AIRiskAware

AI governance for Australian boards and directors.

Artificial intelligence has moved from an IT procurement question to a board-level governance issue in Australia. Directors now face concrete, dated obligations across corporations law, prudential regulation and privacy law, and regulators have signalled they will act where oversight falls short. This page sets out, accurately and specifically for Australia, what boards and directors need to understand and do.

Why AI is now a board-level issue in Australia

AI is no longer something a board can leave entirely to management or to vendors. The reason sits in long-standing law: under section 180(1) of the Corporations Act 2001 (Cth), every director must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director of a corporation in the company's circumstances and occupied the same office. Australian courts have framed breach around foreseeable harm: the question is whether an act or omission exposed the company to a foreseeable risk of harm that a reasonable director in that position would have guarded against. A risk counts if it is real, that is, not far-fetched or fanciful.

Applied to AI, the foreseeable-harm framing is direct. Where a company deploys AI in ways that could produce discriminatory outcomes, breach privacy, mislead consumers, generate inaccurate disclosures or disrupt critical operations, those harms are increasingly foreseeable rather than speculative. A board that does not turn its mind to such risks, or that relies uncritically on vendor assurances, may struggle to show it met the standard of care.

Directors do have protection for genuine, informed decisions. The business judgment rule in section 180(2) shields a director who makes a business judgment in good faith for a proper purpose, without a material personal interest, who informs themselves about the subject matter to the extent they reasonably believe appropriate, and who rationally believes the judgment is in the best interests of the corporation. The practical lesson is that the rule rewards a documented, informed process. A board that can show it understood the AI risk, sought appropriate information and made a reasoned decision is in a far stronger position than one that cannot.

What APRA expects of boards

For banks, insurers and superannuation trustees, prudential regulation now sets explicit expectations. On 30 April 2026, the Australian Prudential Regulation Authority (APRA) issued a letter to industry on artificial intelligence, calling for a step-change in AI-related risk management and governance. It set out AI-specific supervisory expectations for boards and senior management, drawn from a targeted review APRA conducted across its regulated industries. The letter is a statement of supervisory expectations rather than a binding prudential standard, though APRA pursues such expectations through supervision. APRA observed strong appetite for AI's benefits but warned of overreliance on vendor presentations and summaries without sufficient examination of key risks such as unpredictable model behaviour and impacts on critical operations.

The letter points to baseline governance arrangements: frameworks (policy, standard, guidance) and reporting lines; clear ownership and accountability across the full AI lifecycle from design through to decommissioning; an inventory of AI tooling and use cases; human involvement and accountability for high-risk decisions; staff training on AI use, misuse and limitations; and active management of the AI supply chain, including material third-party and fourth-party dependencies, with contractual rights to transparency, auditability and assurance.

These expectations sit on top of existing, binding standards. Prudential Standard CPS 230 Operational Risk Management commenced on 1 July 2025 for most APRA-regulated entities, with certain requirements deferred for non-significant financial institutions to 1 July 2026 and transitional arrangements for pre-existing service-provider contracts. CPS 230 requires sound management of operational risk, business continuity for critical operations, and oversight of material service providers, all of which bear directly on AI systems and vendors. Prudential Standard CPS 234 Information Security requires entities to maintain information security capability commensurate with threats, which extends to AI tooling and the data it touches. Across these instruments, accountability runs to the board: APRA expects the board to oversee the framework, not to delegate the question away.

Privacy and automated decision-making

AI systems frequently process personal information and make or support decisions about individuals, which brings the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) into scope. Boards of APP entities should treat privacy as a standing element of AI governance, covering collection, use, disclosure, data quality, security and accountability under the APPs.

