Your AI policy playbook.

A short working session for you and your team, about 30 minutes. Don't just read it, fill it in. By the end you'll have four finished artefacts: a data-classification cheat-sheet, an approved-tools register, a one-page AI-use policy, and a staff one-pager. Type straight into the boxes and save as a PDF, or print it and write on it.

The plain-English brief. Your team is already using AI, so the job is to make safe use easy. Sort information into green (public, fine), amber (internal, approved tools only), and red (confidential or personal, never in a public chatbot). Approve a short list of properly configured tools. Keep a human reviewing anything customer-facing, factual, legal or financial. Disclose AI use where it materially affects people, a Privacy Act transparency obligation commences December 2026. This is a practical playbook, not legal advice.

1Data-classification cheat-sheet

Make the three tiers concrete for your business. List a few real examples of each, so people recognise them at a glance. This is the page that lives by the kettle.

Green, public (use freely in approved tools), examples: Amber, internal (approved tools only, strip identifiers), examples: Red, confidential or personal (never in a public chatbot), examples: Our one-line gut-check question:

2Approved-tools register

Keep it short and deliberate: two or three tools beats a dozen. For each, note the tier, the highest data tier it's approved for, who owns it, and the date you last checked the settings. Anything not listed is not approved.

Tool and tier	Approved for (data tier)	Owner	Last reviewed

Settings we confirmed for each (training opt-out, retention, account type):

3Your one-page AI-use policy

Drop in your specifics. These five lines are a real, defensible policy. Keep it to the decisions that matter, no lecture.

What's approved (from your register), and that anything off the list isn't: The data line (green free, amber approved tools only, red never in a public tool): The human check (who reviews and signs off the things that matter): Disclosure (when and how we tell people AI was involved): Who owns this policy, and the next review date:

4The staff one-pager

The friendly version your team keeps to hand. Same rules, plain words. This is what actually changes behaviour day to day.

Tools you can use (and for what): The green / amber / red rule, in one line each: Always get a human to check: How to ask for a new tool, and who to ask if unsure:

Your AI policy playbook.

Sent, thanks.