Sample report. Anonymised. Names, figures, and findings illustrative.
Lumen & Lever
AI Usage Control Baseline · Confidential
Leadership Briefing

AI Usage Control Baseline. Meridian Holdings.

Prepared for: The Board, Meridian Holdings
Engagement Sponsor: Group CFO
Engagement Lead: Lumen & Lever
Engagement Period: Two weeks · concluded
Document Version: Final · for Board distribution
Classification: Confidential · Board only

Section 1 · Executive summary

What we found.

Meridian Holdings is at a point most diversified family groups reach roughly twelve months into informal AI use. The pattern is consistent and the implications are now actionable.

The headline finding

AI is already operating across all six business units at Meridian, predominantly through personal accounts, mostly on sensitive material. The binding constraint is not whether to adopt AI. It is governance over what is already happening.

Across 218 staff surveyed, 74% report regular AI use for work tasks. Of those, 61% access AI tools through personal accounts, predominantly ChatGPT and the AI features built into consumer phone and laptop operating systems. 43% have entered information that meets the group's existing definition of confidential, including lease documents, tenant correspondence, employee performance notes, and supplier negotiations.

None of this use is currently logged, sanctioned, or governed. Staff have not been issued guidance. No AI policy exists. No central register of tools is maintained. The exposure is not from an absence of staff capability. It is from an absence of structure around the capability they have already built informally.

A single workflow in the Property division, lease abstraction at renewal, has emerged as the strongest first candidate for a controlled implementation. Roughly 80 leases per year, three weeks of senior paralegal time per cycle, a corpus of accessible documents. The economics are real and the exposure is bounded.

74% of Meridian staff use AI tools at work regularly
Source · Meridian staff survey · n=218

61% access AI through personal accounts
Source · Meridian staff survey · n=161

43% have entered confidential information into AI tools
Source · Meridian staff survey · n=161

0 formal controls currently in place
Source · Meridian governance review

Section 2 · Sector context

The pattern at Meridian is not unusual.

Meridian's findings sit within an established industry pattern. The figures from independent research are consistent with what the Baseline surfaced internally, which gives the leadership team confidence that the controls recommended below are appropriate to the scale of exposure.

90% of organisations report employees regularly using personal AI tools for work, while only 40% have purchased official subscriptions
Source · MIT Project NANDA, State of AI in Business 2025

68% of enterprise employees who use generative AI access it through personal accounts
Source · TELUS Digital, January 2025

57% of those have entered sensitive information into AI tools
Source · Menlo Security 2025 / TELUS Digital

$670K additional cost when a data breach involves shadow AI, on average
Source · IBM Cost of a Data Breach Report 2025

"If employees don't feel safe admitting how they use AI, you fail to manage the risks you can't see and you fail to capture the value you don't know exists. The most effective policies start with psychological safety and transparency, not punishment."

Khullani Abdullahi · Managers at Work, 2025

Section 3 · AI Use Register

What is actually in use, and where.

The register names the AI tools observed in use across Meridian's six operating units. Tools listed have been confirmed through the staff survey, the targeted intake conversations with senior leaders, or both. The register is current as at the close of the engagement and is intended to be maintained by the group's nominated AI governance owner going forward.

| Tool | Primary Use | Account Type | Units | Frequency |
| --- | --- | --- | --- | --- |
| ChatGPT (OpenAI) | Drafting, summarising, research | Personal · 87% | All 6 | Daily |
| Microsoft Copilot | Email, document drafting | Work · partial rollout | Property · Finance | Weekly |
| Otter.ai · Fireflies | Meeting transcription | Mixed · 60% personal | All 6 | Daily |
| Claude (Anthropic) | Long document analysis | Personal · 100% | Property · Hospitality | Weekly |
| Gemini (Google) | Search-augmented research | Personal · 100% | Marketing · Construction | Weekly |
| Canva AI features | Marketing imagery, social | Work · sanctioned | Marketing | Daily |
| Grammarly | Proofreading, tone | Mixed | Property · Hospitality · HR | Daily |
| Built-in OS AI features | Photo, transcription, summary | Personal devices | All 6 | Daily |
| Perplexity | Research with citations | Personal · 100% | Property · Construction | Weekly |
| DALL-E · Midjourney | Marketing image generation | Personal | Marketing | Monthly |

Where AI is being used · share of staff per business unit reporting regular use

Property · 89%
Marketing · 92%
Hospitality · 71%
Childcare · 54%
Beverages · 67%
Construction · 78%

Section 4 · Exposure Classification

Proceed. Conditions. Stop.

