Last Updated: May 2026 · By Ehtisham Saeed, RTO Marketing Specialist
If ASQA asked tomorrow how your RTO governs AI, the AI use policy is the document you would hand over. Most RTOs do not yet have one.
Generative AI is already in use across most Australian RTOs, usually before any policy exists to govern it. Staff draft marketing copy in ChatGPT, summarise documents in Copilot, and generate activity ideas in Claude, often on the organisation’s data, without a single line of written guidance. The AI use policy closes that gap. It is the difference between AI use that can be defended during a performance assessment and AI use that is a finding waiting to happen.
This guide gives you the actual structure of an RTO AI use policy, section by section, so you can build one rather than just read about why you need one. It is the practical companion to the 90-day AI adoption plan (where drafting the policy is the Phase 1 task) and sits inside the AI for RTO operations cluster.
Why an RTO Needs a Written AI Policy Now
The regulatory case for a written policy has three layers, and each one applies whether or not you think your RTO uses much AI.
For a beginner: an AI use policy is a document that tells your staff what they can and cannot do with AI tools. It exists because, without it, people make their own decisions about what to put into ChatGPT, and some of those decisions create real risk (for example, pasting a student’s personal details into a tool that trains on the input).
For an intermediate operator: the Standards for RTOs 2025, in force since 1 July 2025, shifted ASQA’s framework toward outcome-based quality and continuous self-assurance. The regulatory question is no longer “do you have a rule?” but “can you demonstrate the outcome and the evidence?” A written, followed, audited AI policy is how you demonstrate that AI use is governed rather than accidental.
For a compliance manager: ASQA has published its own AI Transparency Statement, last updated 18 March 2026, setting out how ASQA itself uses AI responsibly with humans at the centre of decision-making. That statement governs ASQA’s own use as a government agency, not a direct mandate on RTOs, but it signals the direction, and ASQA’s draft AI Principles for the sector point the same way. The Australian Government’s Policy for the Responsible Use of AI in Government, effective September 2024, gives a three-pillar model (enable and prepare, engage responsibly, evolve and integrate) that an RTO can borrow as a ready-made framework. The prudent RTO builds its policy now, aligned to that direction, rather than waiting for prescriptive rules.
The Eight Sections Every RTO AI Use Policy Needs
A workable RTO AI use policy is short, usually two to four pages, and contains eight sections. Longer policies do not get read, and a policy nobody reads is worse than a short one everyone follows.
- Purpose and scope, what the policy covers and who it applies to
- Approved tools, which AI tools are approved, conditionally approved, or prohibited
- Data classification, what data may and may not be entered into AI tools
- Prohibited uses, the specific things AI must never be used for
- Human validation, who checks AI output before it is used
- Audit trail, how AI-assisted work is recorded
- Roles and accountability, who owns and enforces the policy
- Review cycle, how often the policy is reviewed and by whom
Section by Section: What Goes in Each
. Purpose and Scope
State why the policy exists (to govern AI use in line with the 2025 Standards, the Privacy Act, and the RTO’s own quality framework) and who it binds (all staff, contractors, and any third party acting for the RTO). Make scope explicit: the policy covers AI use in marketing, administration, operations, and training and assessment support.
. Approved Tools
List the tools by name and tier. Approved tools are cleared for use within the data rules. Conditionally approved tools may be used only for specific tasks or with specific controls. Prohibited tools may not be used at all. The tier list is covered in detail below. Naming specific tools matters; a policy that says “use AI responsibly” without naming what is approved gives staff no actual guidance.
. Data Classification
This is the heart of the policy and gets its own section below. In short, it defines which categories of data may be entered into approved AI tools and which may never be.
. Prohibited Uses
Spell out what AI must not be used for. Common prohibitions for an RTO: generating assessment evidence or student work, making final assessment judgements, processing student personal information in non-approved tools, and producing marketing claims that have not been compliance-reviewed. The marketing prohibition links directly to the prohibited phrases rules, because AI can generate non-compliant marketing language as easily as a human can.
. Human Validation
State that AI output is a draft, not a finished product, and name who must review what before it is used. Marketing copy is reviewed by whoever holds marketing compliance. Operational summaries are validated by the relevant function head. Anything touching training and assessment is reviewed by a qualified trainer or assessor. The principle: a human remains accountable for every output, which mirrors the “humans at the centre” position in ASQA’s own statement.
. Audit Trail
Define how AI-assisted work is recorded: which tool was used, for what task category, what human review was applied. This does not need to be onerous; a simple log is enough. The audit trail is what converts “we use AI carefully” into evidence you can show during a performance assessment.
. Roles and Accountability
Name the AI Champion (the single accountable owner of the policy, covered in the 90-day adoption plan) and set out who approves new tools, who audits the logs, and who reports to leadership. ASQA’s own statement designates an accountable official; an RTO should do the same in proportion to its size.
. Review Cycle
State how often the policy is reviewed (annually at minimum) and what triggers an out-of-cycle review (new ASQA AI guidance, a Privacy Act amendment, a new tool, or an identified gap). Put the next review date in the document.
The Data Classification Rule
If a staff member reads only one section of the policy, it should be this one, because it is where the real risk lives.
The data classification splits everything the RTO handles into three buckets:
- Green, may be entered into approved AI tools: public information, RTO-owned non-sensitive content, draft marketing copy, public ASQA documents, general operational text with no personal or commercial sensitivity.
- Amber, may be entered only into approved tools with enterprise data protection and only with function-head approval: internal operational data, validation records, board papers, anything commercially sensitive but not personal.
