Strategyse Consulting

The minimum viable AI policy.

Tim Pluples, 24 May 2026

Most organisations are somewhere on a spectrum between two failure modes when it comes to AI governance.

At one end, there is no policy at all. People are using AI tools in their day-to-day work, often with no visibility from leadership, no consistency across the team, and no shared understanding of what is and is not appropriate. The risk is real, even if it has not materialised yet.

At the other end, there is a policy so comprehensive and so restrictive that it is being quietly ignored by everyone except the people who wrote it. The legal and compliance team are satisfied. The business is no better governed than it was before.

The useful question is not "how do we govern AI?" It is "what is the smallest set of guardrails that actually changes behaviour and manages the risks that matter?"

Here is what that looks like in practice.


The risks worth governing

Before writing a policy, it is worth being clear about what you are actually trying to prevent. The risks that show up most frequently in mid-market organisations are not the ones that make the headlines.

Confidential information leaving the organisation. Employees who use public AI tools for work tasks may be pasting client data, commercially sensitive information, or personal information into systems that are not subject to your data handling obligations. This is the most common and most immediate risk for most businesses.

Inaccurate outputs being treated as reliable. AI tools produce plausible-sounding content that is sometimes wrong. In low-stakes contexts this is annoying. In high-stakes contexts, such as legal, financial or regulatory matters, it can be costly. The risk is not the tool; it is the assumption that the output does not need to be checked.

Outputs being used without transparency. In some professional contexts, using AI-generated content without disclosing that fact creates legal, ethical or reputational risk. Client work and published communications are the areas where this tends to matter most.

Inconsistent use creating inconsistent outcomes. When every team member is using different tools in different ways, the quality and consistency of the work varies in ways that are hard to manage.


What the policy actually needs to cover

A minimum viable AI policy covers five things.

Approved tools. A short list of the AI tools that are approved for use in work contexts. Not every tool available, not a comprehensive market review. Just the ones that have been assessed against your data handling requirements and found to be acceptable. Everything else requires approval before use.

Data handling rules. A clear statement of what information must not be put into AI tools. Client data, personal information, confidential commercial information, and anything subject to professional privilege are the common categories. This rule needs to be concrete enough that a person knows, in a specific situation, whether they are on the right side of it.

Human review requirements. A clear statement that AI outputs used in client work, external communications, or decisions that affect people must be reviewed by a qualified human before use. This does not need to be elaborate. It just needs to be explicit.

Transparency obligations. Where your business has an obligation to disclose the use of AI in its work, whether that is contractual, regulatory or professional, the policy needs to name it. If you are not sure whether you have such obligations, this is worth checking.

How to raise a concern. A simple way for people to flag a situation they are not sure about, without it being a formal escalation. Most governance failures happen because the person closest to the risk did not know who to ask.


What to leave out

A policy that tries to cover every possible scenario ends up covering none of them well. Leave out the philosophical framing about AI's impact on the future of work. Leave out the detailed technical explanations of how large language models function. Leave out the exhaustive list of hypothetical misuse cases.

What remains should fit on one or two pages and be understandable by someone reading it quickly in between other things, because that is when it will actually be consulted.


The implementation question

A policy that is written, filed, and never mentioned again is not a policy. It is a document.

The organisations that actually change behaviour do two things. They introduce the policy in a context where it is immediately relevant, such as a team meeting where AI use is already being discussed, rather than as a standalone compliance exercise. And they revisit it regularly, because the tools are changing quickly and a policy written twelve months ago may not reflect how people are working today.

Governance does not have to be heavy to be effective. It just has to be clear, current and consistently applied.

Frequently asked questions

What should a minimum AI policy cover?

Five things. Approved tools, data handling rules, human review requirements, transparency obligations, and a simple way to raise a concern. Anything beyond that tends to add length without changing behaviour.

What are the most common AI risks for mid-market businesses?

Confidential information being pasted into public AI tools, AI outputs being treated as reliable without checking, AI-generated content used without disclosure where disclosure is required, and inconsistent use producing inconsistent quality.

Should AI policies ban public AI tools?

Not necessarily. A blanket ban tends to be ignored. A better approach is a short list of approved tools that meet your data handling requirements, with a clear path for assessing and adding others.

How often should the AI policy be updated?

More often than most policies. The tools and the use cases are changing quickly, and a policy written twelve months ago may not reflect how people are actually working today. Plan to revisit it regularly.

How do you actually get people to follow an AI policy?

Introduce it in a context where AI is already being discussed — a team meeting about a specific use case, not a compliance training. And keep it short enough that people will read it while doing something else, which is when it will actually be consulted.

Tim Pluples is part of the team at Strategyse Consulting. Strategyse helps Australian leadership teams set strategy, design operating models, choose the right systems, and use AI well.

We can sit alongside the leadership team on the AI advisory work.