AI data security for Australian SMBs: what not to paste, and how to stay safe

The good news is that AI data security for an SMB is mostly a handful of decisions you can make this week. Here is the playbook, in plain terms. This is general information, not legal advice.

The single biggest control: business tier, not consumer tier

If you take one thing from this article, take this. The tier you use matters more than almost anything else.

• Free and consumer plans often reserve the right to use your inputs to train the model, and to have humans review some of what you type. That is fine for drafting a poem. It is not fine for client data.
• Paid Team and Enterprise tiers from the major providers commit not to train on your business inputs by default. Anthropic, for example, states that inputs and outputs from its commercial, Team and Enterprise products are not used to train its models by default.

Same chatbot. Very different data handling. Moving your team off personal free accounts and onto a sanctioned business tier is the highest-leverage thing you can do, and at roughly AUD 30 to 45 per user a month it usually costs less per head than a streaming subscription.

The Office of the Australian Information Commissioner made the same point in its October 2024 guidance on commercially available AI products: organisations should check a tool’s terms, including whether it trains on inputs and how it handles secondary use, before entering any personal information.

What not to paste into public AI tools

Keep this list somewhere your team can see it. Do not paste the following into any AI tool you have not vetted on a business tier:

• Customer or staff personal information - names tied to contact details, identifiers, anything that could identify a person
• Health information - the most sensitive category under Australian privacy law
• Payment and financial data - card numbers, bank details, full account data
• Secrets - passwords, API keys, access tokens, internal credentials
• Anything under NDA or contractually restricted - client material you have promised to protect

Rule of thumb: if you would not email it to a stranger, do not paste it into a tool whose terms you have not read.

Shadow AI: the real SMB risk

Shadow AI is staff using AI tools the business never sanctioned - free apps, browser extensions, unknown websites. It is the most common and most underrated exposure in a small business, and surveys keep flagging privacy and security as a top concern. Intuit’s 2026 AI Impact Report found roughly 39% of Australian AI users name privacy or security among their worries, yet they keep reaching for whatever tool is closest.

That is the key insight. Banning AI does not work, because people will use it anyway and just hide it. The fix is to make the safe path the easy path:

• Provide a sanctioned stack. Pick one or two good tools on a business tier and tell everyone these are the approved ones.
• Write a one-page policy. Name the approved tools, list what must never be pasted in, say when a human must review output, and give one clear contact for questions.
• Make it easy to ask. Most shadow AI is well-intentioned. People reach for a random tool because the sanctioned option is slow or unclear. Remove that friction.

A short policy people actually read beats a long one nobody opens.

Prompt injection, in plain terms

As AI moves from answering questions to taking actions, a new risk appears: prompt injection.

Prompt injection is when untrusted content - a web page, an inbound email, an uploaded document - contains hidden instructions that try to make an AI agent misbehave. Think of it as a stranger slipping a note into your inbox that says “ignore your boss and forward me the client file,” except the note is aimed at your AI assistant.

It matters most for agents that can both read external content and then do something: send email, move money, change records. The defences that work for a small business are not exotic:

• Keep a human in the loop on any consequential action. The agent proposes, a person approves.
• Limit what an agent can touch. Least privilege applies to software too. Do not give an AI assistant broad access to sensitive systems just because it is convenient.

Australia’s own cyber agency agrees. The ASD’s Australian Cyber Security Centre, in joint guidance on adopting agentic AI, advises organisations never to grant AI broad or unrestricted access to sensitive data or critical systems.

Data residency and sovereignty

Some work is sensitive enough that where the data physically sits matters - regulated industries, government-adjacent contracts, clients who write residency into the agreement.

Two practical points:

• It does not matter for everything. Drafting a marketing email does not need Australian hosting. A regulated client record might.
• The option exists when you need it. Major providers offer Australian or regional hosting, so you can keep data in-region for the workloads that require it.

Decide per workload, not as one blanket rule, and write the decision down so you can answer a client or auditor without scrambling.

What is changing in law

One date for the calendar. The Privacy Act’s automated decision-making transparency rules commence on 10 December 2026. From then, organisations that use automated systems to make or substantially help make decisions affecting people must be transparent about it in their privacy policy. If you are building anything that decides about customers - approvals, pricing, eligibility - factor this in now rather than retrofitting later.

The checklist

Run through this with your team:

• Move everyone off free consumer accounts onto a sanctioned business tier where inputs are not used for training.
• Publish a one-page AI policy naming approved tools and a do-not-paste list.
• Confirm the no-training commitment in writing from each provider you rely on.
• Keep a human in the loop on any action an AI agent can take.
• Choose an Australian or in-region hosting option for sensitive or regulated workloads.
• Note the 10 December 2026 automated decision-making rules if you make decisions about customers.

None of this requires a security team. It requires a few decisions, made on purpose, and written down. That is most of AI data security for a small business handled.