Australian Regulation

Australia's AI regulatory landscape.

Nine regulatory instruments. Multiple regulators. All active. This is the complete map of what Australian organisations must do — and where enforcement is heading — on AI governance.

Key dates

  • Oct 2025: AI6 Guidance for AI Adoption released — supersedes 10-guardrail VAISS
  • Dec 2025: National AI Plan released — mandatory guardrails abandoned, AISI announced
  • 1 Jul 2025: APRA CPS 230 fully operative
  • Dec 2026: Privacy Act amendment — privacy policies must address substantially automated decisions (already passed)
  • 2026–27: Privacy Act reform — "fair and reasonable" test for data processing progressing through Parliament
  • Aug 2026: EU AI Act transparency obligations — chatbot disclosure etc.
  • Dec 2027: EU AI Act high-risk AI (Annex III) — applies to AU orgs with EU customers
  • 2026: ACCC continuing digital platform enforcement program
  • Ongoing: AI workplace standards development — Fair Work Commission

The nine frameworks

What each framework requires, who it applies to, and where to start.

AI Safety Standard: In force (voluntary)

Australia's Voluntary AI Safety Standard

Issued by: Department of Industry, Science and Resources
Applies to: All Australian organisations using AI
Key obligations
  • Practice 1: Accountability — named organisational responsibility for AI governance
  • Practice 2: Risk management — proportionate to AI risk level throughout lifecycle
  • Practice 3: Human oversight — appropriate to context, meaningful (not rubber-stamping)
  • Practice 4: Transparency — disclosure about AI use and automated decisions
  • Practice 5: Privacy and data governance — APP compliance for AI systems
  • Practice 6: Continuous improvement — ongoing monitoring and incident management

The AI6 framework replaced the 10-guardrail VAISS in October 2025. It is more operationally prescriptive. Voluntary status is narrowing: government procurement and enterprise buyers increasingly reference AI6. From December 2026, a new Privacy Act obligation requires disclosure of substantially automated decisions — this element is statutory, not voluntary.

Privacy Act: In force (mandatory)

Privacy Act 1988 and the Australian Privacy Principles

Issued by: Office of the Australian Information Commissioner (OAIC)
Applies to: Organisations with turnover >$3M, health information handlers, government contractors
Key obligations
  • APP 1 — Privacy policy must address AI-driven data processing
  • APP 3 — Collection only for purposes individuals would reasonably expect
  • APP 6 — Use and disclosure limited to original collection purpose
  • APP 11 — Reasonable security measures for AI systems handling personal data
  • Notification obligations when AI affects individual rights
  • Reform agenda: incoming "fair and reasonable" test for data processing

Most organisations using AI to process customer data have a non-compliant privacy policy. APP 3 and APP 6 frequently conflict with AI training practices. OAIC enforcement is active.

APRA: In force (mandatory for regulated entities)

APRA Prudential Standards: CPS 230, CPG 234, CPS 220

Issued by: Australian Prudential Regulation Authority
Applies to: Banks, insurers, superannuation funds, and other APRA-regulated entities
Key obligations
  • CPS 230 — AI in material business activities is an operational risk requiring management
  • CPG 234 — AI systems are information assets subject to information security standards
  • CPS 220 — AI risk must be identified and managed in the enterprise risk framework
  • Model risk management frameworks must extend to ML/AI models
  • Third-party AI providers subject to CPS 230 outsourcing requirements
  • Board and senior management accountability for AI risk

APRA supervisory conversations increasingly address AI governance. Entities with model risk frameworks need to assess whether those frameworks apply adequately to ML systems.

ASIC: In force (mandatory)

ASIC Conduct Obligations in Financial Services AI

Issued by: Australian Securities & Investments Commission
Applies to: Financial services licensees, credit providers, insurers, financial advisers
Key obligations
  • Responsible lending obligations apply to AI-driven credit assessment
  • Best interests duty applies to AI-assisted financial advice
  • RG 271 — AI-driven decisions subject to IDR obligations
  • AI chatbots making product representations create conduct liability
  • Anti-hawking provisions apply to AI-initiated contact
  • Market conduct obligations apply to algorithmic trading and pricing

ASIC has explicitly stated that Australian Consumer Law and financial services conduct obligations apply fully to AI-driven interactions and decisions.

