The AI Act you were bracing for is not coming.
For two years, Australian compliance teams watched the government work through what an AI law might look like. In September 2024 the Department of Industry, Science and Resources proposed ten mandatory guardrails for AI in high-risk settings, covering accountability, risk management, data governance, testing, human oversight, transparency, contestability, supply chain visibility, record keeping and conformity assessments. It read like the skeleton of an Australian AI Act. Then, on 2 December 2025, the government launched the National AI Plan and settled the question the other way. It would not proceed with the mandatory guardrails, and it would not build a standalone AI statute.
For a certain kind of reader, that lands as relief. No new Act, no new penalties, no fresh conformity regime to stand up. That reading is a trap. The absence of an AI Act is not the absence of AI regulation. It is a decision about where the regulation lives, and it puts more of the interpretive burden on you, not less.

What the National AI Plan actually decided
The plan set out a deliberate, two-pronged approach. First, the government will "continue to build on Australia's robust existing legal and regulatory frameworks," uplifting and clarifying technology-neutral laws where they fall short rather than writing AI-specific ones. Second, it will support that with guidance on responsible practices and a new Australian AI Safety Institute to monitor, test and share information on emerging AI capabilities, risks and harms.
The reasoning was pragmatic. The 2024 consultation drew more than 300 submissions, and a strong industry line held that a prescriptive, cross-economy mandatory regime risked slowing productivity and innovation before the technology had settled. Rather than legislate against a moving target, the government chose to lean on laws that already bind conduct regardless of the tool used to carry it out.
The AI Safety Institute is the visible new piece, launched in early 2026 with about 29.9 million dollars in funding. It is worth being precise about what it is. It is an advisory and technical body. It tests systems, assesses risks and shares findings. It has no enforcement powers. It is not a regulator, and it does not issue binding rules. Its output is intelligence, not obligation.
So the map of Australian AI governance now has no AI Act at its centre. It has a policy plan, an advisory institute, a voluntary standard, and, doing the actual regulating, the full body of existing law.
Why "no AI Act" means "already regulated"
Here is the shift GRC has to internalise. When there is no dedicated statute, the governance question is never "does an AI law apply". It is "which of the laws I already comply with does this particular AI use touch". And the answer is almost always more than one.
Consider how quickly a single AI deployment fans out into existing obligations. An AI tool that drafts customer marketing sits under the misleading-conduct prohibitions in the ASIC Act and the Corporations Act. An AI system that makes or substantially informs a decision about a person engages the Privacy Act, whose automated decision-making transparency rule commences on 10 December 2026 and requires that use to be disclosed in the privacy policy. An AI vendor supporting a bank, insurer or superannuation trustee is a material service provider under APRA's prudential standards CPS 230 and CPS 234. An AI tool used in monitoring for suspicious activity sits inside the AML/CTF regime. None of these is an AI law. Every one of them regulates AI.
The regulators have been saying as much. In REP 798, its review of 624 AI use cases across 23 licensees, ASIC found that AI governance maturity "does not always align with the nature and scale" of the AI in use, and made clear that existing obligations, including the licensee's duty to act efficiently, honestly and fairly, already apply to AI. APRA's 30 April 2026 letter to industry told regulated entities to apply their existing risk management and operational resilience obligations to AI, with an inventory of tooling, clear accountability across the AI lifecycle and human involvement in high-risk decisions. Neither regulator waited for an AI Act, because neither needs one.

