The AI Governance Gap: Why 97% of Australian Brokers Have No AI Policy – and the Audit-Ready One-Pager to Build This Quarter
The 97% Gap — and How to Close It
A five-question, one-page AI use policy that any Australian brokerage can write in an afternoon.
A May 2026 industry analysis surfaced a number that should be uncomfortable for every principal broker in Australia: 97% of mortgage brokers have no written AI policy. Sixty-five percent have no documented AI strategy. Forty percent have zero AI governance framework — yet most are already using Quickli's Jiffi AI, Salestrekker 2.0's automation features, ScaleConnect, ChatGPT for client emails, and a half-dozen unsanctioned AI tools embedded in the daily file workflow.
This is the gap ASIC's BID review team will eventually walk into. It is the gap aggregator compliance audits are already starting to probe. And it is the gap that will determine which brokerages remain on lender panels in 18 months and which quietly lose accreditation when the next compliance cycle hits.
The good news: closing the gap does not require a 40-page policy document or a six-figure consultant engagement. It requires a one-page, audit-defensible AI use policy that any solo broker or growing firm can write in a single afternoon. This article is the framework for that one-pager.
Why the Governance Gap Matters Now
Three forces are converging to make AI governance a near-term compliance pressure point, not a future-state nice-to-have.
First, ASIC's ongoing BID review, which began its data-gathering phase in mid-2025 and is now examining file documentation from six national aggregators, has explicitly flagged "use of automated tools in product recommendation" as an area of inquiry. If a broker used an AI tool to summarise lender policy and that summary was incorrect, the file note needs to show how the broker verified the output. No policy means no defensible answer.
Second, aggregator-level audits have started asking the question directly. PLAN, AFG, Connective, Loan Market, and Outsource Financial have all introduced compliance questionnaires in the past 18 months that include questions on AI tool usage. "Do you use AI tools in your workflow?" "How do you verify AI outputs?" "Where is your AI policy?" Brokers who answer "no" to the policy question are flagged for follow-up.
Third, the practical risk is no longer theoretical. The CBA $1 billion fraud probe surfaced AI-generated payslips, AI-fabricated employment letters, and AI-manipulated bank statements. The same generative technology that creates these documents is sitting in the broker's own browser. A broker who cannot articulate where AI fits and does not fit in their file process is a broker who cannot credibly explain to ASIC how their file would detect the same fraudulent inputs.
What ASIC and Aggregators Are Actually Looking For
The mistake most brokers make is assuming the compliance bar requires a sophisticated technical framework. It does not. What ASIC and aggregators want to see is evidence that the broker has thought about AI use in the same way they think about any other commercial tool — with a written record of where it is used, where it is not used, and how outputs are verified.
In practice, this means your policy needs to answer five questions clearly:
- What AI tools are approved for use in our broker workflow?
- What broker tasks are AI tools used for, and what tasks are off-limits?
- How are AI outputs verified before they enter a client file?
- How is client data handled when AI tools are involved?
- Who in the brokerage is accountable for ongoing AI policy oversight?
That is the entire framework. Five questions, one page, ten minutes to read, twenty minutes to write. Below is how to answer each one in a way that satisfies both compliance and operational reality.
The Five-Question One-Pager
Question 1: Approved tools
List the AI tools your brokerage explicitly permits. Common entries in 2026: Quickli with Jiffi AI for policy lookup, Salestrekker 2.0 for document classification and meeting scheduling, ScaleConnect for client review automation, ChatGPT or Claude for drafting client emails and summarising lender policy documents, Copilot or Gemini if your Microsoft or Google environment includes them. The point is not to list every possible tool — it is to make a deliberate choice and document it.
Equally important: state what is not approved. If you do not want brokers in your team using consumer ChatGPT for any client-data-touching task, write that down. The aggregator audit question "are there any AI tools your team is prohibited from using?" should have a clear answer.
Question 2: Approved use cases
Be specific. "AI tools may be used to summarise lender policy documents, draft client communications, classify documents in our CRM, schedule meetings, and prepare meeting notes." Then add the limits: "AI tools may not be used to make product recommendations, to generate compliance file notes, to verify client documents as authentic, or to produce content that goes to a client without broker review."
The use-case framing matters more than the tool list. Aggregator auditors increasingly understand that brokers use multiple tools — what they want to see is that the use is bounded and the broker can articulate where AI ends and broker judgement begins.
Question 3: Output verification
This is the question most policies get wrong by being vague. Specifics: "Any AI output that informs a product recommendation is cross-checked against the lender's published policy document and the broker's aggregator policy tool before the recommendation is made. Any AI-generated client communication is reviewed and edited by the broker before sending. Any AI-classified document is opened and visually verified before the file is submitted."
The format does not need to be a separate document for each verification. A file note that says "policy summary generated by Quickli Jiffi AI; cross-checked against ANZ broker policy page, accessed 27 May 2026" is sufficient. The point is the verification step exists and is recorded.
