The map Reviewed 17 Jul 2026
Most of the obligations that reach Australian businesses are not AI law. They come from rules that already exist: privacy, consumer law, employment, contract. The AI-specific material is still mostly voluntary, or made overseas.
Personal information handled by or through an AI tool falls under the same collection, use, disclosure and security rules as any other personal information.
Applies to: APP entities: most businesses with annual turnover over $3m, plus some others regardless of size
The regulator's guidance on what the Privacy Act expects when a business adopts an off-the-shelf AI product, including due diligence and what can go into public tools.
Applies to: APP entities using off-the-shelf AI tools
The regulator's guidance on how the Privacy Act applies when personal information is used to build or train generative AI models.
Applies to: Entities developing or fine-tuning generative AI models
The prohibition on misleading or deceptive conduct applies to what your business publishes or tells customers, whether a person or an AI system produced it.
Applies to: All businesses
The corporate regulator's review of how licensees govern AI, and its statement that existing licensee obligations already cover AI use.
Applies to: AFS licensees and credit licensees
The prudential regulator's observations on AI adoption, and its expectation that governance, risk and assurance practices keep pace with it.
Applies to: APRA-regulated entities: banks, insurers, superannuation trustees
The EU's risk-based AI law, in force and phasing in. It reaches Australian businesses through contracts and EU market access, not Australian enforcement.
Applies to: Australian businesses selling into the EU, or via contract with EU partners
Ten voluntary guardrails the government recommends for organisations deploying AI, covering accountability, testing, transparency and human oversight.
Applies to: All organisations using or developing AI
Eight voluntary principles for responsible AI design and use, from human wellbeing to contestability and accountability.
Applies to: All organisations, by choice
An international standard for AI management systems. A standard, not a law. Increasingly requested in contracts and tenders.
Applies to: Organisations seeking certification, or asked for it in procurement
The assessment framework NSW government projects use for AI systems. Binding in practice for suppliers to NSW government, voluntary for everyone else.
Applies to: NSW government agencies and their suppliers
The government's December 2025 roadmap for AI adoption, capability and safety. It signals where regulation is heading rather than imposing requirements.
Applies to: Policy direction, not an obligation
A government proposals paper on mandatory requirements for high-risk AI settings. Consultation stage. Nothing in it binds anyone yet.
Applies to: Would reach developers and deployers of high-risk AI if legislated
From December 2026, privacy policies must explain automated decisions that significantly affect people, under the Privacy and Other Legislation Amendment Act 2024.
Applies to: APP entities using automated decision-making with personal information
A draft code setting how online services must handle children's personal information. In consultation, with registration due by December 2026.
Applies to: Online services likely to be accessed by children