A specific, dated obligation is approaching. The Privacy and Other Legislation Amendment Act 2024 (Cth) introduces new transparency requirements for automated decision-making (ADM), with the relevant provisions scheduled to commence on 10 December 2026. From that date, where an APP entity has arranged for a computer program to use personal information to make a decision, or to do something substantially and directly related to making a decision, and that decision could reasonably be expected to significantly affect an individual's rights or interests, the entity must say so in its privacy policy. The disclosure must cover the kinds of personal information used, the kinds of decisions made solely by such programs, and the kinds of decisions where a program does something substantially and directly related to making the decision.

For boards, the practical implications are an obligation to know where ADM is occurring across the business, to update privacy policies before the commencement date, and to ensure the underlying systems actually behave as the policy describes, so that the entity can stand behind what it publishes. This requires an accurate inventory and a process to keep it current as new tools are adopted.

Consumer law, ASIC and ACCC exposure

Beyond prudential and privacy regimes, boards should be alert to economy-wide exposure through the Australian Consumer Law (ACL) in Schedule 2 to the Competition and Consumer Act 2010 (Cth), enforced by the Australian Competition and Consumer Commission (ACCC) and, for financial services, mirrored provisions enforced by the Australian Securities and Investments Commission (ASIC). The prohibitions on misleading or deceptive conduct and on false or misleading representations apply regardless of whether a human or an algorithm produced the conduct.

Two areas warrant particular board attention. First, AI-washing: overstating the capability, role or performance of AI in products, services or corporate disclosures can amount to misleading conduct and, for listed entities, raises continuous disclosure and governance concerns that ASIC has signalled it is watching. Second, automated and AI-assisted consumer interactions, including pricing, recommendations, eligibility and chatbots, can mislead, discriminate or produce unfair outcomes; representations made by these systems are attributable to the company.

Directors should also be conscious of so-called stepping-stone liability, where a company's contravention of the law becomes the foundation for a separate claim that directors breached their own section 180 duty by allowing, or failing to take reasonable steps to prevent, the contravention. This reinforces the value of board-level oversight, documented risk assessment and assurance over AI deployments that touch consumers or markets.

Building the governance system

Effective AI governance is a system, not a single policy. It starts with knowing what you have: a maintained inventory of AI use cases and tools, including embedded AI in third-party software. It assigns a single accountable owner at the executive level and clarifies the board's oversight role and reporting cadence. It sets a clear risk appetite for AI, including categories or uses the entity will not pursue, and tiers use cases by risk so that high-risk decisions receive human involvement and stronger controls.

It is underpinned by an AI policy aligned to existing risk, privacy, security and procurement frameworks, and by assurance: independent testing, validation and audit appropriate to the risk, plus contractual rights to transparency and auditability over vendors. The checklist below translates these elements into concrete actions a board can direct and track.

Board agenda

Ten questions every Australian board should ask

Put these on the agenda. If management cannot answer them with evidence, that gap is the work.

1. Do we have a complete, current inventory of where AI is used across the business, including AI embedded in third-party and vendor software, and who maintains it?

2. Who is the single accountable executive owner for AI risk, and how and how often does the board receive assurance from them rather than from vendors?

3. Have we defined our AI risk appetite, including specific use cases or categories of AI we will not deploy, and has the board approved it?

4. For high-impact or high-risk decisions, where is the human in the loop, and can we evidence meaningful human review rather than rubber-stamping?

5. If APRA-regulated, how does our AI governance respond to the 30 April 2026 APRA AI letter and align with CPS 230 and CPS 234, and where are the gaps?

6. Where in the business is automated decision-making occurring that could significantly affect individuals, and will our privacy policy meet the new transparency requirement by 10 December 2026?

7. What is our exposure to AI-washing, and can we substantiate every public and disclosure-related claim we make about AI capability or performance?

8. How do we manage AI supply-chain risk, including material third-party and fourth-party dependencies, and do our contracts give us transparency, auditability and assurance?

9. What independent testing, validation or audit is performed on material AI systems before and after deployment, and who reviews the results?

10. If a material AI failure occurred tomorrow, do we have an incident response and accountability path, and could we demonstrate that the board exercised due care under section 180?

