From the Voluntary AI Safety Standard to the Guidance for AI Adoption (AI6)

Australia's AI governance framework has evolved significantly since 2024. The original Voluntary AI Safety Standard (VAISS), published in September 2024 with its 10 guardrails, was superseded on 21 October 2025 by the Guidance for AI Adoption — a new national framework that consolidates the 10 guardrails into six essential practices, now commonly referred to as "AI6".

This is not a weakening of the framework. The AI6 guidance is more prescriptive and operationally focused than the VAISS, places greater emphasis on whole-of-lifecycle AI management, and is pitched at both AI developers and deployers. A crosswalk between the VAISS guardrails and the AI6 practices is published by the National AI Centre for organisations that structured their governance around the original standard.

What the National AI Plan (December 2025) means

On 2 December 2025, the Australian Government released its National AI Plan — a strategic document that definitively resolved a question that had been open for most of 2025: will Australia pursue mandatory AI guardrails for high-risk AI?

The answer is no — at least for now. The National AI Plan explicitly abandoned the proposed mandatory guardrails that had been consulted on through 2024 and 2025. Instead, Australia will rely on existing technology-neutral laws (Privacy Act, ACL, sector legislation), voluntary guidance (the AI6 framework), and a new Australian AI Safety Institute (AISI) to manage AI risks.

The AISI launched in early 2026 with AUD$29.9 million in funding. Its mandate is advisory — technical analysis, safety testing, and monitoring — not enforcement. It has no powers to impose penalties or require compliance.

The six essential practices (AI6)

The Guidance for AI Adoption sets out six essential practices that organisations are encouraged to adopt: accountability for AI systems; risk management throughout the AI lifecycle; human oversight and control appropriate to context and risk; transparency and explainability to users and affected individuals; privacy and data governance aligned with Privacy Act obligations; and continuous monitoring and improvement of AI systems.

These practices are voluntary. But "voluntary" is becoming a narrower category in practice. The Australian government's procurement framework is beginning to reference AI6. Enterprise buyers are incorporating it into vendor assessments. Directors' duty exposure creates de facto governance expectations. The OAIC, ACCC, APRA, and ASIC all have powers that apply to AI in their respective domains, and the AI6 framework signals what "reasonable" AI governance looks like when those powers are exercised.

Privacy Act reform: the AI obligation that is coming

The one significant new legal obligation on the horizon for Australian organisations is the Privacy Act reform. The Privacy and Other Legislation Amendment Bill 2024, passed by Parliament in December 2024, includes a requirement that privacy policies address substantially automated decisions that significantly affect individuals' rights or interests. This provision comes into effect in December 2026. For organisations using AI in consequential decisions — credit, employment, insurance, service access — this creates a specific disclosure obligation that is not voluntary.

What Australian organisations should do now

Given the abandonment of mandatory guardrails, some organisations may conclude that AI governance can be deferred. This conclusion is mistaken for three reasons. First, existing laws — Privacy Act, ACL, Fair Work Act, sector-specific regulation — already apply to AI and are being enforced. Second, the AI6 framework has become the de facto benchmark for what "responsible AI" means in Australia, even without legal force. Third, the regulatory direction — in Australia and globally — is toward more, not less, formal obligation. Organisations building strong governance now will find adaptation straightforward when formal requirements come.