Australian AI governance self-assessment (AI6).

AI6 Practice 1 (Accountability) requires clear organisational accountability for AI — a named person with defined responsibility, not a committee. This is the starting point for all other governance.

You cannot govern what you cannot see. An AI inventory is the foundation of all other governance measures.

AI6 Practice 2 (Risk Management) requires identifying, assessing, and mitigating AI risks proportionate to the risk level — high-risk AI applications require more rigorous processes.

Guardrail 4 requires human oversight appropriate to the context and risk level. For high-risk AI decisions, meaningful human review is expected.

A documented, communicated policy is fundamental to consistent AI governance. Guardrail 1 and 2 both implicitly require this.

AI6 Practice 5 (Privacy & Data Governance) cross-references Privacy Act obligations. APP 1 requires your privacy policy to address AI use of personal information. From December 2026, a new statutory obligation requires disclosure of substantially automated decisions.

AI6 Practice 4 (Transparency) requires disclosure about AI use. From December 2026, Australian privacy law will require privacy policies to address substantially automated decisions affecting individual rights.

AI6 Practice 4 (Transparency) and Australian Consumer Law require that individuals affected by AI decisions have meaningful explanation and access to human review.

AI6 Practice 6 (Continuous Improvement) requires ongoing monitoring. AI systems degrade over time — monitoring, incident management, and learning from failures are all part of responsible AI governance.

Every organisation deploying AI at scale will eventually experience an AI incident. Not having a plan makes the response slower and more costly.