The trap of waiting
The real risk in the current settlement is not a gap in the law. It is a gap in posture. A team that reads "no AI Act" as "not yet regulated" defers its AI governance work, waiting for a rulebook that defines the boundaries. That team will be caught out twice. It will be exposed the whole time under laws that already apply, and it will have built no capability when the settlement shifts, as it will.
Because this is not a permanent state. The government explicitly reserved the right to introduce targeted, mandatory obligations where existing law proves insufficient, and it stood up the AI Safety Institute precisely to find those gaps. The Attorney-General has signalled that current privacy law is not fit for the digital age, which points to Privacy Act reform that will reach AI directly. The direction of travel is legible. The entities that come through it well will be the ones already governing AI under existing law, not the ones starting from zero when the first targeted rule lands.
What this means for GRC practitioners
The absence of an AI Act changes the shape of the compliance task without lightening it. Four things follow.
The core control is now a map, not a statute. In a jurisdiction with an AI Act, the compliance artefact is a conformity assessment against the Act. In Australia, the equivalent artefact is a register that traces each material AI use to every existing obligation it touches and names who owns it. That map is the thing an auditor, a board or a regulator will ask for.
The Voluntary AI Safety Standard is your practical framework. The government's voluntary standard sets out ten guardrails that mirror the substance of what the mandatory version would have required. It is not law, but it is the clearest statement of the expectation, and adopting it gives you a defensible, recognised framework to organise your AI governance around while the legal picture stays distributed.
The AI Safety Institute is an intelligence source, not an obligation. Read its published work the way you read a regulator's thematic review. It signals which capabilities and harms are drawing official attention, which is a strong predictor of where targeted regulation will eventually be written. Governing to that signal early is cheaper than remediating to a rule later.
Accountability still has to sit with a named person. Every existing framework this touches, from APRA's to ASIC's, expects an accountable human owner. A distributed legal landscape makes that more important, not less, because there is no single AI officer role the law defines for you. You define it, per system, or the accountability falls into the gap between functions.
There is a quieter benefit to this posture that is worth naming. A team that governs AI against existing obligations is building a capability that transfers, because the underlying laws are stable even as the technology moves. The privacy obligation, the misleading-conduct prohibition, the prudential duty: these were here before generative AI and will outlast this generation of models. A compliance map anchored to them does not need rewriting every time a new model or a new use case appears. You extend it. That durability is the payoff for doing the interpretive work now instead of waiting for a codebook that would, in any case, have dated the moment it was passed.

Do this Monday
- Inventory the AI, then map it. Take your AI use-case register, and for each material entry write down every existing obligation it engages: privacy, misleading conduct, prudential, AML/CTF, sector-specific. If a use case maps to nothing, either it is genuinely low-risk or you have not looked hard enough.
- Adopt the Voluntary AI Safety Standard as your frame. Pick it up as the organising framework for your AI governance rather than inventing your own from scratch. It is the closest thing to an official expectation you will get.
- Put the 10 December 2026 ADM deadline in the plan. The Privacy Act's automated decision-making transparency obligation is a fixed, near-term date that reaches any AI making or substantially informing decisions about people. Build the automated-decision inventory behind the disclosure now.
- Assign an owner to each material AI system. Do not wait for a law to define an accountability model. Name the person answerable for each system today, and record it.
The evidence file to build
When your board, internal audit or a regulator asks how you govern AI in the absence of an AI Act, this is the file that answers:
- A current AI use-case inventory with each material use mapped to the existing obligations it engages and a named owner
- A statement of the framework you govern to, the Voluntary AI Safety Standard, and how your controls align to it
- The automated-decision inventory prepared for the 10 December 2026 Privacy Act transparency rule
- A short watch list of AI Safety Institute outputs and regulator signals you track, with the governance changes each has prompted
Australia did not decline to regulate AI. It declined to write a new law for it. The compliance obligation was there all along, distributed across the frameworks you already run. The plan just made it clear that waiting for a single AI Act to tell you what to do is no longer a strategy, because there is no such Act, and the laws that regulate your AI are the ones already on your desk.
Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Regulatory obligations vary by entity type, licence, and circumstance. Always refer to primary source guidance from APRA, ASIC, the OAIC or the relevant regulatory authority.
Primary sources
- Department of Industry, Science and Resources, National AI Plan, launched 2 December 2025. https://www.industry.gov.au/publications/national-ai-plan
- ASIC, REP 798 Beware the gap: Governance arrangements in the face of AI innovation, 29 October 2024. https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-798-beware-the-gap-governance-arrangements-in-the-face-of-ai-innovation/
- APRA, Letter to industry on the use of artificial intelligence, 30 April 2026. https://www.apra.gov.au/news-and-publications
- Privacy Act 1988 (Cth), including the automated decision-making transparency obligation commencing 10 December 2026. https://www.legislation.gov.au/C2004A03712/latest/text
TheAICommand. Intelligence, At Your Command.



