CTF Challenge #2: Is Your Business Deploying AI Legally? Take the Governance Quiz
Difficulty: Intermediate | Reading time: 10 minutes | Product tie-in: AI Governance Policy Pack ($97)
TL;DR
- Most SMBs are already using AI tools — and most have zero governance policies around them
- This quiz tests your knowledge of AI risk, liability, and compliance obligations for Australian businesses
- By 2026, the EU AI Act affects any AI system used by businesses that serve EU customers — including Australian ones [1]
- Each question maps to a real governance gap the lil.business AI Governance Policy Pack addresses
Why This Matters More Than You Think
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
Your staff are already using AI. ChatGPT for client emails. AI writing tools for proposals. Automated chatbots on your website. AI-assisted hiring filters.
Each of these creates legal exposure you probably haven't thought about yet.
The challenge: most governance frameworks were written by lawyers for enterprises. Nothing exists for th
Free Resource
Free AI Governance Checklist
Assess your organisation's AI risk posture in 10 minutes. Covers transparency, bias, data governance, and ISO 42001 alignment.
Download Free Checklist →That's what this quiz is for — to identify exactly which governance gaps you have.
The Quiz: 6 Questions, Real Scenarios
Question 1: The AI-Generated Proposal Problem
Your business uses an AI writing assistant to draft client proposals. The AI occasionally hallucinates figures — it once wrote "certified to ISO 27001" when your company is not. A client relies on this claim and signs a $200K contract.
Who bears liability?
A) The AI vendor — their tool produced the false output
B) Your business — you are responsible for all representations made to clients
C) The employee who used the tool — they should have checked
D) No one — AI hallucinations are a known limitation and create no legal liability
Question 2: The EU AI Act Scope Problem
Your Australian accounting firm uses an AI tool that automates credit risk scoring for small business loan referrals. You serve a small number of European clients.
Does the EU AI Act apply to you?
A) No — you are an Australian business operating under Australian law
B) No — the EU AI Act only applies to EU-based AI developers
C) Potentially yes — if the AI output affects people in the EU, the Act may apply regardless of where your business is incorporated
D) Only if your annual revenue exceeds €50 million
Question 3: The Employee Monitoring Problem
You implement an AI tool that monitors employee email and flags "productivity issues" to management. You don't tell employees this is happening.
Under Australian law, what is the likely outcome?
A) This is permitted — employers have the right to monitor company systems
B) This likely violates the Privacy Act 1988 — covert monitoring of personal communications requires specific legal grounds, and employees have a reasonable expectation of notice
C) This is fine as long as it's in the employment contract somewhere
D) Monitoring is only regulated if the employee is a contractor, not a full-time employee
Question 4: The Biometric Data Problem
Your retail stores install an AI-powered "loss prevention" system that captures and analyses customer faces to flag known shoplifters. The system stores biometric data on a US server.
What Australian law is most relevant here?
A) Competition and Consumer Act — this is a commercial practice issue
B) Privacy Act 1988 — biometric data is sensitive information with specific handling obligations, and offshore storage triggers data transfer obligations
C) There is no specific Australian law covering biometric data for retail use
D) Criminal Code Act — facial recognition is only regulated in law enforcement contexts
Question 5: The AI Hiring Filter Problem
You use an AI recruitment tool to screen CVs. You later discover the tool was trained on historical data and consistently ranks female applicants lower than male applicants for technical roles.
As the business deploying the tool, what is your exposure?
A) None — the AI vendor is responsible for bias in their training data
B) Potential liability under the Sex Discrimination Act 1984 — you are responsible for discrimination that occurs through tools you deploy, regardless of the tool's origin
C) Only exposed if an unsuccessful applicant can prove they were specifically disadvantaged
D) No exposure — AI-assisted decisions are not covered by discrimination law yet
Question 6: The AI Policy Documentation Problem
An enterprise client asks you to provide your AI governance policy before proceeding with a contract. You don't have one.
What is the likely commercial outcome?
A) The client proceeds anyway — AI governance policies are a nice-to-have, not a requirement
B) The deal stalls or falls through — AI governance documentation is increasingly a procurement requirement, especially for regulated industries [2]
C) You can provide a one-page summary in 10 minutes and the client will accept it
D) Enterprise clients never actually read governance documents — it's a box-tick exercise
The Answers
Answer 1: B — Your business bears liability
This is the most misunderstood aspect of AI deployment. You are responsible for every representation made to a client, regardless of what tool generated it. AI vendors specifically disclaim liability for output accuracy in their terms of service. Your governance policy must include an output review requirement before client-facing use.
Governance gap: No AI output review policy.
Answer 2: C — Potentially yes
The EU AI Act has extraterritorial reach. If your AI system's output affects individuals in the EU (clients, job applicants, loan recipients), the Act may apply to you regardless of where your business is based. Credit risk scoring AI sits in the "high risk" category under the Act and faces specific requirements [1].
