AI Governance in Australia: What Every Business Needs to Know in 2026

By Moe Chizari / Feb 5, 2026 / AI & Automation

In 2024, Australia published its voluntary AI Ethics Principles. In late 2025, the government consulted on mandatory AI guardrails. In December 2025, the National AI Plan walked those mandatory guardrails back, replacing them with voluntary guidance. And in 2026, your staff are pasting client data into ChatGPT every day and nobody in your organisation knows about it.

Regulation has not arrived in the form anyone expected. But the risk is already here, and a lot of the legal exposure that businesses thought would be covered by a future AI Act is in fact already covered by laws that exist today. Businesses without governance frameworks are running uncontrolled now, and the Privacy Act amendments coming into effect on 10 December 2026 add a new layer of disclosure obligation on top.

What changed in December 2025

For most of 2024 and 2025, the expectation across the Australian business community was that mandatory AI guardrails were coming. The Department of Industry, Science and Resources had been consulting since late 2024 on a set of ten proposed guardrails for high-risk AI, modelled closely on the EU AI Act. Many businesses, including ours, advised clients to prepare for mandatory compliance.

The December 2025 National AI Plan reversed that direction. Rather than legislate, the government chose to rely on existing technology-neutral laws (the Privacy Act, Australian Consumer Law, Online Safety Act, sector-specific rules) supported by voluntary frameworks. The Voluntary AI Safety Standard was replaced by the Guidance for AI Adoption in October 2025. The AI Safety Institute became operational in early 2026 with $29.9 million in funding, but with a monitoring and analysis role rather than an enforcement one. No mandatory equivalent of the proposed guardrails has been indicated since.

This matters for two reasons. First, businesses that delayed AI governance work waiting for regulatory clarity now have less external pressure to act, and the temptation to defer further is real. Second, the legal exposure under existing law is unchanged. The Privacy Act still applies. APRA CPS 234 still applies to regulated financial entities. Healthcare obligations under the TGA still apply. The regulatory floor stayed where it was. It just stopped rising.

Australia’s AI regulatory landscape in 2026

| Date | Development | Status | Business impact |
|---|---|---|---|
| 2019 | Australia’s AI Ethics Principles published | Voluntary, no enforcement | Aspirational only |
| Sep 2024 | Proposals paper for mandatory AI guardrails | Consultation phase | Industry expected mandatory regulation |
| Dec 2024 | Privacy and Other Legislation Amendment Act 2024 | In force | Statutory tort for serious privacy breaches; penalties up to $50M |
| Oct 2025 | Guidance for AI Adoption (GfAA) replaces VAISS | In force, voluntary | Updated voluntary standard for AI deployment |
| Dec 2025 | National AI Plan published | In force | Mandatory guardrails abandoned in favour of voluntary approach |
| Jan 2026 | Mandatory ransomware reporting enforced | In force | 72-hour reporting for $3M+ businesses |
| Early 2026 | Australian AI Safety Institute operational | In force | Monitoring and analysis role, no enforcement powers |
| 2026 | ISO 42001 AI Management System Standard adoption | Voluntary, certification available | Formal AI governance framework for early adopters |
| 10 Dec 2026 | Privacy Act automated decision-making disclosure | Effective | Disclosure obligations for substantially automated decisions affecting individuals |

The problem: shadow AI is already in your business

Shadow AI is the use of artificial intelligence tools by staff without organisational awareness, approval, or oversight. It is the AI equivalent of shadow IT, and it is happening at scale.

In our AI discovery audits across Perth businesses, we consistently find that between 40 and 60 percent of knowledge workers are using consumer AI tools for work tasks. The typical organisation has 12 to 15 AI tools in active use that IT does not know about. This includes staff pasting client emails into ChatGPT to draft responses, finance teams uploading spreadsheets containing sensitive financial data to AI analysis tools, HR teams using AI to screen resumes containing personal information, marketing teams generating content by feeding confidential strategy documents into AI platforms, and management using AI to summarise board papers and meeting notes.

In almost every case, the staff member believes they are being productive and innovative. They are correct on both counts. They are also creating data governance risks that the organisation does not know about, cannot control, and may be liable for under the Privacy Act.

What is enforceable today (with or without an AI Act)

The Privacy Act

The Privacy Act 1988 and the Australian Privacy Principles regulate how personal information is collected, used, disclosed, and stored. When staff paste client personal information into a consumer AI tool, they may be breaching APPs relating to disclosure, overseas transfer, and purpose limitation, regardless of whether AI-specific regulation exists. The December 2024 amendments introduced a statutory tort for serious privacy breaches and raised maximum penalties to $50 million.

Automated decision-making disclosure (effective 10 December 2026)

From 10 December 2026, the Privacy and Other Legislation Amendment Act 2024 requires organisations to disclose substantially automated decisions affecting individuals. The OAIC defines this as decisions made by systems with limited or no human involvement that significantly affect individuals. This includes hiring, lending, insurance underwriting, and customer analytics. If your business uses AI for any of these functions, or if shadow AI use means it is happening without your knowledge, you have a disclosure obligation that is impossible to meet without governance.

Sector-specific overlays

Healthcare AI is regulated as Software as a Medical Device under the TGA. Financial services AI use is governed by APRA CPS 234 (operational risk) and ASIC obligations around automated advice. Government AI use is bound by the AI in Government Policy. The absence of a horizontal AI Act does not mean these sectors are unregulated. It means the regulation is distributed across existing bodies.

ISO 42001: the AI Management System Standard

ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems. It follows the same management system structure as ISO 27001 and ISO 9001, providing a formal framework for AI governance. While not required by Australian law, it is the most structured approach available and aligns with how regulated sectors are being asked to demonstrate AI risk management.

The seven pillars of AI governance for Australian businesses

1. AI discovery and visibility

You cannot govern what you cannot see. The first step is identifying every AI tool in use across your organisation, whether approved, conditional, or shadow. This requires both technical scanning and organisational engagement. Discovery is not a one-time exercise. New AI tools emerge weekly, and staff adopt them without waiting for IT approval. We cover the operational method for this in our shadow AI audit playbook.

2. AI Acceptable Use Policy

A clear, enforceable policy that defines what AI tools are approved, what data can and cannot be used with AI tools, who is responsible for AI-related decisions, how to request approval for new tools, and consequences for policy violations. The policy should be practical, not aspirational. Staff will not read a 30-page governance document. They need clear, specific rules: “You may use Claude for drafting client communications. Consumer ChatGPT is prohibited for work use.”

3. Data classification for AI

Your existing data classification framework needs an AI layer. A practical classification defines which sensitivity levels of data are permitted to interact with AI platforms. Public data can be used with any approved AI tool. Confidential data requires enterprise AI platforms with zero-retention policies. Restricted data (PII, health records, legal privilege) is prohibited from AI input without a documented privacy impact assessment.

4. Technical controls

Policies without enforcement are suggestions. The technical controls that make AI governance real include deny-by-default blocking of unapproved AI tools, Data Loss Prevention policies that prevent sensitive data from being submitted to AI platforms, sensitivity labels in Microsoft 365 that restrict AI interactions based on classification, and browser policies that block access to unapproved AI platforms from work devices.

5. AI tool vetting

Every AI tool entering your environment should be assessed against consistent criteria: data sovereignty (where is the data processed?), privacy compliance with Australian Privacy Principles, data retention and training policies (does the provider use your data to train models?), security posture (SOC 2, encryption, access controls), and terms of service. Each tool receives Approved, Conditional, or Prohibited status.

6. Staff awareness and training

Your staff are the front line of AI governance. They need to understand what tools are approved, what data is off-limits, how to recognise AI-generated content, what prompt injection and data exposure risks look like, and how to report AI-related incidents. Training should be practical and scenario-based, not abstract.

7. Ongoing monitoring and reporting

AI governance is not a project. It is an ongoing function. Quarterly reporting should cover shadow AI detection (new tools identified, usage trends), DLP events (attempts to submit sensitive data to AI platforms), policy compliance (training completion, policy acknowledgment rates), tool register updates, and incident summary. This reporting feeds into your broader risk and compliance programme.
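The classification gate in pillar 3, the Approved/Conditional/Prohibited register in pillar 5 and the quarterly reporting inputs in pillar 7 can be expressed as policy-as-code so the rules are checked mechanically rather than read once and forgotten. The Python below is an added example, not Epic IT's tooling or any vendor's published API: the tool register (names, `.example` domains, statuses, retention flags, regions), the proxy log format and lines, the watchlist domain and the 100 KB upload threshold are all constructed assumptions for illustration.

```python
"""Added example: AI tool register, data-classification gate, and shadow-AI
reporting over constructed proxy log lines. Not Epic IT's code."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AITool:
    name: str
    domain: str
    status: str           # "Approved", "Conditional" or "Prohibited" (pillar 5 outcome)
    zero_retention: bool  # provider contractually neither retains nor trains on inputs
    data_region: str      # where prompts are processed (the data sovereignty question)


# Hypothetical register: domains, statuses and flags are constructed for the
# example and are not a real vetting result for any vendor.
TOOL_REGISTER = {
    "copilot": AITool("Microsoft 365 Copilot", "copilot.example", "Approved", True, "AU"),
    "claude-ent": AITool("Claude (enterprise plan)", "claude.example", "Conditional", True, "US"),
    "chatgpt-consumer": AITool("ChatGPT (consumer)", "chatgpt.example", "Prohibited", False, "US"),
}
DOMAIN_TO_TOOL = {t.domain: tid for tid, t in TOOL_REGISTER.items()}


def may_use(tool_id, classification, pia_documented=False):
    """Pillar 3 gate: return (allowed, reason) for sending data of the given
    sensitivity level to the given registered tool. Unknown tools are denied."""
    tool = TOOL_REGISTER.get(tool_id)
    if tool is None:
        return False, "tool not in register: treat as shadow AI, deny by default"
    if tool.status == "Prohibited":
        return False, f"{tool.name} is Prohibited"
    if classification == "Public":
        return True, "public data may go to any Approved or Conditional tool"
    if classification == "Confidential":
        if tool.zero_retention:
            return True, "confidential data on a zero-retention enterprise platform"
        return False, "confidential data requires a zero-retention platform"
    if classification == "Restricted":
        # Assumption: a documented PIA lifts the prohibition only on a
        # zero-retention platform (the article states only the PIA condition).
        if tool.zero_retention and pia_documented:
            return True, "restricted data permitted under a documented PIA"
        return False, "restricted data (PII, health, privilege) prohibited without a documented PIA"
    raise ValueError(f"unknown classification {classification!r}")


# Constructed proxy log lines; the key=value format is an assumption.
SAMPLE_PROXY_LOG = """\
2026-02-03T09:14:02 user=jane.d method=POST dst=chatgpt.example bytes_out=48213
2026-02-03T09:15:40 user=jane.d method=GET dst=copilot.example bytes_out=812
2026-02-03T09:20:11 user=sam.k method=POST dst=chatgpt.example bytes_out=1203
2026-02-03T10:02:59 user=priya.n method=POST dst=claude.example bytes_out=9981
2026-02-03T10:30:05 user=sam.k method=POST dst=newai.example bytes_out=220044
2026-02-03T11:11:11 user=liam.o method=GET dst=intranet.example bytes_out=310
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed watchlist: AI domains noticed during discovery but not yet vetted.
WATCHLIST_AI_DOMAINS = {"newai.example"}

LARGE_UPLOAD_BYTES = 100_000  # assumed threshold for a POST body worth a review


def shadow_ai_report(log_text):
    """Pillar 7 inputs from proxy logs: event counts per register status, which
    users hit each status, unvetted AI domains, and large uploads to anything
    other than an Approved tool."""
    events = Counter()
    users_by_status = defaultdict(set)
    unvetted = Counter()
    large_uploads = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        dst, user, nbytes = m["dst"], m["user"], int(m["bytes"])
        tool_id = DOMAIN_TO_TOOL.get(dst)
        if tool_id:
            status = TOOL_REGISTER[tool_id].status
        elif dst in WATCHLIST_AI_DOMAINS:
            status = "Unvetted"
            unvetted[dst] += 1
        else:
            continue  # not AI traffic as far as the register knows
        events[status] += 1
        users_by_status[status].add(user)
        if m["method"] == "POST" and nbytes >= LARGE_UPLOAD_BYTES and status != "Approved":
            large_uploads.append((user, dst, nbytes))
    return {
        "events": dict(events),
        "users": {s: sorted(u) for s, u in users_by_status.items()},
        "unvetted_domains": dict(unvetted),
        "large_uploads": large_uploads,
    }


if __name__ == "__main__":
    print(may_use("claude-ent", "Confidential"))
    print(shadow_ai_report(SAMPLE_PROXY_LOG))
```

The gate denies anything not in the register, which is what deny-by-default means in practice: a tool a user found last week has no status, so it is blocked until vetted. The report deliberately does not claim to know what data was in a POST body (a proxy log cannot tell), so it flags large uploads to non-Approved destinations for human review rather than calling them DLP hits; DLP policies in the M365 stack are the control that sees content.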

The cost of doing nothing

Data exposure today. Every day without controls, your staff are putting sensitive data into uncontrolled platforms. The data has already left your environment. If a breach is subsequently traced to AI usage, your business faces Privacy Act obligations, client notification, and potential regulatory action under the existing statutory tort for serious privacy breaches.

December 2026 disclosure deadline. The Privacy Act amendments for automated decision-making take effect on 10 December 2026. Businesses without an AI tool register cannot demonstrate which decisions are substantially automated, by which tools, with what oversight. The disclosure obligation is impossible to meet from a position of ignorance.

Procurement disadvantage ongoing. Enterprise clients and government agencies are beginning to include AI governance questions in their due diligence and procurement processes, even without a mandatory framework. Businesses that cannot demonstrate AI governance will be excluded from opportunities that require it, just as businesses without Essential Eight compliance are now excluded from many government tenders.

How Epic IT delivers AI governance

AI Governance is the foundation tier of our AI services, available to any client with an active Managed IT Services agreement. The approach starts with enforcement: deny-by-default blocking of unsanctioned AI tools, full shadow AI discovery, M365 permissions review, a client-branded AI acceptable use policy, data classification framework, staff awareness training, and the initial technical baseline for enforcement and monitoring.

The ongoing service covers all seven pillars described above, with quarterly governance reviews. Each layer integrates with your existing Microsoft 365 security infrastructure and aligns with ISO 42001, the GfAA, and the Privacy Act APPs. For businesses that want to go further, our Managed AI and Custom AI Development tiers add secure AI platforms, cross-platform agent governance, and dedicated engineering capacity.

We published the full cross-platform governance methodology in our free white paper. If you want to understand your current AI exposure, contact us on 1300 EPIC IT to get started.

Frequently asked questions

Is AI governance mandatory for Australian businesses?

Not directly. The December 2025 National AI Plan abandoned the proposed mandatory AI guardrails in favour of voluntary frameworks. However, the Privacy Act already applies to AI usage involving personal information, with penalties up to $50 million for serious breaches under the 2024 amendments. From 10 December 2026, organisations also have to disclose substantially automated decisions affecting individuals. AI governance is the only way to meet these obligations in practice.

What happened to the mandatory AI guardrails Australia was consulting on?

The September 2024 proposals paper outlined ten mandatory guardrails for high-risk AI, modelled on the EU AI Act. The December 2025 National AI Plan reversed this direction, choosing instead to rely on existing technology-neutral laws supported by voluntary guidance. The Guidance for AI Adoption (GfAA) replaced the Voluntary AI Safety Standard in October 2025. There is no current timeline for mandatory equivalent regulation.

What is the difference between AI governance and AI policy?

An AI policy is a document that sets rules for how your organisation uses AI. AI governance is the broader framework that includes policies, processes, technical controls, risk assessments, oversight structures, and accountability mechanisms that ensure AI is used responsibly across the entire business.

What is ISO 42001 and does my business need it?

ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems. It follows the same structure as ISO 27001 and provides a formal framework for AI governance. Certification is not required by Australian law, but it provides a structured approach aligned with how regulated sectors are being asked to demonstrate AI risk management. It also signals AI maturity to clients and partners.

Does the December 2026 Privacy Act amendment affect my business?

If your business makes substantially automated decisions affecting individuals (hiring, lending, insurance underwriting, customer analytics, eligibility decisions), yes. From 10 December 2026, you have a disclosure obligation that requires you to know which decisions are automated, by which tools, with what human oversight. Most businesses cannot answer this today because shadow AI use is undocumented.

Do small businesses need AI governance?

Yes. Any business using AI tools, including Microsoft Copilot, ChatGPT, or automated decision-making systems, should have governance in place. The scope scales with the size and risk profile of the business, but the fundamentals apply to all. In our discovery audits, 40 to 60 percent of knowledge workers at Perth SMBs are already using consumer AI tools for work tasks without any organisational oversight.

How does AI governance relate to cybersecurity?

AI governance and cybersecurity overlap significantly. AI systems process sensitive data, so data protection controls, access management, and incident response all need to account for AI-specific risks. For most businesses, AI governance is best implemented as an extension of their existing Microsoft 365 security infrastructure rather than a separate programme.

What should an AI governance framework include?

A practical AI governance framework includes deny-by-default enforcement of approved tools, an AI acceptable use policy, a data classification framework for AI interactions, technical DLP controls, a tool vetting process, staff awareness training, and ongoing monitoring with quarterly reviews. For the full methodology, see our cross-platform AI governance white paper.

Need help building your AI governance framework?

Epic IT helps Australian businesses develop practical AI governance frameworks that protect your organisation today and prepare you for the December 2026 Privacy Act disclosure obligations.


About the Author
Written by Moe Chizari, Chief Executive Officer of Epic IT, a managed IT, cyber security and AI partner for Australian mid-market businesses, with offices in Perth, Sydney and Brisbane. Moe brings 17 years across financial markets, treasury and technology, including five years at Bravura Solutions running enterprise software delivery and five years inside Group Treasury at Westpac and Macquarie leading APRA-regulated programmes (APS-117 IRRBB, APS-210 LCR & Capital Transformation). He holds a Bachelor of International Business from RMIT University, is a certified Project Management Professional (PMP), and an AFMA Diploma of Financial Markets graduate.

