← Field Notes
Benchmarks & Readiness·20 May 2026·4 min read

Two in Three Australian Businesses Have Unauthorised AI Use

SAP research finds 69% of Australian firms have staff using AI without approval. The government just released a free policy template — here's why you need it.

The gap between using AI and governing it

Two-thirds of Australian businesses have employees using AI tools without formal approval. Not hypothetically — right now. SAP's Value of AI report, developed with Oxford Economics across 200 Australian executives, found 69 per cent of organisations report staff using unauthorised AI tools at least occasionally. Only 38 per cent have a designated leader responsible for AI adoption.

This isn't a technology failure. It's a governance vacuum. And it's been sitting open long enough that the federal government built a free fix.

Shadow AI isn't a headline. It's your Tuesday morning.

Shadow AI is any AI tool an employee uses without organisational approval — ChatGPT on a personal login, a free transcription app, an image generator processing client photos. A Journal of Accountancy survey found 59 per cent of workers use unapproved AI tools at work. Ninety-three per cent of executives and senior managers do it too. Three-quarters admit to pasting sensitive business data into these tools — employee details, customer information, internal documents.

For a trades business, that's a scheduler dumping the client database into ChatGPT to help with rostering. For an accounting firm, it's a graduate pasting financial statements into an AI summariser to save time on working papers. The intent isn't malicious. The exposure is real.

IBM's 2025 Cost of Data Breach Report quantified the damage: breaches involving shadow AI cost organisations US$4.63 million on average — US$670,000 more than standard incidents. Shadow AI now accounts for 20 per cent of all breaches, and 65 per cent of those involve compromised customer data. For an SME, the absolute dollar figure is smaller, but the ratio of damage to revenue is worse.

69%

Australian firms with unauthorised AI use

SAP, 200 Australian executives surveyed

+$670K

Extra cost per shadow AI breach

IBM Cost of Data Breach 2025

The governance gap is wider than you think

Deloitte's State of AI in the Enterprise 2026 report surveyed more than 3,000 C-suite leaders globally and found only 22 per cent of Australian companies have what they'd call a highly advanced governance model for AI. Meanwhile, 69 per cent are already deploying agentic AI — systems that take autonomous action, not just answer questions. The gap between capability and control is accelerating.

SAP's data shows the structural problem: just 22 per cent of Australian organisations have board-level sponsorship of AI initiatives, and the same proportion offer incentives for leaders to drive adoption. For most smaller businesses — without boards or chief technology officers — nobody owns AI governance. It sits in the gap between operations and IT and everyone assumes someone else is handling it.

Australian AI: adoption vs governance

Using agentic AI

69%

Deloitte, 2026

Have advanced AI governance

22%

47-point gap

The fix is free. It takes an afternoon.

On 11 May, the National AI Centre launched AI.gov.au — a central platform built specifically for SMEs navigating AI adoption. Among its resources: a free, 12-page AI policy template that gives any business a credible governance baseline without hiring a consultant or commissioning a custom framework.

The template covers seven principles: ethical use, clear accountability, risk assessment before deployment, quality and security standards, fairness protections, transparency (including maintaining an AI register), and human oversight for critical decisions. It comes with a companion screening tool for evaluating new AI use cases and a register template for tracking what AI your business actually uses.

The National AI Centre also published six practices for responsible AI governance: decide who is accountable, understand impacts, measure and manage risks, share essential information, test and monitor, and maintain human control. None of this requires a technology background. A business owner can download the template, customise it in an afternoon, and have something in place by the end of the week.

Three things to do this week

First: download the AI policy template from AI.gov.au and adapt it to your business. Even a basic version is better than nothing — IBM's data shows 63 per cent of organisations that experienced AI breaches had no governance policy at all. Second: ask your team what AI tools they're already using. Not as a crackdown — as a genuine inventory. You'll likely find tools that are useful and should be formally adopted. Third: pick one person who owns AI governance going forward. In a five-person trades business, that might be you. In a twenty-person accounting practice, it might be your operations manager. The point is someone's name is next to it.

The businesses that get value from AI aren't the ones with the most tools. They're the ones that know what tools are in use, who's using them, and what data goes where. That's not sophistication. It's basic operational hygiene — and now there's a free government template to get you there.

Key takeaways

SAP research (200 Australian executives) found 69% of organisations have staff using AI tools without formal approval, while only 38% have a designated AI leader.
Shadow AI breaches cost US$670,000 more than standard incidents per IBM's 2025 data. Three-quarters of shadow AI users paste sensitive business data into unapproved tools.
The National AI Centre launched AI.gov.au on 11 May 2026 with a free 12-page AI policy template and register designed specifically for SMEs — no consultant required.
The fix isn't banning AI. It's governance: designate an owner, inventory what's in use, and set clear policies. Research shows 63% of AI-related breaches hit organisations with no governance policy.

Sources

SAP Australia — Value of AI Report (October 2025)

Journal of Accountancy — Lurking in the Shadows: The Costs of Unapproved AI Tools (November 2025)

National AI Centre — AI.gov.au and Guidance for AI Adoption

Assumptions & methodology
  1. The SAP Value of AI report was published October 2025 in collaboration with Oxford Economics. It surveyed 1,600 business leaders of enterprise and midmarket businesses across eight countries, with 200 Australian executives included. The 69% figure refers to Australian organisations reporting employees using unauthorised AI tools 'at least occasionally.'
  2. The US$670,000 premium and US$4.63 million average breach cost figures are from IBM's 2025 Cost of Data Breach Report (global data). Shadow AI breaches represent 20% of all reported breaches. Australian-specific shadow AI breach costs are not separately reported; for SMEs, absolute costs are typically lower but proportional financial impact is often higher.
  3. The Journal of Accountancy survey (November 2025) found 59% of employees use unapproved AI tools and 93% of executives do likewise. The 75% figure (sharing sensitive data) is from the same survey of US-based employees. Australian employee behaviour is likely comparable given similar AI tool accessibility.
  4. Deloitte's State of AI in the Enterprise 2026 surveyed more than 3,000 director-to-C-suite leaders globally with direct AI involvement. The 22% 'highly advanced governance' figure is from the Australian subset. The 69% agentic AI adoption figure is also Australian-specific.

Next

Your AI Is Working. Your Productivity Metrics Aren't.

Read →

Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.

Not sure where your AI governance stands?

A 30-minute call can identify the gaps between what your team is already doing with AI and what needs a policy around it. Book a call to get clarity.

Book a call →