Australia's approach to AI governance is deliberately technology-neutral: rather than legislate a new AI-specific regime immediately, the federal government has applied existing law, principally privacy and sector-specific financial regulation, while consulting on whether and how to add binding, AI-specific guardrails for high-risk uses. Operators entering this market need to separate what is binding today from what is proposed for tomorrow, and treat both as relevant to a serious compliance programme.
Key takeaways
- The Voluntary AI Safety Standard (DISR, September 2024) sets out ten non-binding guardrails covering accountability, risk management, data governance, testing, transparency, human oversight, and contestability. It is not law, but it is the reference framework Australian regulators and enterprise procurement teams are converging on.
- A companion proposals paper, released alongside the Standard in September 2024, sought views on introducing mandatory guardrails for AI used in high-risk settings. As of mid-2026 this remained a policy proposal rather than enacted legislation, with no binding cross-economy AI statute in force.
- The Privacy Act 1988 (Cth) is the binding federal law that reaches most AI deployments processing personal information, enforced by the Office of the Australian Information Commissioner (OAIC). Reforms since 2022 have raised penalties substantially and are moving toward specific transparency requirements for automated decision-making.
- ASIC's Report 798 (October 2024) and APRA's Prudential Standard CPS 230 (effective 1 July 2025) are the most developed sector-specific AI governance instruments, both directed at regulated financial entities and their AI-using service providers.
- Australia's framework is substantially less prescriptive than the EU AI Act today, but the direction of travel, from voluntary standard to proposed mandatory guardrails, mirrors the EU's own earlier trajectory and should not be read as a permanently light-touch position.
The regulatory landscape
Australia's AI governance environment in 2026 sits across four layers, and an operator's obligations depend heavily on which layer applies to its specific deployment.
The first layer is the Voluntary AI Safety Standard, published by the Department of Industry, Science and Resources in September 2024.[1] It sets out ten guardrails intended to help organisations deploy AI safely and responsibly, covering accountability processes, risk management, data governance, testing and monitoring, human oversight, transparency to end users, contestability of AI-assisted decisions, and supply chain transparency. Compliance is not mandatory, but the Standard functions as the reference point regulators cite when assessing whether an organisation's AI governance is adequate under existing, unrelated legal obligations.
The second layer is the proposed mandatory guardrails regime. Released the same month as the Voluntary Standard, the government's proposals paper, "Safe and Responsible AI in Australia," sought views on three regulatory options ranging from a light-touch amendment of existing laws to a standalone cross-economy AI Act.[2] Public consultation closed in October 2024. As of mid-2026, the government had not enacted a standalone AI statute, and operators should treat mandatory guardrails as a live policy direction rather than a current binding obligation, while recognising that the ten guardrails in the Voluntary Standard are the most likely basis for any future mandatory regime.
The third layer is data protection law under the Privacy Act 1988, the binding federal law most directly relevant to AI deployments that process personal information.
The fourth layer is sector-specific regulation, most developed in financial services through ASIC and APRA, and increasingly relevant in employment, insurance, and consumer credit contexts through existing anti-discrimination and consumer protection law.
The Privacy Act 1988: the binding obligation for most AI operators
The Privacy Act 1988 (Cth) applies to Australian government agencies and to private sector organisations with annual turnover above AUD 3 million, along with certain smaller entities regardless of turnover, such as health service providers and traders in personal information. For AI operators, this scope covers most deployments that process customer or employee personal information, though smaller Australian operators may fall outside the Act entirely under the small business exemption, an important distinction from the EU AI Act and GDPR, which carry no equivalent size-based carve-out.
Automated decision-making and the current reform trajectory
The Australian Privacy Principles (APPs) set out collection, use, disclosure, and security obligations that apply regardless of whether a decision is made by a human or an AI system. The government's 2022-2023 Privacy Act Review recommended new transparency requirements specifically for automated decision-making, including a requirement for entities to set out in their privacy policy the types of personal information used in substantially automated decisions with legal or similarly significant effect on an individual.[3] The Privacy and Other Legislation Amendment Act 2024, which received assent in December 2024, implemented an initial tranche of reforms, including a new statutory tort for serious invasions of privacy, with further tranches addressing automated decision-making transparency expected to follow.
The practical effect for AI operators is that Australia is moving in the same direction as the EU's GDPR Article 22 and the EU AI Act's Article 13 transparency obligations, but through incremental amendment of an existing statute rather than a single comprehensive AI law. Operators who have already built EU AI Act transparency documentation are well positioned for the Australian reforms as they land.
