AI Risks for Australian SMEs: What You Need to Know in 2026
AI is already inside most Australian businesses. Here are the real risks in 2026, and the practical steps to manage them.

Most Australian small businesses didn't decide to start using AI. It just turned up. Someone on the team tried ChatGPT to draft an email, a sales rep ran an AI notetaker on a call, the bookkeeper let a tool sort the receipts. It was useful and quick, and mostly invisible to whoever runs the place.
That quiet spread is exactly where the risk sits. Your team is using AI most weeks, often on free tools nobody approved, with your client data going in and no one keeping track. At the same time the rules around AI and privacy have tightened, and tenders, insurers and clients have started asking how you manage it.
This is a plain guide to the AI risks Australian SMEs face in 2026, and the practical steps you can take this month. It sticks to what's real and what to do about it.
Your team is already using AI
Start with the thing most owners get wrong. They assume their business doesn't really use AI. Then they ask around and find half the team uses it every day.
This is often called shadow AI: tools staff bring in themselves, with no approval and no oversight. Free chatbots, AI features built into apps you already pay for, browser extensions, transcription tools. None of it shows up on an invoice, so it's easy to miss.
You can't manage a risk you can't see. If you don't know which tools your team uses, you can't know what client information is going into them, where that data ends up, or whether any of it breaks a rule you're bound by. The first job isn't to ban anything. It's to find out what's actually happening.
The data risk hiding in free AI tools
Here's the part that should get your attention. When a staff member pastes client details, a contract or patient notes into a free tool, that information can leave your control. Some free tools use what you type to train their models. Once it's in, you can't pull it back out.
The numbers back this up. The Office of the Australian Information Commissioner recorded 1,113 data breaches in 2024, a 25% jump on the year before and the highest total since reporting became mandatory in 2018. In the first half of 2025, malicious attacks caused 59% of breaches and plain human error caused another 37%. Health was the most breached sector, with finance close behind.
AI makes the human error problem worse, because it hands every staff member a fast, easy way to send sensitive information somewhere new without thinking about it. The OAIC points to IBM's figure of $4.26 million as the average cost of a data breach to an Australian business. For an SME, even a small share of that can turn a good year into a bad one.
The rules changed, and they're still changing
For years most small businesses sat outside the Privacy Act. Any business turning over $3 million or less was generally exempt, which covers around 95% of Australian businesses. A lot of owners still lean on that exemption. In 2026, that's getting risky.
A few things have shifted. Health service providers, businesses that trade in personal information, and government contractors are covered by the Privacy Act no matter their size, so the exemption never applied to a clinic, an allied health practice or many finance businesses in the first place.
From 1 July 2026, anti-money laundering reforms bring tens of thousands of new businesses under the Privacy Act, including many real estate, legal, accounting and conveyancing firms. That coverage applies to the personal information they handle under those rules.
From 10 December 2026, the Privacy and Other Legislation Amendment Act brings in transparency rules for automated decisions. If your business uses a computer program or AI to make, or substantially help make, a decision that significantly affects someone, such as approving an application or screening a job candidate, you'll need to spell that out in your privacy policy.
There's also a new way to get sued. Since the middle of 2025, Australians have a direct right to take action over serious invasions of privacy. Penalties for serious or repeated breaches now reach the greater of $50 million, three times any benefit gained, or 30% of adjusted turnover. Even a privacy policy that isn't up to scratch can draw an infringement notice, and the OAIC is running a sweep of privacy policies right now to check.
The blanket removal of the $3 million exemption is still coming in a later round of reforms, expected across 2026 and 2027, though the timing isn't locked in yet. The direction is clear enough. Privacy has stopped being only a big business problem.
Where the AI rules are heading
Australia hasn't passed a single AI law, and isn't about to. The plan, set out in the National AI Plan in December 2025, is to lean on existing laws and sector regulators, backed by voluntary guidance and a new AI Safety Institute.
There's already practical guidance. The Voluntary AI Safety Standard set out ten guardrails for using AI responsibly, and in October 2025 the National AI Centre simplified it into six practical steps for safe AI governance.
These are becoming the benchmark that clients, insurers and tender panels measure you against. Following them now costs a lot less than scrambling later.
The tender and insurance squeeze
Risk doesn't only show up as a breach. It shows up as lost work and awkward questions.
More tenders, especially in government and large supply chains, now ask suppliers how they manage AI and whether they have an AI policy. If you can't answer, you can be ruled out before anyone reads the rest of your bid. A short, honest policy can be the thing that keeps you in the running.
Cyber insurers are asking sharper questions too. When renewal comes around, "we're not really sure what our staff use" is not the answer you want on the table. The same goes for a board or a major client who wants to see that you've got AI under some kind of control.
When AI gets it wrong
One more risk is easy to overlook. AI tools make things up. They state wrong facts with full confidence, invent figures and misread documents. If a staff member copies that into client advice, a quote or a report without checking, your business wears the mistake.
This one is less about data and more about quality and trust. The fix is simple and human. People stay responsible for checking AI output before it leaves the building, and your policy says so in plain words.
What a good first step looks like
You don't need a big project or a consultant on retainer to get on top of this. A practical starting point looks like this.
Find out what's in use
Ask your team, without blame, which AI tools they use and what they put into them. One honest conversation tells you more than any audit.
Write a short AI policy
One or two pages in plain English covering which tools are okay, what must never go into a public tool (client data, health information, anything confidential), and the rule that a person checks AI output before it's used. A short policy people actually follow beats a long one nobody reads.
Protect the sensitive stuff
Give your team a safer, approved way to use AI for work, so they're not reaching for random free tools with your client data in hand.
Check your privacy policy
If you're covered by the Privacy Act now, or will be soon, make sure your policy is current and, by December 2026, covers any automated decisions.
Treat it as ongoing
AI tools change month to month. A quick review each quarter keeps you ahead of it.
Where to start if you want help
If you'd rather not work through this on your own, that's what SMEC AI is here for. As an AI Adopt Program funded by the Australian Government, we run a free 20-minute AI risk discovery call.
We look at how your business uses AI and point out the risks we can see, then give you a clear next step. It's free, and there's no obligation.
You can't manage a risk you can't see. Twenty minutes is enough to start seeing it.
Frequently asked questions
Does the Privacy Act apply to my small business?
If you turn over more than $3 million, yes. If you're under that, you're generally exempt for now, unless you're a health provider, you trade in personal information, or you're a government contractor. From 1 July 2026, many real estate, legal, accounting and conveyancing businesses are also covered, for the personal information they handle under anti-money laundering rules.
Is it really a problem if staff use ChatGPT?
It depends on what they put into it. Using AI to polish wording is low risk. Pasting client details, health information or confidential documents into a free tool is where data can leave your control. A short policy that draws that line solves most of it.
Do I need an AI policy to win tenders?
Increasingly, yes. Government and large clients now ask how suppliers manage AI. A short, honest policy can keep you in the running when others get ruled out.
What changes on 10 December 2026?
New transparency rules begin for automated decisions. If you use AI or software to make, or substantially help make, decisions that significantly affect people, your privacy policy must say so.