
The twelve questions an AI use policy has to answer
July 17, 2026
What an insurer, auditor or client reads for in an AI use policy: twelve questions that test any draft, template-started or written from scratch, before someone asks to see it.
Industries · Government & Registries
Queensland mandated the governance policy, the federal training clock is running, and the audit offices have published what they found: what a lean maritime office holds in answer is local, and it can be built to the frameworks you are marked against.
The annual report goes to Parliament with your name in it. The board pack arrives monthly, the ministerial clock runs in days, and the right to information reaches the drafts in the building. Somewhere between those deadlines, staff found the new tools: a board paper summarised here, a residents' reply drafted there, a chat history holding content your records system has never seen.
Where are you based?
Where this sits for you
The audit offices have already named the pattern across government, adoption running ahead of governance, and the frameworks have arrived with your organisation in scope: use registers, risk assessments, mandatory training, records of the AI-touched outputs. The mandates assume depth your office fills with one person wearing four hats. There is a version of this where the office meets the mandate with evidence, the training register fills with verified certificates, and the next audit finds an orderly file. It starts with knowing your position.
The Queensland Audit Office's September 2025 report found the central department holds limited visibility of AI use across government, and one of the departments examined holds no central AI inventory, with ethical risks on its own systems not effectively identified and managed. A maritime authority's audit committee reads that report knowing the agency is a smaller version of the finding.
The Audit Office of NSW found 357 AI tools running across 21 large agencies, with fewer than half holding formal AI policies and a quarter holding an AI strategy, and followed in February 2026 with a dedicated performance audit of agencies' AI governance.
AMSA, Australia's maritime safety regulator, publishes an AI transparency statement under the federal policy: no AI in external-facing decisions, a contained pilot, a governance committee and two named accountable officials. The maritime implementation of the mandate already exists in miniature, and a smaller office can read it in one sitting.
Port operators carry a second clock under the Security of Critical Infrastructure Act, Australia's critical-infrastructure security law: risk-management program obligations have been live since April 2025, AI-driven incidents sit inside mandatory cyber reporting, and AI enters the enhanced risk-management rules in 2027-28.
Annual reports tabled in Parliament, audit committees, risk registers and a legislated strategy cycle all sit with a lean office, and each obligation carries a named accountable officer with little delegable depth beneath them. The rest of this list is that fact, repeated in different uniforms.
The Queensland Audit Office publishes AI better-practice checklists agencies are measured against, and state archives treat AI prompts and outputs used for official business as public records that must be captured. The file your office cannot produce is the one living in a chatbot history on a personal account.
Correspondence with statutory clocks, estimates briefs and monthly board packs make reporting the highest-volume drafting surface in the organisation. That makes it the first place staff reach for AI, and the last place an unchecked error survives: a fabricated figure in a tabled document is a career event.
The NSW Audit Office found 357 AI tools running across 21 large agencies, with fewer than half holding formal AI policies. The public-sector incident file is already written, from a court report drafted in a public chatbot with a vulnerable child's details to a partially refunded $440,000 government report carrying fabricated citations.
Queensland mandated AI governance for departments and statutory bodies in September 2024, aligned to ISO 38507, and the federal policy requires foundational AI training for all staff within twelve months of December 2025, alongside a use-case register and impact assessments. A small authority owes the same list in substance, and it lands on staff already wearing four hats; this is the precise gap external training and advisory exists to fill.
AO7 to AO8 runs $133,602 to $156,143 plus superannuation, while ports, class societies and consulting price the same maritime, digital and governance skills higher. Small authorities cannot hire their way to AI capability, so capability has to arrive through training and external advisory.
The Opportunity
The Australian mandate stack is already specific. Queensland's AI governance policy has bound departments and statutory bodies since September 2024, the federal policy took effect in December 2025 with training and use-case registers behind it, and AMSA, Australia's maritime safety regulator, publishes a transparency statement that shows what implementation looks like inside a maritime agency. The auditors in two states have published what they measured against it.
What the frameworks ask of an individual office is local: a use register with an accountable owner per entry, a written policy, risk assessments in the framework you are marked against, training records and a review cycle. Under a written position, AI already does defined work across the office, each task with a named human check before it is relied on.
Ministerial correspondence drafts
AI drafts a first reply to a ministerial correspondence item inside its statutory clock, which gets a start on the five-day deadline, and the accountable officer reviews it against the file before it is signed and sent.
Board-pack assembly
AI assembles the monthly board pack from the program leads' sections into one document, which takes load off the highest-volume drafting surface, and a person checks the figures against the source before it goes to the board.
Use-register maintenance
AI helps compile and keep the AI use-case register the mandate requires, each entry with its accountable owner, which produces the artifact the auditor asks for, and the governance lead confirms it before the audit and risk committee sees it.
RTI search support
AI helps locate and summarise correspondence for a right-to-information request across the mailboxes and the records system, which shortens the search, and a person verifies the results against the record before release.
Estimates and question-time briefs
AI drafts estimates and question-time briefs from the underlying material, which gets the brief moving, and the officer checks each fact against the source before it is relied on.
These are the workflows the prompt library and the training stand up, under the standard the documents set.
Your World
The QAO checklist and ISO 38507
AUSThe Queensland Audit Office, the state's public auditor, publishes an AI better-practice checklist agencies are measured against, and Queensland's mandated governance policy aligns to ISO 38507.
The twelve-month training clock
AUSThe federal AI policy version 2.0, effective 15 December 2025, requires foundational AI training for all staff within twelve months and an internal use-case register with an accountable owner per use case.
FAIRA risk assessment
AUSQueensland's AI governance is supported by the Foundational Artificial Intelligence Risk Assessment framework, the instrument the ethical evaluation runs through.
Harbour regions and vessel traffic
AUSMaritime Safety Queensland runs five maritime regions with Regional Harbour Masters, aids to navigation, vessel traffic services and pollution response.
Registry turnarounds and the REG Yacht Code
A registry runs registration turnarounds across twelve time zones, holds white-list standing on the Paris and Tokyo MOUs, and is consolidating its yacht codes into a single REG Yacht Code with Cayman holding the secretariat.
The tabling deadline and estimates
The annual report must be tabled in Parliament on a statutory deadline with the figures traceable, and estimates briefs run alongside the board and audit cycle.
Board packs to the board
The monthly board pack is due to a ministerially appointed board, with program leads owing their sections against the meeting date.
RTI reaches the drafts
A right-to-information request means searching mailboxes, the eDRMS and whatever staff drafted in tools the office never sanctioned, because recordkeeping authorities treat AI prompts and outputs as public records.
One officer, four hats
In the lean office the same person wears four hats, records, information governance, procurement and something digital, with no chief data officer or AI lead beside them.
No REG-wide AI framework yet
No public AI governance framework was found for MACI, any REG member registry or the group, so the internal AI posture is exactly what an inbound enquiry would be asking about.
The Red Ensign Group
UKThe Red Ensign Group runs from the UK, the Crown Dependencies and the Overseas Territories, consolidating the Large Yacht Code and the Passenger Yacht Code into a single REG Yacht Code with Cayman holding the secretariat, and Cayman ended 2025 with 2,656 vessels and roughly 70 percent of the global superyacht new-build order book.
Singapore's registry runs AI
SGThe MPA's DocuMind and DocuMatch, launched October 2024, apply multi-modal LLM reading to insurance certificates for Singapore-registered ships, cutting processing from up to three days to minutes.
Hong Kong's electronic-certificate registry
HKHong Kong gave e-certificates and e-logbooks full legal equivalence under an amendment ordinance effective 1 August 2023, while the Hong Kong Shipping Registry held about 112 million GT at end-2025.
No registry AI position published
APACNo flag administration in the region or any other was found publishing an internal AI governance policy or AI transparency statement for its registry operations.
Coast Guard's own AI inventory
USThe US Coast Guard, the federal maritime safety regulator, issued ALCOAST 103/25 in March 2025 ordering its own AI use-case inventory, under OMB M-25-21 (3 April 2025) which retains a Chief AI Officer, an AI strategy and a public use-case inventory for every federal agency.
Mandatory algorithmic transparency standard
UKThe UK's Algorithmic Transparency Recording Standard has been mandatory for central government departments since 6 February 2024 and extends to arm's-length bodies delivering public-facing services, alongside the AI Playbook of 10 February 2025.
Where to start
The organisation's AI position in about five minutes, a document the accountable officer can bring to the audit and risk committee.
The whole office to one standard on tool use, prohibited inputs and where the records live, with certificates verifiable at southernsky.ai/verify for the training register.
The written position: AI use policy, approved-tools register, training pathway, risk read mapped to the framework that applies to you.
The organisation-wide build where the mandate covers each unit: inventory, register, assessments, checkpoints, review cycle, done with you.
Documented Work

