AI Governance in ANZ 2026

The Regulatory Landscape, Enterprise Readiness, and What Actually Matters

Only 30% of ANZ enterprises are governance-ready for AI. The gap between AI adoption (87% in NZ, 69% using agentic AI in AU) and governance maturity (21% with mature agentic models) is the defining enterprise risk of 2026. This analysis covers the regulatory landscape, board expectations, the ISO 42001 trajectory, industry-specific requirements, and what the Big 4 are selling versus what you actually need.

By Gregory McKenzie · Registered Trans-Tasman Patent Attorney & Systems Architect · NETEVO · 17 min read · Published 13 Mar 2026

The ANZ Regulatory Landscape: No AI Act, But No Free Pass

Australia has deliberately rejected standalone AI legislation. Unlike the EU AI Act, Australia's approach strengthens existing laws and empowers sector-specific regulators. The premise: AI risks like discrimination, privacy breaches, and safety failures are already addressed by current statutes, provided those statutes are updated and rigorously enforced. The Government confirmed that direction when it decided not to proceed with the mandatory AI guardrails it had proposed for high-risk settings in 2024, folding the consultation feedback into the National AI Plan. This sounds permissive. It is not. The practical effect is that AI governance obligations are distributed across multiple regulators, each with enforcement powers, making the compliance landscape harder to navigate, not easier.

The Privacy Act 1988, amended in December 2024, now explicitly addresses automated decision-making. Organisations must disclose when personal information is used for substantially automated decisions affecting individual rights. The Australian Privacy Principles apply to both inputs and outputs of AI systems, and critically, AI-generated inferences about individuals are considered collected personal information under APP 3. The Office of the Australian Information Commissioner has set out how those principles apply in practice, in separate guidance on the use of commercially available AI products and on developing and training generative AI models. This means using a model to infer a customer's creditworthiness or health status triggers the same obligations as directly collecting that data.

The National AI Centre's Guidance for AI Adoption is the current expression of Australia's national voluntary AI governance. Published in October 2025 and updated in May 2026, it sets out six essential practices — deciding who is accountable, understanding impacts, managing risk, sharing essential information, testing and monitoring, and maintaining human control — and it evolves the ten guardrails of the 2024 Voluntary AI Safety Standard and the eight 2019 AI Ethics Principles into a single current frame. The practices are voluntary for the private sector, but they set the benchmark for government procurement. If you sell to government, alignment with them is effectively non-negotiable.

The Australian Government's Policy for Responsible Use of AI in Government v2.0 became effective in December 2025, requiring accountable officials, transparency statements, and mandatory AI Impact Assessments by June 2026. It delivers against the National Framework for the Assurance of AI in Government, the assurance regime the Commonwealth and every state and territory adopted in June 2024. Meanwhile, in New Zealand, 85% of citizens want assurance about trustworthy AI use, and the NZ Privacy Commissioner is calling for strengthened legislation amid increasing data breaches.

Australia's financial-services regulators have moved on AI specifically. ASIC's Report 798, Beware the gap (October 2024), found that governance arrangements at the licensees it reviewed had not kept pace with their AI deployment. APRA's Letter to Industry on AI of 30 April 2026 reports the same pattern across banks, insurers, and superannuation trustees, and calls for a step-change in AI risk management under the existing prudential standards rather than a new AI-specific regime. APRA notes that frontier AI models are expected to further increase the probability, speed and scale of cyber attacks. The conduct and prudential regulators are now aligned on the same finding: adoption has outpaced governance.

A parallel signal: the Australian Government Department of Finance has sponsored Rules as Code enterprise adoption on GovCMS — described as a global first in centralised RaC deployment. This complements AustLII's DataLex platform (peer-reviewed legal reasoning in yscript) and the Jersey Computer-Readable Legislation Project (2023-2025, a collaboration between the States of Jersey Legislative Drafting Office, AustLII, and Singapore Management University). The peer-reviewed work of Mowbray, Chung and Greenleaf establishes both the explainability properties of Rules as Code and its viability at legislative scale, and the rule-of-law critique of the approach is itself part of the literature — the practitioner application is the one that designs for the critique rather than ignoring it. The direction of travel is clear: regulation and compliance are moving from PDFs toward executable, machine-readable logic. The AustLII submission to the Robodebt Royal Commission (2023) made the case plainly: automated decision systems that are not transparently grounded in the legislation they implement are indefensible. For enterprises deploying AI for customer-affecting decisions, that principle now has regulatory teeth under the amended Privacy Act and the Guidance for AI Adoption.

