Australian AI Governance Tracker
Every AI governance obligation and deadline that applies to Australian organisations, dated and sourced, in one place, including the EU AI Act dates that reach Australian exporters. Maintained against primary sources and updated as instruments commence.
Last updated 21 June 2026
| Obligation | Instrument | Regulator | Status | Date | Source |
|---|---|---|---|---|---|
| **Operational risk over AI and AI vendors.** Manage the operational risk of critical operations, including AI embedded in them and material service providers (AI and cloud vendors). | APRA Prudential Standard CPS 230 | APRA | In force | In force 1 Jul 2025 | Official |
| **CPS 230 transition for pre-existing arrangements.** Pre-existing contracts with material service providers must comply by the earlier of next renewal or 1 July 2026, when remaining transition relief ends. | APRA Prudential Standard CPS 230 | APRA | Commences | Deadline 1 Jul 2026 | Official |
| **Automated decision-making transparency.** Privacy policies must describe the kinds of decisions made or substantially assisted by computer programs using personal information. | Privacy and Other Legislation Amendment Act 2024 (new APP 1 / s 16H) | OAIC | Commences | Commences 10 Dec 2026 | Official |
| **Security and cross-border handling of personal information.** Take reasonable steps to secure personal information used with AI, and stay accountable for offshore AI providers that process it. | Privacy Act 1988 (APP 11, APP 8) | OAIC | In force | In force | Official |
| **Statutory tort for serious invasions of privacy.** Individuals can sue directly for serious invasions of privacy, including intrusive AI surveillance, scraping or profiling. | Privacy and Other Legislation Amendment Act 2024 (Sch 2) | Courts (private right of action) | In force | In force (2024 Act) | Official |
| **"Fair and reasonable" test for data processing.** A proposed reform that personal-information handling be fair and reasonable. Not part of the 2024 tranche; track its progress. | Privacy Act review (future reform tranche) | Attorney-General / OAIC | Proposed | Proposed (not yet legislated) | Official |
| **Six essential practices (AI6) for AI adoption.** Voluntary government guidance on accountability, risk, data and system governance, testing and monitoring, human oversight, and transparency and contestability. The benchmark courts and procurement look to. | National AI Centre, Guidance for AI Adoption | National AI Centre / DISR | In force | Guidance from Oct 2025 (voluntary) | Official |
| **National AI Plan (no standalone AI Act for now).** Confirms Australia governs AI through existing technology-neutral law and sector regulators, supported by the National AI Centre and a new AI Safety Institute, rather than a standalone AI Act. | National AI Plan | DISR | In force | Released Dec 2025 | Official |
| **Conduct obligations in financial-services AI.** Responsible lending, best-interests duty, complaints handling and market-conduct obligations apply fully to AI-driven decisions and representations. | Corporations Act / ASIC Act (conduct, RG 271) | ASIC | In force | In force | Official |
| **Misleading AI outputs are your conduct.** Misleading or deceptive conduct rules apply to what your AI tells customers. A hallucinated price or claim is attributable to the business. | Competition and Consumer Act 2010, Sch 2 (ACL s 18) | ACCC | In force | In force | Official |
| **AI-driven workplace change and monitoring.** Consultation duties on major AI-driven change, procedural fairness on AI performance data, and surveillance-notice rules for AI monitoring. | Fair Work Act 2009; state surveillance laws | Fair Work Commission | In force | In force | Official |
| **Critical-infrastructure risk program must cover AI.** Responsible entities must manage material risks to critical infrastructure assets, including hazards introduced by AI systems and AI vendors. | Security of Critical Infrastructure Act 2018 | CISC / Home Affairs | In force | In force | Official |
| **Tell people they are interacting with AI (EU exposure).** Australian organisations whose AI chatbots or AI-generated content reach EU users must disclose this. Not deferred by the Digital Omnibus. | EU AI Act (Regulation (EU) 2024/1689), Art 50 | EU market surveillance authorities | Global | Applies 2 Aug 2026 | Official |
| **High-risk AI obligations (EU exposure).** AU organisations placing high-risk AI (employment, credit, and other Annex III uses) on the EU market face the heaviest duties. Deferred to 2 Dec 2027 under the Digital Omnibus, pending Official Journal publication. | EU AI Act, Art 6 and Annex III | EU market surveillance authorities | Global | Applies 2 Dec 2027 | Official |
| **AI management system certification.** The certifiable AI management system standard. Voluntary, but increasingly requested in government and enterprise procurement. | ISO/IEC 42001:2023 | Certification bodies (voluntary) | In force | Published Dec 2023 | Official |
General information, not legal advice. Dates are tracked against primary sources and were current at 21 June 2026; verify against the official source before relying on them. Status reflects Australian application, including EU AI Act dates that apply to Australian organisations serving the EU.
Journalists, researchers and compliance teams are welcome to cite and link to this tracker.
Which of these apply to you?
The free AIRA Health Check maps your organisation to the exact subset of these obligations your AI use triggers, with the instrument and clause for each. It takes about fifteen minutes, and answers stay in your browser.