query it. The person affected can ask a question, get a human to look again, or appeal. A decision with no recourse is the kind that turns into a complaint.

Write a single plain disclosure line you can reuse, something like: "We use AI tools to help with parts of this, and a member of our team reviews the result." Honest, unfussy, and it does the job. We give you a few worded options in the playbook.