In September 2024, the Federal Government proposed ten mandatory AI rules for high-risk settings. By December 2025, the proposal was reversed in favour of “technology-neutral” regulation.
Technology-neutral does not mean fewer rules. It means every existing law still applies to your AI system, and one of those laws now carries a hard deadline.
On 10 December 2026, new transparency rules under the Privacy Act commence. If you’re building or adopting AI in a regulated environment, this date is critical.
The National AI Plan
The plan is built around three goals — capturing the opportunities, spreading the benefits, keeping Australians safe — each supported by three pillars covering infrastructure, capability, public services, workforce, regulation, and international engagement.
The government has committed A$29.9 million to stand up the AI Safety Institute (AISI) in early 2026, with a brief to monitor, test, and share information on emerging AI capabilities, risks and harms. A new “AI Accelerator” round of the Cooperative Research Centres program is on the way. The government also released the Guidance for AI Adoption (GfAA) — a voluntary framework — and signalled tighter expectations for data centres as critical national infrastructure, alongside multi-billion-dollar commitments from Microsoft, Amazon, and Firmus.
The plan itself contains no AI-specific legislation, no mandatory guardrails, and no timeline for either. It relies on existing laws, supplemented with targeted reforms where gaps emerge.
Technology-Neutral in Practice
Seven distinct regulatory layers already apply to your AI system, often at the same time. Here is what each layer is, and the one thing it may change about how you build.
Privacy Act 1988
Australia’s primary information privacy regime, enforced by the OAIC. It already covers personal information used by AI systems for collection, use, disclosure, and access. From 10 December 2026, new automated decision-making transparency obligations sit on top of it.
Australian Consumer Law
The ACL prohibits misleading or deceptive conduct and unconscionable conduct. The law makes no distinction between a human agent, a chatbot, or a recommendation engine — if your AI output misleads a consumer, the entity that deployed it is on the hook.
Hallucinations are not a technical curiosity from a regulator’s perspective. They are a product representation, and the company supplying the product owns them.
APRA CPS 230
In force since 1 July 2025 for all APRA-regulated entities (banks, insurers, super funds). CPS 230 does not carve out AI: a model that sits inside a critical operation is operational risk to be managed under the standard, not an IT concern to be delegated.
If your business is APRA-regulated and you rely on a third-party AI service, that vendor is now in scope of your CPS 230 service provider obligations. Standard SaaS due diligence is not enough.
ASIC
In October 2024, ASIC published REP 798, "Beware the gap". The finding: Australian Financial Services (AFS) and credit licensees are adopting AI faster than they are governing it. Financial services must still be provided "efficiently, honestly and fairly", and directors remain accountable for the outcome, model or no model.
An AI decision you can’t explain is a governance problem, not a tech one.
Therapeutic Goods Administration (TGA)
If your AI helps make a clinical decision, the TGA will generally regulate it as a medical device (software as a medical device). That includes diagnostic tools, AI scribes that suggest diagnoses, and image analysis. Updated guidance landed in February 2026, and the TGA is now actively pursuing non-compliant products.
"We just plugged in an LLM" does not get you out of medical device rules. If your AI influences clinical care, it generally has to be included in the Australian Register of Therapeutic Goods (ARTG) before you can supply it in Australia, unless a specific exemption applies. Check the exemption before you rely on it.
Online Safety Act
The eSafety Commissioner has registered industry codes that already apply to generative AI, including obligations on developers and distributors to mitigate the risk of CSAM and pro-terror content.
If you ship a generative AI product to consumers, you have eSafety obligations today.
Guidance for AI Adoption (GfAA)
Released October 2025, replacing the Voluntary AI Safety Standard. Voluntary in name, increasingly mandatory in practice.
Federal government procurement teams and large enterprises are starting to require GfAA compliance in their vendor assessments — meaning if you want to sell to government or big corporates, you’ll need to demonstrate it.
Changes on 10 December 2026
The Privacy and Other Legislation Amendment Act 2024 adds new clauses (APP 1.7 to 1.9) to Australian Privacy Principle 1.
From that date, your privacy policy must disclose two things: the kinds of personal information your automated systems use to make decisions, and the kinds of decisions those systems make. The trigger is a decision that could reasonably be expected to significantly affect an individual's rights or interests, whether the system makes it outright or does something substantially and directly related to making it.
Two things to know. First, the rules attach to the decision, not the system: if your model was built three years ago and you make a decision with it on 11 December 2026, the rules apply. There is no grandfather clause. Second, the OAIC isn't waiting for the deadline; it started its first proactive compliance sweep in January 2026, targeting around 60 organisations.
To be ready, you need three things most companies don’t have today: a complete inventory of every system that makes or supports decisions about people, data flow traceability for each one, and an updated privacy policy before the deadline.
Steps to take now
1. Build an AI inventory. Every system in your business that uses AI — internal tools, customer-facing features, third-party SaaS with AI baked in. One central inventory, with a single nominated owner. If you can’t list it, you can’t govern it.
2. Run each one against the three-condition test. Does it make a decision, or do something substantially and directly related to making one? Could that decision reasonably be expected to significantly affect someone's rights or interests? Does it use personal information? If yes to all three, that system is in scope for the December 2026 rules.
3. Commission a privacy policy gap review. Get legal advice on your current policy. Most policies written before 2024 will not pass.
4. If you’re in financial services, healthcare, or government, layer the sector overlay. Pull APRA CPS 230 (banks, insurers, super), ASIC REP 798 (AFS and credit licensees), or TGA guidance (anything clinical). Your obligations are heavier.
5. Move AI governance from “future problem” to “current quarter.” It is not a 2027 issue. The OAIC compliance sweep already started in January 2026.
There is enough time if you start now.
This post is a technology practitioner’s read of Australia’s current AI regulatory landscape, not legal advice. The rules cited apply differently depending on your sector, scale, and specific use case. Before making compliance decisions, get advice from an Australian privacy or technology lawyer.
Working through this in your own organisation? I’d be interested to hear what you’re finding. Reach me on LinkedIn here.