Australia's Guidance for AI Adoption (AI6): The Six Essential Practices Replacing the 10 Guardrails

Why the standard changed

The 2024 Voluntary AI Safety Standard was designed as an interim framework while the government considered mandatory AI guardrails. With the December 2025 National AI Plan definitively ruling out mandatory guardrails — at least for now — the NAIC published updated guidance that is less focused on anticipating future regulation and more focused on providing practical, operational guidance for organisations at different stages of AI adoption.

The new Guidance for AI Adoption is also a response to industry feedback that the original VAISS was broad and principles-based in ways that made practical implementation uncertain. The AI6 framework is more prescriptive. It includes detailed "Implementation Practices" guidance for larger organisations and a "Foundations" guide for organisations at earlier stages of AI adoption.

The six essential practices

Practice 1 — Accountability: Establish clear organisational accountability for AI use. This means named responsibility for AI governance — not diffused team ownership — with appropriate authority and reporting structures. Board-level visibility for material AI risks is expected for larger organisations.

Practice 2 — Risk management: Identify, assess, and mitigate AI risks throughout the AI lifecycle, including risks to individuals, organisations, and broader society. Risk management should be proportionate to the risk level of specific AI systems — high-risk AI applications require more rigorous processes than low-risk AI tools.

Practice 3 — Human oversight: Maintain appropriate human oversight and control of AI systems. The appropriate level of oversight depends on context and risk. For AI used in high-stakes decisions affecting individuals — employment, access to services, credit — meaningful human review is expected. Rubber-stamping AI recommendations without genuine independent assessment is not oversight.

Practice 4 — Transparency: Be transparent about AI use with individuals who interact with AI systems or are affected by AI decisions. Transparency obligations interact with the Privacy Act's APP 1 requirement that privacy policies address AI use of personal information. From December 2026, a new statutory obligation requires privacy policies to address substantially automated decisions affecting individual rights.

Practice 5 — Privacy and data governance: Handle personal information in AI systems in accordance with Privacy Act obligations and APP requirements. This practice explicitly cross-references the Australian Privacy Principles and the OAIC's AI privacy guidance. AI training, inference, and monitoring pipelines all must be assessed against applicable APPs.

Practice 6 — Continuous improvement: Monitor AI system performance and safety, and improve governance practices over time. AI systems degrade. Monitoring is not optional for responsible AI governance. The practice includes requirements for incident management and learning from AI failures.

How AI6 relates to the old 10 guardrails

The NAIC has published a crosswalk document identifying corresponding provisions between the VAISS guardrails and the AI6 practices. Organisations that built governance frameworks around the original 10 guardrails do not need to rebuild from scratch — the AI6 practices cover substantially the same ground with different structure and more operational detail.

The key differences are emphasis and operationalisation. The AI6 framework places greater emphasis on the full AI lifecycle (from development through deployment to decommissioning) and provides more specific guidance on what each practice looks like in operation. It is also explicitly two-tiered: a "Foundations" guide for organisations early in their AI governance journey and "Implementation Practices" detail for more mature organisations.

The AISI: Australia's new AI safety body

The Australian AI Safety Institute launched in early 2026 with AUD$29.9 million in initial funding. The AISI's mandate is technical analysis, safety testing, monitoring of AI capabilities and risks, and provision of expert advice to regulators and government. It has no enforcement powers. It is an advisory and research body, not a regulatory authority.

The AISI joins the International Network of AI Safety Institutes alongside comparable bodies in the US, UK, Canada, South Korea, Japan, and Singapore — providing Australia with participation in international AI safety cooperation. Its work will inform whether gaps in existing laws are identified that require targeted legislative amendment.