Australian AI Ethics Frameworks: Practical Patterns for Boards in 2026

May 2026 · 6 min read · AI Strategy

[Image: Three open document folders on an Australian boardroom table representing the AI ethics statement, decision rights matrix, and escalation protocol]

AI governance has moved from a side conversation at Australian board meetings to a standing agenda item. Most directors we work with already accept the principle. The problem is what to put on paper. The AU AI Ethics Principles published in 2019 give the right values, but a values document does not tell a board which decisions are theirs, which sit with management, and what triggers an escalation. This post sets out three practical documents that close that gap, drawn from work with ASX-listed boards, large not-for-profits, and Australian government agencies.

What Australian regulators actually expect from boards

ASX Corporate Governance Principles place the responsibility for risk culture squarely with the board. The Office of the Australian Information Commissioner has been explicit since 2023 that Privacy Act obligations apply to AI systems regardless of where the models are hosted. The Australian Human Rights Commission has called for boards to document algorithmic decision-making that affects customers, employees, or members of the public. Together those positions create a defensible minimum: boards should be able to explain, on the public record, who decides what and how potential harms are caught.

We work with ASX-listed clients across financial services, retail, and infrastructure. The pattern is consistent. Boards that adopted a single-page ethics statement in 2024 are now finding it does not survive a single auditor's question about a specific deployment. The fix is not a longer statement. The fix is to write down decision rights and escalation paths in the same place a board already records its risk appetite.

Document 1: The AI Ethics Statement

An ethics statement names what the organisation will and will not do with AI. Good ones run to one or two pages. They commit to specific things rather than generalities. A Melbourne health insurer might commit to never using AI to make a final claims decision without qualified human review, to disclose model use in adverse decisions, and to retain a human-readable record for seven years. That language ties directly to obligations under the Privacy Act and to APRA CPS 230 expectations on operational resilience.

The point of the statement is to settle the values question once, in writing, so that the board does not relitigate it every quarter. The six points below are the structure we recommend after drafting these for ASX 200 and large NFP clients.

  • A named accountable executive at the C-suite level, with the role title written in (not just the executive team).

  • The four to six AI use categories the organisation has actually deployed or piloted, not a theoretical inventory of every possible use.

  • A specific commitment on human review thresholds, including dollar-value or harm-severity triggers, for example any AI-recommended denial above $50,000 in customer impact requires named human sign-off.

  • Disclosure rules: when customers, employees, or partners will be told that an AI system was involved in a decision.

  • Data scope: what training, fine-tuning, and inference data the organisation will and will not provide to external model providers.

  • A review cadence written into the document. We recommend twice yearly, not annual, given how fast model capabilities are shifting.

Document 2: The Decision Rights Matrix

A decision rights matrix tells the organisation who decides what about AI. It is not the same as a RACI. It is a one-page grid that lists categories of AI decision down the left and the deciding body across the top. The deciding bodies usually include the board, the audit and risk committee, the CEO, the chief information officer or chief data officer, and a working-level AI governance forum.

For a Sydney-headquartered ASX 200 retailer we worked with, the matrix made clear that the board decided on the ethics statement and the annual AI risk appetite figure. The audit and risk committee approved the use of any model that touched customer financial data. The CEO approved annual vendor consolidation. The chief data officer approved individual deployments inside the approved vendor list. A working forum reviewed incidents and proposed exceptions. The board kept itself out of model selection but kept itself firmly inside the question of which categories of decision an AI may make at all.

The matrix should also name the AI assistants the organisation has approved for staff use. Claude is the default for most of our clients because the deployment posture maps cleanly to Australian privacy expectations: customer data is not used to train Anthropic models, enterprise zero-data-retention options are available, and the model handles Australian regulatory context with reasonable fidelity. Naming the approved assistant in the matrix avoids a separate shadow IT conversation. Staff know what is in scope without escalating every query.

Document 3: The Escalation Protocol

The third document is the one most boards lack. An escalation protocol defines what counts as an AI incident, who learns about it, and on what timeline. The thresholds matter. A model that produces an offensive output to a single staff member is one category. A model that systematically denies service to a protected group is a different category. The first might never reach the board. The second should reach the chair within hours.

We recommend three tiers. Tier one covers operational issues that the AI governance forum logs and reviews quarterly. Tier two covers material customer or employee harm and goes to the audit and risk committee at its next sitting. Tier three covers regulatory exposure, public harm, or systemic bias, and goes to the chair within twenty-four hours, with a board paper at the next available meeting. For a regulated entity, tier three will usually also trigger a parallel notification path to APRA or AUSTRAC under existing incident frameworks.

The protocol should include the contact path. Direct phone numbers for the chair, the company secretary, and the responsible C-suite executive. Email is not enough. We have reviewed too many Australian incident response documents that left it to a manager to work out, at midnight, who to call.

Putting the three documents to work

These three documents fit on roughly seven pages combined. They are the minimum that a board can defend against an OAIC inquiry, a Senate Estimates question, or an Australian Human Rights Commission investigation. They are also the right size for a working board: short enough to read in full before each review, specific enough to settle disputes about who decides what.

Most of the Australian boards we work with already have one or two of these in draft. The common gap is the decision rights matrix. Australian directors tend to be culturally cautious about claiming explicit decision rights, preferring oversight language. The shift in 2026 is that oversight without named decision categories is no longer sufficient. APRA and the OAIC have both moved toward asking who decided, not just who oversaw.

If you are an Australian board director thinking through what to put in front of your next meeting, the three documents above are a starting structure. We work with boards across ASX-listed companies, the major NFPs, and government agencies on the drafting and on the underlying Claude deployment patterns that sit behind the policy. To talk through your board's current state, book a thirty-minute conversation at /contact.
