The regulatory shift: what the December 2025 National AI Plan changed
Throughout 2024 and early 2025, the Australian Government was consulting on mandatory AI guardrails for high-risk AI — a formal regulatory framework that many organisations were preparing for. On 2 December 2025, the National AI Plan definitively ended that expectation. The Government announced it would not pursue a standalone AI Act or mandatory guardrails. Instead, it will rely on existing technology-neutral laws, the voluntary AI6 guidance framework, and the new Australian AI Safety Institute (AISI).
The Plan's approach can be summarised as: existing laws apply to AI just as they apply to other technologies; the Privacy Act, the Australian Consumer Law (ACL), sector regulation, and common law all already govern AI to a significant degree; where genuine gaps are identified, targeted amendments to existing laws are preferred over a new AI Act. The AISI, launched in early 2026, will help identify gaps and provide technical expertise — but has no enforcement powers.
Why "voluntary" doesn't mean "optional" for enterprises
The gap between what the law formally requires and what organisations must do in practice is narrower than it appears. Several mechanisms are tightening it. Government procurement contracts are beginning to reference the AI6 framework. Enterprise buyers — particularly in financial services, healthcare, and government — are incorporating AI governance evidence into vendor assessments. Directors' duties under the Corporations Act apply to material risks, and AI is increasingly material. The OAIC, ACCC, APRA, ASIC, and the Fair Work Commission all have existing powers that apply to AI-related harms — the AI6 framework signals what those regulators will treat as "reasonable" practice.
The Robodebt Royal Commission findings have changed how Australian regulators approach automated decision-making. APRA and ASIC have both updated their supervisory focus in response. The ACCC has pursued algorithmic pricing practices. The OAIC has investigated AI-related privacy breaches. This is not a passive enforcement environment.
The Privacy Act reform: the one new obligation that is coming
The Privacy and Other Legislation Amendment Bill 2024, passed in December 2024, includes a new requirement that privacy policies address substantially automated decisions that significantly affect individuals. This comes into effect in December 2026. It is not voluntary. For organisations using AI in consequential decisions — credit assessment, employment screening, insurance underwriting, service access decisions — this creates a specific, legally required disclosure obligation. Most organisations' current privacy policies do not address this. Updating them should be a priority before December 2026.
The strategic advantage for early movers
The regulatory retreat from mandatory guardrails creates genuine uncertainty about where Australian AI regulation will land — and this uncertainty itself is a governance risk. Organisations that have invested in strong AI governance — documented frameworks, clear accountability, monitoring, human oversight of high-risk decisions — are well-positioned regardless of how the regulatory landscape evolves. Those that interpret the voluntary framework as permission to wait are accumulating governance debt that will be more expensive to discharge when formal requirements eventually come. And on the current trajectory — globally and domestically — they will come.