Back to all articles
Insight · 23 March 2026 · 8 min read

AI Governance Is Coming to Australia. Here's How to Prepare Without Paralysis.


Riverstone Team

Riverstone Labs

Desk calendar showing December 2026 deadline for AI governance compliance


10 December 2026 is nine months away. From that day, every business covered by the Privacy Act that uses automated systems to make decisions about customers, employees, or suppliers must disclose in its privacy policy the kinds of personal information those systems use and the kinds of decisions they make, or face penalties of up to $50 million.

Most business owners I speak with don't know this deadline exists. I didn't either until I reviewed the legislation in January while preparing for a client engagement. They're busy deploying AI to speed up hiring, simplify credit checks, or automate customer onboarding. They've heard about EU regulations and wondered if Australia will follow. It already has. The Privacy and Other Legislation Amendment Act 2024 passed in December 2024 with minimal fanfare, embedding automated decision-making disclosure requirements into law.

This isn't a theoretical compliance exercise. I've seen what happens when audits arrive without warning. When a customer disputes an AI-influenced decision, and they will, you need an audit trail. The businesses that treat governance as operational discipline, not legal checkbox, will outperform those scrambling to comply at the deadline.

The Deadline is Real

The Privacy Act reforms create what I read as three new obligations under APP 1.7-1.9. The OAIC hasn't published detailed guidance yet, so I'm interpreting the legislation as written. From 10 December 2026, your privacy policy must include:

  • The kinds of personal information your systems use to make decisions
  • Which decisions are made entirely by computer programs
  • Which decisions rely substantially on computer assistance

The "computer program" definition is deliberately broad. It captures rule-based automation, not just AI. If you use an algorithm to score loan applications, a script to flag suspicious transactions, or even a sophisticated Excel macro that influences hiring decisions, it likely qualifies.

The trigger is a decision that "could reasonably be expected to significantly affect the rights or interests of an individual." I'm still not entirely sure where the line falls between "significant" and routine administrative decisions; the legislation leaves room for interpretation. The examples the legislation itself gives are granting or refusing a benefit, decisions affecting an individual's rights under a contract or arrangement, and decisions affecting access to a significant service or support. Employment screening and credit assessments sit squarely within those categories.

Who does this cover? APP entities: businesses with annual turnover over $3 million, all private health providers, and some others. The small business exemption still applies for now, but "Tranche 2" reforms expected in 2026-2027 may remove it, bringing 2.3 million additional businesses under the Act.

Penalties have teeth. Serious breaches can attract fines up to $50 million, three times the benefit obtained, or 30% of turnover during the breach period. Since June 2025, individuals can also sue directly for serious privacy invasions through a new statutory tort, with no need to prove financial damage first.

Most Businesses Are Underprepared

In my work reviewing automation systems for mid-sized businesses, here's what I typically find: a credit assessment tool that pulls data from five sources, applies proprietary scoring, and rejects 15% of applicants. When I ask "Can you show me exactly what data influenced this specific rejection?" Silence. The system works. Until it doesn't, and someone asks why.

The gap between "we use AI" and "we can explain how decisions are made" is massive. I see this in almost every audit I conduct. Most AI deployments in Australian SMEs have zero documentation. Not because owners don't care, but because nobody told them documentation was required. They bought a tool, integrated it, and moved on.

Common scenarios that trigger disclosure obligations include customer onboarding systems that check eligibility automatically, credit and insurance algorithms that score risk, employment tools that screen resumes or rank candidates, fraud detection that blocks transactions, and automated triggers that terminate or downgrade services.

The Robodebt Royal Commission taught us what happens when automated decision-making lacks transparency. I suspect we're only seeing the beginning of similar cases as AI adoption accelerates. The legislation that follows reflects those lessons. I'm not sure the regulators appreciate how many existing systems will need retroactive documentation.

Governance is Risk Management

Compliance is the floor, not the ceiling. In my view, the businesses that will thrive aren't those with the most elaborate governance frameworks; they're the ones with operational discipline.

Consider what happens when a customer disputes a decision. Without documentation, you're reconstructing events from system logs while a complaint escalates. With proper governance, you pull the decision record, explain the factors, and either defend the outcome or identify where the system erred. The former takes days and damages trust. The latter takes minutes and demonstrates competence.

The Australian AI Safety Institute became operational in early 2026 with $29.9 million in funding. It provides guidance on AI opportunity, risk, and safety, but has no enforcement power. The "teeth" remain with existing regulators: the OAIC for privacy, the ACCC for consumer protection, and sector-specific bodies like ASIC for financial services.

Australia isn't getting an EU-style AI Act. Instead, we're layering AI obligations onto existing laws. Anti-discrimination laws make you liable for biased AI outcomes regardless of intent. Consumer law lets the ACCC pursue "AI-washing": misleading claims about AI capabilities. Copyright law has no carve-out for AI training data. The regulatory environment is complex precisely because it's distributed across multiple frameworks.

Four Steps to Prepare

You don't need an enterprise governance board. You need visibility, documentation, and a review process. Here's how to get there in the time remaining.

Step 1: Inventory (This Week)

List every system that influences decisions about people. Be thorough. Include official AI tools like customer scoring and chatbots, the "shadow AI" of employee ChatGPT subscriptions and departmental tools, rule-based systems that predate your AI investments, and even Excel models or database scripts that apply logic to personal data.

Ask each department: "Where do you use systems to make or support decisions about customers, applicants, or suppliers?" You'll be surprised what surfaces.

Step 2: Map Data Flows (Weeks 2-3)

For each system, document what personal information enters it, what decisions it influences, whether it's fully automated or human-assisted, and whether outcomes could significantly affect individuals.

Don't overthink the "significant effect" test. If a decision affects someone's access to a service, their employment, their creditworthiness, or their legal rights, it qualifies. When in doubt, include it.

Step 3: Document (Weeks 4-6)

Update your privacy policy with the required disclosures. The legislation asks for the "kinds of" personal information and the "kinds of" decisions, not an entry for every single model. A section titled "Automated Decision-Making" that lists decision categories and data types suffices.

Create an internal AI Governance Register. Simple spreadsheet:

System           | Decision Type     | Data Inputs                         | Automation Level | Human Review          | Last Reviewed
-----------------|-------------------|-------------------------------------|------------------|-----------------------|--------------
Credit scoring   | Loan approvals    | Financial history, application data | Fully automated  | Appeals only          | March 2026
Resume screening | Candidate ranking | CV content, application answers     | Assisted         | Hiring manager review | March 2026

Start with what you have. Perfect is the enemy of compliant.

Step 4: Establish Review Process (Ongoing)

Designate someone responsible for governance oversight. It doesn't need to be a full-time role, but it needs a name attached. Create a process for handling disputes: when someone questions an automated decision, who reviews it, how do they access the relevant records, and what's the timeline?

Test your explanation capability. Pick a recent automated decision and explain it in plain English. If you can't, your documentation needs work.

Set an annual review cycle. Systems change, data sources evolve, new tools get adopted. Governance is maintenance, not installation.
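What the register and the dispute process both depend on is a decision record that captures, per decision, the personal information actually used, which rules fired, and the outcome, so that "what data influenced this specific rejection?" has an answer in minutes rather than days. The following is an added example, not code from this article or from any real scoring product: a hypothetical rule-based loan scorer that writes a tamper-evident, append-only decision log and an explain function that reconstructs a plain-English account of any decision from the record alone. The rules, thresholds, field names and the applicants are all constructed for illustration.

```python
"""Decision-record audit trail for an automated decision (added example).

Hypothetical rule-based eligibility scorer. The rules, thresholds, field
names and applicant data are constructed for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Hypothetical rules: (rule name, input field used, predicate, points if met)
RULES = [
    ("min_income", "annual_income", lambda v: v >= 40_000, 40),
    ("no_recent_default", "defaults_last_5y", lambda v: v == 0, 35),
    ("employment_tenure", "months_employed", lambda v: v >= 12, 25),
]
APPROVE_THRESHOLD = 60  # hypothetical cut-off


@dataclass
class DecisionRecord:
    decision_id: str
    system: str              # register "System" column
    decision_type: str       # register "Decision Type" column
    automation_level: str    # "fully automated" or "assisted", as in the register
    subject_ref: str         # internal reference, not the applicant's identity
    inputs: dict             # the personal information the decision actually used
    rule_results: list       # one entry per rule: value seen, met or not, points
    score: int
    outcome: str
    timestamp: str
    prev_hash: str
    record_hash: str = ""


class DecisionLog:
    """Append-only log; each record commits to the previous one (hash chain)."""

    def __init__(self):
        self.records: list[DecisionRecord] = []

    @staticmethod
    def _hash(rec: DecisionRecord) -> str:
        body = {k: v for k, v in asdict(rec).items() if k != "record_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, rec: DecisionRecord) -> DecisionRecord:
        rec.prev_hash = self.records[-1].record_hash if self.records else "0" * 64
        rec.record_hash = self._hash(rec)
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """False if any record was altered or removed after it was written."""
        prev = "0" * 64
        for rec in self.records:
            if rec.prev_hash != prev or self._hash(rec) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def get(self, decision_id: str) -> DecisionRecord:
        return next(r for r in self.records if r.decision_id == decision_id)


def score_application(log: DecisionLog, decision_id: str, subject_ref: str,
                      applicant: dict) -> DecisionRecord:
    """Apply RULES to one applicant and write the full decision record."""
    results, score = [], 0
    for name, field_name, predicate, points in RULES:
        value = applicant[field_name]
        met = bool(predicate(value))
        score += points if met else 0
        results.append({"rule": name, "field": field_name, "value": value,
                        "met": met, "points": points if met else 0})
    outcome = "approved" if score >= APPROVE_THRESHOLD else "rejected"
    rec = DecisionRecord(
        decision_id=decision_id, system="credit-scoring", decision_type="loan approval",
        automation_level="fully automated", subject_ref=subject_ref,
        inputs={f: applicant[f] for _, f, _, _ in RULES},  # only fields the rules read
        rule_results=results, score=score, outcome=outcome,
        timestamp=datetime.now(timezone.utc).isoformat(), prev_hash="")
    return log.append(rec)


def explain(log: DecisionLog, decision_id: str) -> str:
    """Plain-English account of a decision, built only from its record."""
    rec = log.get(decision_id)
    lines = [f"Decision {rec.decision_id}: {rec.decision_type} {rec.outcome} "
             f"(score {rec.score}, threshold {APPROVE_THRESHOLD}, {rec.automation_level})."]
    for r in rec.rule_results:
        status = "met" if r["met"] else "NOT met"
        lines.append(f"- {r['rule']}: {r['field']}={r['value']} {status} (+{r['points']})")
    return "\n".join(lines)


if __name__ == "__main__":
    log = DecisionLog()
    score_application(log, "D-1", "subj-1",
                      {"annual_income": 50_000, "defaults_last_5y": 1, "months_employed": 6})
    print(explain(log, "D-1"))
    print("chain intact:", log.verify_chain())
```

The record stores the inputs the rules actually read and the per-rule result, not just the final score, which is what turns a rejection into an explainable one. The hash chain is a cheap way to show a complainant or regulator that records were not edited after the fact; it is not a substitute for access control on the log itself.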

The Real Competitive Advantage

Businesses that get this right will move faster with AI than those operating in regulatory uncertainty. They'll have customer trust because they can explain their decisions. They'll pass due diligence when investors or partners ask about AI governance. They'll avoid the operational chaos of retrospective compliance.

The alternative isn't pretty. Wait until December, then scramble to understand what you've built without documentation. Hope no disputes arise before you're ready. Accept that you'll be learning governance under pressure rather than by design.

Nine months is enough time if you start now. The first step, simply knowing what systems you have, is achievable this week.


Book a free 15-minute assessment. We'll review your current setup and identify what needs documentation before the December deadline.

The legislation isn't going to wait. Neither should you.



Tags: ai, governance, compliance, privacy-act, australia
