The regime you actually have
For two years Australian boards waited to see whether the government would legislate mandatory guardrails for high-risk AI. In December 2025 they got their answer: no. The National AI Plan put the proposed guardrails on hold and confirmed the government will keep regulating AI through the laws already on the books[1]. The Productivity Commission had reached the same conclusion, recommending a dedicated AI Act only as a last resort[3].
This is easy to misread as a reprieve. It is the opposite. There is no future compliance deadline to prepare for, because the obligations already live inside directors’ duties, the Privacy Act, the Australian Consumer Law, and sector rules. AI risk is a present-tense governance problem, not a scheduled one.
The regulators moved even though Parliament didn’t
In a six-week window in 2026, two regulators told boards to get their AI governance in order. APRA wrote to every regulated entity on 30 April, warning against treating AI as "just another technology" and naming four weak spots: information security, governance immaturity, supplier concentration, and inadequate assurance[4]. ASIC, having already documented a governance gap in its REP 798 review, went further in May and directed boards to table its cyber-and-AI letter at board and risk-committee level[5].
If you are not APRA-regulated, you might read that as someone else’s problem. That is a mistake. When courts, insurers, and B2B customers decide whether a board took "reasonable steps", these letters are the nearest thing to a written benchmark. They describe what good looks like, and they apply the moment anyone asks.
The one hard deadline: 10 December 2026
There is exactly one statutory date on the AI calendar that most mid-market companies must meet. From 10 December 2026, under the Privacy and Other Legislation Amendment Act 2024, an organisation that uses a computer program to make substantially automated decisions significantly affecting people must disclose that in its privacy policy[7]. Credit assessment, pricing, hiring shortlists, claims triage: if a model is deciding, the policy has to say so.
The work behind that disclosure is an AI and automated-decision use-case inventory, including the tools staff adopted without asking. Build it once and it does more than satisfy the Privacy Act. It is the same register the AICD guide, the OAIC, and the government’s own six practices all expect you to hold.
Privacy is where AI enforcement is actually happening
While the AI Act debate ran, privacy law quietly became the live front. A statutory tort for serious invasions of privacy has been in force since 10 June 2025. In February 2026 the Administrative Review Tribunal’s Bunnings facial-recognition decision let the retailer rely on a consent exemption for the collection itself, but upheld breaches for failing to be transparent and failing to run a documented risk assessment[7]. The lesson for any AI deployment: governance and notice failures stand on their own, even where the underlying use is defensible.
The OAIC’s practical guidance is blunt about generative AI: do not enter personal information, and especially sensitive information, into publicly available tools[7]. That single rule, enforced internally, closes off a large share of the accidental-disclosure risk that shadow AI creates.
A defensible baseline in one quarter
The excuse that "we didn’t know what good looked like" has run out. Between the National AI Centre’s six essential practices[2] and the AICD and Human Technology Institute’s Director’s Guide, now in its second edition and updated for agentic AI[6], a mid-market board has a recognised playbook it can stand up in a quarter.
- Name a single accountable executive for AI, the way you would for finance or safety
- Build and maintain an AI and automated-decision use-case register, including shadow AI
- Run risk-tiered impact assessments before deployment, heavier for anything touching people or money
- Put AI and data clauses into vendor and MSP contracts, covering transparency, data use, and your right to audit
- Report AI to the board on a real cadence, with defined triggers for when management must escalate