Checklist

The board AI governance checklist

Ten concrete actions a board can direct and track. Most map directly to the APRA expectations and the directors' duty above.

Establish and maintain a board-visible inventory of all AI use cases and tools, including AI embedded in vendor and third-party systems.

Appoint a single accountable executive owner for AI risk and document the board's oversight responsibilities in the board or committee charter.

Adopt a board-approved AI policy aligned with existing risk, privacy, information security and procurement frameworks.

Define and approve an AI risk appetite statement, including prohibited or restricted uses and a risk-tiering approach for use cases.

Set a regular board or committee reporting cadence on AI risk, with management and independent assurance, not vendor summaries, as the primary inputs.

Require human involvement and clear accountability for high-risk AI-assisted decisions, and document where the human in the loop sits.

Map the AI supply chain and ensure contracts with material providers include rights to transparency, auditability, assurance and incident notification.

Review and update privacy policies and ADM practices ahead of the 10 December 2026 automated decision-making transparency commencement.

Commission independent testing, validation or audit of material AI systems proportionate to their risk, and review the findings at board level.

Confirm AI is integrated into incident response, business continuity and operational resilience plans, and that decisions are documented to support the business judgment rule.

Frequently asked questions

Is AI governance really a board responsibility, or can it be left to management?

It is a board responsibility to oversee, even where day-to-day execution sits with management. Directors owe a duty of care and diligence under section 180(1) of the Corporations Act 2001 (Cth), assessed against foreseeable harm. Where AI risks are foreseeable, a board that fails to turn its mind to them, or relies uncritically on vendors, may not meet the standard. The board role is oversight, accountability and informed decision-making, not necessarily technical detail.

Does the business judgment rule protect directors who make AI decisions?

It can, but only for genuine, informed decisions. Section 180(2) protects a director who makes a business judgment in good faith for a proper purpose, without a material personal interest, who informs themselves to the extent they reasonably believe appropriate, and who rationally believes it is in the best interests of the corporation. The protection rewards a documented, informed process, which is why board records of how AI risks were considered matter.

What does the APRA AI letter require, and who does it apply to?

APRA's letter to industry on artificial intelligence, issued on 30 April 2026, applies to APRA-regulated entities including banks, insurers and superannuation trustees. It calls for a step-change in AI governance and risk management, setting expectations around frameworks and reporting lines, lifecycle ownership and accountability, an AI inventory, human involvement in high-risk decisions, staff training and supply-chain oversight. It is a statement of supervisory expectations and sits alongside binding standards such as CPS 230 and CPS 234.

When do the new automated decision-making transparency rules start?

The transparency requirements for automated decision-making, introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), are scheduled to commence on 10 December 2026. From that date, APP entities that use qualifying automated decision-making affecting individuals' rights or interests must disclose specified information in their privacy policy. Boards should ensure they know where ADM occurs and that policies and systems are ready before commencement, and confirm the final requirements as implementation guidance is released.

What is AI-washing and why should directors care?

AI-washing refers to overstating or misrepresenting the capability, role or performance of AI in products, services or corporate disclosures. It can constitute misleading or deceptive conduct under the Australian Consumer Law and, for listed entities, raise disclosure and governance concerns that ASIC has signalled it is monitoring. Directors should ensure every public claim about AI can be substantiated, and be aware of stepping-stone liability, where a company contravention founds a separate claim of breach of directors' duties.

We are a smaller, non-regulated company. Does any of this apply to us?

Yes, in substance. The directors' duty under section 180 and the Australian Consumer Law prohibitions on misleading conduct apply to companies generally, not only regulated entities. If you handle personal information as an APP entity, the Privacy Act and the upcoming automated decision-making transparency rules can also apply. The prudential standards and the APRA AI letter are specific to APRA-regulated entities, but their governance expectations are a useful benchmark for any board.

This page is general information, not legal advice. It reflects the position as at June 2026 and the law continues to develop. Obtain advice tailored to your entity from your own solicitor or qualified adviser before you act.