Each pattern of observed AI use has been classified against the group's existing risk appetite. The classification model is intended to be operational rather than aspirational. Staff can be told what they may do, what requires sign-off, and what must stop.

| Pattern of Use | Risk Profile | Classification | Volume | Action |
| --- | --- | --- | --- | --- |
| General drafting on public information | Low. No data exposure. | Proceed | Daily, all units | Issue staff guidance |
| Marketing copy and image generation | Low. Brand voice drift. | Proceed | Daily, Marketing | Brand-voice guideline |
| Internal note summarisation | Medium. Internal data drift. | Conditions | Daily, all units | Sanctioned tool only |
| Meeting transcription via personal accounts | Medium-high. Confidential meeting content stored externally. | Conditions | Daily, all units | Move to enterprise tool |
| Lease and contract analysis | High. Commercial obligations. | Conditions | Weekly, Property | Workflow under design |
| Tenant correspondence drafting | High. PII exposure to consumer tools. | Stop | Weekly, Property | Halt pending sanctioned alternative |
| Employee performance note drafting | High. HR confidentiality, regulatory. | Stop | Monthly, HR and managers | Halt immediately |
| Childcare incident note drafting | Severe. Child PII, regulatory. | Stop | Weekly, Childcare | Halt immediately. Audit trail. |
| Supplier pricing and negotiation | High. Commercial confidentiality. | Stop | Monthly, all units | Halt pending review |

Section 5 · Workflow Candidate Shortlist

Where AI would land cleanly, ranked.

Five candidate workflows have been identified through the staff survey, the targeted intake, and the analysis of where current shadow AI use clusters. Each has been scored on three dimensions: business value, exposure profile, and feasibility within twelve weeks. The recommended anchor is named. The remaining candidates are held in backlog.

| Workflow | Value | Exposure | Feasibility | Confidence |
| --- | --- | --- | --- | --- |
| Outgoings reconciliation (Backlog · Property) | High | Medium | Medium | 3 of 5 |
| Marketing copy production (Sanctioned, light governance) | Medium | Low | High | 4 of 5 |
| Meeting summary and action capture (Group-wide, enterprise tool) | Medium | High | High | 4 of 5 |
| Rent review support (Backlog · pending Property data layer) | High | High | Low | 2 of 5 |

Lease abstraction is named as the recommended anchor not because it is the largest opportunity, but because it is the most defensible first move. The volume is real, the documents are accessible, the cost of error is manageable with appropriate review, and the work that staff are already attempting through personal AI tools can be moved into a sanctioned environment with measurable improvement.

Lumen & Lever · engagement note

Section 6 · Control Baseline

Six controls to install in the next ninety days.

The following six controls move Meridian from no formal posture to a defensible operating baseline. Each is named with an owner, a measurable outcome, and an implementation horizon. None require new technology purchases. All are within the scope of the existing leadership team.

i. AI Use Register, maintained quarterly

The register established during this engagement becomes a living document. Updated quarterly through a five-minute staff pulse and a review by the nominated owner.

Owner · Group CIO
Live · 30 days

ii. Staff Use Guidance, single page

One-page document distributed to all staff stating what is sanctioned, what requires sign-off, and what must stop. Published on the group intranet. Reviewed annually.

Owner · Group HR
Live · 14 days

iii. Sanctioned Tool List

A short list of sanctioned AI tools with sanctioned use cases. Personal-account access to sanctioned tools is acceptable for low-risk patterns. Sensitive workflows require enterprise access.

