AI has arrived in Australian workplaces whether employers are ready or not. Surveys suggest a large majority of employees now use generative AI tools at work — and a big slice do it without their manager’s knowledge. That “shadow AI” creates real risks around data, accuracy and compliance. The fix isn’t to ban AI (staff will use it anyway); it’s a clear AI use policy plus training. This guide covers the risks and what your policy should include. It fits alongside your technology & data policies.
Quick summary
- It's already happening:
Most employees use AI at work; many do so without approval (‘shadow AI’)
- Biggest risk:
Staff pasting confidential or personal data into public AI tools
- The fix:
A clear AI use policy — approved tools, what data is off-limits, human review
- The law still applies:
Privacy, confidentiality, discrimination and WHS obligations cover AI use
The 'shadow AI' problem
Recent Australian research suggests a large share of white-collar employees use generative AI at work, and a significant proportion do so without telling their manager. People use it to draft emails, summarise documents, write code and analyse data — often pasting in real work content to do so. That’s shadow AI: unmanaged, unapproved use that the business can’t see. It’s not malicious; it’s people trying to work faster. But without guardrails it quietly creates exposure.
The real risks for employers
Data leakage
Pasting client contracts, customer data or internal reports into public AI tools can send that information offshore or into model training — a privacy and confidentiality breach.
Inaccuracy
AI can produce confident, plausible answers that are simply wrong (‘hallucinations’) — risky if used in client work or decisions without checking.
Compliance & bias
Using AI in hiring or decisions can raise privacy, discrimination and (from Dec 2026) automated-decision transparency obligations.
IP & confidentiality
Inputs and outputs can blur ownership and expose confidential information or trade secrets.
Australia doesn’t yet have a dedicated workplace-AI law, but that doesn’t mean it’s a free-for-all: existing privacy, confidentiality, discrimination, consumer and work health and safety laws all apply to how AI is used. From 10 December 2026, businesses will also need to disclose the kinds of decisions they make using automated means — relevant if you use AI in HR or customer decisions (see our workplace privacy guide).
What an AI use policy should cover
Your AI use policy
-
Approved tools — which AI tools are allowed, and which are not (and why)
-
Data rules — never paste personal, confidential, customer or sensitive information into public AI tools
-
Human review — AI output must be checked by a person before it’s used or sent; the employee stays accountable
-
Disclosure — when and how to flag that AI was used (e.g. in client work or decisions)
-
Prohibited uses — high-risk areas like hiring decisions, discipline or anything with legal effect without oversight
-
Training — brief staff on the policy and the risks; make the safe path the easy path
-
Link it to your other policies — acceptable/internet use, data protection and information security
Guide it, don't ban it
Blanket bans push AI use further into the shadows. A clear policy that says which tools are fine and what data is off-limits — plus a bit of training — captures the productivity upside while cutting the risk. Review it regularly; this space is moving fast.
Used well, AI genuinely helps small teams. RosterElf offers purpose-built free AI tools for HR tasks (like drafting job descriptions and contracts) designed for Australian workplaces — a safer starting point than pasting sensitive data into a general-purpose chatbot.
Give staff a safer way to use AI. RosterElf’s free AI tools handle common HR drafting tasks for Australian businesses, and our technology & data policy templates help you set clear rules — so you get the productivity without the shadow-AI risk.
Frequently asked questions
Do we need an AI use policy for our workplace?
If your staff have internet access, they’re very likely already using AI — so yes. An AI use policy sets out which tools are approved, what data must never go into public AI tools, that outputs must be human-reviewed, and where AI must not be used. It captures the productivity benefit while managing privacy, confidentiality and accuracy risks.
What should an AI use policy include?
At a minimum: approved (and banned) AI tools; a firm rule against entering personal, confidential or customer data into public AI; mandatory human review of AI output; disclosure expectations; prohibited high-risk uses (like unchecked hiring or disciplinary decisions); staff training; and links to your acceptable-use, data-protection and information-security policies. Review it regularly as tools and laws change.
Is it legal for staff to use AI at work in Australia?
There’s no specific law banning workplace AI, but existing privacy, confidentiality, discrimination, consumer and WHS laws all apply to how it’s used. From 10 December 2026, businesses must also disclose the kinds of decisions they make using automated means. So AI use is legal but must be managed — an AI use policy is how you stay on the right side of those obligations.
What are the risks of employees using AI at work?
The main risks are data leakage (pasting confidential or personal information into public tools that may store it or send it offshore), inaccuracy (confident but wrong ‘hallucinated’ output), IP and confidentiality issues, and compliance exposure where AI informs hiring or other decisions. Unmanaged ‘shadow AI’ amplifies all of these because the business can’t see it.
What is shadow AI?
Shadow AI is employees using AI tools at work without their employer’s knowledge or approval. It’s extremely common and usually well-intentioned, but because it’s unmanaged, sensitive data can end up in public AI tools and outputs go unchecked. A clear AI use policy plus approved tools brings that usage into the light and reduces the risk.