Australian AI governance self-assessment (AI6).

AI6 Practice 1 (Accountability) requires clear organisational accountability for AI, a named person with defined responsibility, not a committee. This is the starting point for all other governance.

You cannot govern what you cannot see. An AI inventory is the foundation of all other governance measures.

AI6 Practice 2 (Risk Management) requires identifying, assessing, and mitigating AI risks proportionate to the risk level, high-risk AI applications require more rigorous processes.

Guardrail 4 requires human oversight appropriate to the context and risk level. For high-risk AI decisions, meaningful human review is expected.

A documented, communicated policy is fundamental to consistent AI governance. Guardrail 1 and 2 both implicitly require this.

AI6 Practice 5 (Privacy & Data Governance) cross-references Privacy Act obligations. APP 1 requires your privacy policy to address AI use of personal information. From December 2026, a new statutory obligation requires disclosure of substantially automated decisions.

AI6 Practice 4 (Transparency) requires disclosure about AI use. From December 2026, Australian privacy law will require privacy policies to address substantially automated decisions affecting individual rights.

AI6 Practice 4 (Transparency) and Australian Consumer Law require that individuals affected by AI decisions have meaningful explanation and access to human review.

AI6 Practice 6 (Continuous Improvement) requires ongoing monitoring. AI systems degrade over time, monitoring, incident management, and learning from failures are all part of responsible AI governance.

Every organisation deploying AI at scale will eventually experience an AI incident. Not having a plan makes the response slower and more costly.