Why a regulator watch
Since the National AI Plan confirmed in December 2025 that Australia would regulate AI through existing laws and sector regulators rather than a standalone AI Act, the action has moved to the regulators themselves. That makes regulator output (letters, guidance, reviews and enforcement signals) the primary source of truth for what Australian organisations must actually do. This is the first instalment of a recurring watch focused on exactly that.
ASIC: cyber resilience and the accountability agenda
In a letter to industry dated 8 May 2026, ASIC urged licensees and market participants to urgently strengthen cyber resilience in the face of rapidly evolving threats posed by frontier AI models. The letter continues a supervisory line ASIC has been building since REP 798, Beware the Gap, its October 2024 review that found governance arrangements lagging AI adoption across hundreds of use cases, and its 2025-26 corporate plan, which placed AI governance among top supervision priorities. The consistent ASIC position: the Corporations Act obligation to act efficiently, honestly and fairly is technology-neutral, and directors' duties extend to oversight of AI as a material risk.
For licensees the practical reading is that cyber and AI governance have merged into a single supervisory conversation. Frontier models accelerate both sides of the contest: attackers find vulnerabilities faster, and defenders are expected to remediate faster. Boards that cannot show they considered the question are the stated target of the accountability agenda.
OAIC: the countdown to 10 December
The most consequential fixed date on the Australian calendar remains 10 December 2026, when the automated decision-making transparency obligations inserted by the Privacy and Other Legislation Amendment Act 2024 commence. From that date, privacy policies must disclose the kinds of decisions made solely or substantially by computer programs using personal information, and the kinds of personal information used. The OAIC is progressively publishing guidance on the new obligations through 2026, and the regulator-adjacent signal is already visible: several state privacy regulators adopted explicitly AI-focused themes for Privacy Awareness Week 2026.
The trap in this obligation is the inventory, not the drafting. Writing the privacy-policy paragraphs is an afternoon's work once an organisation knows which of its decisions are substantially automated; discovering that across credit, claims, pricing, eligibility and HR systems is the multi-month task. Organisations that have not started the mapping should treat the remaining months as the implementation window, not a buffer.
APRA: expectations set, enforcement flagged
APRA's 30 April letter to all regulated entities, covered in detail in our companion analysis, set minimum board expectations for AI literacy and strategy oversight, named the control weaknesses its late-2025 review found, and stated plainly that unmanaged AI risk will draw stronger supervisory action and, where appropriate, enforcement.
The pattern, and what to do this quarter
Read together, the three regulators are saying one thing in three dialects: there will be no new AI statute to wait for, existing law already applies to AI conduct, and the tolerance for organisations that cannot evidence their governance is shrinking quarter by quarter. The same logic reaches unregulated organisations through directors' duties, consumer law and the Privacy Act.
Three priorities for the quarter follow directly. First, map your automated and AI-assisted decisions now, while the December window is still comfortable. Second, put the APRA and ASIC letters in front of your board even if neither regulator supervises you; the expectations they describe are the emerging Australian baseline for reasonable AI oversight. Third, bring staff AI use inside an approved framework, because shadow AI featured in APRA's findings and features in most organisations' reality. For a structured first pass at which obligations apply to your organisation, the AIRA AI Governance Health Check maps your answers against the current Australian obligation landscape in about fifteen minutes.