AI strategy consulting

AI Use AI at Work? Beware, You Are Risking More Than You Think

Jun 13, 2025By Ryan Flanagan
Ryan Flanagan

TL;DR
If your team is using ChatGPT, Gemini, or Microsoft Copilot at work—even casually—you’re already exposed to legal, ethical, and reputational risks. Australia is moving fast on AI regulation, and ISO/IEC 42001 is now the clearest way to bring your AI use under control. An internal audit is the first step to prepare.

AI isn’t just coming to your workplace. It’s already there.

Wonder how the intern with no financial analysis experience is delivering sector specific deep research on valuation and industry mechanics in a day? No...you're just happy you have saved $200K on analyst! But, what’s happening on your shared drive, in your inbox, and across your browser tabs right now? Do not know do you? Used Copilot to draft a weekly wrap? Used ChatGPT to build your slide back for the weekly management meeting? Nailed out a market assessment with Claude? 

Employees are already using generative AI tools to rewrite emails, summarise PDFs, clean up notes, and prepare documents.

No formal strategy. No policy. No oversight.

The problem is, every time one of those tools is used at work, the organisation becomes accountable. Accountable for what data was entered. Accountable for the output. Accountable for any harm, bias, breach, or unintended use that follows.

That’s not trying to scare you - but it should (my own dash).

That’s what regulators are now building policy around.

Regulation is Starting to Get Codified

In 2024, the Australian Government confirmed it will introduce targeted laws to address high-risk AI systems, enforce transparency, and align with global best practice. This includes mandatory protections when AI is used in ways that affect people like hiring decisions, customer service, financial advice, or legal interpretation.

But you don’t have to wait for the legislation to get moving.

Clients are already asking what controls you have in place. Risk committees are flagging exposure. Staff are unsure what’s allowed. And once something goes wrong, an offensive answer, a privacy breach, an AI-generated error in a report (a personal report for high risk indviduals authored by an LLM) the question isn’t

“Who clicked send?”

It’s: “What do you have in place to stop this?”

Most companies don’t have one. That’s where ISO/IEC 42001 comes in.
This new international standard isn’t for AI builders. It’s for AI users, especially organisations relying on large language models (LLMs) like ChatGPT, Claude, Gemini, and Copilot.

ISO 42001 sets out how to manage the risks, data handling, ethical safeguards, and governance responsibilities involved in using AI at work. And it does so in a structured, auditable way that gives boards, regulators, and staff confidence that you're not winging it.

Here’s what it helps uncover:

  • Where AI tools are being used without approval, policy, or visibility
  • Whether staff are pasting sensitive information into unregulated systems
  • How biased or incorrect outputs could affect decision-making or clients
  • Whether your AI use is breaching privacy laws—without you realising it

If your business is using these tools—and most are—it’s only a matter of time before something slips through that could have been prevented.

Ignorance won’t be a defence.

Internal audits are your first line of protection.

You don’t need a full AI strategy to start fixing the problem. You need a clear understanding of what’s already happening in your organisation.

That’s what an internal audit aligned to ISO 42001 delivers.

It shows you:

  • Where AI use is happening across teams, systems, and processes
  • What risks are currently unmanaged (or unknown)
  • How to build clear, defensible policies and controls that meet the standard
  • What immediate changes will reduce exposure, protect data, and prepare you for incoming regulation

AI use doesn’t start with policy it often starts with a staff member under deadline.

But AI compliance does start with policy. And if you don’t know where your risks are, you can’t manage them.

AI adoption isn’t a tech initiative anymore. It’s a governance issue. It touches privacy, ethics, legal risk, public trust, and operational reputation.

Regulators are watching. Clients are asking. And ISO 42001 gives you a way to answer with confidence.

But the first step isn’t a framework. It’s an audit.

Book your ISO 42001 Internal Audit

We’ll help you:

  • Uncover hidden AI risks across your business
  • Understand what’s needed to align with ISO standards
  • Build trust with regulators, boards, and staff before the rules arrive