Key Regulatory Instruments for ANZ Enterprises (2026)

  • Privacy Act 1988 (amended Dec 2024) — automated decision-making disclosure; APPs apply to AI inputs, outputs, and inferences; OAIC guidance on commercial AI use and on generative AI training
  • Guidance for AI Adoption (DISR / National AI Centre) — six essential practices; the current national voluntary frame, evolving the 2024 Voluntary AI Safety Standard and the 2019 AI Ethics Principles
  • APRA CPS 230 — operational risk management, including AI vendors as material service providers; commenced 1 July 2025; targeted amendments of 30 April 2026 (with CPG 230) commence 1 July 2026
  • APRA CPS 234 (with CPG 234) — AI as part of the critical technology stack; information asset classification
  • ASIC Report 798 and APRA's 30 April 2026 Letter to Industry on AI — the dual conduct-and-prudential finding that AI governance has lagged AI adoption
  • Government AI Policy v2.0 (Dec 2025) and the National Framework for the Assurance of AI in Government (2024) — mandatory AI Impact Assessments by June 2026 for Commonwealth entities
  • NSW AI Assessment Framework (formerly the AI Assurance Framework) — the state-government assessment workbook, now overseen by the operational AI Review Committee
  • TGA — AI as a medical device under the Therapeutic Goods Act 1989 where applicable

The Readiness Gap: Adoption Outpacing Governance

Enterprise AI adoption data from Deloitte, the Tech Council of Australia, and NewZealand.AI.

Australia: Adoption vs Readiness

30% of Australian companies are reimagining business through AI, but only 12% are transforming at a significant level (vs 25% globally). 69% are using agentic AI. Yet governance readiness sits at just 30%, data management readiness at 40%, and only 20% report their talent is highly prepared. The 2026 Tech Leaders Survey confirms: 78% see AI as the defining trend, but only 7% believe Australia has the capability to meet future demand.

New Zealand: Trust Deficit

82-87% of NZ businesses use AI in some capacity, up from 48% in 2023. Large enterprises lead at 92%. Public sector AI use cases grew from 108 to 272 in one year. But only 34% of New Zealanders trust AI systems. 81% believe specific AI regulation is necessary, and 85% want assurance about trustworthy use. The adoption is ahead of the trust infrastructure.

The Agentic AI Governance Gap

This is the most consequential finding: 75% of companies plan agentic AI deployments within two years, but only 21% have a mature governance model in place. Agentic AI, where autonomous agents perform complex workflows, requires real-time governance, not the narrative-based compliance reports most organisations still rely on. Policy-as-code, not policy-as-PDF.

In NSW, the Guide to using AI Agents in NSW Government (October 2025) is the first AU public-sector framework written specifically for agentic deployment.

ISO 42001: Bottleneck Reality

ISO/IEC 42001, adopted in Australia as AS ISO/IEC 42001:2023, is the premier AI governance certification, but the market is constrained. Only 10-15 accredited auditors exist in ANZ. Only 8-10 consultants have genuine AI governance plus ISO implementation experience. First-year costs: $73K (small, 30 staff), $185K (mid, 120 staff), $353K+ (large, 500+ staff). Early certifications: KPMG International (December 2025), CrowdStrike (January 2026), Darktrace (early 2026). The standard is right; the implementation supply is not yet ready.

AS ISO/IEC 42001:2023 sits with the companion impact-assessment (ISO/IEC 42005) and risk-management (ISO/IEC 23894) standards as the certifiable AI management stack.

Board Expectations: AICD Framework

The AICD has articulated five governance domains for boards: oversight (demanding AI risk metrics, not just policies), boardroom wisdom (using AI to challenge assumptions), strategy (asking 'if we built this organisation today as AI-enabled, what would we build?'), ESG (leading mixed human-agent teams), and resilience (understanding inference housing and jurisdictional data exposure). Work on the 5th edition of the ASX Corporate Governance Principles is paused pending a broader ASX-led review, with AI governance updates expected when it resumes.

These expectations are reinforced by the AICD and HTI Director's Guide to AI Governance, by ISO/IEC 38507 on the governance of AI by the governing body, and by a growing body of Australian scholarship on directors' duties and AI.

Financial Services: Zero Tolerance

APRA's CPS 230 (Operational Risk Management) requires end-to-end critical-operations mapping, including AI vendors as material service providers. The standard commenced on 1 July 2025; APRA's targeted amendments of 30 April 2026 — which narrow the material-arrangement contractual requirements for non-traditional service providers — and the updated CPG 230 commence on 1 July 2026. CPS 234 (Information Security) treats AI as part of the critical technology stack. Both ASIC (Report 798, 2024) and APRA (Letter to Industry on AI, 30 April 2026) have found that governance has lagged AI adoption across the sector. The projected $48.9B GDP impact from AI in finance by 2035 is contingent on regulatory certainty that does not yet exist.

