Australia Will Not Pass an AI Act. You Are Still Regulated., practitioner guidance from TheAICommand
← GRC
Regulatory analysis

Australia Will Not Pass an AI Act. You Are Still Regulated.

The National AI Plan settled the question every GRC team was waiting on. Australia will not pass a standalone AI Act. That is not a reprieve. It means AI is already regulated, spread across the laws and regulators you answer to now. Here is how to stop waiting for an AI law and map every AI use to the obligation it already touches.

·monthly

GRC content. Written for compliance, risk, and audit professionals in Australian financial services. General information. Not legal or compliance advice.

Quick answer

Australia's National AI Plan (2 December 2025) ruled out a standalone AI Act and the 2024 mandatory guardrails, relying instead on existing technology-neutral laws, sector regulators and an advisory AI Safety Institute. So AI is already regulated under the Privacy Act, the ASIC Act and APRA's prudential standards. The GRC work is to map each AI use to the obligations you already hold, not wait for a new AI law.

The AI Act you were bracing for is not coming.

For two years, Australian compliance teams watched the government work through what an AI law might look like. In September 2024 the Department of Industry, Science and Resources proposed ten mandatory guardrails for AI in high-risk settings, covering accountability, risk management, data governance, testing, human oversight, transparency, contestability, supply chain visibility, record keeping and conformity assessments. It read like the skeleton of an Australian AI Act. Then, on 2 December 2025, the government launched the National AI Plan and settled the question the other way. It would not proceed with the mandatory guardrails, and it would not build a standalone AI statute.

For a certain kind of reader, that lands as relief. No new Act, no new penalties, no fresh conformity regime to stand up. That reading is a trap. The absence of an AI Act is not the absence of AI regulation. It is a decision about where the regulation lives, and it puts more of the interpretive burden on you, not less.

A wide harbour at dusk with a single lighthouse beam sweeping across many small vessels, one steady guiding light over a distributed fleet, sky-blue light on deep navy
There is no single AI law. The obligations are distributed across the ones you already have.

What the National AI Plan actually decided

The plan set out a deliberate, two-pronged approach. First, the government will "continue to build on Australia's robust existing legal and regulatory frameworks," uplifting and clarifying technology-neutral laws where they fall short rather than writing AI-specific ones. Second, it will support that with guidance on responsible practices and a new Australian AI Safety Institute to monitor, test and share information on emerging AI capabilities, risks and harms.

The reasoning was pragmatic. The 2024 consultation drew more than 300 submissions, and a strong industry line held that a prescriptive, cross-economy mandatory regime risked slowing productivity and innovation before the technology had settled. Rather than legislate against a moving target, the government chose to lean on laws that already bind conduct regardless of the tool used to carry it out.

The AI Safety Institute is the visible new piece, launched in early 2026 with about 29.9 million dollars in funding. It is worth being precise about what it is. It is an advisory and technical body. It tests systems, assesses risks and shares findings. It has no enforcement powers. It is not a regulator, and it does not issue binding rules. Its output is intelligence, not obligation.

So the map of Australian AI governance now has no AI Act at its centre. It has a policy plan, an advisory institute, a voluntary standard, and, doing the actual regulating, the full body of existing law.

Why "no AI Act" means "already regulated"

Here is the shift GRC has to internalise. When there is no dedicated statute, the governance question is never "does an AI law apply". It is "which of the laws I already comply with does this particular AI use touch". And the answer is almost always more than one.

Consider how quickly a single AI deployment fans out into existing obligations. An AI tool that drafts customer marketing sits under the misleading-conduct prohibitions in the ASIC Act and the Corporations Act. An AI system that makes or substantially informs a decision about a person engages the Privacy Act, whose automated decision-making transparency rule commences on 10 December 2026 and requires that use to be disclosed in the privacy policy. An AI vendor supporting a bank, insurer or superannuation trustee is a material service provider under APRA's prudential standards CPS 230 and CPS 234. An AI tool used in monitoring for suspicious activity sits inside the AML/CTF regime. None of these is an AI law. Every one of them regulates AI.