Owner · Group CIO
Live · 30 days

iv. Stop List, with audit trail

Three categories of use are stopped with immediate effect. Tenant correspondence, employee performance notes, and childcare incident notes are not to enter any AI tool until a sanctioned alternative is in place.

Owner · Group Legal
Live · 7 days

v. Enterprise meeting transcription

Existing personal-account use of Otter and Fireflies is migrated to the group's Microsoft 365 environment, where transcription inherits the existing data residency and access controls.

Owner · Group CIO
Live · 60 days

vi. AI Governance Forum, quarterly

A standing 60-minute quarterly forum chaired by the Group CFO. Reviews the register, surfaces new patterns, ratifies tool list changes, and signs off any new workflow commencing.

Owner · Group CFO
First sitting · 60 days

Section 7 · Summary Position

The single page for the Board.

The position below is the Board-grade single-page summary of the Baseline. It is intended for inclusion in the next Board paper without further translation.

For Board Distribution

Meridian Holdings has an undeclared but material AI footprint, and the right next move is to make it declared.

  • Current state. AI is in regular use by 74% of staff across all six business units. 61% of that use is through personal accounts. 43% has touched material the group considers confidential. No formal controls are in place.
  • Risk position. The exposure is consistent with sector pattern but currently uncontained. Three patterns of use are recommended for immediate halt. Five further patterns require conditions. Two are appropriate to proceed with light governance.
  • Recommended controls. Six controls to install over 90 days. None require new technology. All sit within the existing leadership team's scope. Total estimated internal effort: roughly 12 person-days across six owners.
  • Recommended next investment. A bounded Implementation Control Brief on lease abstraction at renewal, the strongest workflow candidate identified. Not an AI build. A controlled brief that defines what an internal team or external partner must satisfy before any system is commissioned.
  • What this engagement does not do. This Baseline does not select tools, build software, or commit the group to any specific vendor. It establishes the position from which subsequent decisions can be made with evidence.
Section 8 · Recommended Next Steps

What to do next, in order.

Three options for the Board, ranked by structural priority. The recommended path is the first. The remaining two are listed for completeness.

Recommended

Commission an Implementation Control Brief on lease abstraction at renewal.

The Property division's lease abstraction workflow has emerged as the strongest first candidate. Approximately 80 leases per year. Three weeks of senior paralegal time per cycle. A defined corpus of accessible documents. Staff are already attempting this work informally through ChatGPT, with predictable variability in output quality.

An Implementation Control Brief defines what an internal team, current IT provider, software vendor, or specialist AI implementation partner must satisfy before the workflow is trusted in business use. It does not build the system. It produces the document the implementer can build against and the buyer can hold them to.

Engagement: Implementation Control Brief
Duration: 2 weeks
Investment: AUD 15,000 to 18,000
Output: Implementer-ready brief, acceptance criteria, evaluation framework, production gates

Alternative

Resolve the Property data layer first via a Document Structure Review.

If the Board's preference is to resolve technical readiness before commissioning an implementation brief, a Document Structure Review of the lease corpus would test whether the source material can support reliable AI use. This is the right move only if there is concern about the extraction reliability of the existing lease documents. Based on the engagement findings, this concern is moderate but not pressing.

Engagement: Document Structure Review
Duration: 1 week
Investment: AUD 9,500 to 12,500
Output: Document-ingestion risk assessment, remediation priorities

If circumstances change

Defer to a Structural AI Architecture Sprint when the engagement scope expands.

If the conversation moves beyond a single workflow into broader AI capital allocation, vendor governance, lifecycle control, and Board-level scale readiness, a four-week Structural AI Architecture Sprint becomes the appropriate engagement. This is not the immediate next step. It is the appropriate step in the medium term if AI becomes a material capital question for the group.

Engagement: Structural AI Architecture Sprint
Duration: 4 weeks
Investment: AUD 40,000 to 55,000
Output: Board-grade structural briefing, capital gate recommendation