AI governance is a GRC problem by nature
Whatever terminology is used (AI governance, responsible AI, AI risk management), the substance is GRC capability applied to a new risk domain: identifying and assessing AI-specific risks; designing and implementing controls; developing and maintaining policies; providing assurance that controls work; and managing compliance with the Privacy Act, AI6, and sector-specific requirements. GRC teams already do this work. AI extends the scope, not the capability model.
Integrating AI into enterprise risk management
The starting point for most Australian organisations is integrating AI into existing ERM processes: adding AI as a named risk category in the risk register; incorporating AI into the technology risk appetite statement; requiring AI system entries with risk classification and control documentation; and including AI risk as a standing agenda item in risk committee meetings.
For organisations using ISO 31000:2018, the predominant enterprise risk framework in Australian practice, AI risk management should be explicitly scoped in without creating a parallel structure. AI risk is enterprise risk. Govern it through enterprise processes.
AI6 and GRC accountability
Practice 1 (Accountability): governance structure, named executive, board oversight, escalation pathways.
Practice 2 (Impact Assessment): risk assessment methodology, Privacy Impact Assessment integration, completion requirements before deployment.
Practice 3 (Risk Management): AI in enterprise risk register, risk appetite, control design by risk classification.
Practice 4 (Transparency): privacy policy disclosure obligations including the December 2026 automated decision requirement, AI register maintenance.
Practice 5 (Testing and Monitoring): pre-deployment testing standards, post-deployment monitoring design, audit scope.
Practice 6 (Human Oversight): specifying the oversight mechanisms required by risk classification.
APRA regulated entity obligations
For banks, insurers and superannuation funds, AI governance has explicit prudential dimensions. CPS 230 (in force July 2025) requires AI systems supporting critical operations to have documented resilience controls. CPS 220 requires AI risk to be identified and managed within the ERM framework. GRC teams should assess whether their model risk governance framework adequately covers: LLM outputs used in customer communications; ML models in credit, pricing or underwriting decisions; AI in claims handling and fraud detection; and cloud AI APIs accessed as material services.
The December 2026 compliance deadline
The automated decision-making transparency obligations introduced by the Privacy and Other Legislation Amendment Act 2024 commence on 10 December 2026. APP 1.7 requires disclosure in the privacy policy when AI makes decisions significantly affecting individuals' rights or interests. GRC teams should own this compliance stream: inventorying all AI systems in scope; categorising them against APP 1.7; drafting the required disclosures; and implementing a review process to keep disclosures current as AI use evolves. The OAIC can issue compliance notices, infringement notices, and civil penalties for non-compliant privacy policies.
Governing your own AI use
GRC teams using AI in contract risk review, regulatory change monitoring, audit workpaper preparation, or policy gap analysis must apply the organisation's AI governance framework to that use. Apply your own controls. Document your AI use cases in the register. Conduct the risk assessment. Maintain human review of AI-assisted GRC outputs before they inform governance decisions.