AI governance for Australian procurement teams

Procurement teams are on the front line of AI governance: they are the ones buying AI tools, negotiating vendor contracts, and managing third-party AI risk. For Australian organisations, procurement decisions about AI vendors create regulatory exposure under APRA (Australian Prudential Regulation Authority) CPS 230, the Privacy Act, WHS legislation, and anti-discrimination law.

Before you buy: the assessment

Vendor data handling. Does the vendor use your data for model training? Consumer-tier tools typically do; enterprise-tier tools typically don't. Get the answer in the contract, not from marketing materials. Request the vendor's Data Processing Agreement.

Security. SOC 2 Type II is the minimum for enterprise AI procurement; ISO 27001 is preferred. ISO/IEC 42001 (AI management system) is increasingly expected for material AI vendors. Ask about adversarial testing and incident response capabilities.

Regulatory compliance. For APRA-regulated entities: AI vendors are material service providers under CPS 230 and must meet its contractual requirements (service descriptions, locations, security, audit rights, sub-outsourcing, exit provisions). APRA's limited NTSP exemption categories do not cover AI vendors.

Risk classification. Classify the AI procurement by risk tier before negotiating: what data goes in, what decisions come out, who is affected, what happens if the AI fails. High-risk AI (affecting customers, regulated decisions, safety) needs deeper assessment than low-risk (internal productivity tools).

Contract provisions

No-training commitment (contractually binding). DPA with AI-specific provisions. Sub-processor disclosure and change notification. Model change notification for material updates. Performance SLAs with measurable benchmarks. AI-specific incident notification. Audit rights. IP indemnification. Exit provisions with data return and deletion. For APRA entities: CPS 230 compliant service agreements.

Ongoing vendor management

AI vendor management is not set-and-forget. Monitor: vendor performance against SLAs; security attestation currency; vendor incident reports; sub-processor changes; ownership and financial stability; concentration risk. APRA expects ongoing management, not just point-of-procurement assessment.

Primary sources: APRA CPS 230 · OAIC (Office of the Australian Information Commissioner)
