Every board I've worked with in the past three years has spent more time approving the annual budget than approving its AI use policy. That ratio is wrong. The budget is a one-year financial commitment. The AI use policy governs how every staff member, every contractor, and every committee member in the organisation handles data, content, and decision-making for the entire AI era. It's a higher-stakes document than the budget. It's also the document most boards spend least time on.

Here's why that matters, and what a board should actually be approving.

What the AI use policy actually governs

A real AI use policy is not a one-page statement that "the organisation supports the responsible use of AI." That's a press release. A real policy is an operational document that tells every person in the organisation:

  • Which specific AI tools they are permitted to use, and through which accounts
  • What types of data they may submit to those tools, and what types they may not
  • What review process applies to AI-generated content before it leaves the organisation
  • What happens when something goes wrong, and who they tell
  • How the policy itself is reviewed and updated as the technology changes

That document is the difference between an organisation that benefits from AI safely and an organisation whose staff do whatever they want with member data, that has no idea what is actually happening, and that is exposed under the Privacy Act 1988.

The four sections that matter most

If your board is reviewing an AI use policy this quarter, the four sections to interrogate hardest are:

1. The approved tools list

This is the simplest section and the most important. It names the specific AI tools the organisation has approved for use, and the specific accounts (enterprise versus personal) through which they must be accessed. Without an approved tools list, the policy is theoretical. With one, every staff member knows exactly what they may use and exactly what they may not.

The board's question: is this list current, and who is responsible for keeping it current?

2. The data tier framework

Not all data is the same. The policy must define data tiers — typically four — and which tier of AI tool may be used for each. The most common framework:

  • Tier 1 — Public information: any approved AI tool
  • Tier 2 — Internal information (financial data, board papers, staff information): enterprise tools only
  • Tier 3 — Member personal information: enterprise tools only, never consumer tools
  • Tier 4 — Sensitive personal information (health, financial, disciplinary): CEO approval required, with documented legal advice

The board's question: has every staff member been trained on which tier their daily work involves?

3. The review process

AI-generated content is not the same as human-written content. It hallucinates. It drifts from established positions. It produces fluent-sounding language that may be factually incorrect. The policy must define the review process required before AI output leaves the organisation — and that process must be proportionate to risk.

The board's question: are review processes proportionate to the risk of the content, and are they actually being followed, not just documented?

4. The incident response process

Something will go wrong. Someone will paste member data into a consumer AI tool, an AI-generated document will go out with a factual error, or a vendor will suffer a data breach. The policy must specify what happens next — who is told, in what timeframe, with what documentation, and whether the Notifiable Data Breaches scheme applies.

The board's question: does this policy describe how we'd respond to an AI incident, or just what we'd like to prevent?

Why this is governance work, not management work

Some boards push back on AI policy review with the reasonable observation that it's an operational matter that should sit with the CEO. That's half right. The implementation is the CEO's responsibility. The policy itself is the board's responsibility, because the policy commits the organisation to a particular standard of conduct and creates the framework against which the CEO will be held accountable.

A board that hasn't approved a current AI use policy has, by default, approved unmanaged AI use across the organisation.

If your association has an AI use policy approved before May 2024, it's almost certainly out of date. The AI landscape has moved. The tools have changed. The legal environment has changed. The policy that was adequate two years ago is no longer adequate.

What to do this quarter

If your board hasn't reviewed the AI use policy in the past 12 months, this quarter is when to do it. The work involved is roughly:

  1. CEO commissions an audit of current AI use across the organisation — formal and informal
  2. Draft policy updated against current tool landscape and current legal obligations
  3. Legal review (not a junior lawyer — someone with AI and Privacy Act experience)
  4. Board AI governance briefing (one hour, focused on the questions in this article)
  5. Formal board approval, with policy added to the governance calendar for annual review

Total board time required: roughly two hours over a single board meeting. The protection that two hours buys is substantial. The alternative — unmanaged AI use across the organisation, with no formal board-approved framework — is the risk position most associations are currently in, whether they know it or not.

The budget runs the financial year. The AI use policy runs the era. Spend accordingly.