Australia's AI Regulation: From Wait-and-See to Lead-by-Example?

From reactive to proactive

For years, Australia took a cautious “wait and see” approach to AI. The 2019 Robo-debt crisis was a hard lesson: automated decision-making without ethical, human-centric foundations has no place in government.

Early measures were voluntary: DISR's AI Ethics Principles (November 2019) and Australia's commitment to the OECD AI principles (May 2019). Useful framing, but voluntary guardrails leave businesses uncertain about liability, which slows responsible innovation.

Despite the surge in generative AI after ChatGPT launched in 2022, the Senate Select Committee on Adopting AI did not release its final report until late 2024. The pace then picked up sharply through 2024–25 with the National Framework for the Assurance of AI in Government and the mandatory DTA Policy, followed in early 2026 by the Australian AI Safety Institute (AISI), set up to monitor frontier models and advise regulators before harm materialises.

Securing the ‘backyard’ before the nation

National regulation for the private sector is still slow-moving. AI use across the economy runs on a patchwork of technology-neutral laws, including the Privacy Act, the Copyright Act and the Australian Consumer Law, rather than a unified AI Act.

But the APS appears to be moving faster to secure its own use of AI than the government is to regulate AI for the rest of the nation.

The APS AI Plan 2025 is built on Trust, People, and Tools. The DTA Policy for Responsible Use of AI in Government (v2.0) became mandatory in December 2025. Agencies must now appoint Chief AI Officers, complete AI impact assessments, and publish a strategic position on AI adoption. GovAI is being tested to provide a secure, sovereign generative AI tool for the APS which keeps sensitive data inside Australian infrastructure.

AI supply chain risk

AI systems introduce supply chain risks that traditional systems don't, including:

  • Data poisoning: malicious modification of training data so that a model produces biased or harmful outputs

  • Training data extraction: sensitive information memorised during training being recovered from a model's outputs, a risk that extends to third-party pre-trained models fine-tuned on your own data

  • Data drift: AI performance degrading as real-world data shifts away from what the model was trained on; not an attack, but it silently erodes the assurance case for a deployed system

To protect national interests, PROTECTED-level information must remain within Australian infrastructure, under government control.

So what does all this mean for the rest of us? Do we need to prepare for compliance requirements? And why are Australian companies already being asked to sign contracts requiring compliance with the EU AI Act?

Insights from the European Union (EU)

The EU AI Act is horizontal and risk-based, applying to anyone whose AI touches the EU market regardless of where they are headquartered. It prohibits practices that threaten Union values (e.g. subliminal techniques causing physical or psychological harm) and imposes mandatory requirements on high-risk systems affecting health, safety, or fundamental rights, including:

  • Data quality: using high-quality, representative data, free of errors to prevent biased or discriminatory outcomes

  • Transparency: providing clear instructions so users understand how the AI works and its limitations

  • Human oversight: designing the system so it can be monitored and overridden by humans

  • Technical standards: ensuring the system is accurate, robust and resilient to cyber-attacks

  • Record keeping: automatic generation of logs for audit

High-risk classification turns on intended purpose and modality of use, not just function. And the Act actively supports innovation through regulatory sandboxes. The lesson for Australia: a horizontal model gives certainty to providers and a clear sovereignty floor, which are both gaps in the current Australian regulatory patchwork.

There are strict compliance requirements and penalties for non-compliance. AI developers need to watch these obligations when negotiating contracts and start preparing their own backyard to demonstrate compliance if they want to play in this space.

Lessons from the US patchwork

The US has no single federal AI statute. California and Colorado now drive binding regulation, with strict mandates on frontier models and high-risk systems. The FTC, EEOC, and FDA each apply their own rules. The draft TRUMP AMERICA AI Act (March 2026) would preempt this with a federal liability and audit framework, but it isn't law yet. The cautionary tale: fragmented enforcement creates compliance overhead without delivering sovereignty protection.

Partnerships

Australia is building international relationships. An MOU with the UK draws on the UK AI Security Institute's expertise to evaluate emerging risks. In April 2026, Australia signed an MOU with Anthropic, a frontier AI developer, covering safety research, technical exchanges with AISI, and the economic impacts of AI. Anthropic's models are shaped by a published constitution, a set of values the company develops and works by, with the intent that its AI 'acts well in the world'.

So, what next?

Regulators including ASIC, APRA, ACMA and the ACCC are calling out AI risks across governance, accountability, operations, cybersecurity, and supply chains while the government builds AI in its own backyard. Private sector companies, meanwhile, are waiting to see what compliance requirements emerge from changes to the current patchwork of technology-neutral laws.

There is no Australian AI Act on the horizon, but companies should be aware that contracts to provide ICT services to government are already starting to require compliance with the EU AI Act. In particular, some include an express contractual provision that the supplier will not employ practices that would infringe the prohibitions in the EU AI Act.

Companies building or buying AI, or technology that incorporates AI, should build their compliance framework now. This framework should cover risk management, data governance, technical resilience and documentation, record management, human oversight, cybersecurity and assurance across the full AI supply chain.

The businesses that build compliance into their workflows now will be the ones operating confidently when AI regulation, or a contract that imports it, catches up with them.

Beyond the APS backyard, the government could look to the EU AI Act’s framing of prohibited and high-risk AI, particularly as we start seeing AI agents that can affect critical infrastructure, law enforcement, and access to essential health services. Patchwork legislative fixes won't be sustainable forever in a space moving this fast.
