SMB1001 Gold now requires an AI use policy. Here is what goes in it.

By Chris Arceo / Jun 6, 2026 / AI & Automation

Most businesses working through SMB1001 Gold expect the technical controls: EDR, email authentication, MFA, backups. What catches them off guard is a policy requirement sitting in Domain 4 of the 2026 edition: a written policy for the responsible and secure use of AI technology. It applies at Gold, Platinum, and Diamond. If your team is targeting SMB1001 certification at Gold or above, this control is on your list whether you have an AI strategy or not.

We flagged this in our SMB1001:2026 changes guide as the control that catches businesses off guard. This post covers it properly: what the standard requires, why it exists, and how to write a policy your director can attest to with a straight face.

What the control actually requires

The standard does not ask for a vague statement that your business “uses AI responsibly”. It sets out seven areas the policy needs to cover, and a certifying director attests that the policy exists and is maintained.

Acceptable use. Which AI tools are authorised, for what work, by whom. If your answer is “whatever staff have signed up for”, you do not have a policy, you have a discovery problem. Our shadow AI audit playbook covers how to find out what is actually in use before you write the rules.

Data governance. What data can go into which tools, how it is stored and processed, and how that lines up with your privacy obligations. This is the part that matters most in practice, because the most common AI incident in an SMB is not a sophisticated attack. It is a staff member pasting client data into a free chatbot at 9pm.

Risk management. Identify and mitigate the risks AI introduces: errors and hallucinated output, bias, security vulnerabilities, and plain misuse. For a 30-person business this does not require a risk committee. It requires someone owning the question “what could go wrong with how we use these tools” and writing the answer down.

Security measures. Controls protecting AI systems and the data behind them from unauthorised access and tampering. In a Microsoft 365 environment this is Conditional Access, sensitivity labels, and DLP doing the enforcement work.

Training and awareness. Staff need to know what the policy says and why. This slots into the security awareness training you already run for the rest of the Gold control set.

Compliance. Your AI use has to comply with applicable laws and regulations. For Australian businesses that means the Privacy Act today, and for anyone touching WA government data, the PRIS Act’s automated decision-making principle from July 2026.

Regular review. The policy is a living document. AI tooling changes monthly; a policy written in 2025 that still bans “ChatGPT” by name while staff run Copilot agents is worse than no policy, because it signals nobody is watching.

The standard also points to NIST’s AI Risk Management Framework and ISO/IEC 42001 as optional structures to borrow from. They are not mandatory, and for most SMBs a two-to-four page policy mapped to the seven areas above is the right size. Borrow the thinking, not the page count.

Why DSI added it

Because the gap is real. Most Australian SMBs we assess have staff using AI tools daily, and almost none have a single written rule about it. The data exposure is happening through the front door: free-tier tools with training-data retention, personal accounts holding business prompts, browser extensions with broad permissions nobody reviewed.

A cybersecurity standard that mandates EDR and DMARC but ignores the fastest-growing data exfiltration channel in small business would not stay credible for long. SMB1001 revises annually, and the 2026 edition simply caught up with how work actually happens now.

There is a second reason. Insurers and enterprise clients have started asking about AI governance in due diligence questionnaires. A certified SMB1001 Gold business can now answer “yes, and it is part of our certification” instead of scrambling to write something the week a tender closes.

The trap: a policy that does no work

The fastest way to fail this control in spirit while passing it on paper is to download a template, change the company name, and file the PDF. The document exists. Nothing enforces it.

A policy earns its place when it is connected to enforcement. The acceptable tool list becomes a Conditional Access posture. The data rules become sensitivity labels and DLP policies that actually block the paste. The review cadence goes in the calendar with an owner’s name on it. We covered the technical half of this in our AI policy-as-code templates: the point is that the words in the policy and the configuration in your tenant should describe the same rules.

For the attesting director, this matters personally. SMB1001 Gold is director self-attested. Signing off on a policy you know is not followed is a worse position than having no certification at all.

What this looks like in a Gold project

In a typical Gold engagement we slot the AI policy into the process workstream alongside the cybersecurity policy, incident response plan, and digital asset register. The sequence that works:

First, discover. Audit what AI tools are actually in use across the business, sanctioned or not. Writing rules for an imagined environment wastes everyone’s time.

Second, decide. Pick the sanctioned tools, define the data rules per tool, and assign an owner for the policy. This is a one-hour decision meeting with the right people in the room, not a quarter-long project.

Third, write and enforce. Draft the policy against the seven areas, then push the rules into your Microsoft 365 configuration so the policy and the tenant agree.

Fourth, train and attest. Fold the policy into staff awareness training, capture the acknowledgement records, and the director attests with evidence behind every line.

Done this way, the AI policy adds days to a Gold project, not months. Done as an afterthought the week before attestation, it adds risk.

How Epic IT helps

Our AI governance service covers exactly this ground: tool discovery, policy development mapped to SMB1001 and the Privacy Act, and the Microsoft 365 configuration that enforces it. For businesses already on our managed services, the AI policy work folds into the SMB1001 Gold programme. For businesses with their own IT team, we deliver the policy and enforcement design and your team runs it.

Contact us on 1300 EPIC IT and we will tell you whether your current AI use would pass the control, and what it takes to close the gap.

Frequently asked questions

Does SMB1001 require an AI policy?

Yes, from Gold level upward under the 2026 edition. The control requires a written policy for the responsible and secure use of AI covering acceptable use, data governance, risk management, security measures, staff training, legal compliance, and regular review. Bronze and Silver do not require it, but writing one early makes the step to Gold smaller.

What should an SMB1001 AI policy include?

Seven things: which AI tools are authorised and for what work, what data can go into them, how AI risks like errors and misuse are managed, the security controls protecting AI systems and data, how staff are trained on the rules, how your AI use complies with applicable law, and a review cadence with a named owner. For most Perth SMBs that is a two-to-four page document backed by Microsoft 365 enforcement.

Do I need ISO 42001 or the NIST AI Risk Management Framework to comply?

No. SMB1001 points to both as optional sources of structure, not requirements. ISO/IEC 42001 is a full management system standard built for organisations running AI at scale. An SMB pursuing Gold needs a proportionate policy mapped to the seven required areas, not a second certification project.

We have banned AI tools. Do we still need the policy?

Yes, and a ban is itself a policy position you should document, along with how the ban is enforced and when it will be reviewed. In practice, outright bans push AI use onto personal devices and accounts where you have zero visibility. A short list of sanctioned tools with clear data rules is safer than a ban most staff quietly ignore.

Who should own the AI policy in a small business?

One named person with the authority to approve tools and change rules, typically the operations lead, practice manager, or whoever owns the relationship with your IT provider. The owner runs the review cycle and is the escalation point when staff want a new tool approved. A policy without an owner stops being maintained within six months.

Does the AI policy help with anything beyond SMB1001?

Yes. The same document supports Privacy Act reasonable steps, answers the AI governance questions now appearing in cyber insurance proposals and enterprise due diligence questionnaires, and positions you for WA’s PRIS Act obligations on automated decision-making. One policy, written properly, serves all four.

Would your AI use pass the Gold control?

Our Perth-based team will audit what AI tools are actually in use, draft the policy, and wire the enforcement into your Microsoft 365 tenant as part of your SMB1001 journey.


About the Author
Written by Chris Arceo, Cyber Security Officer at Epic IT, a CRN Fast50-recognised managed IT services provider in Perth. Chris holds a Bachelor of Science in Information Technology (Network Administration) and over a dozen active certifications including CompTIA Security+, Cisco CCNA, and specialist qualifications across Datto, Sophos, Kaseya, and ConnectWise platforms.