ACCC: In force (mandatory)

Australian Consumer Law and ACCC Enforcement

Issued by: Australian Competition & Consumer Commission
Applies to: All businesses operating in Australia
Key obligations
  • Prohibition on misleading and deceptive conduct applies to AI-generated content
  • AI chatbot false representations are the deploying organisation's legal liability
  • Dynamic pricing AI subject to unconscionable conduct provisions
  • Dark pattern AI subject to ACL prohibitions
  • Algorithmic price discrimination can breach anti-discrimination and ACL provisions
  • AI-generated advertising must comply with ACL representations standards

ACCC has enforcement history in digital platform contexts. AI-related consumer law breaches are not low-risk. The ACCC Chairman has explicitly identified AI as a priority area.

Fair Work: In force (mandatory)

Fair Work Act and AI-Driven Workplace Change

Issued by: Fair Work Commission and Fair Work Ombudsman
Applies to: All employers of national system employees
Key obligations
  • Consultation obligations triggered by AI-driven major workplace change
  • AI performance data subject to procedural fairness requirements
  • Redundancy driven by AI must still meet FWA genuine redundancy tests
  • Many enterprise agreements have specific technology change consultation clauses
  • AI monitoring subject to state-based workplace surveillance laws (especially NSW, ACT)
  • Anti-discrimination law applies to AI-driven employment decisions

The Australian Government has committed to developing AI workplace standards. This area is actively developing — watch for Awards and enterprise agreement provisions.

Privacy Amendment: In force (mandatory from December 2026 for ADM)

Privacy and Other Legislation Amendment Act 2024

Issued by: Attorney-General’s Department / OAIC
Applies to: All entities subject to the Privacy Act 1988
Key obligations
  • Section 16H — Entities must include automated decision-making information in their privacy policy
  • Definition of “substantially automated decision” — decisions where AI output is determinative or near-determinative
  • Privacy policy must describe the kinds of decisions that are substantially automated
  • Obligation operative from December 2026 — privacy policies need updating now
  • Criminal penalty provisions for serious interferences with privacy (up to $50M)
  • Statutory tort for serious privacy invasions — new individual right of action

The ADM disclosure obligation (Section 16H) is the first statutory AI transparency requirement in Australian law. It is already passed and operative from December 2026. Organisations must audit their AI-assisted decision-making processes now.

AI6 Framework: In force (voluntary, increasingly required)

Australia's AI6 Guidance for AI Adoption (October 2025)

Issued by: Department of Climate Change, Energy, the Environment and Water (DCCEEW)
Applies to: All Australian Government entities (mandatory in spirit); all organisations (best practice)
Key obligations
  • Transparency — be transparent about AI use and what data is collected
  • Fairness — AI decisions must be fair and not discriminate unlawfully
  • Reliability — AI systems must perform as intended and be regularly tested
  • Privacy and security — personal data used in AI must be protected appropriately
  • Contestability — individuals must be able to challenge AI-assisted decisions
  • Accountability — clear responsibility for AI outcomes at the organisational level

AI6 replaced the 10-guardrail Voluntary AI Safety Standard in October 2025. It is voluntary for private sector organisations but mandatory in practice for government entities. Government procurement increasingly requires AI6 alignment. Enterprise buyers are beginning to reference AI6 in AI vendor due diligence.

CPS 230: In force from 1 July 2025 (mandatory)

APRA CPS 230: Operational Risk Management

Issued by: Australian Prudential Regulation Authority
Applies to: All APRA-regulated entities: banks, insurers, superannuation funds
Key obligations
  • AI systems in material business activities are “material service arrangements” requiring governance
  • Board must approve risk appetite for operational risk — AI risk is explicitly included
  • Service provider management: AI vendors must be assessed under CPS 230 outsourcing standards
  • Business continuity planning must address AI system failure scenarios
  • Operational incident reporting now includes AI system failures and unexpected outputs
  • Concentration risk: single AI provider dependency must be assessed and managed

CPS 230 is now fully operative. APRA supervisory conversations increasingly probe AI governance. Entities using third-party AI services (including cloud AI APIs) as part of material business activities should review whether those arrangements meet CPS 230 requirements.

The bottom line for Australian organisations

Australia does not have a single comprehensive AI law. It has something more complex: nine regulatory instruments across multiple regulators, all applying simultaneously, with overlapping obligations and different enforcement mechanisms.

For most Australian enterprises, Privacy Act compliance is the immediate priority — because it is already mandatory, already applies to most AI use cases, and the OAIC actively enforces it. The AI Safety Standard provides the governance framework that positions you well regardless of how the regulation evolves. APRA and ASIC obligations apply as sector-specific overlays for financial services entities. ACCC and Fair Work obligations apply across the board.

The direction of travel is clear: toward more formal obligation, broader enforcement, and higher standards of evidence. Organisations that build strong AI governance now — before it is required — will find adaptation straightforward. Those that wait for mandatory requirements will find themselves in catch-up mode under regulatory scrutiny.