Governance gap: No AI use case risk classification or extraterritorial compliance assessment.
Answer 3: B — Likely a Privacy Act violation
The Privacy Act 1988 requires transparency about how personal information is collected and used. Covert AI monitoring of employee communications, even on company systems, creates significant legal exposure. Some states also have specific workplace surveillance legislation (e.g. NSW Workplace Surveillance Act 2005).
Governance gap: No employee AI monitoring disclosure policy.
Answer 4: B — Privacy Act, biometric data, and offshore storage
Biometric information is "sensitive information" under the Privacy Act with stricter handling obligations. Offshore storage to the US triggers the cross-border disclosure provisions of Australian Privacy Principle 8. You need consent, a data impact assessment, and contractual protections with the vendor.
Governance gap: No biometric data handling policy and no vendor data transfer assessment.
Answer 5: B — Sex Discrimination Act exposure
The principle is clear: deploying a discriminatory tool makes you the discriminating party. The Fair Work Commission has already ruled on AI-assisted adverse actions. The fact that you didn't design the bias is not a defence if you deployed the tool without auditing it [3].
Governance gap: No AI procurement bias assessment or audit requirement.
Answer 6: B — The deal stalls or falls through
Gartner research shows that by 2026, 60% of large organisations will require AI governance documentation from vendors and service providers as a procurement condition [2]. This is already happening in financial services, government, and healthcare. Not having a policy is a commercial risk, not just a compliance risk.
Governance gap: No documented AI governance policy at all.
ISO 42001 AI Governance Pack — Coming Soon
Policy templates, risk assessment frameworks, and implementation guidance for organisations deploying AI systems. Join the waitlist for early access.
Join the Waitlist →Your Score
6/6 — You've thought about this deeply. You may still have gaps in documentation, but you understand the landscape.
4–5/6 — Partial awareness. You know some risks but have blind spots that could become expensive.
0–3/6 — Significant exposure. Every AI tool your business uses right now is unmanaged. This is fixable.
What a Real AI Governance Policy Covers
A proper AI governance policy for an SMB doesn't need to be 80 pages. It needs to cover:
- AI use case register — what tools are in use, what data they touch
- Risk classification — which uses are low/medium/high risk
- Output review requirements — when must a human verify AI output before use
- Employee monitoring disclosure — what staff must be told
- Vendor assessment — what to check before deploying a new AI tool
- Bias and fairness obligations — especially for hiring and customer-facing AI
- Cross-border data transfer — where is your AI data going
The lil.business AI Governance Policy Pack for SMBs gives you all of this in ready-to-use policy templates, built for Australian legal context, sized for businesses without a legal team.
$97 — Get the AI Governance Policy Pack
FAQ
Australia does not yet have a standalone AI Act, but existing laws (Privacy Act 1988, Sex Discrimination Act, Australian Consumer Law) apply to AI deployments. The Australian Government's AI Safety Standards consultation process is ongoing, and regulatory clarity is coming. Acting now puts you ahead of compliance requirements rather than scrambling to retrofit.
The EU AI Act is the world's first comprehensive AI regulation, in force from 2024 with full obligations phased in by 2027. It has extraterritorial scope — if your AI system's outputs affect people in the EU, obligations may apply regardless of where your business is incorporated. Australian businesses serving European markets or using EU-based AI platforms need to understand their exposure.
A simple AI governance policy for an SMB can be built in a day using a purpose-built template. The core requirement is completing an AI use case register (what tools are deployed, for what purpose, touching what data), then applying risk tiers. The lil.business AI Governance Policy Pack is designed to be implemented in an afternoon.
The risks are legal (discrimination liability, privacy breaches), commercial (losing contracts with enterprise clients who require governance docs), and reputational (an AI-related incident without documented controls looks negligent). The cost of documentation is low compared to the cost of a single incident without it.
References
[1] European Parliament, "EU AI Act: First Regulation on Artificial Intelligence," European Parliament, 2024. [Online]. Available: https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence
[2] Gartner, "Predicts 2026: AI Governance and Risk Management," Gartner, 2025. [Online]. Available: https://www.gartner.com/en/documents/ai-governance-2026
[3] Australian Human Rights Commission, "Using Artificial Intelligence in the Workplace," AHRC, 2024. [Online]. Available: https://humanrights.gov.au/our-work/employers/using-ai-workplace
[4] Office of the Australian Information Commissioner, "Privacy and AI," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/guidance-and-advice/privacy-and-ai
[5] Department of Industry, Science and Resources, "AI Safety Standards Consultation," Australian Government, 2025. [Online]. Available: https://www.industry.gov.au/science-technology-and-innovation/artificial-intelligence
No AI governance policy yet? The lil.business AI Governance Policy Pack for SMBs gives you ready-to-use templates built for Australian law — $97, instant download.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →
lilMONSTER Newsletter
Weekly cybersecurity insights, practical tips, no spam. Unsubscribe anytime.