
    Your Company Secretary Is Using AI — Does Your Board Know How It's Being Governed?

    Nathan Carroll
    19 May 2026

    The company secretary is the most governance-critical role in your organisation. They maintain the statutory registers, prepare the board minutes, track ASIC obligations, manage resolutions, and ensure the directors have what they need to discharge their duties properly.

    They are also, right now, quietly using AI to do it.

    Most boards don't know. And almost none have asked the question that matters: what governance framework sits around how our company secretary uses AI?

    This isn't a technology story. It's a governance story — and the gap between AI adoption and board oversight is where liability lives.

    The Quiet AI Revolution in the Company Secretary's Office

    Company secretaries are pragmatic professionals. When a tool saves time without introducing obvious risk, they use it. And AI tools — particularly large language models and AI writing assistants — save significant time on the tasks that consume most of a company secretary's week.

    Drafting board minutes from meeting notes takes hours. AI can produce a working draft in minutes from a transcript or bullet-point summary. Routine resolutions, notices, and director consent letters — documents that require precision but follow predictable structures — are natural fits for AI assistance. Researching compliance requirements, summarising regulatory updates, checking disclosure obligations against changing rules: all of this is being done with AI tools in company secretaries' offices right now.

    A 2025 survey by the Governance Institute of Australia found that over 60% of company secretaries had used AI tools at least once in the past 12 months for governance-related work. More than 30% used AI tools weekly. Fewer than 15% said their organisation had a formal policy governing that use.

    The adoption curve has been steep. The governance curve has barely moved.

    What AI Tools Company Secretaries Are Actually Using Right Now

    The tools in use are not exotic. They are the same consumer and enterprise AI platforms being used across every function in a modern business.

    Large language models (ChatGPT, Claude, Gemini) are being used to draft minutes, prepare notices of meeting, generate consent letters, summarise long regulatory documents, and draft agenda items. These are used via web interfaces, often without any enterprise data controls, on documents that include confidential board discussions and personal information about directors and officeholders.

    AI writing assistants embedded in Microsoft 365 (Copilot) and Google Workspace are increasingly used directly within document workflows — meaning AI is touching draft resolutions, board packs, and statutory registers inside the document environment itself.

    Compliance research tools with AI capabilities are used to track ASIC changes, interpret regulatory updates, and assess compliance obligations for specific entity types.

    AI-native entity management platforms like EntityFlo have AI built into the governance workflow itself — drafting documents from live entity data, monitoring compliance in real time, and surfacing issues across the portfolio automatically.

    The critical difference between the first three categories and the last is governance by design. EntityFlo's AI works within a controlled, auditable environment where every action is logged and the data it uses is structured and verified. Consumer AI tools and generic office assistants operate without those controls — and that's where the governance gap lives.

    The Governance Gap — When Your Governance Officer Has No Governance Over Their Own Tools

    Here is the core irony: the person responsible for your organisation's governance framework is using technology that your governance framework doesn't cover.

    Consider what happens when a company secretary uses an uncontrolled AI tool to draft board minutes. The AI ingests the meeting notes — which contain confidential board deliberations, material non-public information, strategic discussions, and personal information about directors. Where does that information go? Who has access to it? Is it being used to train the model? Is it stored offshore? Is it subject to Australian privacy law?

    Most company secretaries don't know the answers to those questions. Most boards have never asked them.

    The liability exposure is real. Under the Privacy Act 1988, disclosure of personal information to a third party — including an AI model operator — without appropriate consent or contractual protections is a potential breach. Under the Corporations Act, directors have a duty to act in good faith and in the best interests of the company; a director who later discovers that confidential board discussions were exposed to an uncontrolled AI service has a legitimate grievance about how their information was handled.

    Then there is the accuracy risk. AI tools hallucinate. They produce plausible-sounding text that is factually incorrect, and they do so without flagging uncertainty in a way that non-expert reviewers reliably catch. A company secretary under time pressure, reviewing an AI-generated board minute against their own imperfect notes, may not catch every error. An incorrect minute — particularly one that misrecords a board decision, a director's disclosed interest, or whether a resolution was or wasn't passed — is a governance record with legal consequences.

    None of this means AI tools should be banned from company secretarial work. It means the governance framework around those tools needs to exist before the tools do — or, since adoption has already happened, now.

    What an AI Governance Policy Needs to Cover for Company Secretarial Work

    A functional AI governance policy for the company secretary's function is not a long document. It is a precise one. It needs to answer several specific questions.

    Approved tools and data classification rules

    Which AI tools are approved for which categories of work? Consumer AI tools (ChatGPT, Claude via web interface) should not be used with confidential board information, personal data of directors and officeholders, or material non-public information. Enterprise tools with appropriate data processing agreements may be approved for different categories. AI-native governance platforms with purpose-built controls are the appropriate environment for AI-assisted governance work.

    Review requirements and accuracy obligations

    Every AI-generated governance document — minutes, resolutions, notices — must be reviewed by a qualified person before execution. The policy should specify that the reviewing person takes professional responsibility for the document's accuracy; AI assistance does not transfer liability to the tool.

    Audit trail requirements

    Where AI tools are used, the audit trail should reflect it. This is not about liability avoidance — it is about transparency. A board pack prepared with AI assistance should be no less reliable than one prepared without it; but the preparation process should be documented.

