Short version: Australia decided not to pass a single AI Act. In its National AI Plan, released on 2 December 2025, the Government confirmed it would not proceed with the mandatory guardrails it consulted on in 2024, and would instead rely on existing laws and sector regulators backed by voluntary guidance.[^1] For a Head of Risk, CISO or Head of Data, that decision is the whole game: your AI governance framework cannot be a copy of NIST's or the EU's. It has to map your AI controls onto the actual Australian regulatory stack (APRA, the OAIC and the Privacy Act, AHPRA) with the Voluntary AI Safety Standard and ISO/IEC 42001 as the connective tissue. This is that framework, built as a working artefact rather than a reading list.
Why an Australian enterprise needs an Australian framework
Search "AI governance framework" and you get the same three answers: the NIST AI Risk Management Framework, the EU AI Act, and ISO/IEC 42001. They are good documents. The NIST AI RMF, released on 26 January 2023, is a clear voluntary four-function model.[^8] But none of them tells an Australian Head of Risk which Australian regulator will ask which question, on what date, with what consequence.
That gap got wider, not narrower, at the end of 2025. When the Government released the National AI Plan on 2 December 2025, it confirmed it would not introduce the standalone mandatory guardrails for high-risk AI that industry had spent a year preparing for, opting instead to govern AI through the laws and regulators already in place.[^1] A separate Australian AI Safety Institute, announced on 25 November 2025, will monitor, test and share information on AI risks, but it sits alongside the existing regulators rather than replacing them.[^9]
The practical effect is the opposite of simplification. There is no single rule to comply with. Instead, AI is governed by the obligations you already carry, and those obligations are technology-neutral, so they bind your AI whether or not they mention it. A framework that does not name APRA CPS 234, CPS 230, the Privacy Act amendments and AHPRA's guidance has not done the Australian part of the job.
That is the lane this framework is built for. It treats two things the global frameworks treat as optional, data sovereignty and human accountability, as governance primitives, because in the Australian stack they are the most direct way to satisfy obligations you cannot avoid.
The Australian regulatory stack, mapped to AI
Before the framework, the map. These are the instruments an Australian enterprise actually answers to, and what each one demands of an AI system. Every date below was verified for this article against the regulator or primary source; see the footnotes.
| Instrument | Status / key date | What it demands of your AI |
|---|---|---|
| APRA CPS 234, Information Security | In force since 1 July 2019[^3] | Board-level accountability for information-security capability; controls commensurate with data sensitivity; control testing; remediation of weaknesses; material incidents notified to APRA no later than 72 hours after the entity becomes aware of them, and material control weaknesses it cannot remediate promptly notified within 10 business days. Binds any AI system inside the information-asset perimeter. |
| APRA CPS 230, Operational Risk Management | In force from 1 July 2025[^4] | Sound operational-risk management, business-continuity planning, and management of material service providers, including third-party model and platform providers behind an AI workflow. |
| Privacy Act (as amended by the Privacy and Other Legislation Amendment Act 2024) | ADM transparency (APP 1.7) commences 10 December 2026[^5] | Disclose in your privacy policy the kinds of personal information a computer program uses to make, or to do something substantially and directly related to making, decisions that could reasonably be expected to significantly affect a person's rights or interests, and the kinds of decisions involved. |
| AHPRA, AI in healthcare guidance | Released 2024[^7] | The registered practitioner stays fully accountable for any AI-assisted output; human judgement must be applied; patients should be informed where AI is used in their care. |
| Voluntary AI Safety Standard | Published 5 September 2024[^2] | Ten guardrails covering accountability, risk management, data governance, testing and monitoring, human oversight, transparency to users, contestability, supply-chain transparency, record-keeping and stakeholder engagement. Voluntary, but the Government's reference model for good practice. |
| ISO/IEC 42001:2023, AI management system | Published December 2023[^6] | A certifiable management-system standard: policy, roles, AI risk assessment, controls, lifecycle management, supplier oversight, continual improvement. |
| NIST AI RMF 1.0 | Released 26 January 2023[^8] | A voluntary risk-management model (Govern, Map, Measure, Manage). Useful structure; not Australian law. |
Two things fall out of this table. First, the financial-services obligations (CPS 234 and CPS 230) and the clinical obligations (AHPRA) are already live and enforceable. They are not waiting for an AI Act. Second, the one genuinely AI-specific obligation that is coming, the Privacy Act's automated decision-making transparency requirement, has a fixed date on the calendar: 10 December 2026.[^5] That is a deadline you can plan a programme around.
The framework: seven control domains
A framework is only useful if it survives contact with a real deployment. These seven domains are the ones that decide whether an Australian AI system is defensible. For each, the goal is the same: a control you can evidence to whichever regulator asks, not a principle you can recite.
1. Accountability and board oversight
The first guardrail of the Voluntary AI Safety Standard is accountability, and it is also the first thing APRA CPS 234 makes the board responsible for in the information-security context.[^2][^3] Name an accountable owner for every production AI system. Maintain a register of those systems with their owner, purpose, data classification and decision impact. Put AI risk on the agenda of the body that already owns operational and security risk. Do not invent a parallel committee that the rest of the governance machinery ignores.
A common failure mode in regulated AI deployments is an AI system that no single person is accountable for, discovered only after it has produced an output that reaches a customer or a regulator. The register is what prevents that.
2. Data sovereignty and residency
This is the domain global frameworks treat as a deployment detail and the Australian stack treats as central. The Privacy Act governs how personal information is handled and disclosed, including across borders; APRA expects entities to manage the risk of their material service providers; and clinical accountability under AHPRA does not transfer to an offshore tool.[^3][^4][^7] Each of those is easier to satisfy when the data and the inference stay under Australian control.
The control is concrete: know where each AI system's data is stored, where inference runs, and which third parties can see it. For systems handling sensitive or regulated data, the lowest-risk posture is one where the data never leaves an environment you govern. RyderAI's default is to run on infrastructure the client controls, whether that is the client's own environment or Australian GPU capacity, precisely because residency is the cheapest way to close several obligations at once, not because it is a feature to sell.
3. Human-in-the-loop approval
Human oversight is an explicit guardrail in the Voluntary AI Safety Standard, and under AHPRA the practitioner's accountability for an AI-assisted output is absolute.[^2][^7] The Privacy Act's ADM transparency rule exists precisely because automated decisions that significantly affect people are treated as higher-risk.[^5]
The control is to place a human approval step at the lowest-reversibility transition in each workflow, the point where the action becomes hard to undo. In a lending or underwriting flow that is before the decision is communicated; in a clinical flow it is before anything enters the patient record; in a customer-comms flow it is before send. Design the AI to draft, not to decide, so the human approves a near-finished artefact rather than building from scratch. Tier the load so routine cases are logged and high-stakes cases are always reviewed.
4. Model and supplier risk, including no vendor lock-in
CPS 230 brings third-party and service-provider risk squarely into scope, and the Voluntary AI Safety Standard's supply-chain transparency guardrail asks you to understand what sits behind your AI.[^2][^4] A model you cannot inspect, cannot move, and cannot run without a single external provider is a concentration risk you have to document and a continuity risk you have to mitigate.
The control is to record, for each model, its provider, version, where it runs, and what happens if that provider changes terms or disappears. RyderAI's conviction here is no-lock-in by design: where the data is sensitive, open models you can self-host remove the dependency on a single vendor's pricing, availability and data-handling policy, which makes the CPS 230 service-provider question far easier to answer honestly.
5. Testing and assurance
Testing is its own guardrail in the Voluntary AI Safety Standard, and CPS 234 expects control testing that surfaces design and operating effectiveness rather than mere existence.[^2][^3] For AI specifically, the assurance question is not "does the model work" but "does the model fail safely, and can we show it." Establish an accuracy baseline before go-live, test against representative and adversarial inputs, and re-test on a schedule and after any material change. Keep the results as evidence, because the difference between a defensible AI system and an indefensible one is usually whether the testing was written down.
6. Logging and auditability
Record-keeping is the ninth guardrail, and CPS 234 incident management, CPS 230 resilience, AHPRA accountability and the coming Privacy Act transparency obligation all assume you can reconstruct what an AI system did.[^2][^3][^4][^5][^7] The minimum record for a regulated AI decision is: the input received, the model identifier and version, the output produced, any confidence signal, the human reviewer's identity, the time of review, the decision taken, and the artefact actually sent or stored. Tamper-evidence on that log (an append-only store in which each entry commits to the hash of the one before it, or write-once storage with an independent timestamp) is what turns it from a debugging aid into evidence of accountable operation, because it lets you show not only what happened but that the record was not edited afterwards.
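The approval gate from domain 3 and the tamper-evident record from this domain, combined in one runnable illustration. This is an added example, not RyderAI's code or tooling: the record fields follow the minimum list above, while the hash-chaining scheme, the impact-score threshold and the three sample records are assumptions made for the demonstration.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash carried by the first entry


@dataclass
class DecisionRecord:
    """One logged AI decision: the minimum fields listed above."""
    system_id: str
    input_ref: str                # hash or reference of the input received
    model_id: str
    model_version: str
    output: str                   # the output the model produced
    confidence: Optional[float]   # confidence signal, if the model gives one
    reviewer_id: Optional[str]    # None while the record is still a draft
    reviewed_at: Optional[str]    # ISO-8601 time of the human review
    decision: str                 # "draft", "approved" or "rejected"
    artefact_ref: Optional[str]   # hash of what was actually sent or stored
    prev_hash: str = GENESIS
    entry_hash: str = ""


def _digest(rec: DecisionRecord) -> str:
    """SHA-256 over a canonical JSON encoding of every field except entry_hash."""
    body = {k: v for k, v in asdict(rec).items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DecisionLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so an edit, reorder or deletion anywhere breaks every later link."""

    def __init__(self) -> None:
        self.entries: list[DecisionRecord] = []

    def append(self, rec: DecisionRecord) -> DecisionRecord:
        rec.prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS
        rec.entry_hash = _digest(rec)
        self.entries.append(rec)
        return rec

    def verify(self) -> tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec.prev_hash != prev or _digest(rec) != rec.entry_hash:
                return False, i
            prev = rec.entry_hash
        return True, None


class ReleaseGate:
    """The model drafts; the gate sits at the send/store transition. Cases at or
    above the impact threshold cannot pass without a named human reviewer;
    routine cases below it are logged and released."""

    def __init__(self, log: DecisionLog, high_stakes_threshold: float) -> None:
        self.log = log
        self.threshold = high_stakes_threshold  # assumption: impact scored in [0, 1]

    def draft(self, system_id: str, input_ref: str, model_id: str,
              model_version: str, output: str, confidence: Optional[float]) -> DecisionRecord:
        return self.log.append(DecisionRecord(
            system_id, input_ref, model_id, model_version, output, confidence,
            reviewer_id=None, reviewed_at=None, decision="draft", artefact_ref=None))

    def release(self, draft: DecisionRecord, impact: float,
                reviewer_id: Optional[str] = None, approved: bool = False) -> DecisionRecord:
        if impact >= self.threshold and reviewer_id is None:
            raise PermissionError("high-stakes output needs a human reviewer before release")
        if reviewer_id is None:
            approved = True  # routine tier: no reviewer, but still logged
        reviewed_at = datetime.now(timezone.utc).isoformat() if reviewer_id else None
        artefact = hashlib.sha256(draft.output.encode("utf-8")).hexdigest() if approved else None
        return self.log.append(DecisionRecord(
            draft.system_id, draft.input_ref, draft.model_id, draft.model_version,
            draft.output, draft.confidence, reviewer_id, reviewed_at,
            "approved" if approved else "rejected", artefact))


if __name__ == "__main__":
    log = DecisionLog()
    gate = ReleaseGate(log, high_stakes_threshold=0.7)
    # Constructed sample: a drafted lending-decision letter, not real data.
    letter = gate.draft("credit-letter-gen", "sha256:demo-input-01", "open-weights-llm",
                        "2025.11", "Dear applicant, your application has been declined.", 0.81)
    try:
        gate.release(letter, impact=0.9)          # no reviewer: blocked
    except PermissionError as e:
        print("blocked:", e)
    gate.release(letter, impact=0.9, reviewer_id="analyst-17", approved=True)
    print("chain intact:", log.verify())
    log.entries[0].output = "edited after the fact"
    print("after tampering:", log.verify())
```

The gate refuses the send for a high-stakes case until a reviewer is named, and the reviewer's identity, time and decision land in the same chained log as the draft, so the record that reaches a regulator shows who approved what. Verification walks the chain and reports the first entry whose content or link no longer matches; in production the chain head would be anchored somewhere the application cannot write (a signed timestamp or write-once storage), which this illustration leaves out.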
7. Incident response
CPS 234 requires material information-security incidents to be notified to APRA as soon as possible and no later than 72 hours after the entity becomes aware of them, and CPS 230 expects tested continuity and recovery.[^3][^4] An AI-specific incident plan answers, in advance: how a bad output is detected, who is paged, how the system is paused or rolled back, what the fallback path is while it is down, and which regulator is notified within which window. The 72-hour clock runs from awareness, so the detection step is the part of the plan that decides whether the window can be met. Rehearse it. A plan that has never been run is a document, not a control.
How to operationalise it
A framework that lives in a slide deck changes nothing. The sequence that actually moves a programme is short.
- Build the AI system register. You cannot govern what you have not listed. Owner, purpose, data classification, decision impact, models and suppliers behind it. This single artefact powers domains 1, 2 and 4.
- Triage each system against the stack. For each entry, mark which instruments bite: Is it inside the CPS 234 perimeter? A material service-provider dependency under CPS 230? Does it make decisions that meet the Privacy Act ADM threshold? Is it clinical and therefore in AHPRA's scope? This is where the abstract becomes specific.
- Close the highest-impact, lowest-reversibility gaps first. Human-approval gates and logging on the systems whose outputs are hardest to undo. These are the controls a regulator asks about first and the ones cheapest to add before a system is load-bearing.
- Adopt ISO/IEC 42001 as the management-system chassis if you want a certifiable, repeatable governance system rather than a one-off project.[^6] Map its clauses to the Australian obligations so the management system produces the evidence the regulators want.
- Put the dated obligation on the roadmap. The Privacy Act ADM transparency requirement commences 10 December 2026.[^5] Working out which of your AI systems meet the threshold, and updating the privacy policy accordingly, is a finite task with a fixed deadline. Schedule it now rather than discovering it late.
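The register and triage steps above, as a machine-readable artefact you can query rather than a spreadsheet. This is an added illustration, not RyderAI's tooling: the field names, the rank tables, the two gap checks and the three fictional register entries are assumptions, and the instrument mapping encodes only the four triage questions listed above.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AISystem:
    """One register entry: owner, purpose, data, decision impact, models, suppliers."""
    name: str
    owner: str
    purpose: str
    data_classification: str     # "public" | "internal" | "personal" | "sensitive"
    decision_role: str           # "none" | "assists" | "makes": role in decisions about people
    significant_effect: bool     # could the decision significantly affect rights or interests?
    reversibility: str           # "easy" | "hard" | "irreversible": undoing the output action
    clinical_use: bool           # used by a registered practitioner in patient care
    apra_regulated: bool         # the deploying entity is APRA-regulated
    material_provider: bool      # a third-party model or platform behind it is a material service provider
    models: List[str] = field(default_factory=list)
    suppliers: List[str] = field(default_factory=list)
    has_approval_gate: bool = False
    has_tamper_evident_log: bool = False


def applicable_instruments(s: AISystem) -> List[str]:
    """Step 2: which instruments bite for this register entry."""
    hits = []
    if s.apra_regulated:
        hits.append("CPS 234")            # any AI system inside the information-asset perimeter
        if s.material_provider:
            hits.append("CPS 230")        # material service-provider dependency
    uses_personal = s.data_classification in ("personal", "sensitive")
    if uses_personal and s.decision_role != "none" and s.significant_effect:
        hits.append("Privacy Act APP 1.7 (ADM transparency, 10 Dec 2026)")
    if s.clinical_use:
        hits.append("AHPRA AI guidance")
    return hits


def open_gaps(s: AISystem) -> List[str]:
    """Step 3: the two controls a regulator asks about first, where they are missing."""
    gaps = []
    if s.decision_role != "none" and s.reversibility != "easy" and not s.has_approval_gate:
        gaps.append("human approval gate before the lowest-reversibility step")
    if s.decision_role != "none" and not s.has_tamper_evident_log:
        gaps.append("tamper-evident decision log")
    return gaps


# Assumed rank tables: lower sorts first.
_REVERSIBILITY = {"irreversible": 0, "hard": 1, "easy": 2}
_ROLE = {"makes": 0, "assists": 1, "none": 2}


def remediation_order(register: List[AISystem]) -> List[Tuple[str, List[str], List[str]]]:
    """Entries with open gaps, lowest reversibility and highest decision impact first."""
    work = [(s, applicable_instruments(s), open_gaps(s)) for s in register]
    work = [w for w in work if w[2]]
    work.sort(key=lambda w: (_REVERSIBILITY[w[0].reversibility],
                             _ROLE[w[0].decision_role], -len(w[1])))
    return [(s.name, inst, gaps) for s, inst, gaps in work]


# Constructed sample register (three fictional systems) so the block runs offline.
SAMPLE_REGISTER = [
    AISystem("credit-letter-gen", "Head of Lending", "draft credit-decision letters",
             "personal", "assists", True, "hard", False, True, True,
             ["open-weights-llm 2025.11"], ["AU GPU host"]),
    AISystem("clinical-note-summariser", "Director of Medical Services", "summarise consult notes",
             "sensitive", "assists", True, "irreversible", True, False, False,
             ["open-weights-llm 2025.11"], [], has_approval_gate=True),
    AISystem("policy-search", "Head of Knowledge", "internal document search",
             "internal", "none", False, "easy", False, True, False),
]

if __name__ == "__main__":
    for name, instruments, gaps in remediation_order(SAMPLE_REGISTER):
        print(f"{name}: {instruments} -> fix first: {gaps}")
```

Run against the sample register, the clinical summariser sorts ahead of the lending letter generator because its output enters a patient record and cannot be undone, even though the lending system answers to more instruments; the internal search tool, which plays no role in decisions about people, drops out of the remediation list entirely. The same two functions answer the dated obligation in the last step: every entry that returns the APP 1.7 line is one whose kinds of personal information and decisions belong in the privacy policy before 10 December 2026.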
None of this requires waiting for the standalone AI guardrails the Government has, for now, decided not to introduce.[^1] The obligations are live, the deadline that matters is fixed, and the controls are buildable today.
The short close
The global frameworks tell you how to think about AI risk. They do not tell you which Australian regulator will ask which question. Australia's choice to govern AI through its existing regulators rather than a single new law puts the burden on you to do the mapping, and rewards the organisations that do it well with a governance posture that is genuinely defensible, not merely compliant-looking.
Sovereignty, human accountability and no vendor lock-in are not features in this framework. They are the cheapest, most direct ways to satisfy obligations Australian enterprises already carry. Build the register, map it to the stack, close the irreversible gaps first, and the rest is execution.
If you want a second set of eyes on how your AI sits against the Australian stack, talk to the team about your AI governance posture.
References
[^1]: National AI Plan and decision not to proceed with mandatory guardrails. Australia released its National AI Plan on 2 December 2025, confirming it will rely on existing laws and sector regulators rather than introduce standalone mandatory AI guardrails. MinterEllison, "Australia introduces a national AI plan: Four things leaders need to know," https://www.minterellison.com/articles/australia-introduces-a-national-ai-plan-four-things-leaders-need-to-know ; Maddocks, "The new national plan for Australia's AI-enabled future," https://www.maddocks.com.au/insights/the-new-national-plan-for-australias-ai-enabled-future . Verified 14 June 2026.
[^2]: Voluntary AI Safety Standard. Published by the Australian Department of Industry, Science and Resources on 5 September 2024; ten voluntary guardrails for safe and responsible AI across the supply chain. Department of Industry, Science and Resources, "Voluntary AI Safety Standard," https://www.industry.gov.au/publications/voluntary-ai-safety-standard . Verified 14 June 2026.
[^3]: APRA Prudential Standard CPS 234 Information Security. Applies to all APRA-regulated entities from 1 July 2019; includes the 72-hour material-incident notification requirement. APRA, "Information security requirements for all APRA-regulated entities," https://www.apra.gov.au/information-security-requirements-for-all-apra-regulated-entities . Verified 14 June 2026.
[^4]: APRA Prudential Standard CPS 230 Operational Risk Management. Came into force on 1 July 2025; covers operational-risk management, business-continuity planning and management of material service providers. APRA, "Operational risk management," https://www.apra.gov.au/operational-risk-management ; Norton Rose Fulbright / Global Regulation Tomorrow, "Now in force – APRA CPS 230 Operational Risk Management," https://www.regulationtomorrow.com/2025/07/now-in-force-apra-cps-230-operational-risk-management/ . Verified 14 June 2026.
[^5]: Privacy and Other Legislation Amendment Act 2024. Introduces automated decision-making transparency via a new APP 1.7; the relevant provisions are scheduled to commence on 10 December 2026. Johnson Winter Slattery, "Practical implications of the new transparency requirements for automated decision making," https://jws.com.au/what-we-think/practical-implications-of-new-transparency-requirements-for-automated-decision-making/ ; Hamilton Locke, "Transparency in automated decision-making: what regulated entities need to know and do before December 2026," https://hamiltonlocke.com.au/transparency-in-automated-decision-making-what-regulated-entities-need-to-know-and-do-before-december-2026/ . Verified 14 June 2026.
[^6]: ISO/IEC 42001:2023. The first international AI management system standard, published in December 2023. International Organization for Standardization, "ISO/IEC 42001:2023, AI management systems," https://www.iso.org/standard/42001 . Verified 14 June 2026.
[^7]: AHPRA AI guidance. "Meeting your professional obligations when using Artificial Intelligence in healthcare," released by the Australian Health Practitioner Regulation Agency in 2024; the registered practitioner remains accountable for AI-assisted outputs and must apply human judgement, with patients informed where AI is used. AHPRA, https://www.ahpra.gov.au/Resources/Artificial-Intelligence-in-healthcare.aspx . Verified 14 June 2026.
[^8]: NIST AI Risk Management Framework (AI RMF 1.0). Released by the U.S. National Institute of Standards and Technology on 26 January 2023; a voluntary framework structured around Govern, Map, Measure and Manage. NIST, "AI Risk Management Framework," https://www.nist.gov/itl/ai-risk-management-framework . Verified 14 June 2026.
[^9]: Australian AI Safety Institute. Announced by the Australian Government on 25 November 2025 to monitor, test and share information on AI risks and harms, with operations expected to commence in early 2026. Bird & Bird, "Australian Government to establish AI Safety Institute," https://www.twobirds.com/en/insights/2025/australia/australian-government-to-establish-ai-safety-institute . Verified 14 June 2026.