Last Updated on 05/06/2026 by Damin Murdock and Nohra Chalouhi
AI is no longer a future-facing issue for Australian businesses. It is already being used in marketing, customer service, recruitment, document review, data analysis and internal decision-making. That creates commercial opportunity, but also legal risk. Your business should therefore adopt clear AI policies now, not only to improve efficiency, but to demonstrate governance, accountability and reasonable care. Four policies are discussed below.
AI Governance & Risk Management Framework
An AI governance and risk management framework should identify which AI tools your business may use, which uses are prohibited, who is responsible for oversight, and when legal, privacy or security review is required. This is especially important if your business is an “APP entity” under the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) (the Act). Under s 6C of the Act, “organisations” (companies, partnerships, unincorporated associations and trusts) are APP entities unless an exclusion applies, such as the small business operator exemption in s 6D of the Act, which generally covers a business with annual turnover of $3 million or less. APP entities must maintain a clearly expressed and up-to-date privacy policy under APP 1.3 and 1.4, explaining how the business manages the personal information it holds. From 10 December 2026, new APP 1.7 will also require privacy policies to disclose particulars of certain substantially automated decisions. A governance framework helps show that the business has taken reasonable steps to manage foreseeable AI risks. Although the Courts have not yet fully addressed whether a duty of care applies to business use of AI, such a duty is likely to develop, and a documented framework is the best evidence that it has been met.
AI Content & Marketing Substantiation Policy
Businesses should also adopt an AI content and marketing substantiation policy to avoid “AI washing”. AI washing occurs when a business exaggerates or misrepresents the extent, sophistication or reliability of its AI use. Claims such as “AI-powered”, “bias-free”, “fully automated”, “accurate” or “compliant” should be reviewed and substantiated before publication, and the evidence relied upon should be recorded. Otherwise, the business risks breaching the prohibition on misleading or deceptive conduct in section 18 of the Australian Consumer Law, found in Schedule 2 to the Competition and Consumer Act 2010 (Cth).
AI Training & Competency Policy
A policy is only useful if staff understand it. An AI training and competency policy should therefore be adopted to explain how employees may use AI safely, including rules on privacy, confidentiality, hallucinations, bias, cybersecurity and human oversight. Training should be role-specific: marketing, HR, engineering and legal teams face different AI risks. Competency attestations and periodic refreshers help demonstrate that the business has taken organisational steps to prevent predictable misuse.
Data Breach Response Policy
Finally, businesses should update their Data Breach Response Policy to expressly cover AI incidents. Under APP 11, APP entities must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Notifiable Data Breaches scheme in Pt IIIC of the Act also requires notification to affected individuals and the OAIC where an eligible data breach is likely to result in serious harm. AI-specific risks include prompt leakage (staff entering personal or confidential information into external AI tools), vendor compromise of an AI provider, model inversion (recovering training data from a model), wrong-recipient disclosure of AI-generated documents and unsafe chatbot outputs. A clear response plan assists with containment, assessment, notification and post-incident improvement.
How Leo Lawyers Can Help
The legal requirements and ethical questions surrounding the use of AI by businesses are becoming increasingly complex. Staying ahead of the curve with effective and comprehensive policies to define, mitigate and respond to the risks is therefore of the utmost importance.
Need expert legal advice? Feel free to contact Damin Murdock at Leo Lawyers via our website, on (02) 8201 0051 or at office@leolawyers.com.au. Further, if you liked this article, please subscribe to our newsletter via our Website, and subscribe to our YouTube, LinkedIn, Facebook and Instagram. If you liked this article or video, please also give us a favourable Google Review.
DISCLAIMER: This is not legal advice and is general information only. You should not rely upon the information contained in this article and if you require specific legal advice, please contact us.
Damin Murdock (J.D | LL.M | BACS - Finance) has over 17 years of experience as a commercial lawyer. He helps businesses navigate construction and technology law. Damin has held several senior leadership roles, including serving as a director of a national law firm and as Chief Legal Officer for Lawpath.
He has personally helped more than 2,000 startups and small businesses. With over 300 five-star reviews, his clients clearly value his practical advice and simple way of explaining things. Damin has also hosted over 100 webinars that thousands of people have watched to get reliable legal help.