Does Australia have an AI Act in 2026?
No. As of 2026 there is no Australian AI Act, no mandatory AI guardrails, and none planned. The National AI Plan (2 December 2025) chose to govern AI through existing technology-neutral laws and sector regulators, supported by voluntary guidance and a new advisory AI Safety Institute - not a standalone AI statute.
This is the single most misunderstood point for Australian boards and executives. Earlier signals pointed the other way: in September 2024 the then Department of Industry, Science and Resources published a Proposals Paper on mandatory guardrails for AI in high-risk settings. That proposal did not become law. The Government instead reaffirmed a principles-based, pro-adoption posture in the National AI Plan, structured around three goals: capture the opportunities, spread the benefits, and keep Australians safe.
So what must a regulated Australian enterprise actually do? Two things. First, comply with the laws that already apply to AI - the Privacy Act 1988 (including the new automated decision-making transparency duty), the Australian Consumer Law, anti-discrimination law, the Corporations Act, and sector regimes such as APRA CPS 230 and CPS 234. Second, operationalise the Government's recommended baseline: the 6 Essential Practices in the Guidance for AI Adoption (published 21 October 2025), which evolved and superseded the 2024 Voluntary AI Safety Standard.
Areebi is a sovereign, privately deployable Secure AI Control Plane that gives CIOs, CISOs, GCs and DPOs the technical substrate to satisfy both layers - the binding laws and the voluntary baseline - from a single platform with policy enforcement, real-time DLP, and immutable audit logging, with data kept in Australia.
What is the National AI Plan and what did it decide?
The National AI Plan, released on 2 December 2025 by the Department of Industry, Science and Resources, is Australia's most comprehensive AI policy statement to date. Its central regulatory decision was to build on Australia's existing legal and regulatory frameworks rather than introduce mandatory guardrails for high-risk AI. There is no AI-specific licensing, certification or pre-market approval regime for general AI in Australia.
The Plan is organised around three goals:
- Capture the opportunities: accelerate AI uptake, invest in compute and skills, and back domestic AI capability, on the Government's view that broad-based AI adoption represents a major productivity and economic opportunity for Australia this decade.
- Spread the benefits: lift adoption among SMEs and regional businesses, and invest in the AI workforce.
- Keep Australians safe: the safety goal, funded with AUD 29.9 million to establish an Australian AI Safety Institute, plus continued reliance on existing regulators and voluntary guidance.
Critically, the safety pillar is advisory and capability-building, not a new enforcement regime. The Government signalled it will keep existing law under review - particularly as agentic AI matures - but it has explicitly declined, for now, to legislate AI-specific mandatory obligations. Read the source at industry.gov.au/publications/national-ai-plan.
For an enterprise this means the compliance question is not "how do we prepare for a coming AI Act" - it is "how do we demonstrably meet the laws that already bind us, plus the Government's stated baseline of good practice". That reframing matters for budget, board reporting and procurement.
Is the Australian AI Safety Institute a regulator?
No. The Australian AI Safety Institute (AISI) is an advisory and technical body, not a regulator. It has no licensing, certification or enforcement powers. It was funded with AUD 29.9 million under the National AI Plan and began operating in early 2026.
The AISI's mandate is to build national capability on AI safety, not to police organisations. Its functions include:
- Assessing upstream risks of advanced AI - model capabilities, training datasets and system design.
- Studying downstream harms once AI systems are deployed.
- Supporting specialist regulators (such as the OAIC, ACCC, ASIC and APRA) with technical expertise rather than supplanting them.
- Coordinating responses to major AI incidents and engaging with international AI safety institutes.
Because the AISI does not issue binding obligations, organisations should treat its outputs as authoritative technical guidance that informs - but does not replace - their obligations under the Privacy Act, Australian Consumer Law and sector regulation. See the Minister's announcement at minister.industry.gov.au. The practical takeaway: there is no "AISI certification" to obtain, and any vendor claiming one is misrepresenting the regime.
What are the 6 Essential Practices for AI in Australia?
The 6 Essential Practices are the Australian Government's voluntary baseline for responsible AI, set out in the Guidance for AI Adoption, which was published on 21 October 2025 by the National AI Centre and prepared by Gradient Institute. They consolidate the ten voluntary guardrails from the 2024 Voluntary AI Safety Standard into six practices that scale from SME to enterprise.
The six practices are:
- Governance and accountability: assign clear ownership for AI, with named accountable executives, an AI policy, and board-level oversight.
- Impact assessment: understand the impact of each AI use case on people, rights and the organisation before deployment, and plan accordingly.
- Risk management: measure and manage AI risks across the full lifecycle, proportionate to the use case.
- Transparency: share information with the people and organisations affected, including disclosure that AI is being used.
- Testing and monitoring: test AI systems before and after deployment and monitor them continuously in production.
- Human oversight: maintain meaningful human control so a person can intervene in or override AI outputs.
