The regulatory shift: what the December 2025 National AI Plan changed
Throughout 2024 and early 2025, the Australian Government was consulting on mandatory AI guardrails for high-risk AI, a formal regulatory framework that many organisations were preparing for. On 2 December 2025, the National AI Plan definitively ended that expectation. The Government announced it would not pursue a standalone AI Act or mandatory guardrails. Instead, it will rely on existing technology-neutral laws, the voluntary AI6 guidance framework, and the new Australian AI Safety Institute (AISI).
The Plan's approach can be summarised as: existing laws apply to AI just as they apply to other technologies; the Privacy Act, ACL, sector regulation, and common law all already govern AI to a significant degree; where genuine gaps are identified, targeted amendments to existing laws are preferred over a new AI Act. The AISI, launched in early 2026, will help identify gaps and provide technical expertise, but has no enforcement powers.
Why "voluntary" doesn't mean "optional" for enterprises
The gap between what the law formally requires and what organisations must do in practice is narrower than it appears. Several mechanisms are tightening it. Government procurement contracts are beginning to reference the AI6 framework. Enterprise buyers, particularly in financial services, healthcare, and government, are incorporating AI governance evidence into vendor assessments. Directors' duties under the Corporations Act apply to material risks, and AI is increasingly material. The OAIC (Office of the Australian Information Commissioner), ACCC, APRA (Australian Prudential Regulation Authority), ASIC (Australian Securities and Investments Commission), and the Fair Work Commission all have existing powers that apply to AI-related harms. The AI6 framework signals what those regulators will treat as "reasonable" practice.
The Robodebt Royal Commission findings have changed how Australian regulators approach automated decision-making. APRA and ASIC have both updated their supervisory focus in response. ACCC has pursued algorithmic pricing practices. The OAIC has investigated AI-related privacy breaches. This is not a passive enforcement environment.
The Privacy Act reform: the one new obligation that is coming
The Privacy and Other Legislation Amendment Bill 2024, passed in December 2024, includes a new requirement that privacy policies address substantially automated decisions that significantly affect individuals. This comes into effect in December 2026. It is not voluntary. For organisations using AI in consequential decisions (credit assessment, employment screening, insurance underwriting, service access decisions), this creates a specific, legally required disclosure obligation. Most organisations' current privacy policies do not address this. Updating them should be a priority before December 2026.
The strategic advantage for early movers
The regulatory retreat from mandatory guardrails creates genuine uncertainty about where Australian AI regulation will land, and this uncertainty is itself a governance risk. Organisations that have invested in strong AI governance (documented frameworks, clear accountability, monitoring, human oversight of high-risk decisions) are well positioned regardless of how the regulatory landscape evolves. Those that interpret the voluntary framework as permission to wait are accumulating governance debt that will be more expensive to discharge when formal requirements eventually come. And on the current trajectory, globally and domestically, they will come.
Further reading: OECD AI Principles