Australia’s AI regulatory landscape has shifted more in the past three months than in the previous two years combined. If you’ve been focused on running your business and haven’t kept track, here’s what actually changed and what it means for you.

The Mandatory Guardrails Framework Takes Shape

The most significant development is the progression of the federal government’s mandatory guardrails for high-risk AI. After years of voluntary principles and gentle encouragement, the Department of Industry, Science and Resources released its draft regulatory framework in late January 2026.

The framework identifies ten categories of high-risk AI use, including employment screening, credit assessment, healthcare diagnosis support, law enforcement, and critical infrastructure management. Organisations deploying AI in these categories would face mandatory obligations around transparency, human oversight, testing, and accountability.

The draft follows a sector-specific model where existing regulators like APRA, the TGA, and the ACCC would enforce AI-specific requirements within their existing jurisdictions. Financial services AI will be regulated by people who understand financial services, not by a new agency learning from scratch.

The consultation period runs until April 2026, with legislation expected in the second half of the year.

State-Level Initiatives Are Moving Faster

While the federal framework gets the headlines, state governments have been moving with less fanfare and more speed.

New South Wales updated its AI Assurance Framework in January, making it mandatory for all state government agencies deploying AI in public-facing services to complete an algorithmic impact assessment. Several agencies have already paused AI deployments to complete the assessments.

Victoria announced a $45 million AI Skills and Safety Fund, directed at helping small and medium businesses understand and comply with emerging AI regulations. The fund includes subsidised advisory services, training programs, and a compliance toolkit designed for businesses with fewer than 200 employees.

Queensland has focused on AI procurement standards for state government. Any AI system purchased or developed for Queensland government use must now meet defined transparency, bias testing, and data governance requirements.

APRA Gets Specific on Financial Services AI

The Australian Prudential Regulation Authority issued updated guidance in February on AI in regulated financial institutions, moving beyond general principles to specific expectations.

Key requirements include documented model risk management for AI systems, board-level accountability for AI decision-making in lending and insurance, regular bias testing with published results for customer-facing AI, and clear escalation pathways when AI systems produce outcomes outside expected parameters.

APRA has also signalled that AI-related questions will feature in upcoming prudential reviews.

The Privacy Act Connection

The Privacy Act review continues to intersect with AI regulation. The Attorney-General’s Department confirmed in January that the reformed Privacy Act will include specific provisions for automated decision-making, including AI systems.

The most significant proposal remains the right to meaningful explanation when AI is involved in decisions that significantly affect individuals. Building explainability into AI systems after the fact is expensive and technically difficult. Building it from the start is much cheaper.

International Alignment Pressures

Australia’s regulatory approach is increasingly influenced by international developments. The EU AI Act is now being enforced, and Australian companies selling into European markets must comply regardless of domestic legislation. Many larger Australian businesses are already building to EU standards.

The OECD’s updated AI Principles provide another reference point. Australia has committed to alignment with OECD standards, which means our domestic framework will likely reflect these principles. Trade agreements are also playing a role, with AI governance provisions appearing in negotiations.

What Businesses Should Do Now

First, don’t wait for final legislation. Start with a basic AI inventory. Document every AI system in your organisation, what it does, what data it uses, who it affects, and what oversight exists.

Second, assess your exposure to high-risk categories. If you’re using AI in any of the ten identified high-risk areas, prepare for mandatory compliance now. The transition period after legislation passes will be shorter than most businesses expect.

Third, get help if you need it. The intersection of AI technology, business operations, and regulatory compliance is genuinely complex. Custom AI development firms in Brisbane and other capitals are reporting growing demand from mid-market companies that recognise they can’t sort this out with internal resources alone.

Fourth, engage with the consultation process. The federal framework is still in draft. Industry submissions carry weight, particularly those from businesses with practical experience deploying AI.

Australia is moving from voluntary AI governance to mandatory regulation. The approach is pragmatic, with sector-specific regulation, risk-based classification, and reasonable transition periods. But compliance will cost money, and the landscape will remain complex while federal and state frameworks are finalised and aligned.

The right response is measured preparation rather than either panic or complacency. The regulatory train has left the station. The only choice now is whether you’re on board or chasing it down the track.