For years, AI regulation in Australia was a topic for policy papers and academic conferences. Something that was coming eventually, but not something most businesses needed to worry about right now.

That’s changed. The federal government has moved from discussion to action, and the regulatory landscape is taking shape faster than many expected.

The Current State of Play

Australia doesn’t yet have a comprehensive AI-specific law like the EU’s AI Act. But it’s heading in that direction. The Department of Industry, Science and Resources released its voluntary AI safety standard in 2024, and subsequent policy announcements have signalled that mandatory requirements are likely within the next 12 to 18 months.

The voluntary standard covers ten guardrails, including transparency, accountability, human oversight, and testing for fairness and bias. It’s not legally binding, but it provides a clear preview of what mandatory regulation will probably look like.

State governments are moving too. New South Wales has published its own AI governance framework for public sector use, and other states are developing similar policies. If you’re doing business with government at any level, these frameworks already affect you.

What’s Likely Coming

Based on the government’s public consultations and the direction of international regulation, here’s what Australian businesses should expect:

Risk-based classification. Similar to the EU approach, AI systems will likely be categorised by risk level. High-risk applications — healthcare diagnostics, hiring decisions, credit assessments — will face stricter requirements than low-risk ones like spam filters or recommendation engines.

Transparency obligations. If you’re using AI to make decisions that affect people, you’ll likely need to tell them. That means disclosing when AI is being used, explaining how it works at a general level, and providing mechanisms for people to challenge automated decisions.

Impact assessments. For high-risk AI systems, expect a requirement to conduct and document impact assessments before deployment. This means evaluating potential harms, testing for bias, and demonstrating that you’ve considered the system’s effects on different groups.

Record-keeping. You’ll need to maintain records of your AI systems — what they do, what data they use, how they were tested, and how they’re monitored. This is about auditability. If something goes wrong, regulators will want to see your documentation.

What This Means Practically

If your business uses AI in any meaningful way — and increasingly, most do — here’s what you should be thinking about now:

Know What You’ve Got

Start with an inventory. What AI systems does your organisation use? Include everything from machine learning models you’ve built internally to AI features embedded in third-party software. That chatbot on your website? The AI scoring in your CRM? The automated resume screening in your HR platform? All of it counts.

Many organisations are surprised by how much AI they’re already using once they start cataloguing it. Shadow AI — tools adopted by individual teams without central oversight — is particularly common.

Assess the Risk

Not all AI applications carry the same risk. A tool that recommends blog topics is very different from one that decides who gets a loan. Map your AI systems against the likely risk categories and focus your governance efforts on the high-risk ones first.

The OECD’s AI classification framework is a useful starting point for thinking about risk levels, even though Australia’s specific categories may differ.

Build Documentation Habits Now

Don’t wait for regulation to become mandatory before you start documenting your AI systems. If you build the habit now, compliance will be straightforward when requirements kick in. If you scramble to retrofit documentation after the fact, it’ll be painful and expensive.

For each AI system, document:

• Its purpose and scope
• The data it uses (and where that data comes from)
• How it was tested and validated
• Who’s responsible for monitoring it
• How people can raise concerns or request reviews

Talk to Your Vendors

If you’re using AI through third-party software, you need to understand what those vendors are doing. Are their models tested for bias? Do they provide transparency about how decisions are made? Can they supply the documentation you’ll need for compliance?

Some vendors are well ahead of this. Others aren’t. It’s worth asking the questions now rather than discovering gaps when regulation arrives.

The Opportunity in Getting Ahead

Here’s the thing about regulation: it’s coming regardless of what any individual business thinks about it. The companies that prepare early will have an advantage. They’ll build trust with customers who increasingly care about responsible AI. They’ll avoid the scramble that catches unprepared organisations off guard. And they’ll be better positioned to adopt AI confidently, knowing they’ve got proper governance in place.

Don’t Panic, But Don’t Ignore It

AI regulation isn’t something to fear. It’s a natural maturation of the technology’s role in society. Just as we regulate how companies handle personal data, financial transactions, and workplace safety, regulating AI is a logical next step.

The key is to treat it as an operational priority, not a legal afterthought. Start mapping your AI usage now. Build governance habits. Engage with the policy process — the government is actively seeking industry input.

The organisations that’ll struggle most aren’t the ones using AI. They’re the ones using AI without knowing what they’ve got, how it works, or what happens when it goes wrong. Don’t be one of them.