Governing AI in the Australian Enterprise
AI governance for Australian organisations: the obligations that already apply, the frameworks worth adopting, and the structures that make adoption defensible.
Artificial intelligence is being adopted faster than most organisations can govern it. The gap between the two is where risk accumulates: unsanctioned tools handling sensitive data, models making decisions no one can explain, and vendors making claims no one has verified. Closing that gap does not require waiting for AI-specific legislation — it requires applying disciplines the enterprise already understands.
The obligations that already apply
Australia does not yet have an economy-wide AI statute, but that does not mean AI use is unregulated. Existing obligations reach it today:
- Privacy Act 1988. Personal information used to train, prompt or operate AI systems remains subject to the Australian Privacy Principles, and the reform program under way continues to raise expectations around transparency and automated decision-making.
- APRA CPS 230 and CPS 234. For regulated financial entities, AI systems that support critical operations fall within operational risk management and information security obligations — including where they are delivered by service providers.
- Sector and general law. Consumer law, anti-discrimination law and directors’ duties all apply to AI-assisted decisions exactly as they apply to human ones.
The practical consequence: “we are waiting for AI regulation” is not a governance position. Boards are accountable now, under law that already exists.
The frameworks worth adopting
Two voluntary frameworks have emerged as the reference points for structured AI governance:
- ISO/IEC 42001 defines an AI management system — the policy, accountability, risk and lifecycle structure an organisation wraps around its AI use, in the same way ISO 27001 structures information security.
- NIST AI RMF provides the risk vocabulary: govern, map, measure and manage functions that translate AI risk into assessable, improvable practice.
Neither is mandatory in Australia. Both are useful precisely because they let an organisation demonstrate reasonable, structured care — to regulators, customers and its own board.
What good governance looks like in practice
Across regulated environments, effective AI governance consistently rests on five structures:
- An accountable owner. A named executive owns AI risk — commonly the CISO or CRO jointly with the CIO — with a mandate that spans procurement, development and use.
- A living inventory. You cannot govern what you have not found. Sanctioned systems, embedded AI features in SaaS platforms, and unsanctioned “shadow AI” all belong in one register, risk-tiered by data sensitivity and decision impact.
- Lifecycle controls. Security and governance requirements applied at each stage — data sourcing, model selection, deployment, monitoring and retirement — rather than a one-time approval.
- Assurance over claims. Vendor and model claims are verified, not accepted. Assurance effort scales with the risk tier of the use case.
- Board-grade reporting. AI risk reported in the same language as other enterprise risks: exposure, appetite, control effectiveness and incidents.
Where architecture comes in
AI systems inherit the security posture of the environment around them. Identity, data protection, segmentation and logging determine what a compromised or misbehaving AI system can actually do. That is why AI governance is strongest when it is architecture-led: the controls are designed into the platform the AI runs on, not bolted onto each initiative.
Key takeaways
- Existing Australian law already governs enterprise AI use; accountability does not wait for AI-specific legislation.
- ISO/IEC 42001 and the NIST AI RMF are the practical reference frameworks for demonstrating structured care.
- Governance rests on ownership, inventory, lifecycle controls, assurance and board-grade reporting.
- Architecture determines the blast radius of AI failures — govern the platform, not just the model.
Start with the CISO’s guide to AI governance for the practitioner’s first-90-days view, or discuss an AI governance review with our AI security advisory practice.