Question 4: Client data handling
Spell out what client data is allowed in what tool. Most consumer AI tools (free-tier ChatGPT, free Gemini) train on user inputs by default. Most paid enterprise tiers (ChatGPT Team or Enterprise, Gemini for Workspace, Claude for Work) do not. If your brokerage uses any AI tool with client-identifying information, the tier must be the enterprise tier, and the policy must say so.
If your brokerage uses consumer-tier AI for any task, the policy must specify that client-identifying information is removed before the prompt is entered. This is not a theoretical concern. The OAIC has previously sanctioned organisations for inadvertent data exposure via consumer AI tools, and the broker channel is increasingly visible to the regulator.
Question 5: Accountability
Name the person. In a solo brokerage, this is you. In a firm, this is one named principal or compliance lead. The role is responsible for reviewing the AI policy at least quarterly, updating the approved tool list when new tools are adopted or retired, and being the point of contact for the team when an AI use case is uncertain.
The accountability question is the one ASIC and aggregator auditors care about most, because it answers the unstated next question: "Who do we call if something goes wrong?" A policy with no named owner is a policy that does not exist in practice.
Practical Steps for Implementation
Once the one-pager is written, the implementation work is short.
Save it as a PDF in the same folder where your other compliance documents live. Print one copy and have it physically signed by every broker and support staff member who uses any AI tool. Add a line item to your weekly team huddle: "Any new AI tools introduced this week?" — and update the policy if the answer is yes.
Add a one-line acknowledgement to your CRM file note template: "AI tools used in this file: [Y/N]. If Y, output verification method: [text]." This is the single most important operational change. It creates the documentation trail that retrospective compliance review needs to find.
Set a calendar reminder for the first business day of each quarter to review the policy. AI tool capabilities are changing fast — Quickli, Salestrekker, and ScaleConnect all push significant feature updates two to four times a year, and your policy should reflect what those tools actually do, not what they did 12 months ago.
Risks and Blind Spots
The most common blind spot is third-party AI use buried in tools brokers do not think of as "AI." Microsoft Outlook now drafts replies using Copilot by default in many enterprise tiers. Google Workspace summarises emails. Aggregator software includes AI-powered policy lookup. CRM tools auto-generate file notes. If your policy lists only the brokerage's deliberate AI tools and does not address the AI quietly running in the background of every other tool, your policy is incomplete.
The fix is a single line in the policy: "Where AI features are embedded in our core business tools (CRM, email, aggregator platform), broker review of outputs remains the default before any output enters a client file or client communication."
A second blind spot is the assumption that the policy needs to be sophisticated to be respected. Aggregator auditors are not looking for ISO-27001-level documentation. They are looking for evidence of considered judgement. A one-page policy that is clearly thought through and consistently applied carries more weight than a 30-page document that was downloaded from a template site and never read.
Opportunities for the Proactive Broker
Brokers who close this gap early benefit in three ways beyond compliance.
First, the policy itself becomes a referral-partner asset. Sharing the one-pager with conveyancers, accountants, and financial planners — many of whom face the same governance gap in their own profession — positions your brokerage as the strategic, modern, compliance-aware operator in their network. This is the kind of business credibility marketing money cannot easily buy.
Second, AI policy work surfaces operational improvements. Walking through the "approved use cases" question forces a brokerage to look at which AI tools are actually pulling weight and which are noise. Most brokerages discover that they are paying for two or three overlapping AI tools and using a fraction of the features.
Third, the documentation discipline transfers. A brokerage that has done the work on AI policy finds it easier to do the next round of compliance work — cybersecurity policy, AML/CTF refresh, BID file improvements — because the muscle of "write the policy, sign it, file it, review it quarterly" is now built.
Conclusion
The 97% gap is not a technology problem. It is a documentation problem, and it can be closed in a single working afternoon. The brokers who close it now buy themselves margin against the next ASIC review, the next aggregator audit, and the next AI tool that quietly enters their workflow without them noticing. The brokers who do not close it will eventually be asked the question — by an auditor, a regulator, or a client whose file went wrong — and will not have a defensible answer. Write the one-pager this quarter. The cost is two hours and a PDF. The value is the structural credibility that takes years to rebuild once it is lost.
Broker Action Checklist
- Block 90 minutes this week to draft the five-question one-pager
- List every AI tool currently in use across the brokerage (including the embedded ones)
- Confirm enterprise-tier subscriptions where client data is involved
- Add the "AI tools used" line item to your CRM file note template
- Have every broker and support staff member sign the policy
- Set a quarterly calendar reminder for policy review
- Share the policy with your top five referral partners as a credibility signal
Disclaimer: This article is for general information and professional development purposes only. It does not constitute legal, compliance, or financial advice. Brokers should consult their aggregator's compliance team and, where required, seek independent legal advice regarding their obligations under the National Consumer Credit Protection Act 2009 and ASIC's responsible lending guidelines.