Penalties and enforcement
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 substantially increased penalties for serious or repeated privacy interferences, to the greater of AUD 50 million, three times the value of any benefit obtained through the misuse of information, or 30 percent of adjusted turnover during the breach period.[4] This penalty ceiling is broadly comparable in severity to the EU AI Act's 7 percent of global turnover maximum, even though the underlying legal basis, privacy rather than AI-specific conduct, is different. The OAIC has pursued enforcement action against organisations for inadequate data handling practices and has signalled that AI-enabled processing, including profiling and automated decisions, is a supervisory priority.
Financial services: ASIC and APRA
Australia's financial sector has the most developed AI-specific regulatory attention of any sector in the country, delivered through supervisory guidance and prudential standards rather than new legislation.
The Australian Securities and Investments Commission published Report 798, "Beware the gap: Governance arrangements in the face of AI innovation," in October 2024, following a review of 23 licensees across banking, insurance, and financial advice.[5] The report found that many licensees had not yet updated existing governance arrangements to address AI-specific risks, including model risk, consumer outcome monitoring, and accountability for AI-assisted decisions, and signalled that ASIC expects existing obligations under the Corporations Act 2001, including licensee governance and best-interests duties, to extend to AI use without a separate AI-specific carve-out.
The Australian Prudential Regulation Authority's Prudential Standard CPS 230 on operational risk management took effect from 1 July 2025 for APRA-regulated entities, including banks, insurers, and superannuation trustees.[6] CPS 230 requires regulated entities to manage material service providers, including AI vendors, within a documented operational risk framework, with board-level accountability for critical operations and incident reporting obligations. While CPS 230 is not an AI-specific standard, its treatment of AI vendors as material service providers subject to due diligence and ongoing monitoring creates a binding governance obligation that reaches most AI deployments in regulated financial institutions.
A cautionary domestic precedent: Robodebt
No discussion of automated decision-making accountability in Australia is complete without reference to the Robodebt scheme, an automated debt assessment and recovery system operated by Services Australia between 2015 and 2019, which the Royal Commission into the Robodebt Scheme found in its July 2023 report to have been unlawful and to have caused substantial harm through automated income averaging that produced inaccurate debt notices at scale.[7] Although Robodebt was a government scheme rather than a commercial AI agent, and predates the current generation of large language model based systems, the Royal Commission's findings have shaped Australian regulatory and public discourse on automated decision-making accountability, human oversight, and the limits of relying on system output without meaningful review. Operators deploying AI agents that make or influence consequential decisions about individuals in Australia should expect this precedent to inform how regulators and courts assess the adequacy of human oversight claims.
Comparison with the EU AI Act and NIST AI RMF
Operators already compliant with the EU AI Act (Regulation 2024/1689) will find that the ten guardrails in Australia's Voluntary AI Safety Standard map closely to their existing governance documentation: accountability, risk management, data governance, testing, transparency, and human oversight all appear in both frameworks in substantially similar form. The principal gaps are Australia's Privacy Act automated decision-making transparency requirements, which are still being finalised through incremental amendment rather than a single comprehensive statute, and the sector-specific ASIC and APRA requirements, which go beyond the general EU AI Act framework for regulated financial entities.
The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) and the NIST AI 600-1 Generative AI Profile (July 2024) map well to the Voluntary AI Safety Standard's structure. NIST's GOVERN, MAP, MEASURE, and MANAGE functions correspond closely to the Standard's accountability, risk management, and testing guardrails, and operators using NIST AI RMF as their primary governance tool will find it straightforward to demonstrate alignment with Australian expectations.[8]
The most important practical difference is regulatory maturity rather than substantive divergence in principle. The EU AI Act imposes binding conformity assessment obligations with a hard enforcement date. Australia's mandatory guardrails proposal remains exactly that, a proposal, with the government yet to commit to a specific legislative timeline as of mid-2026. Operators should not read this as a permanently lighter compliance burden; the direction of policy travel in the proposals paper points toward eventual mandatory obligations for AI used in high-risk settings, closely modelled on the same risk-based logic that underpins the EU AI Act.
What operators should do
The minimum compliance programme for an AI operator deploying in Australia consists of five elements.
First, map your deployments against the ten guardrails in the Voluntary AI Safety Standard, even though compliance is not mandatory. Enterprise procurement teams and government agencies are increasingly asking suppliers to demonstrate alignment with the Standard as a condition of contract, and it is the most likely basis for any future mandatory regime.
Second, confirm your Privacy Act 1988 exposure, including whether the small business exemption applies, and if not, map your APP obligations for any AI system that collects, uses, or discloses personal information. Prepare for automated decision-making transparency requirements to firm up over the next reform cycle.