The regulators have been saying as much. In REP 798, its review of 624 AI use cases across 23 licensees, ASIC found that AI governance maturity "does not always align with the nature and scale" of the AI in use, and made clear that existing obligations, including the licensee's duty to act efficiently, honestly and fairly, already apply to AI. APRA's 30 April 2026 letter to industry told regulated entities to apply their existing risk management and operational resilience obligations to AI, with an inventory of tooling, clear accountability across the AI lifecycle and human involvement in high-risk decisions. Neither regulator waited for an AI Act, because neither needs one.

A screen split into two contrasting halves divided by a thin gold line, the left half a single closed empty vault labelled no ai act, the right half many small active doorways each glowing labelled already regulated, sky light on deep navy
No standalone AI Act does not mean no obligations. It means many, distributed.

The trap of waiting

The real risk in the current settlement is not a gap in the law. It is a gap in posture. A team that reads "no AI Act" as "not yet regulated" defers its AI governance work, waiting for a rulebook that defines the boundaries. That team will be caught out twice. It will be exposed the whole time under laws that already apply, and it will have built no capability when the settlement shifts, as it will.

Because this is not a permanent state. The government explicitly reserved the right to introduce targeted, mandatory obligations where existing law proves insufficient, and it stood up the AI Safety Institute precisely to find those gaps. The Attorney-General has signalled that current privacy law is not fit for the digital age, which points to Privacy Act reform that will reach AI directly. The direction of travel is legible. The entities that come through it well will be the ones already governing AI under existing law, not the ones starting from zero when the first targeted rule lands.

What this means for GRC practitioners

The absence of an AI Act changes the shape of the compliance task without lightening it. Four things follow.

The core control is now a map, not a statute. In a jurisdiction with an AI Act, the compliance artefact is a conformity assessment against the Act. In Australia, the equivalent artefact is a register that traces each material AI use to every existing obligation it touches and names who owns it. That map is the thing an auditor, a board or a regulator will ask for.

The Voluntary AI Safety Standard is your practical framework. The government's voluntary standard sets out ten guardrails that mirror the substance of what the mandatory version would have required. It is not law, but it is the clearest statement of the expectation, and adopting it gives you a defensible, recognised framework to organise your AI governance around while the legal picture stays distributed.

The AI Safety Institute is an intelligence source, not an obligation. Read its published work the way you read a regulator's thematic review. It signals which capabilities and harms are drawing official attention, which is a strong predictor of where targeted regulation will eventually be written. Governing to that signal early is cheaper than remediating to a rule later.

Accountability still has to sit with a named person. Every existing framework this touches, from APRA's to ASIC's, expects an accountable human owner. A distributed legal landscape makes that more important, not less, because there is no single AI officer role the law defines for you. You define it, per system, or the accountability falls into the gap between functions.

There is a quieter benefit to this posture that is worth naming. A team that governs AI against existing obligations is building a capability that transfers, because the underlying laws are stable even as the technology moves. The privacy obligation, the misleading-conduct prohibition, the prudential duty: these were here before generative AI and will outlast this generation of models. A compliance map anchored to them does not need rewriting every time a new model or a new use case appears. You extend it. That durability is the payoff for doing the interpretive work now instead of waiting for a codebook that would, in any case, have dated the moment it was passed.

A left-to-right flow of five sky pill nodes reading inventory, map, adopt, watch and own, connected by one flowing line
Govern AI under existing law: inventory it, map it to obligations, adopt the standard, watch the signal, own it.

Do this Monday

  1. Inventory the AI, then map it. Take your AI use-case register, and for each material entry write down every existing obligation it engages: privacy, misleading conduct, prudential, AML/CTF, sector-specific. If a use case maps to nothing, either it is genuinely low-risk or you have not looked hard enough.
  2. Adopt the Voluntary AI Safety Standard as your frame. Pick it up as the organising framework for your AI governance rather than inventing your own from scratch. It is the closest thing to an official expectation you will get.
  3. Put the 10 December 2026 ADM deadline in the plan. The Privacy Act's automated decision-making transparency obligation is a fixed, near-term date that reaches any AI making or substantially informing decisions about people. Build the automated-decision inventory behind the disclosure now.
  4. Assign an owner to each material AI system. Do not wait for a law to define an accountability model. Name the person answerable for each system today, and record it.

