Guide · AI Governance

AI governance in Australia: what boards must do now the guardrails were shelved

There is no AI Act coming to Australia. In December 2025 the government shelved its proposed mandatory guardrails and put the weight back on existing law. That does not let boards off the hook. It moves the obligation onto directors today.

15 min read · Published 2 July 2026

The regime you actually have

For two years Australian boards waited to see whether the government would legislate mandatory guardrails for high-risk AI. In December 2025 they got their answer: no. The National AI Plan put the proposed guardrails on hold and confirmed the government will keep regulating AI through the laws already on the books[1]. The Productivity Commission had reached the same conclusion, recommending a dedicated AI Act only as a last resort[3].

This is easy to misread as a reprieve. It is the opposite. There is no future compliance deadline to prepare for, because the obligations already live inside directors’ duties, the Privacy Act, the Australian Consumer Law, and sector rules. AI risk is a present-tense governance problem, not a scheduled one.

The regulators moved even though Parliament didn’t

In a six-week window in 2026, two regulators told boards to get their AI governance in order. APRA wrote to every regulated entity on 30 April, warning against treating AI as "just another technology" and naming four weak spots: information security, governance immaturity, supplier concentration, and inadequate assurance[4]. ASIC, having already documented a governance gap in its REP 798 review, went further in May and directed boards to table its cyber-and-AI letter at board and risk-committee level[5].

If you are not APRA-regulated, you might read that as someone else’s problem. That is a mistake. When courts, insurers, and B2B customers decide whether a board took "reasonable steps", these letters are the nearest thing to a written benchmark. They describe what good looks like, and they apply the moment anyone asks.

The one hard deadline: 10 December 2026

There is exactly one statutory date on the AI calendar that most mid-market companies must meet. From 10 December 2026, under the Privacy and Other Legislation Amendment Act 2024, an organisation that uses a computer program to make substantially automated decisions significantly affecting people must disclose that in its privacy policy[7]. Credit assessment, pricing, hiring shortlists, claims triage: if a model is deciding, the policy has to say so.

The work behind that disclosure is an AI and automated-decision use-case inventory, including the tools staff adopted without asking. Build it once and it does more than satisfy the Privacy Act. It is the same register the AICD guide, the OAIC, and the government’s own six practices all expect you to hold.

Privacy is where AI enforcement is actually happening

While the AI Act debate ran, privacy law quietly became the live front. A statutory tort for serious invasions of privacy has been in force since 10 June 2025. In February 2026 the Administrative Review Tribunal’s Bunnings facial-recognition decision let the retailer rely on a consent exemption for the collection itself, but upheld breaches for failing to be transparent and failing to run a documented risk assessment[7]. The lesson for any AI deployment: governance and notice failures stand on their own, even where the underlying use is defensible.

The OAIC’s practical guidance is blunt about generative AI: do not enter personal information, and especially sensitive information, into publicly available tools[7]. That single rule, enforced internally, closes off a large share of the accidental-disclosure risk that shadow AI creates.

A defensible baseline in one quarter

The excuse that "we didn’t know what good looked like" has run out. Between the National AI Centre’s six essential practices[2] and the AICD and Human Technology Institute’s Director’s Guide, now in its second edition and updated for agentic AI[6], a mid-market board has a recognised playbook it can stand up in a quarter.

  • Name a single accountable executive for AI, the way you would for finance or safety
  • Build and maintain an AI and automated-decision use-case register, including shadow AI
  • Run risk-tiered impact assessments before deployment, heavier for anything touching people or money
  • Put AI and data clauses into vendor and MSP contracts, covering transparency, data use, and your right to audit
  • Report AI to the board on a real cadence, with defined triggers for when management must escalate

You do not need to predict the regulation. You need a named owner, an honest use-case register, and impact assessments proportionate to the risk. That is a defensible position under the law you already have.

Research sources

Evidence-based, transparently sourced.

All statistics and research findings on this page are supported by authoritative sources. Behind The SLA is committed to evidence-based advisory and transparent methodology.

  [1] Department of Industry, Science and Resources. (2025). National AI Plan.
      Released 2 December 2025. Shelved the proposed economy-wide mandatory guardrails and confirmed the government will keep regulating AI through existing technology-neutral laws, backed by an advisory Australian AI Safety Institute.
  [2] National AI Centre. (2025). Guidance for AI Adoption.
      Published 21 October 2025. Condenses the earlier Voluntary AI Safety Standard into six essential practices: ensure accountability; assess impact; measure and manage risk; share information; test and monitor; maintain human oversight.
  [3] Productivity Commission. (2025). Harnessing data and digital technology (inquiry).
      The Commission recommended applying AI-specific regulation only where existing frameworks genuinely cannot address a harm, treating a dedicated AI Act as a last resort.
  [4] APRA. (2026). Letter to industry on artificial intelligence.
      Issued 30 April 2026. Found AI maturity varied widely, warned against treating AI as "just another technology", and named four weakness areas: information security, governance immaturity, supplier concentration, and inadequate assurance.
  [5] ASIC. (2024). REP 798 Beware the gap: Governance arrangements in the face of AI innovation.
      Review of 23 licensees and 624 AI use cases: adoption is outpacing governance, with nearly half of licensees holding policies that did not address consumer fairness or bias. In May 2026 ASIC told boards to table its cyber-and-AI letter at board level.
  [6] Australian Institute of Company Directors & Human Technology Institute. (2026). A Director’s Guide to AI Governance (Version 2).
      Version 2 released 29 June 2026, updated for agentic AI. Sets out eight elements of AI governance and the questions directors should be asking management.
  [7] Office of the Australian Information Commissioner. (2024). Privacy and the use of commercially available AI products.
      From 10 December 2026, under the Privacy and Other Legislation Amendment Act 2024, privacy policies must disclose substantially automated decisions that significantly affect individuals. The OAIC also recommends not entering personal information into publicly available generative AI tools.

Methodology Note: Behind The SLA conducts independent research validation for all published statistics. Where proprietary research is cited, it is based on aggregated, anonymised data from client engagements spanning 15+ years of MSP industry experience.