The Guidance ships with free, practical templates that materially lower implementation cost: an AI screening tool to flag higher-risk use cases, an AI register template to inventory deployed systems, an AI policy guide and template, and a glossary. Download them from industry.gov.au/publications/guidance-for-ai-adoption.
These six practices are voluntary, but they are fast becoming the de facto expectation - referenced in procurement, supply-chain due diligence and board assurance. Treating them as your operating baseline is the most defensible position for a regulated Australian enterprise.
Which existing Australian laws already govern AI?
Australia's "AI rules" are mostly existing, technology-neutral laws applied to AI - not new AI statutes. The National AI Plan deliberately relies on this stack, and the regulators have confirmed it is fit for purpose.
Privacy Act 1988 and automated decision-making
The Privacy Act governs personal information used to train or run AI. The Privacy and Other Legislation Amendment Act 2024 introduces a new automated decision-making transparency obligation: privacy policies must disclose where personal information is used in automated decisions that could reasonably be expected to significantly affect the rights or interests of individuals. The ADM transparency provisions commence on 10 December 2026. The OAIC enforces this regime.
Australian Consumer Law
Treasury's Review of AI and the Australian Consumer Law (final report, October 2025) concluded the ACL is principles-based and technology-neutral, remains fit for purpose for AI, and that no new AI-specific mandatory safety standard is required at this time. AI products attract the same consumer guarantees, safety and misleading-conduct protections as any other product - so "AI washing" and unsafe AI features are already actionable by the ACCC.
Sector and prudential regulation
- APRA: CPS 230 (operational risk management, effective 1 July 2025) and CPS 234 (information security, in force since 1 July 2019) bind banks, insurers and superannuation trustees, covering AI as a service, model and third-party risk.
- ASIC: applies existing financial services, market integrity and directors' duties law to AI in advice, lending and trading.
- Other regimes: the Therapeutic Goods Act (AI in medical devices), the Security of Critical Infrastructure Act, anti-discrimination law and the Corporations Act all apply to AI without modification.
The compliance implication is that an Australian enterprise faces overlapping obligations from multiple regulators simultaneously - which is why a unified policy engine and a single audit trail across all AI usage is more efficient than point solutions per regulator.
Should we certify to AS ISO/IEC 42001 instead?
If you want a certifiable, externally auditable AI governance benchmark, AS ISO/IEC 42001 is the one to adopt - and it pairs naturally with the 6 Essential Practices. Australia has no mandatory AI standard, so the certifiable artefact buyers increasingly ask for is ISO/IEC 42001, adopted domestically by Standards Australia as AS ISO/IEC 42001:2023.
The relationship is complementary, not competing:
- The 6 Essential Practices are a free, lightweight national baseline - ideal for getting governance, an AI register and human oversight in place quickly.
- AS ISO/IEC 42001 is a full AI Management System (AIMS) standard that an accredited body can certify against - the evidence many enterprise and government procurement teams now request to de-risk AI suppliers.
- The international NIST AI Risk Management Framework provides the risk taxonomy that underpins the "risk management" practice.
A pragmatic sequence is: implement the 6 Essential Practices now, map them onto the AS ISO/IEC 42001 clauses, then pursue certification when procurement demand or board appetite justifies the audit cost. Standards Australia has worked with CSIRO's National AI Centre on plain-language guidance for the standard and partnered with the Australian National University on training to support its adoption. Because 42001 is a management-system standard, much of the evidence it requires - access control, logging, monitoring, incident handling - is operational rather than documentary, which is where a control plane earns its place.
How does Areebi operationalise the 6 Essential Practices?
The 6 Essential Practices and AS ISO/IEC 42001 describe what good AI governance looks like; a Secure AI Control Plane provides the technical how. Areebi sits between your people and the AI models they use - whether 30+ commercial LLMs or self-hosted open models - and enforces governance at the point of use, with all data kept in Australia.
Mapped to the six practices
- Governance and accountability: a central policy engine encodes your AI policy as enforced rules, with role-based access control mapping usage to accountable owners.
- Impact assessment and risk management: shadow-AI discovery surfaces every AI tool and model in use so high-impact use cases can be screened and prioritised - feeding the Government's AI screening tool and register.
- Transparency: immutable audit logging records prompts, responses, data flows and policy decisions, providing the evidence base for ADM transparency and disclosure duties.
- Testing and monitoring: continuous monitoring and guardrails watch production AI behaviour, not just pre-deployment tests.
- Human oversight: policy-driven controls keep a human in the loop for sensitive actions, with the ability to block or escalate.
- Data protection underpinning all six: real-time DLP prevents personal and confidential information leaving your boundary into external models, supporting Privacy Act compliance.
Areebi deploys privately - Docker, Kubernetes, on-premises or private cloud - so sovereignty and data residency are structural, not contractual. To be transparent about our own posture: Areebi is an early-stage company with SOC 2 readiness in progress; we hold no certifications yet and make no customer or metric claims. See our Trust Center and SOC 2 readiness page, or request a demo to see the controls mapped to your obligations.