What the Big 4 Are Selling — And What You Actually Need

Comparative analysis of enterprise AI governance approaches in ANZ. Source data: KPMG, PwC, EY, and Deloitte public materials, current to early 2026.

KPMG

Trust-First: ISO 42001 certified (December 2025). Trusted AI Framework plus a Risk Hub managed service. Microsoft and IBM alliances for integrated governance tooling.
Strength: brand trust.
Gap: $500K+ engagement scope for most organisations.

First Big Four entity certified. Framework oriented.

PwC

Scale-First: Agent OS platform with 25,000 agents deployed globally. A Three Lines of Defence model (Builders, Governors, Auditors). Reports 30-40% faster innovation cycles.
Strength: scale evidence.
Gap: Agent OS is PwC's platform, not yours.

Most operationally mature. Platform-centric. The Three Lines of Defence is a recognised governance architecture (Schuett, 2023), adoptable independently of any single vendor's platform.

EY

Investment-First: $1.4B committed to EY.ai on IBM watsonx. 24+ AI tools in Australian audit and assurance. Focus on agentic AI for operational efficiency.
Strength: audit integration.
Gap: internal tooling, not client governance capability.

Largest single investment. Audit-centric.

Deloitte

Sovereign AI focus: governance under local laws and data infrastructure. The State of AI in the Enterprise report is the benchmark dataset; it finds only 34% of companies reimagining their business models.
Strength: data authority.
Gap: research-led, implementation-follows.

Best research. Sovereignty angle.

From Research to Practice

We practice what we research. The governance principles in this analysis are drawn from production systems delivered for regulated and listed organisations.

Government

NSW Department of Industry

90%+ of audit preparation time eliminated. Governed platform delivery for a NSW state government agency: policy-as-code enforcement, automated compliance evidence, and audit-ready infrastructure — the governance principles described in this analysis applied to production systems.

Global Banking

RISKflo at HSBC

99%+ uptime over 24+ months. An event-sourced risk platform serving 1,100+ daily users at HSBC, with immutable audit trails, policy-as-code enforcement, and Zero Trust access controls. NETEVO encodes such obligations — operational risk under CPS 230 (commenced 1 July 2025; amended 30 April 2026, with the updated standard and CPG 230 effective 1 July 2026) and information security under CPS 234 — as executable controls. This platform demonstrated the pattern before those standards reached their current form.

ASX Prospectus

MoneyMe

$208M of organic demand quantified for an ASX prospectus, with board-grade reporting and a defensible evidence trail.

Board Reporting

Sheridan

$10.78M of attributed revenue with board reporting — regulatory-grade delivery applied to a commercial measurement problem.


Assessing Your AI Governance Readiness

From awareness to board-defensible governance.

Phase 1 — Regulatory Mapping

  • Map applicable regulations to your AI use cases — APRA prudential standards, the Privacy Act and OAIC guidance, the Guidance for AI Adoption, and sector-specific obligations
  • Identify material service providers and AI vendor dependencies (the CPS 230 material-arrangements surface)
  • Assess current governance against the AICD Director's Guide and ISO/IEC 38507
  • Review board reporting capabilities and conduct a gap analysis
  • Deliverable: a regulatory obligations register and gap analysis

Phase 2 — Readiness Assessment

  • Score organisational readiness across Deloitte's four dimensions (infrastructure, strategy, data, talent)
  • Benchmark against ANZ enterprise peers
  • Audit existing AI experiments and shadow AI usage
  • Assess agentic AI governance maturity against the 21% benchmark
  • Deliverable: a scored readiness matrix with peer benchmarking and a board-ready summary

Phase 3 — Framework Design

  • Design the AI governance policy architecture (policy-as-code, not policy-as-PDF)
  • Map to ISO/IEC 42001 (AS ISO/IEC 42001:2023) where certification is a goal
  • Define the decision-rights matrix and accountability chains
  • Design an AI risk classification schema aligned to ISO/IEC 23894 and an impact-assessment workflow aligned to ISO/IEC 42005
  • Deliverable: a complete governance framework with an implementation roadmap

Phase 4 — Implementation & Enablement

  • Deploy policy-as-code for AI governance (automated enforcement, not checklists)
  • Implement AI risk monitoring and evidence capture
  • Deliver a workforce AI fluency program (foundation, practitioner, builder tiers)
  • Establish a board reporting cadence and regulatory monitoring
  • Deliverable: operational AI governance with trained internal ownership

Engagement options

  • Readiness Assessment (one-off): regulatory mapping, readiness scoring against ANZ benchmarks, and a board-ready gap analysis — $30K-$60K
  • Governance Framework Design: the assessment plus a full governance framework, policy architecture, and ISO 42001 alignment — $60K-$120K
  • Full Governance Implementation: end-to-end from assessment through policy-as-code deployment, workforce enablement, and board reporting — $100K-$250K

Is AI Governance Assessment Critical for You?

