ISM-2074 requires every organisation to have an AI usage policy. Use this interactive builder to create one aligned to the ISM, tailored to your organisation. Copy or screenshot the result.
AI Usage Policy GeneratorCopy to Clipboard
AI Usage Policy Generator
Step 1: Organisation Details
Basic information about your organisation for the policy header.
Step 2: Approved AI Tools
Toggle on the AI tools your organisation approves for use with OFFICIAL data.
Microsoft Copilot (M365)
Enterprise, AU data residency via Azure AU East
ChatGPT Enterprise
OpenAI, pre-approved under PSPF Advisory 001-2025
Claude for Work
Anthropic, pre-approved under PSPF Advisory 001-2025
Gemini Enterprise
Google Cloud, via Vertex AI on AU region
Amazon Bedrock
AWS, Sydney region, HCF Certified
Azure OpenAI Service
Microsoft Azure, AU East region, HCF Certified
Step 3: Classification Floor
What is the maximum classification level that may be used with approved AI tools?
OFFICIAL only
AI tools may only process OFFICIAL (non-sensitive) information
Up to OFFICIAL: Sensitive
AI tools may process up to OFFICIAL: Sensitive with approved enterprise tools only
No AI for any classified material
AI tools are restricted to UNOFFICIAL information only
Step 4: Permitted Use Cases
Select which use cases are permitted with approved AI tools.
Document drafting and editing
Email composition and replies
Data analysis and visualisation
Code generation and review
Meeting summary generation
Brainstorming and ideation
Research and literature review
Translation and language support
Step 5: Prohibited Activities
These prohibitions are auto-populated based on your selections. Review and confirm.
Step 6: Incident Reporting
How should employees report AI-related security incidents?
Step 7: Review Cadence
How often will this policy be reviewed and updated?
Monthly
Recommended for organisations in early AI adoption
Quarterly
Standard cadence for most defence organisations
Six-monthly
For mature organisations with stable AI governance
Your AI Usage Policy
Key Insight
ISM-2074 requires every organisation handling government data to have an AI usage policy. This generator gives you a head start, but the policy should be reviewed by your security team and legal counsel before formal adoption. A draft policy today is infinitely better than a perfect policy next quarter.