AI governance for Australian procurement teams
Procurement teams are on the front line of AI governance: they are the ones buying AI tools, negotiating vendor contracts, and managing third-party AI risk. For Australian organisations, procurement decisions about AI vendors create regulatory exposure under APRA (Australian Prudential Regulation Authority) CPS 230, the Privacy Act, WHS legislation, and anti-discrimination law.
Before you buy: the assessment
Vendor data handling. Does the vendor use your data for model training? Consumer-tier tools typically do; enterprise-tier tools typically don't. Get the answer in the contract, not from marketing materials. Request the vendor's Data Processing Agreement.
Security. SOC 2 Type II minimum for enterprise AI procurement. ISO 27001 preferred. ISO/IEC 42001 (AI management system) increasingly expected for material AI vendors. Ask about adversarial testing and incident response capabilities.
Regulatory compliance. For APRA-regulated entities: AI vendors are material service providers under CPS 230 and must meet contractual requirements (service descriptions, locations, security, audit rights, sub-outsourcing, exit provisions). The APRA limited NTSP exemption categories don't cover AI vendors.
Risk classification. Classify the AI procurement by risk tier before negotiating: what data goes in, what decisions come out, who is affected, what happens if the AI fails. High-risk AI (affecting customers, regulated decisions, safety) needs deeper assessment than low-risk (internal productivity tools).
Contract provisions
- No-training commitment (contractually binding)
- DPA with AI-specific provisions
- Sub-processor disclosure and change notification
- Model change notification for material updates
- Performance SLAs with measurable benchmarks
- AI-specific incident notification
- Audit rights
- IP indemnification
- Exit provisions with data return and deletion
- For APRA entities: CPS 230 compliant service agreements
Ongoing vendor management
AI vendor management is not set-and-forget. Monitor: vendor performance against SLAs; security attestation currency; vendor incident reports; sub-processor changes; ownership and financial stability; concentration risk. APRA expects ongoing management, not just point-of-procurement assessment.
Primary sources: APRA CPS 230 · OAIC (Office of the Australian Information Commissioner)
Related reading
- AI for HR and People Teams in Australia: Fair Work, Privacy and What You Must Get Right
- AI for Finance Teams in Australia: Governance, Privacy and Regulatory Obligations
- AI in Australian HR and Employment: What People Teams Must Get Right
- AI Governance for Australian Insurers: APRA, ASIC (Australian Securities and Investments Commission), and the Pricing Fairness Imperative