
In 2024, Australia published its voluntary AI Ethics Principles. In 2025, the Australian Government began consulting on mandatory AI guardrails. In 2026, your staff are pasting client data into ChatGPT every day and nobody in your organisation knows about it.
The regulatory framework has not caught up yet. But the risk is already here. And when mandatory AI regulation arrives in Australia — as it inevitably will, following the EU’s AI Act and similar frameworks globally — businesses without existing governance will face the same scramble that many experienced when the Notifiable Data Breaches scheme took effect in 2018.
| Date | Development | Status | Business impact |
|---|---|---|---|
| 2019 | Australia’s AI Ethics Principles published | Voluntary — no enforcement | Aspirational only |
| 2024 | Government consultation on mandatory AI guardrails begins | Consultation phase | Signal of mandatory requirements ahead |
| Dec 2024 | Privacy and Other Legislation Amendment Act 2024 | In force | Statutory tort for serious privacy breaches; penalties up to $50M |
| Jan 2026 | Mandatory ransomware reporting enforced | In force | 72-hour reporting for $3M+ businesses |
| 2026 | ISO 42001 AI Management System Standard available | Voluntary — certification available | Formal AI governance framework for early adopters |
| 2026–2027 | Mandatory AI guardrails for high-risk AI (expected) | Pending legislation | Healthcare, finance, and government decision-making likely first |
| TBC | Broader mandatory AI obligations | Following EU AI Act model | All businesses using AI in significant roles |
Shadow AI is the use of artificial intelligence tools by staff without organisational awareness, approval, or oversight. It is the AI equivalent of shadow IT — and it is happening at scale.
In our AI discovery audits across Perth businesses, we consistently find that between 40% and 60% of knowledge workers are using consumer AI tools for work tasks. This includes staff pasting client emails into ChatGPT to draft responses, finance teams uploading spreadsheets containing sensitive financial data to AI analysis tools, HR teams using AI to screen resumes containing personal information, marketing teams generating content by feeding confidential strategy documents into AI platforms, and management using AI to summarise board papers and meeting notes.
In almost every case, the staff member believes they are being productive and innovative. They are correct on both counts. They are also creating data governance risks that the organisation does not know about, cannot control, and may be liable for under the Privacy Act.
Australia currently operates under eight voluntary AI Ethics Principles — human oversight, contestability, fairness, privacy, reliability, transparency, accountability, and human wellbeing. These carry no enforcement mechanism. No Australian business has been penalised for violating the AI Ethics Principles because they cannot be violated — they are aspirational, not enforceable.
What many businesses miss is that existing legislation already applies to AI usage. The Privacy Act 1988 and the Australian Privacy Principles regulate how personal information is collected, used, disclosed, and stored. When staff paste client personal information into a consumer AI tool, they may be breaching APPs relating to disclosure, overseas transfer, and purpose limitation — regardless of whether AI-specific regulation exists. The December 2024 amendments introduced a statutory tort for serious privacy breaches and raised maximum penalties to $50 million.
The Australian Government has been consulting on mandatory AI guardrails since 2025, with a focus on high-risk AI applications in healthcare, financial services, and government decision-making. The direction is clear: Australia is moving toward mandatory requirements for AI transparency, accountability, and risk management. Businesses that have already established AI governance frameworks will adapt quickly. Businesses that have not will face a compressed compliance project on top of their existing obligations.
ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). It follows the same management system structure as ISO 27001 and ISO 9001, providing a formal framework for AI governance. While not yet required by Australian law, it provides the most structured approach to AI governance available and aligns with the direction of Australian regulation.
You cannot govern what you cannot see. The first step is identifying every AI tool in use across your organisation — approved, conditional, and shadow. This requires both technical scanning and organisational engagement. Discovery is not a one-time exercise — new AI tools emerge weekly, and staff adopt them without waiting for IT approval.
An AI acceptable use policy should be a clear, enforceable document that defines which AI tools are approved, what data can and cannot be used with them, who is responsible for AI-related decisions, how to request approval for new tools, and the consequences of policy violations. The policy should be practical, not aspirational. Staff will not read a 30-page governance document. They need clear, specific rules: “You may use Claude for drafting client communications. Consumer ChatGPT is prohibited for work use.”
Your existing data classification framework needs an AI layer. A practical classification defines which sensitivity levels of data are permitted to interact with AI platforms: Public data can be used with any approved AI tool. Confidential data requires enterprise AI platforms with zero-retention policies. Restricted data (PII, health records, legal privilege) is prohibited from AI input without a documented privacy impact assessment.
Policies without enforcement are suggestions. The technical controls that make AI governance real include deny-by-default blocking of unapproved AI tools, Data Loss Prevention policies that prevent sensitive data from being submitted to AI platforms, sensitivity labels in Microsoft 365 that restrict AI interactions based on classification, and browser policies that block access to unapproved AI platforms from work devices.
Every AI tool entering your environment should be assessed against consistent criteria: data sovereignty (where is the data processed?), privacy compliance with Australian Privacy Principles, data retention and training policies (does the provider use your data to train models?), security posture (SOC 2, encryption, access controls), and terms of service. Each tool receives Approved, Conditional, or Prohibited status.
Your staff are the front line of AI governance. They need to understand what tools are approved, what data is off-limits, how to recognise AI-generated content, what prompt injection and data exposure risks look like, and how to report AI-related incidents. Training should be practical and scenario-based, not abstract.
AI governance is not a project — it is an ongoing function. Quarterly reporting should cover shadow AI detection (new tools identified, usage trends), DLP events (attempts to submit sensitive data to AI platforms), policy compliance (training completion, policy acknowledgment rates), tool register updates, and incident summary. This reporting feeds into your broader risk and compliance programme.
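As an added illustration (not Epic IT's tooling), the classification rules, the Approved/Conditional/Prohibited tool register, deny-by-default blocking and the quarterly metrics above can be encoded as one decision function and run over a request log. The tool names, the `zero_retention` attribute and the sample log are constructed for the example.

```python
from collections import Counter

# Tool register as produced by tool assessment. zero_retention is an assumed
# attribute recorded at assessment time. Anything not listed is shadow AI.
TOOL_REGISTER = {
    "enterprise-assistant": {"status": "Approved", "zero_retention": True},
    "spreadsheet-ai": {"status": "Conditional", "zero_retention": True},
    "consumer-chatbot": {"status": "Prohibited", "zero_retention": False},
}

def evaluate(tool, classification, pia_documented=False):
    """Return (allowed, reason). Unknown tools are denied: deny by default."""
    entry = TOOL_REGISTER.get(tool)
    if entry is None:
        return False, "shadow-ai"           # unregistered tool: block and report
    if entry["status"] == "Prohibited":
        return False, "prohibited-tool"
    if classification == "Public":
        return True, "public-data"          # any approved/conditional tool
    if classification == "Confidential":    # needs a zero-retention platform
        return ((True, "confidential-zero-retention") if entry["zero_retention"]
                else (False, "dlp-confidential-retention"))
    if classification == "Restricted":      # PII, health, privilege: PIA + Approved
        return ((True, "restricted-with-pia")
                if pia_documented and entry["status"] == "Approved"
                else (False, "dlp-restricted"))
    return False, "unknown-classification"  # unlabelled data is treated as deny

def quarterly_summary(events):
    """Aggregate (tool, classification, pia) events into the report metrics."""
    reasons, shadow_tools, allowed = Counter(), set(), 0
    for tool, classification, pia in events:
        ok, reason = evaluate(tool, classification, pia)
        reasons[reason] += 1
        allowed += ok
        if reason == "shadow-ai":
            shadow_tools.add(tool)
    return {"shadow_tools": sorted(shadow_tools), "allowed": allowed,
            "dlp_blocks": sum(n for r, n in reasons.items() if r.startswith("dlp-")),
            "by_reason": dict(reasons)}

# Constructed sample log: (tool, data classification, PIA documented)
SAMPLE_EVENTS = [
    ("enterprise-assistant", "Public", False),
    ("enterprise-assistant", "Restricted", False),   # no PIA: DLP block
    ("enterprise-assistant", "Restricted", True),    # PIA on Approved tool: ok
    ("spreadsheet-ai", "Confidential", False),       # zero-retention: ok
    ("spreadsheet-ai", "Restricted", True),          # Conditional tool: block
    ("consumer-chatbot", "Public", False),           # prohibited tool
    ("new-summariser.example", "Confidential", False),  # shadow AI
]
```

Running `quarterly_summary(SAMPLE_EVENTS)` gives the shadow tool list, the DLP block count and the per-reason breakdown that the quarterly report needs; the unlabelled-data branch shows why sensitivity labels matter for enforcement.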
Data exposure today. Every day without controls, your staff are putting sensitive data into uncontrolled platforms. The data has already left your environment. If a breach is subsequently traced to AI usage, your business faces Privacy Act obligations, client notification, and potential regulatory action.
Compliance scramble tomorrow. When mandatory AI regulation arrives, businesses without existing governance will face a compressed timeline to build what should have been developed over months. The cost of reactive compliance is always higher than proactive governance.
Competitive disadvantage ongoing. Enterprise clients and government agencies are beginning to include AI governance questions in their due diligence and procurement processes — just as businesses without Essential Eight compliance are now excluded from many government tenders.
AI Governance is the foundation tier of our AI services, available to any client with an active Managed IT Services agreement. The approach starts with enforcement — deny-by-default blocking of unsanctioned AI tools, full shadow AI discovery, M365 permissions review, a client-branded AI acceptable use policy, data classification framework, staff awareness training, and the initial technical baseline for enforcement and monitoring.
The ongoing service covers all seven pillars described above, with quarterly governance reviews. Each layer integrates with your existing Microsoft 365 security infrastructure and aligns with ISO 42001, the Australian AI Ethics Principles, and the Privacy Act APPs. For businesses that want to go further, our Managed AI and Custom AI Development tiers add secure AI platforms, cross-platform agent governance, and dedicated engineering capacity.
We published the full cross-platform governance methodology in our free white paper. If you want to understand your current AI exposure, contact us on 1300 EPIC IT to get started.
Epic IT helps Perth businesses develop practical AI governance frameworks that protect your organisation and prepare you for upcoming regulation. Download our free white paper for the full cross-platform governance methodology.
Or call us on 1300 EPIC IT (1300 374 248).