The evidence file to build

When your board, internal audit or a regulator asks how you govern AI in the absence of an AI Act, this is the file that answers:

  • A current AI use-case inventory with each material use mapped to the existing obligations it engages and a named owner
  • A statement of the framework you govern to, the Voluntary AI Safety Standard, and how your controls align to it
  • The automated-decision inventory prepared for the 10 December 2026 Privacy Act transparency rule
  • A short watch list of AI Safety Institute outputs and regulator signals you track, with the governance changes each has prompted

Australia did not decline to regulate AI. It declined to write a new law for it. The compliance obligation was there all along, distributed across the frameworks you already run. The plan just made it clear that waiting for a single AI Act to tell you what to do is no longer a strategy, because there is no such Act, and the laws that regulate your AI are the ones already on your desk.

Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Regulatory obligations vary by entity type, licence, and circumstance. Always refer to primary source guidance from APRA, ASIC, the OAIC or the relevant regulatory authority.

Primary sources

  • Department of Industry, Science and Resources, National AI Plan, launched 2 December 2025. https://www.industry.gov.au/publications/national-ai-plan
  • ASIC, REP 798 Beware the gap: Governance arrangements in the face of AI innovation, 29 October 2024. https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-798-beware-the-gap-governance-arrangements-in-the-face-of-ai-innovation/
  • APRA, Letter to industry on the use of artificial intelligence, 30 April 2026. https://www.apra.gov.au/news-and-publications
  • Privacy Act 1988 (Cth), including the automated decision-making transparency obligation commencing 10 December 2026. https://www.legislation.gov.au/C2004A03712/latest/text

TheAICommand. Intelligence, At Your Command.

Frequently asked questions

Does Australia have an AI Act?
No. The National AI Plan, launched on 2 December 2025, confirmed the government will not introduce a standalone AI Act or the mandatory guardrails for high-risk AI proposed in 2024. Australia has chosen to regulate AI through existing technology-neutral laws, sector regulators, voluntary guidance and an advisory AI Safety Institute, rather than a single dedicated statute.
If there is no AI Act, is AI unregulated in Australia?
No, and that is the point most teams miss. AI is regulated by every law that already applies to what the AI does. Misleading AI marketing is caught by the ASIC Act, an AI decision affecting a person engages the Privacy Act, an AI vendor supporting a bank engages APRA's prudential standards. The absence of an AI Act does not mean an absence of obligations. It spreads them across the frameworks you already answer to.
What is the Australian AI Safety Institute?
The Australian AI Safety Institute is an advisory body launched in early 2026 with about 29.9 million dollars in funding under the National AI Plan. It monitors, tests and shares information on emerging AI capabilities, risks and harms. It has no enforcement powers. For GRC its value is as an early-warning signal for where targeted regulation may eventually land.
What should GRC teams do given there is no AI Act?
Build a map from each AI use case to the existing obligations it touches, adopt the Voluntary AI Safety Standard as a practical framework, watch the AI Safety Institute and the coming Privacy Act reforms as the direction of travel, and name an accountable owner for each material AI system. The work is compliance mapping and governance, not waiting for a law that is not coming.

Context

Australia's choice runs against the grain of the European Union, whose AI Act takes the opposite path of a single, risk-tiered statute with dedicated obligations and penalties. Australia is betting that technology-neutral laws, updated where they fall short, can carry the load. That bet puts the interpretive work on entities and their regulators rather than on a codebook, which is more flexible and less certain at the same time.

AI angle

For GRC the AI angle is the whole story. Because there is no AI-specific statute, the governance of AI is an exercise in applying laws written for other purposes to a technology they did not anticipate. That makes the compliance map the core control, and it makes the practitioner who can trace an AI use to its real obligation more valuable than one waiting for a rulebook.

Primary sources

National AI PlanAI RegulationAI GovernancePrivacy ActAPRAASICAI Safety InstituteCompliance
← Back to GRC

Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Regulatory obligations vary by entity type, licence, and circumstance. Always refer to primary source guidance from APRA, ASIC, or the relevant regulatory authority.