AI Governance in Australia: Two Regulators Just Put Every Business on Notice
Edge Pulse / Key Facts
- APRA, 30 April 2026: Letter to every regulated bank, insurer and super trustee. AI governance and assurance are failing to keep pace with adoption.
- ASIC, 8 May 2026: Open letter to all AFS licensees on frontier AI cyber risk. A 12 point action list, tabled at board level, anchored to live enforcement.
- 11 December 2026: Privacy policies must disclose certain automated decision making that significantly affects individuals. Legislated, not optional.
- The adoption gap: Survey data put regular AI use among Australian small businesses at 69 per cent by January 2026. Most have no written AI governance at all.
Two Australian regulators wrote to the entire financial system about artificial intelligence within eight days of each other. If you read those letters as someone else's problem, this article is for you.
On 30 April 2026, APRA sent a letter to every bank, insurer and superannuation trustee it regulates. Its message: AI adoption is racing ahead of AI governance, and boards are expected to close the gap. Eight days later, on 8 May 2026, ASIC Commissioner Simone Constant issued an open letter to all AFS licensees and market participants about the cyber threat created by frontier AI models, telling regulated entities to act now rather than wait for perfect clarity, and directing them to table the letter at their board and risk committees.
In my fifteen plus years across Big Four advisory and major banks, I cannot recall a faster regulatory convergence on a single risk topic. And here is the part that matters if you run a business that ASIC and APRA have never heard of. The expectations being set at the top of the system do not stay at the top. They travel. Through supply chains, professional standards, insurers and the Privacy Act, they are already on their way to you.
Let's walk through it.
What ASIC and APRA actually said about AI
APRA's letter followed targeted engagement with large banks, insurers and superannuation trustees in late 2025. Its findings were not flattering. AI use is maturing unevenly, assurance practices are failing to keep pace with the scale and speed of AI adoption, and boards are leaning too heavily on what APRA called an overreliance on vendor presentations and summaries without sufficient examination of key AI risks. APRA set out minimum expectations covering:
- AI literacy at board level, sufficient for effective challenge and oversight
- AI governance and risk management frameworks that match the scale of use
- Information security controls around AI systems and the data they touch
- Supplier and vendor risk management for AI products
- Assurance that actually tests AI risks rather than accepting vendor claims
ASIC's letter took the threat angle. Frontier AI models have changed the cyber environment, attacks are faster and cheaper to mount, and licensees were told that small weaknesses can now have serious, cascading consequences. The letter contains a 12 point action list and four governance expectations aimed squarely at boards. It also anchors itself to ASIC's enforcement action against FIIG Securities, a reminder that ASIC has already taken a licensee to court over cyber risk management it considered inadequate. The subtext is not subtle. The same logic applies to AI risk.
Neither letter is legislation. Both are regulator expectations. But in Australian financial services, the distance between a regulator's open letter and a regulator's enforcement case has a habit of being shorter than anyone expects. ASIC flagged its concerns about AI governance gaps in Report 798 back in October 2024. Eighteen months later it is writing to the entire market.
Why the AI warnings reach beyond banks
You might be reading this as the owner of an accounting practice, a real estate agency, a brokerage, a consultancy or a growing company with no AFSL in sight. The letters were not addressed to you. The expectations inside them will still find you, through four doors.
The supply chain door. APRA regulated entities are now expected to manage AI related supplier risk. If you provide services to a bank, insurer, fund or any large corporate, expect AI usage questions in your next vendor due diligence questionnaire. No documented AI position means a harder conversation, or no contract.
The privacy door. The Privacy Act does not care whether you have a licence. If your business feeds client personal information into AI tools, the Australian Privacy Principles apply to that handling, and the OAIC has published guidance on privacy and the use of commercially available AI products. For the 100,000 plus small businesses entering the Privacy Act through the AML/CTF reforms on 1 July 2026, this lands at exactly the wrong moment to be careless.
The professional standards door. Lawyers, accountants, agents and advisers carry duties of confidentiality and competence that exist independently of any AI rule. Pasting a client's affairs into a free AI tool with no settings reviewed is a confidentiality question before it is ever a technology question. Professional indemnity insurers have started asking about AI use at renewal for the same reason.
