The Australian AI Governance Landscape
A structured overview of current Australian obligations, government guidance and the ISO 42001 standard - as they apply to companies that build and sell AI products.
This page reflects the regulatory position as understood in early 2026. It is provided for informational purposes and does not constitute legal advice.
Key Dates
Current Legal Obligations
Privacy Act 1988 (Cth) & Australian Privacy Principles
Governs the handling of personal information used in or generated by AI systems. Applies to organisations with annual turnover above $3M and certain others. Key obligations include transparency around automated processing of personal information.
Privacy Act 2024 Amendments
New automated decision-making transparency obligations take effect. AI vendors whose systems make or substantially inform decisions affecting individuals must provide meaningful transparency about how those decisions are made. Entities subject to the Privacy Act should be preparing now.
Australian Consumer Law
Enforced by the ACCC. Prohibits misleading or deceptive conduct in relation to AI-powered products and services - including misleading representations about AI system capabilities, accuracy, or reliability. Applies to all AI vendors operating in Australia regardless of size.
Anti-Discrimination Law
Federal and state anti-discrimination legislation applies where AI systems make or inform decisions affecting individuals across protected characteristics. Algorithmic bias is an increasingly active area of enforcement attention.
Government Guidance
The following is voluntary guidance - not legally binding - but increasingly referenced by enterprise procurement teams and government agencies.
Guidance for AI Adoption (GfAA)
Published October 2025 by the Department of Industry, Science and Resources. The current primary Australian government guidance document on AI adoption. Supersedes the previous Voluntary AI Safety Standard (VAISS).
Australia's 8 AI Ethics Principles
Published 2019 by the Department of Industry. Still current and widely referenced. Covers human, societal and environmental wellbeing; human-centred values; fairness; privacy protection; reliability and safety; transparency and explainability; contestability; and accountability.
OAIC Guidance on Privacy and Generative AI
Published October 2024. Provides the Office of the Australian Information Commissioner's position on how the Privacy Act applies to generative AI systems, including guidance for entities deploying third-party AI tools.
On the Horizon
Australian AI Safety Institute (AISI)
Operational from early 2026. Provides risk assessments and guidance on AI safety, with particular focus on high-risk AI systems. Still developing its scope and enforcement posture.
Mandatory Guardrails for High-Risk AI
Active government consultation is underway regarding mandatory requirements for certain categories of high-risk AI. Timing and scope remain under consideration.
ISO/IEC 42001:2023
The world's first international standard for AI Management Systems. Formally adopted in Australia as AS ISO/IEC 42001:2023 in February 2024. Specifies 38 controls across 9 governance areas covering AI risk management, transparency, accountability, data governance and more.
Why It Matters for AI Vendors
- Enterprise procurement teams are beginning to ask for ISO 42001 as a vendor qualification requirement
- Government procurement is expected to follow as the standard matures
- Inherently covers and in many respects exceeds current Australian regulatory obligations
- Fewer than approximately 30 companies worldwide hold certification as of early 2026 - early movers gain a significant competitive advantage
- Functions similarly to ISO 27001 as a market trust signal