3 role-based workshop days, designed from a 12-department audit · 18 people certified, from maintenance and marine to finance and the executive team · Every participant left with a working AI setup and a reusable Skill built on a real task from their own role · Weeks later, reported publicly by the client: the team using AI more, sharing wins, and a real shift in the day to day
A twelve-department audit produced three role-based workshop days that certified eighteen people across ten departments, with the CHART quality method and the data rule embedded across the team and every certificate carrying a public verification page.
Read full engagement
2,040 indexable pages · 1,645 articles migrated · 146 member and partner listings · Over 1 million requests a month · ChatGPT reading 9,400+ pages in a single day · Cited and fetched live in ChatGPT daily
The Asia-Pacific Superyacht Association (APSA) was running a static HTML website carrying close to fifteen years of content. Southern Sky AI rebuilt it as a platform of 2,040 indexable pages, 1,645 migrated articles, a 146-listing member and partner directory, and 47 events, with structured schema.org data on every page and an llms.txt file. The site now handles over a million requests a month, is cited as a source in ChatGPT, and is read live by AI assistants every day, and in one recent day, ChatGPT's crawler alone read more than 9,400 pages.
Read full engagementReading

2026
The regulators, the obligations, and the moves that matter first.

2026
The AI management system standard, read for maritime operators.

July 17, 2026
What an insurer, auditor or client reads for in an AI use policy: twelve questions that test any draft, template-started or written from scratch, before someone asks to see it.

Written from inside your world
Kristina Agustin
Founder & Principal Digital Navigator, Southern Sky AI
20+ years in international superyacht and maritime operations. Legally trained (LLB, Graduate Diploma of Legal Practice). AI educator and consultant. ATSE Elevate Scholar 2026.
Start Here
Read your organisation's position in about five minutes. Twenty plain questions in, four readings back: the kinds of AI risk as they reach your organisation, the frameworks that already apply to you, the cost of leaving that use unmanaged, and the moves that matter most, ranked from the top.
Get your baselineQuestions
The AI Baseline Report reads your position in about five minutes, and your answers pre-fill everything that follows.
Run the Baseline