The consumer law door. If AI produces your marketing, your pricing or your customer responses, the Australian Consumer Law holds you responsible for the output. An AI generated claim that misleads is your misleading conduct. There is no algorithm defence.
Australia has no standalone AI Act, and as at June 2026 none has been introduced. What it has instead is exactly this: existing law plus rising regulator expectations, applied to whatever AI touches. A Voluntary AI Safety Standard has existed since September 2024 for businesses that want a framework to build against. The absence of an AI Act is not the absence of AI obligations. It just means your obligations are scattered across laws you already have.
The shadow AI problem inside Australian small businesses
Here is the uncomfortable bit. Survey data from Intuit QuickBooks put regular AI use among Australian small businesses at 69 per cent by January 2026, up from roughly 40 per cent eighteen months earlier. Adoption is no longer the question. Visibility is.
In almost every business I review, the actual AI footprint is larger than the owner believes. Someone in the team is drafting client emails with a chatbot. Someone is summarising contracts. Someone is running meeting transcripts through a notetaker that stores audio offshore. None of it was approved because there was nothing to approve it against.
This is shadow AI. Real usage, zero governance, and the business owner finds out at the worst possible time, usually when a client asks where their information went.
APRA's complaint about boards relying on vendor slide decks has a small business twin: owners relying on the word "secure" on a pricing page. The fix in both cases is the same and it is not complicated. Know what is being used, decide what is allowed, and write it down.
A Direct Word From Tarun
"If you cannot list every AI tool your team used this week and what client information went into them, that blind spot is the risk worth fixing first. Tell me what tools your business touches and I will tell you, in writing, where the exposure sits and what I would fix before anyone else asks. No charge for the first review. Limited to the first 10 businesses who respond."
The AI deadline already on your calendar: 11 December 2026
One AI adjacent obligation is not an expectation. It is legislated, and it has a date.
Under the first tranche of Privacy Act reforms passed as the Privacy and Other Legislation Amendment Act 2024 (Cth), entities covered by the Privacy Act must, from 11 December 2026, include information in their privacy policies about certain automated decision making that significantly affects individuals. In plain terms: if a computer program, including an AI tool, substantially decides or shapes decisions about people, such as screening applications, scoring tenants or triaging customers, your privacy policy will need to say so.
Most large companies have this on a project plan. Most small and mid sized businesses have never heard of it. And the businesses entering the Privacy Act for the first time on 1 July 2026 through the AML/CTF reforms inherit this deadline within six months of arriving. If you are updating a privacy policy this winter anyway, build the automated decision making disclosure at the same time and save yourself a second project.
Need that privacy policy looked at before December? Our Regulatory Health Review is the entry-point diagnostic for this exact problem.
Five artefacts every business needs this quarter
Forget the 40 page frameworks. For a business of five to fifty people, defensible AI governance is five artefacts, most of them a page long.
1. Write an AI use policy
What your people may use AI for, what they may never put into an AI tool (client identity documents, health information, anything privileged or confidential without approval), and who approves new tools. One to two pages, written in language a new hire understands on day one.
2. Build an AI register
A simple list of every AI tool in use, who uses it, what data it touches and where that data goes. You cannot govern what you have not listed. This is also the document that answers a client's or insurer's questionnaire in minutes instead of days.
3. Run a vendor check on every new tool
Before any new tool is adopted: where is data stored, is it used to train models, can you switch that off, what happens on deletion. Four questions, asked every time, recorded.
4. Put a human on anything that leaves the building
AI drafts, a person decides. Client advice, marketing claims, valuations, anything with a number in it. The Consumer Law point above is the reason this is a rule and not a preference.
5. Map your AI use to your privacy obligations
Connect your AI register to your privacy obligations: collection notices that cover AI processing where needed, the 11 December 2026 automated decision making disclosure, and retention settings inside the tools themselves.
That is the whole system. A business with these five artefacts is ahead of a large share of the licensed entities the regulators wrote to in May. I have seen the gap from the inside, and it is not a technology gap. It is a writing it down gap.
