Australia has a framework
for responsible AI.
You just have to use it.

The Australian Government has done the work. The Guidance for AI Adoption, the Voluntary AI Safety Standard, the AI Ethics Principles, the DTA Policy — the frameworks exist, and they are good. The job inside an organisation is harder: translating them into governance that actually holds when AI lands in the building.

AI6: Six essential practices
VAISS: Ten guardrails
DTA · 15 June 2026: Mandatory for Commonwealth
Privacy Act · 10 Dec 2026: ADM transparency

Voluntary guidance is becoming
mandatory practice.

For two years, Australian AI governance was a conversation. Voluntary standards, ethics principles, framework consultations. Most organisations watched.

That conversation is ending. From 15 June 2026, Commonwealth agencies must run AI Impact Assessments, complete foundational training, and appoint Chief AI Officers. From 10 December 2026, every organisation in scope of the Privacy Act must disclose, in its privacy policy, where it uses AI to make substantially automated decisions about people. The Australian Consumer Law penalty for misleading AI claims now sits at $100 million per contravention, and the ACCC has named AI-washing an enforcement priority.

None of these dates were a surprise. They are the predictable end of the consultation period. The organisations that prepared early will find them straightforward. The organisations that did not will discover that AI governance — like privacy, like cyber, like WHS — is not a project. It is a permanent operating capability.

Six layers of Australian AI governance,
working together.

AI governance in Australia is not a single document. It is a layered system — strategic guidance, control standards, ethical principles, government policy, international alignment, and existing law applied to AI. Each layer answers a different question. Together they describe what good looks like.

01 · Strategic
Guidance for AI Adoption (AI6)
Published by the National AI Centre, October 2025. Six essential practices: accountability, understanding impacts, measuring risks, sharing information, testing and monitoring, maintaining human control. The primary reference for organisations using AI in Australia.
National AI Centre · DISR
02 · Control
Voluntary AI Safety Standard (VAISS)
Ten guardrails covering accountability, risk management, data protection, testing, human control, transparency, contestability, supply chain, records, and stakeholder engagement. Integrated into AI6 and used as the detailed control library beneath it.
DISR · September 2024
03 · Ethical
Australian AI Ethics Principles
Eight principles: wellbeing, human-centred values, fairness, privacy and security, reliability and safety, transparency and explainability, contestability, accountability. The ethical foundation that AI6 and VAISS operationalise.
DISR · 2019, current
04 · Government
DTA Policy for Responsible AI
Mandatory for Commonwealth agencies. AI Impact Assessment Tool (12 sections), procurement guidance, foundational training, Chief AI Officer appointments. First mandatory requirements take effect 15 June 2026; full effect December 2026.
Digital Transformation Agency
05 · International
ISO/IEC 42001, 23894 · NIST AI RMF
The international standards Australian frameworks explicitly align with. ISO/IEC 42001 (AI Management System), 23894 (AI Risk Management), and the NIST AI Risk Management Framework. Useful for procurement, certification, and clients with international operations.
Globally recognised
06 · Legal
Existing Australian law, applied to AI
Privacy Act, Australian Consumer Law, anti-discrimination law, Fair Work Act, WHS law, sector regulators (ASIC, APRA, TGA, eSafety), directors' duties. None are AI-specific, all apply. The Government has confirmed Australia will not pass a standalone AI Act in this term.
Technology-neutral
Worth saying plainly
The frameworks are good. The Australian Government, through NAIC and the DTA, has produced governance guidance that is clear, proportionate, and internationally credible. The problem most organisations have is not the framework. It is making the framework operational inside their building.

Three deadlines,
already running.

Most of the Australian AI governance work is still voluntary. These three obligations are not — and they affect different organisations differently. If you are not certain which apply to you, that is the conversation to have first.

Figure: Australian AI regulatory timeline, 2026. Three mandatory milestones across calendar year 2026: ACL penalties doubled on 28 March, DTA requirements taking effect on 15 June, and Privacy Act automated decision-making transparency commencing on 10 December.
Source: ACCC · DTA · OAIC published guidance
28 March 2026
ACL penalties doubled — already in force
Maximum corporate penalty under the Australian Consumer Law rose from $50M to $100M per contravention for the most serious breaches. The ACCC has named AI-washing — misleading claims about AI capabilities — an enforcement priority.
Applies to everyone making AI claims
15 June 2026
DTA mandatory requirements take effect
Mandatory AI Impact Assessments, mandatory foundational AI training for APS staff, mandatory procurement guidance, mandatory Chief AI Officer appointments. Commonwealth agencies first; the direction-setting moment for everyone else.
Commonwealth · sets the floor for suppliers
10 December 2026
Privacy Act ADM transparency
Under amended APP 1.7–1.9, organisations must disclose in their privacy policies where computer programs make substantially automated decisions that significantly affect individuals. OAIC guidance is being released progressively through 2026.
Most organisations using AI in decisions
Field Guide · 2026

Clarity in Complexity

A field guide to AI governance in Australia — and the work of making the frameworks operational.