Third, if operating in financial services, read ASIC Report 798 and APRA's CPS 230 in full. Your governance obligations in this sector exceed the general Privacy Act floor, with specific requirements for material service provider due diligence, board accountability, and incident reporting.
Fourth, document your human oversight arrangements with specificity, given the Robodebt precedent's influence on Australian regulatory expectations. A generic claim of human oversight is unlikely to satisfy a regulator or a court examining whether a consequential automated decision was genuinely reviewed.
Fifth, align existing EU AI Act or ISO/IEC 42001 governance documentation with the Voluntary AI Safety Standard's ten guardrails. This alignment work positions you for both current procurement expectations and future binding regulation.
For a comparison of Australia's approach to other non-EU jurisdictions, see the South Africa AI regulation guide. For the EU AI Act operator obligations that form the highest-current-stringency benchmark, see the Article 26 deployer obligations guide on agentliability.eu. For how documentation built for Australian or EU purposes can support an insurance submission, see agentinsured.eu's underwriting submission guide.
Frequently asked questions
Does Australia have a dedicated AI law in 2026?
No. Australia regulates AI through existing law rather than a dedicated AI statute as of mid-2026. The Voluntary AI Safety Standard (DISR, September 2024) sets out ten non-binding guardrails. A companion proposals paper sought views on mandatory guardrails for high-risk AI, but no binding cross-economy AI statute had been enacted as of mid-2026. Existing law, principally the Privacy Act 1988 and sector-specific financial services regulation, carries the binding obligations that apply today.
How does the Privacy Act 1988 apply to AI agents in Australia?
The Privacy Act 1988 (Cth) applies to any AI agent that collects, uses, or discloses personal information about an individual, subject to the Act's small business exemption for most entities with turnover below AUD 3 million. The Australian Privacy Principles impose collection, use, disclosure, and security obligations. Reforms under the Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy and signalled further transparency obligations for automated decision-making.
What penalties apply to AI-related privacy or conduct failures in Australia?
Serious or repeated interferences with privacy can attract penalties of up to the greater of AUD 50 million, three times the value of the benefit obtained, or 30 percent of adjusted turnover during the breach period, under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. The OAIC is the primary enforcement body. In financial services, ASIC and APRA can pursue licence conditions, directions, and civil penalties under the Corporations Act 2001 where AI-related failures breach existing obligations.
How does Australia's AI framework compare to the EU AI Act?
Australia's approach is substantially less prescriptive than the EU AI Act. The EU AI Act creates a binding risk classification system with mandatory conformity assessments. Australia's Voluntary AI Safety Standard is non-binding, and its proposed mandatory guardrails remained at the proposals stage as of mid-2026. Operators already EU AI Act compliant will find their documentation covers most of the Voluntary Standard's ten guardrails, with the Privacy Act and sector regulation as the binding Australian layer to map separately.
Do ASIC and APRA have specific AI requirements for regulated financial entities?
Yes. ASIC's Report 798, published October 2024 following a review of 23 licensees, found governance gaps in AI use in retail financial services. APRA's Prudential Standard CPS 230, effective from 1 July 2025, requires regulated entities to manage AI as part of their operational risk and material service provider frameworks, including board-level accountability and incident reporting. Neither is an AI-specific statute, but both create binding obligations reaching AI deployments in regulated financial institutions.
References
- Department of Industry, Science and Resources (DISR), Australian Government. Voluntary AI Safety Standard, published September 2024. Ten guardrails for organisations developing or deploying AI systems. Available at industry.gov.au.
- Department of Industry, Science and Resources. Safe and Responsible AI in Australia: Proposals Paper for Introducing Mandatory Guardrails for AI in High-Risk Settings, September 2024. Public consultation closed October 2024. Available at industry.gov.au.
- Attorney-General's Department, Australian Government. Privacy Act Review Report, 2022-2023. Recommendations on transparency for automated decision-making. Available at ag.gov.au.
- Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth). Increased maximum penalties for serious or repeated interferences with privacy under the Privacy Act 1988. Available at legislation.gov.au.
- Australian Securities and Investments Commission (ASIC). Report 798: Beware the gap, Governance arrangements in the face of AI innovation, October 2024. Available at asic.gov.au.
- Australian Prudential Regulation Authority (APRA). Prudential Standard CPS 230, Operational Risk Management, effective 1 July 2025. Available at apra.gov.au.
- Royal Commission into the Robodebt Scheme. Final Report, July 2023. Findings on the automated income averaging debt recovery scheme operated 2015-2019. Available at robodebt.royalcommission.gov.au.
- NIST AI Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, January 2023. NIST AI 100-1. NIST AI 600-1 (Generative AI Profile), July 2024. Available at nist.gov/artificial-intelligence.