Australia AI Governance — Regulatory Landscape

Tier 1 — National Framework

National AI Plan 2025

Released December 2025 · Department of Industry, Science and Resources

🚀 Capture the Opportunity Sovereign compute access · Industry AI investment · Research & development · AI workforce strategy · Next Generation Graduates

🌏 Spread the Benefits Regional AI adoption · Small business support · Social sector access · Public service AI uplift · APS AI Plan 2025

🛡 Keep Australians Safe AI Safety Institute (est. 2026) · Voluntary AI Safety Standard (10 guardrails) · Existing law enforcement · International cooperation

Tier 2 — Governance Architecture

🏛 Australian AI Safety Institute (AISI)

Announced November 2025 · Rolling out from early 2026. Tests and evaluates advanced AI systems · Coordinates with sector regulators · Shares risk intelligence with government · Advises on safety measures and regulatory frameworks

Status: Developing · Not yet mandatory

📋 Voluntary AI Safety Standard — 10 Guardrails

Released 5 September 2024. Accountability · Risk management · Data governance · Security · Human oversight · Transparency · Contestability · Supply chain · Record-keeping · Testing

Status: Voluntary · No mandatory AI Act

Tier 3 — Sector Regulators (apply existing laws to AI)

APRA

Australian Prudential Regulation Authority

Sectors: Banking, Super, Insurance
Key: CPS 230 (in force Jul 2025)
Focus: Operational risk, technology dependencies
Mandatory

ASIC

Securities & Investments Commission

Sectors: All corps, AFS licensees
Key: Corps Act s180, s912A
Focus: Director duty of care, AI governance
Mandatory

TGA

Therapeutic Goods Administration

Sectors: Healthcare
Key: Therapeutic Goods Act s41BD
Focus: AI as Software as a Medical Device
Mandatory

ACCC

Competition & Consumer Commission

Sectors: All consumer-facing
Key: Australian Consumer Law s18
Focus: Misleading AI outputs, pricing AI
Mandatory

OAIC

Australian Information Commissioner

Sectors: All APP entities
Key: Privacy Act; ADM transparency Dec 2026
Focus: Personal data in AI
Mandatory

CISC / ASD

Cyber & Infrastructure Security Centre

Sectors: Energy, Telco, Water, Health, Finance
Key: SOCI Act 2018; Cyber Security Act 2024
Focus: AI in operational technology
Mandatory

ACMA

Communications & Media Authority

Sectors: Telco, Media
Key: Telecommunications Act; Spam Act
Focus: Outbound AI calling, network AI
Mandatory

eSafety

Office of the eSafety Commissioner

Sectors: Media, Tech, Social platforms
Key: Online Safety Act 2021
Focus: AI-generated content, deepfakes
Mandatory

Tier 4 — Cross-Sector Baseline (applies to ALL organisations)

Every Australian organisation faces these three obligations — the universal floor

Corporations Act 2001 — s180 Duty of Care

Directors must exercise reasonable care and diligence. AI governance is within scope. Technology governance cannot be delegated. Enforced by ASIC.

Privacy Act 1988 — APPs + ADM Transparency

All APP entities must comply with Australian Privacy Principles. From 10 December 2026: organisations must disclose when automated processes make decisions. Enforced by OAIC.

Australian Consumer Law — s18 Misleading Conduct

AI-generated pricing, recommendations and advice must not be misleading. Penalties up to $50M or 30% of turnover. Enforced by ACCC.

Tier 5 — Industry Applicability Matrix

Industry

APRA CPS 230

ASIC

TGA SaMD

ACCC

Privacy ADM

SOCI Act

ACMA

eSafety

Banking & Financial Services

●

–

●

–

Superannuation

●

–

◐

●

–

Insurance

●

–

●

–

Healthcare & Hospitals

–

●

–

●

–

Aged Care

–

●

◐

–

●

–

Energy & Utilities

–

●

–

◐

●

–

Telecommunications

–

●

–

●

–

Resources & Mining

–

●

–

◐

–

Retail & E-Commerce

–

●

–

●

–

Professional Services

–

●

–

●

–

Education

–

◐

–

●

–

Federal & State Government

–

●

◐

–

Media & Technology

–

●

–

●

–

◐

●

Transport & Logistics

–

●

–

◐

–

● Mandatory — in force, active scrutiny

◐ Partial — applies in specific circumstances

– Not applicable