    Incident response

    What happens when an AI tool produces a materially incorrect governance record that wasn't caught in review? The policy needs an incident response pathway: who is notified, how the record is corrected, whether the error needs to be disclosed.

    Annual review cadence

    AI tools evolve rapidly. A policy written for the tools available in 2025 will be inadequate by 2027. Build in a mandatory annual review with the company secretary, the risk function, and the board's audit and risk committee.

    Board Oversight of AI: The Questions Directors Should Be Asking

    Directors don't need to become AI experts. But they do need to ask the right questions — and right now, most boards aren't asking them at all.

    "What AI tools does our company secretary currently use in their governance workflow?"

    This is the baseline question. Many boards will be surprised by the answer.

    "Do we have a policy governing the use of AI in the preparation of our governance records?"

    If the answer is no — or "I think so, but I'm not sure" — that gap needs to be closed at the next board meeting.

    "What data controls are in place to prevent confidential board information being exposed to uncontrolled AI environments?"

    This is the privacy and information security question. The risk committee should own it, but the full board should understand the answer.

    "What is our review process for AI-generated governance documents before they are executed?"

    AI assistance does not reduce the quality standard for governance records. Directors need to know that human professional review is happening before they execute resolutions or sign off on minutes.

    "How will we know if an AI tool has produced an error in our governance records?"

    Detection, not just prevention. The governance framework needs to address what happens when something goes wrong.

    "Is our AI governance policy being reviewed annually as the tools evolve?"

    Static policies become liabilities in fast-moving technology environments.

    How to Build an AI Use Framework Without Killing Productivity

    The risk of getting AI governance wrong in the company secretary's office is not that boards overreact and ban the tools. The risk is that they write vague, unworkable policies that don't actually change behaviour — and create a false sense of compliance while the real risks continue.

    A practical AI use framework for the company secretary's function has three components.

    Tool classification: Tier your AI tools. Tier 1 — AI-native governance platforms (EntityFlo, purpose-built tools with data controls and audit trails) — approved for all company secretarial work. Tier 2 — enterprise AI tools with appropriate data processing agreements and data residency guarantees — approved for non-confidential drafting and research with sign-off. Tier 3 — consumer AI tools — not approved for any work involving confidential information, personal data, or governance records.

    Process integration, not process addition: The review step for AI-generated documents should be built into the existing approval workflow, not added as a separate gate. If the company secretary already has a sign-off process before board minutes go to the chairman for approval, the AI review happens at the same point. Don't create a new compliance burden — integrate the standard into the existing one.

    Capability investment: The most effective safeguard against AI-generated errors in governance records is a company secretary who understands both governance requirements and AI limitations. The framework should include a commitment to ongoing professional development — specifically, education on where AI tools fail and how to catch failures in review.

    The goal is not AI-free governance. The goal is AI-governed AI use in governance. Those are very different things — and the distinction is where the best-run boards are already operating.


    Frequently Asked Questions

    Should the board approve which AI tools the company secretary uses?

    The board should establish the governance framework — including the tool classification policy — and delegate operational implementation to the company secretary and the risk function. The board doesn't need to approve each specific tool, but it should approve the criteria by which tools are classified and the controls required at each tier. Annual reporting on AI tool usage in the governance function should come to the audit and risk committee.

    What happens if AI-generated board minutes contain an error that isn't caught?

    An uncorrected error in board minutes is a governance record issue with potential legal consequences. The immediate response is to identify the error, convene a correction process (which may require ratification at the next board meeting), and assess whether any material decision or legal position is affected. If the error was material, legal advice should be obtained. The company secretary should document the circumstances, and the policy should be updated to address the gap that allowed the error through review.

    Do directors have a duty of care obligation around AI tools used in governance?

    Directors have a duty to act with reasonable care and diligence under the Corporations Act 2001 (s180). This includes taking reasonable steps to ensure that the governance processes they oversee are fit for purpose. If the board was aware that AI tools were being used in the preparation of governance records without appropriate controls — and took no action — that could constitute a failure of duty of care in the event of a material governance failure. The standard is what a reasonable director would have done, not perfection. But "we didn't think to ask" is increasingly hard to sustain as AI in the company secretary's office becomes common knowledge.

    How do we create an AI governance policy for the company secretary's function?

    Start with a one-page audit: what tools is the company secretary currently using, for which tasks, and under what (if any) controls? From that baseline, apply a tool classification framework — which tools are approved for which data categories — and add review requirements for AI-generated governance documents. Run a draft policy past your legal team for privacy law compliance, and put it to the audit and risk committee for adoption. Review annually. If you want to accelerate the process, EntityFlo's governance team can provide a starting framework aligned to Australian compliance requirements.

    What's the difference between AI-assisted governance and AI-native governance?

    AI-assisted governance means using AI tools to help with tasks that exist in a traditional governance workflow — using ChatGPT to draft minutes, using Copilot to summarise documents. The governance framework is traditional; AI helps execute it. AI-native governance means the governance framework itself is built around AI capabilities from the ground up — compliance monitoring that runs continuously rather than periodically, document generation from live verified data rather than blank templates, automatic obligation tracking that updates in real time as regulations change. EntityFlo is an AI-native governance platform. Traditional entity management software with AI features bolted on is AI-assisted at best.
