Establish AI Usage Policy for Systems Access
Organisations must create and maintain a policy for using AI in general-purpose settings.
Plain language
This control is about creating and maintaining a policy for how your organisation uses artificial intelligence (AI) in everyday business settings. It's important because without clear guidelines, AI could be used in ways that compromise privacy or security, leading to data breaches or misuse of information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
A general-purpose artificial intelligence usage policy is developed, implemented and maintained.
Why it matters
Without a clear AI policy, organisations risk data misuse and non-compliance, potentially causing reputational damage and financial loss.
Operational notes
Define approved AI tools and prohibited inputs (e.g. credentials, classified data). Review policy quarterly and train staff on safe use for systems access.
Implementation tips
- Managers should create an AI usage policy by consulting with staff and stakeholders who work with AI. They can do this by organising a workshop to discuss the ethical and practical implications of AI use in their work environment.
- The IT team should ensure the AI systems conform to the established policy. They can verify this by running checks and simulations to see that AI outputs align with organisational values and security standards.
- HR should train all employees on the AI policy, ensuring they understand the do's and don'ts. They can hold regular sessions or workshops where these policies and relevant scenarios are explained in simple terms.
- Compliance officers should regularly review and update the AI policy as new technologies and threats emerge. They might schedule periodic reviews and incorporate feedback from recent AI incidents.
- Procurement staff, when purchasing AI solutions, should ensure that vendors comply with the organisation’s AI policy. They can achieve this by including policy compliance clauses in vendor contracts and scrutinising product specifications.
Audit / evidence tips
- Ask for a copy of the AI usage policy: request the official document that outlines how AI can be used within the organisation.
  Good: a well-documented policy that is detailed, up-to-date, and accessible to all staff.
- Ask to see training materials or records: request documentation showing how employees are informed about the AI policy.
  Good: detailed training records that also capture feedback for improvement.
- Ask for evidence of compliance checks: request reports showing how the IT team has monitored AI systems for policy compliance.
  Good: routine checks and logs, with corrective actions recorded for any issues found.
- Ask for recent AI policy review notes: request documentation from recent policy reviews and updates.
  Good: a regular review process, with notes on the changes made.
- Ask to review vendor contracts: request to see the contracts of vendors providing AI solutions.
  Good: clauses that bind vendors to follow the organisation's AI policy.
Cross-framework mappings
How ISM-2074 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.1 | ISM-2074 requires an organisation to develop, implement and maintain a general-purpose artificial intelligence usage policy |
| Supports | Annex A 5.15 | ISM-2074 requires a general-purpose AI usage policy that sets expectations and constraints for using AI tools |
| Depends on | Annex A 5.4 | ISM-2074 requires an organisation to have a documented and maintained policy governing general-purpose AI usage |
| Depends on | Annex A 5.36 | ISM-2074 requires an organisation to develop, implement and maintain a general-purpose AI usage policy |
| Related | Annex A 5.10 | Annex A 5.10 requires organisations to set and implement acceptable use rules for information and assets |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.