Introduction
Australia has no standalone AI Act. That does not mean AI is unregulated. It means the obligations sit inside the laws you already answer to: privacy, consumer law, anti-discrimination, intellectual property, negligence and the duties owed by company directors. Add one concrete near-term obligation that lands on 10 December 2026, and AI governance is best handled as a legal task rather than a technical one.
This article sets out where the law genuinely stands as at June 2026, what is coming, and the practical steps that position a business well. It is written for boards, directors and owners who are deploying AI tools across their operations and want to do it without creating a problem they have to explain later.
No AI Act, but plenty of law
Australia has not passed a dedicated AI law and, on current policy, is not about to. The Federal Government consulted on whether to introduce mandatory guardrails for high-risk AI, but the National AI Plan, released in December 2025, confirmed that Australia will rely on existing, technology-neutral laws and sector regulators, supported by voluntary guidance and a new AI Safety Institute. In plain terms, the proposal for immediate mandatory high-risk guardrails has been shelved. AI regulation in Australia, for now, is the regulation you already live with, applied to a new tool.
Two pieces of guidance matter alongside that decision. The Voluntary AI Safety Standard, released on 5 September 2024, sets out ten voluntary guardrails for organisations deploying AI. In October 2025 the National AI Centre published updated Guidance for AI Adoption, built around six essential practices. Both are voluntary. Neither creates a new cause of action. But both are becoming the reference point for what a reasonable organisation is expected to do, which is exactly why they matter to directors.
Here is the practical consequence. When something goes wrong with an AI system, a regulator, a court or a counterparty will not ask whether you breached “the AI Act”. They will ask whether you met your existing obligations, and whether your conduct was reasonable. Voluntary guidance shapes that reasonableness standard. Ignoring it is a choice you may have to defend.
The laws that already apply to your AI use
Treat AI as a new way of doing things you are already accountable for, rather than a separate legal category. The exposures cluster in a few areas.
Privacy
If an AI tool collects, uses or discloses personal information, the Australian Privacy Principles apply in full. Feeding personal information into a model, training on it, or generating outputs about identifiable people are all privacy events. The privacy reforms of recent years have sharpened this: a statutory tort for serious invasions of privacy commenced on 10 June 2025, and the OAIC now holds strengthened enforcement powers, including infringement and compliance notices and a tiered civil penalty regime. We cover these reforms in detail in “the privacy reforms boards need on the cyber radar this financial year”.
Consumer law
The Australian Consumer Law prohibits misleading or deceptive conduct. An AI system that produces inaccurate claims about your products, or a chatbot that gives customers inaccurate information they rely on, can put you in breach regardless of the fact that a machine generated it. Responsibility does not transfer to the tool.
Anti-discrimination
An AI model used in recruitment, lending, pricing or service decisions can produce discriminatory outcomes even where no one intended it. Existing anti-discrimination law applies to the outcome, not the intention behind the code.
Intellectual property and confidentiality
Inputs and outputs both carry risk. Putting confidential client material or trade secrets into a public AI tool can waive confidentiality. Relying on AI-generated content can raise infringement and ownership questions you should resolve before publishing or reusing it.
Directors’ duties
Adopting AI across material parts of a business is a governance decision. The duties of care and diligence under the Corporations Act extend to overseeing material technology and data risk, and AI deployment can fall squarely within that.
The one near-term deadline: 10 December 2026
The most concrete near-term AI-specific obligation for most businesses is the automated decision-making (ADM) transparency requirement, which commences on 10 December 2026.
From that date, APP entities must disclose in their privacy policy where computer programs make, or substantially help make, decisions that could significantly affect an individual. The disclosure must cover the kinds of personal information used and the kinds of decisions made. If you use software to assess loan applications, screen job candidates, set prices for individuals, allocate services or make any decision with a significant effect on a person, your privacy policy will need to say so, accurately.
This is not a technical exercise. It requires you to map where automated and AI-assisted decisions actually happen across your business, classify which of them significantly affect individuals, and then draft disclosure that is true and complete. Many organisations will discover decisions are being automated in places they had not catalogued. If the mapping has not begun, starting now leaves enough time to do this properly, and not much more.
What good AI governance looks like
You do not need a large program. You need a small number of things done well, documented, and prepared with your legal exposure in mind.
- An AI acceptable-use policy: Set out which tools are approved, what may and may not be entered into them, who is accountable, and the rules on confidential and personal information. A policy scoped so that privilege can attach where properly engaged, and drafted with the legal exposures front of mind, is worth more than a generic template.
- A deployment risk assessment: Before adopting an AI tool for anything that touches customers, staff, money or decisions about people, assess it against privacy, consumer-law, discrimination, IP and confidentiality exposure. Keep the assessment on file.
- Vendor contracts that hold up: AI vendor terms vary widely on data use, training rights, confidentiality, liability and where data is processed. Review the contract before you commit. Standard SaaS terms are often inadequate for AI tools that ingest your information.
- ADM readiness for 10 December 2026: Map automated and AI-assisted decisions, identify those that significantly affect individuals, and prepare the privacy-policy disclosure now.
- Board visibility: AI risk should appear in board reporting alongside cyber and privacy, not sit unexamined in operations.
How GRM LAW helps
GRM LAW’s AI Governance Counsel is built for exactly this. It delivers automated decision-making readiness for the 10 December 2026 obligation, an AI acceptable-use policy scoped so that privilege can attach where properly engaged, a legal review of the AI tools you actually use (for example Microsoft Copilot or ChatGPT), and a board paper on AI risk. It is available as a defined project or as a retainer add-on, depending on how much ongoing support you want.
The point of difference is that this is legal work. We sit it within your wider privacy and cyber obligations, we keep the framing commercial, and we prepare the policies with the exposures we have seen in real matters firmly in mind.
AI governance is most affordable before a problem arises, and most useful when it is done as legal work rather than a checklist. To ensure your organisation is meeting its evolving obligations, book a no-obligation 30-minute scoping call with the cyber and privacy lawyers at GRM LAW.
To get oriented first, you can also request our free Cyber Readiness Checklist to assess your current risk profile.
Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.