Building an Enterprise AI Governance Programme in Australia: From Policy to Operating Model

What a governance programme actually is

The most common enterprise AI governance failure mode in Australia in 2025–26 is confusing a policy with a programme. An organisation writes an AI use policy, establishes a steering committee, perhaps produces a risk framework document — and believes it has AI governance. What it has is governance architecture. The programme is what animates that architecture: the processes, roles, controls, monitoring, and decision-making that turn policy into practice.

Mature enterprise AI governance in Australia in 2026 has five operational components: an AI system inventory with risk classification; a governance operating model with clear roles and accountability; an AI controls framework with testable, monitored controls; a training and capability programme that reaches all relevant staff; and an incident response capability that handles AI-related failures, near-misses, and regulatory inquiries. Each component is necessary. None is sufficient alone.

The Australian benchmark

The APS AI Plan, published November 2025, provides the clearest statement of what the Australian government considers mature AI governance to look like. Its three-pillar structure — Trust, People, Tools — has become a de facto benchmark for private sector programme design. Trust covers governance, accountability, and regulatory compliance. People covers AI literacy, role-specific capability, and change management. Tools covers secure, approved AI technology deployment with appropriate technical controls.

Private sector boards and executives reviewing their AI governance programme should use this structure as a reference. The question is not "do we have an AI policy?" but "do we have a sustained capability across all three pillars?"

The operating model: roles and accountability

The APS AI Plan's requirement for a Chief AI Officer in each agency reflects an emerging expectation in the private sector as well. ASIC has signalled that director duty of care may require boards to ensure adequate oversight of AI-related risks — which requires someone at executive level who can provide that oversight. AI6 Practice 1 requires a named executive accountable for AI governance. The question is who that person is, what their mandate is, and what they can actually do when the programme requires change.

The three-line model maps clearly to AI governance. First-line business functions own AI risk in their areas — they maintain the AI system register for their domain, complete risk assessments for new deployments, and operate the controls required for systems they use. Second-line risk, compliance, and legal functions set AI governance policy, provide challenge and oversight of first-line practices, and manage regulatory compliance. Third-line internal audit provides independent assurance that controls are operating effectively, not just documented. AI governance should be integrated into this structure, not organised as a separate programme outside it.

Building from the compliance deadline backward

For most Australian enterprises, the most practical way to start building a governance programme is to work backward from the December 2026 Privacy Act automated decision transparency obligation. Meeting APP 1.7 requires: identifying all AI systems used in consequential decisions about individuals; categorising them against the disclosure scope; updating the privacy policy; and establishing a review process. The AI system inventory built for this purpose also forms the foundation of the broader governance programme — it becomes the AI register that all other governance activities operate against.

Working backward from December 2026 is not the only way to sequence the programme, but it is the approach with the most immediate hard deadline and the most clearly defined output. It also produces an artefact — a documented AI system inventory with risk classification — that boards, auditors, and regulators can assess.