ISM-2074 (policy control, ASD Information Security Manual)

Establish AI Usage Policy for Systems Access

Organisations must create and maintain a policy for using AI in general-purpose settings.


Plain language

This control is about creating and maintaining a policy for how your organisation uses artificial intelligence (AI) in everyday business settings. It's important because without clear guidelines, AI could be used in ways that compromise privacy or security, leading to data breaches or misuse of information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS (Non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET)

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A general-purpose artificial intelligence usage policy is developed, implemented and maintained.

Why it matters

Without a clear AI policy, organisations risk data misuse and non-compliance, potentially causing reputational damage and financial loss.


Operational notes

Define the approved AI tools and the prohibited inputs (e.g. credentials, classified data). Review the policy quarterly and train staff on safe use for systems access.
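The "approved tools" and "prohibited inputs" elements of such a policy can be enforced at the point where a prompt leaves the organisation. The following is an added example written for this page, not code from Control Stack or the ISM: a pre-submission gate that blocks prompts bound for an unapproved tool, prompts carrying an Australian protective marking (the OS, P, S and TS classifications listed above), and prompts containing credential-shaped tokens, which it also masks so a reviewer can see what was caught without re-exposing the secret. The tool allowlist, the credential regexes and the sample prompts are constructed assumptions; a real deployment would tune the patterns to its own secret formats.

```python
import re
from dataclasses import dataclass, field

# Approved-tool allowlist: constructed example values, not a list from the ISM.
APPROVED_TOOLS = {"corp-assistant", "copilot-enterprise"}

# Credential-shaped inputs the policy prohibits. These patterns are assumptions
# chosen for illustration; tune them to the secret formats your estate uses.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Header plus, when present, the body up to the matching footer.
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----(?:[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----)?"
    ),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}

# Protective markings for the page's OS, P, S and TS classifications.
# Matched case-sensitively so ordinary prose ("keep it secret") is not flagged.
CLASSIFICATION_MARKING = re.compile(
    r"\b(?:TOP SECRET|SECRET|PROTECTED|OFFICIAL:\s*Sensitive)\b"
)


@dataclass
class ScreeningResult:
    verdict: str                                   # "allow" or "block"
    reasons: list = field(default_factory=list)    # human-readable block reasons
    findings: list = field(default_factory=list)   # credential pattern names matched
    redacted: str = ""                             # prompt with credential matches masked


def screen_prompt(prompt: str, tool: str) -> ScreeningResult:
    """Gate a prompt before it is sent to a general-purpose AI tool.

    Blocks when the tool is not approved, when a protective marking is
    present (classified content is never forwarded, redacted or not), or
    when a credential-shaped token is found. Credentials are masked in
    `redacted`; classified prompts are left untouched because the whole
    prompt, not a substring, is the prohibited input.
    """
    result = ScreeningResult(verdict="allow", redacted=prompt)

    if tool not in APPROVED_TOOLS:
        result.verdict = "block"
        result.reasons.append(f"tool '{tool}' is not on the approved list")

    if CLASSIFICATION_MARKING.search(prompt):
        result.verdict = "block"
        result.reasons.append("protective marking present; classified content is prohibited")

    for name, pattern in CREDENTIAL_PATTERNS.items():
        if pattern.search(result.redacted):
            result.findings.append(name)
            result.redacted = pattern.sub(f"[REDACTED:{name}]", result.redacted)
    if result.findings:
        result.verdict = "block"
        result.reasons.append("credential-shaped input: " + ", ".join(result.findings))

    return result


if __name__ == "__main__":
    # Constructed sample prompts, not real data.
    samples = [
        ("corp-assistant", "Draft a polite reminder about the all-staff meeting."),
        ("corp-assistant", "Why does this fail? password=Hunter2! is set in the config."),
        ("corp-assistant", "PROTECTED\nSummarise the attached incident report."),
        ("random-chatbot", "What is the secret to a good retro meeting?"),
    ]
    for tool, prompt in samples:
        r = screen_prompt(prompt, tool)
        print(f"{tool:15} {r.verdict:5} {r.reasons} {r.redacted!r}")
```

The gate logs the masked prompt rather than the original, which is the evidence an auditor will later ask for under "compliance checks" without the log itself becoming a store of leaked credentials. Lower-case "secret" in normal prose is deliberately not treated as a marking; a policy that blocks every such sentence is one staff will route around.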


Implementation tips

  • Managers should create an AI usage policy by consulting with staff and stakeholders who work with AI. They can do this by organising a workshop to discuss the ethical and practical implications of AI use in their work environment.
  • The IT team should ensure the AI systems conform to the established policy. They can verify this by running checks and simulations to see that AI outputs align with organisational values and security standards.
  • HR should train all employees on the AI policy, ensuring they understand the do's and don'ts. They can hold regular sessions or workshops where these policies and relevant scenarios are explained in simple terms.
  • Compliance officers should regularly review and update the AI policy as new technologies and threats emerge. They might schedule periodic reviews and incorporate feedback from recent AI incidents.
  • Procurement staff, when purchasing AI solutions, should ensure that vendors comply with the organisation’s AI policy. They can achieve this by including policy compliance clauses in vendor contracts and scrutinising product specifications.

Audit / evidence tips

  • Ask for: a copy of the AI usage policy, the official document that outlines how AI can be used within the organisation. Good evidence: a well-documented policy that is detailed, up-to-date and accessible to all staff.
  • Ask for: training materials or records, documentation showing how employees are informed about the AI policy. Good evidence: detailed training records, including feedback used for improvement.
  • Ask for: evidence of compliance checks, reports showing how the IT team has monitored AI systems for policy compliance. Good evidence: routine checks and logs, with corrective actions recorded for any issues found.
  • Ask for: recent AI policy review notes, documentation from recent policy reviews and updates. Good evidence: a regular review process, with notes on the changes made.
  • Ask for: vendor contracts, the contracts of vendors providing AI solutions. Good evidence: clauses that bind vendors to follow the organisation's AI policy.

Cross-framework mappings

How ISM-2074 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.1: ISM-2074 requires an organisation to develop, implement and maintain a general-purpose artificial intelligence usage policy

Supports (1)
  • Annex A 5.15: ISM-2074 requires a general-purpose AI usage policy that sets expectations and constraints for using AI tools

Depends on (2)
  • Annex A 5.4: ISM-2074 requires an organisation to have a documented and maintained policy governing general-purpose AI usage
  • Annex A 5.36: ISM-2074 requires an organisation to develop, implement and maintain a general-purpose AI usage policy

Related (1)
  • Annex A 5.10: Annex A 5.10 requires organisations to set and implement acceptable use rules for information and assets

ISO 42001

Partially overlaps (1)
  • Annex A 9.2: Annex A 9.2 requires documenting processes for responsible AI use, broader than ISM-2074's policy focus

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