- Red, must never be entered into any AI tool unless a full Tier 3 risk assessment has approved it: student personal information, USIs, assessment evidence, LLN results, financial data, ASQA audit responses, anything covered by the Australian Privacy Principles.
The red category is the one that protects the RTO from a Privacy Act breach. The Privacy Act 1988, after the 2024 reforms, allows penalties up to $50 million per serious breach. A staff member pasting a student’s enrolment details into a consumer-grade AI tool that trains on its input is exactly the kind of breach the policy exists to prevent. The data classification rule makes the boundary unambiguous.
The Tool Approval Tiers as Policy Language
The approved-tools section needs concrete language, not vague encouragement. A workable structure:
Approved: name the specific tools and tiers cleared for use, for example a named general-purpose tool on its enterprise or pro tier (where input is not used for training) and the AI built into the RTO’s existing software. The choice between Claude, ChatGPT, Gemini, and Copilot is covered in the Claude vs ChatGPT vs Gemini for RTOs comparison.
Conditionally approved: tools that may be used only for green-data tasks, or only by specific roles, or only with a specific control in place.
Prohibited: consumer free tiers that train on input data, and any tool not on the approved or conditional list. The default for anything not explicitly listed is “not approved until assessed,” which prevents shadow adoption of new tools without review.
How the Policy Lives in Your Quality Management System
An AI use policy that sits in someone’s inbox is not a policy. To function under the 2025 Standards, it has to live in the RTO’s Quality Management System like any other controlled document.
That means: a version number and date, a named owner, a place in the document register, a defined review cycle, and a record of staff acknowledgement. When ASQA reviews governance during a performance assessment, a policy that is version-controlled, dated, owned, and acknowledged by staff demonstrates self-assurance. A policy with no version control and no acknowledgement record demonstrates the opposite, even if the content is good.
Who Writes It, Who Signs It, Who Maintains It
The practical ownership, scaled to the size of the RTO:
- Drafts it: the AI Champion, usually someone in operations or compliance, not necessarily a technical specialist. They need to understand the RTO’s systems and ask the right questions, which is the same standard ASQA-adjacent guidance applies to AI accountability.
- Signs it: the CEO or equivalent, because a policy without leadership sign-off carries no authority.
- Maintains it: the AI Champion, on the review cycle, briefing leadership when regulatory change requires an update.
In a small RTO these can be two people. In a larger one they may be a small governance group. What matters is that the roles are named in the policy, not left implicit.
Five Mistakes That Make an AI Policy Fail an Audit
The patterns that turn a well-intentioned policy into a weak one:
- Too vague to act on. “Use AI responsibly” is not a policy. Without named tools and clear data rules, staff cannot actually comply, and ASQA cannot see governance.
- No data classification. The policy talks about approved tools but never says what data may go into them, leaving the highest-risk decision (student data) to individual judgement.
- No audit trail. The policy sets rules but creates no record that they were followed, so there is nothing to demonstrate during an assessment.
- No version control or acknowledgement. The policy exists but is not in the QMS, is undated, and staff never formally acknowledged it, so it cannot be shown as a controlled document.
- Written once and never reviewed. AI tools and ASQA guidance both move fast. A policy dated eighteen months ago with no review since signals that governance stopped after the document was written.
Frequently Asked Questions
Does ASQA require RTOs to have an AI use policy?
There is no standalone rule that says “every RTO must have an AI policy.” But the 2025 Standards require outcome-based quality and self-assurance, and AI use without a governing policy fails that expectation. ASQA’s own AI Transparency Statement and draft AI Principles signal the direction. A documented policy is the practical way to demonstrate governed AI use during a performance assessment, even though no clause names the document specifically.
How long should an RTO AI use policy be?
Two to four pages. Long enough to cover the eight sections with specific, actionable content, short enough that staff actually read it. A twenty-page policy that nobody reads governs nothing.
Can we adapt a government or generic AI policy template?
You can use the structure, but not copy it wholesale. The Australian Government’s three-pillar model (enable and prepare, engage responsibly, evolve and integrate) is a useful skeleton. The content has to be specific to your RTO’s tools, data, and training scope, because a generic template will not address student data, assessment integrity, or your actual approved tools.
What is the most important section of the policy?
The data classification rule. It is the section that prevents a Privacy Act breach by making it unambiguous which data (especially student personal information) must never be entered into an AI tool. Everything else supports it.
Who should own the AI use policy in a small RTO?
Usually the Compliance Manager or Operations Manager, acting as the AI Champion, with CEO sign-off. The owner does not need to be a technical specialist; they need to understand the RTO’s systems and maintain the policy on its review cycle.
How does the AI policy connect to assessment integrity?
The prohibited-uses section should rule out using AI to generate assessment evidence or make final assessment judgements, and the data classification should keep assessment evidence in the red category. ASQA’s Corporate Plan emphasises non-authentic student work as an integrity concern, so the policy’s treatment of assessment is one of the parts most likely to matter during a review. The broader question of what ASQA will and will not penalise is covered in our guide to ASQA and AI.
What Happens Next
The AI use policy is the foundation document. Once it exists, the rest of the 90-day AI adoption plan can run on top of it: the risk register, the pilot use cases, the staff training, and the operational rollout. Choosing the actual tools the policy will approve is covered in the Claude vs ChatGPT vs Gemini for RTOs comparison, keeping AI-generated marketing compliant connects to the prohibited phrases guide and the AI for RTO marketing workflow, and the question of regulatory penalty is answered in will ASQA penalise AI use.
Want to check whether AI-generated content has already introduced compliance risk into your public-facing marketing? RTO Scanner reviews your website copy against the phrases ASQA flags and validates your RTO code against training.gov.au in real time, free, in under five minutes.