  • Seven layers of Australian AI governance, mapped
  • The three obligations already running in 2026
  • A five-phase engagement model you can adapt
64 pages · ~45 min · Free PDF
Why our advice holds

Most consultants will read you the framework.
I have run the kind of business it was written for.

Ryan Ballantyne · Founder, Contxtyfy

Before Contxtyfy, I co-founded Canngea and ran it as Managing Director: a licensed medicinal cannabis manufacturer and distributor I built from the ground up inside one of Australia’s most heavily regulated industries.

We navigated TGA licensing, built pharmaceutical-grade manufacturing systems, and managed the operational complexity of a supply chain that could not afford mistakes. Compliance was not a slide deck. It was the licence to operate.

That experience is the lens I bring to AI governance. AI6, VAISS, the DTA Policy, ISO/IEC 42001 — they describe the same kind of system I lived inside at Canngea: named accountability, documented controls, risk registers that are actually used, vendor obligations that hold, and an audit trail that survives external scrutiny. None of that is theory to me.

What I know that most consultants don’t: governance documents are easy to write and hard to land. A policy that staff don’t follow, a register that nobody updates, a risk assessment that lives in a folder — these are worse than nothing, because they create the illusion of control. Real governance is operational. The job is not to write the policy. The job is to make the policy true.

Operational depth: Managing Director, Canngea. TGA-licensed pharmaceutical manufacturer built from the ground up
Scale background: ALDI Australia. Operations and supply chain at national scale
Strategic foundation: MBA, University of Sydney. Business School · strategy and finance

A methodology grounded
in named sources.

Every recommendation we make traces to an authoritative reference — Australian or international. We do not give advice that we cannot ground. The five engagement phases below map directly to the six AI6 essential practices, the ten VAISS guardrails, and the legal obligations that apply to your organisation.

01

Discovery and scoping

Stakeholder interviews. AI footprint mapping — including the systems nobody talks about. Jurisdictional and legal profile. A baseline maturity score that reflects the real state of the building, not the aspirational version.

Outputs: AI footprint map · jurisdictional profile · maturity baseline · engagement scope
02

Governance foundation

The infrastructure that makes everything else durable. AI Use Policy, the people who own it, the AI System Register that tracks what is actually in use, supply chain accountability, and the training plan that keeps it current.

Outputs: AI Use Policy · governance structure · AI System Register · supply chain map · training plan
03

Risk and impact

Per-system risk assessments. AI Impact Assessments for high-risk systems, aligned with the DTA's 12-section tool. A consolidated risk register that connects to your existing GRC framework — not a parallel document that nobody opens.

Outputs: Risk assessments · impact assessments · risk register · priority risk briefing
04

Implementation and controls

Vendor evaluation. Testing standards. Human oversight design. Contestability for ADM systems. Contract provisions that hold. Change management — because governance you announce by email is governance that does not happen.

Outputs: Vendor reports · testing standards · oversight plans · contestability · contract provisions
05

Assurance and sustained governance

The cycle that keeps governance current. Monitoring, incident management, audit programme, regulatory change tracking, board reporting. The work that converts governance from a project into a permanent operating capability.

Outputs: Monitoring · incident process · audit programme · regulatory tracking · board reporting
Anchored in
Guidance for AI Adoption (AI6) — six essential practices, National AI Centre, October 2025
Control set
Voluntary AI Safety Standard — ten guardrails, DISR
Ethical foundation
Australian AI Ethics Principles — eight principles, DISR
Government baseline
DTA Policy for Responsible AI · National Framework for the Assurance of AI in Government · sector regulator positions
International standards
ISO/IEC 42001:2023 AI Management System · ISO/IEC 23894:2023 AI Risk Management · NIST AI RMF 1.0
Legal anchors
Privacy Act 1988 (including ADM provisions, December 2026) · Australian Consumer Law · anti-discrimination law · Fair Work Act · WHS law (including the NSW Digital Work Systems Act 2026 where applicable) · directors' duties · sector-specific obligations

Governance you can
actually defend.

A Contxtyfy engagement does not end with a slide deck. You leave with a working set of governance artefacts — AI Use Policy, AI System Register, AI Risk Register, AI Impact Assessments for your high-risk systems, vendor evaluation reports, an incident management process, and a board reporting cadence — every one of them grounded in a named Australian framework and ready to stand up to a regulator, a board, or a procurement question.

And because the regulatory landscape is moving — VAISS v2 in consultation, the NSW Digital Work Systems Act commencement pending, OAIC ADM guidance arriving through 2026 — the work includes the mechanism to keep your governance current after we leave. That is the difference between a project and a capability.

If you are working out where AI fits, what it will cost your people,
and how to move without breaking what already works —

That is the conversation we are built for. A discovery call is exactly what it sounds like: a two-way conversation to find out if there is a fit. No pitch deck, no obligation.