If you do not have someone whose actual job is to keep the register current, review new tools, and run interference between your business and whoever asks the questions next, you do not have a framework. You have a folder. This is the gap our Managed Compliance Partner retainer was built to close. We embed inside the business as your external compliance function, with AI governance handled alongside privacy, AML/CTF and employment obligations as one system.
Frequently asked questions
Does my business need an AI policy in Australia?
There is no law that says every business must have an AI policy. There are existing laws, including the Privacy Act and the Australian Consumer Law, plus regulator expectations and client due diligence demands, that an AI policy is the simplest way to satisfy. If your team uses AI tools and you handle client information, a short AI use policy is the practical baseline.
What did ASIC and APRA say about AI in 2026?
APRA wrote to regulated banks, insurers and superannuation trustees on 30 April 2026 about gaps in AI governance, assurance and board oversight. ASIC issued an open letter to AFS licensees and market participants on 8 May 2026 about cyber risk accelerated by frontier AI models, with a 12 point action list and an instruction to table the letter at board level.
Is AI regulated in Australia?
Australia has no standalone AI Act as at June 2026. AI use is governed through existing law, including the Privacy Act, the Corporations Act, the Australian Consumer Law and sector regulation, supported by a Voluntary AI Safety Standard published in September 2024 and growing regulator guidance. Verify the current position at industry.gov.au.
What should an AI use policy include?
Permitted and prohibited uses, the categories of information that must never be entered into AI tools without approval, the approval path for new tools, human review requirements for client facing output, and who owns the policy. For most small businesses this fits on one to two pages.
What is the automated decision making privacy requirement?
From 11 December 2026, privacy policies of entities covered by the Privacy Act must include information about certain computer programs, including AI systems, used to make or substantially influence decisions that significantly affect individuals. The requirement comes from the Privacy and Other Legislation Amendment Act 2024 (Cth). Verify the current position at oaic.gov.au.
Does the Privacy Act apply to tools like ChatGPT?
The Privacy Act applies to your handling of personal information, including when you enter it into an AI tool. If your business is covered by the Privacy Act, putting client personal information into an AI product is a use and disclosure you are responsible for, and the OAIC has published guidance on using commercially available AI products consistently with the Australian Privacy Principles.
Can small businesses ignore the ASIC and APRA letters?
The letters do not directly bind unlicensed small businesses, but the expectations inside them flow outward through supplier due diligence, professional indemnity insurers, professional standards and client questionnaires. Building basic AI governance now is cheaper than building it under pressure when a contract or renewal depends on it.
Who can help my business build an AI governance framework?
ComplyEdge works directly with business owners, principals and directors across Australia to build defensible AI governance alongside privacy, AML/CTF and employment compliance. Our Regulatory Health Review is the entry-point diagnostic. The Managed Compliance Partner retainer is the ongoing solution for businesses that need an embedded compliance function.
Take Action Before The Questions Start
Book a Regulatory Health Review
A fixed-fee diagnostic that audits your AI use, privacy position and wider compliance obligations against what regulators are now signalling, and identifies the gaps you need to close. Delivered in two weeks.
Or call +61 415 276 099 / info@complyedge.com.au
About the Author
Tarun Mago, JD is the Director and Principal Consultant of ComplyEdge Pty Ltd, a boutique risk and compliance advisory firm based at Barangaroo, Sydney. He works with real estate principals, financial services licensees, and SME directors across Australia on regulatory frameworks, AML/CTF programs, and embedded compliance retainers.
For more analysis like this, subscribe to Comply or Explain, our LinkedIn newsletter, where Edition 17 covers the other 1 July story: the Privacy Act quietly arriving for more than 100,000 small businesses through the AML/CTF reforms.
This article is general information only and does not constitute legal advice. Regulatory positions described reflect APRA's and ASIC's letters to industry of 30 April 2026 and 8 May 2026, the Privacy and Other Legislation Amendment Act 2024 (Cth), and OAIC guidance as at the date of publication. Regulator expectations, commencement dates and legislative requirements may change. Seek advice specific to your circumstances. ComplyEdge® is a registered trademark of ComplyEdge Pty Ltd (IP Australia, Class 45).