AI governance assessment is critical if...

  • Your board or audit committee is asking about AI governance and you cannot demonstrate a framework
  • You are APRA-regulated and need to map AI vendors against CPS 230 requirements
  • AI experiments are running across teams without consistent governance or risk classification
  • You sell to Australian government and need to demonstrate alignment with the Guidance for AI Adoption
  • You are preparing for IPO and need to demonstrate AI governance maturity to investors
  • Your organisation uses agentic AI but has no governance model for autonomous agents
  • You are considering ISO 42001 certification but do not know where to start

This analysis is less relevant if...

  • Your organisation has no AI initiatives in progress or planned
  • You operate in a sector with no regulatory oversight of AI (rare in ANZ)
  • You are looking for AI model selection or prompt engineering training only
  • Your governance needs are purely internal with no board or regulatory reporting

Specialist vs Big 4 AI Governance

  • Engagement scope. Big 4: $500K-$3M+ as part of broader transformation. Specialist (NETEVO): $30K-$250K focused governance engagements.
  • Timeline. Big 4: 12-18 months embedded within transformation. Specialist (NETEVO): 3-6 months from assessment to operational governance.
  • Delivery model. Big 4: partner sells, manager delivers, analyst executes. Specialist (NETEVO): principal architect delivers directly, a patent attorney and systems architect.
  • Governance approach. Big 4: platform-based (PwC Agent OS, EY.ai); you adopt their stack. Specialist (NETEVO): infrastructure-native, policy-as-code integrated with your existing stack.
  • ISO 42001. Big 4: certification as a premium add-on. Specialist (NETEVO): framework alignment built into governance design.
  • Post-engagement. Big 4: ongoing managed-service dependency. Specialist (NETEVO): internal ownership; your team operates independently.

Governance is architectural, not procedural

Policy-as-code means compliance is automated and auditable, not a manual checklist. It is the same approach that achieved 99%+ uptime at HSBC and 90%+ audit preparation time savings at NSW DOI.

Patent attorney rigour applied to AI governance

Regulatory requirements translated into executable controls with the precision of patent claims. Defensible under board scrutiny, auditor examination, and regulatory review — the governance accountability that ISO/IEC 38507 and the Australian director-duty literature frame at the board level.

ANZ regulatory expertise, not imported frameworks

APRA CPS 230 (as amended, effective 1 July 2026) and CPS 234, the Privacy Act amendments and OAIC guidance, the Guidance for AI Adoption (six essential practices), and AICD board expectations — governance designed for the Australian regulatory landscape, not adapted from US or EU templates.

Rules as Code commercial implementation

Law-to-code is the enterprise application of the same Rules as Code principles validated by AustLII's DataLex platform, the AustLII submission to the Robodebt Royal Commission, and GovCMS enterprise adoption by the Department of Finance. The six properties of explainable RaC — transparency, traceability, availability, sustainability, links to legal sources, accountability — become the baseline for every automated control. The approach engages the full Rules as Code debate — implementation, formal methodology, and the rule-of-law critique — rather than a single corner of it.

Where Does Your Organisation Stand?

With only 30% of ANZ enterprises governance-ready, with both ASIC and APRA now reporting that AI governance has lagged adoption, and with mandatory AI Impact Assessments for Commonwealth entities arriving in June 2026, the window for closing the gap between AI adoption and governance maturity is narrowing fast. A readiness assessment gives you the board-ready data to act.

AI Governance in ANZ: FAQ

What AI regulations apply to Australian businesses in 2026?

Australia has rejected standalone AI legislation, instead strengthening existing laws via sector-specific regulators. Key instruments: (1) Privacy Act 1988 (amended December 2024) — requires disclosure for substantially automated decisions affecting individual rights, with OAIC guidance on both commercial AI use and generative AI training. (2) The Guidance for AI Adoption (DISR / National AI Centre) — six essential practices and the current national voluntary frame, evolving the 2024 Voluntary AI Safety Standard and the 2019 AI Ethics Principles; effectively the benchmark for government procurement. (3) APRA CPS 230 — operational risk management including AI vendors as material service providers; commenced 1 July 2025, with targeted amendments of 30 April 2026 (and the companion CPG 230) commencing 1 July 2026. (4) APRA CPS 234 — treats AI as part of the critical technology stack. (5) Government AI Policy v2.0 — mandatory for Commonwealth entities with AI Impact Assessments required by June 2026.

What is ISO 42001 and how many Australian organisations are certified?

ISO/IEC 42001:2023 is the world's first certifiable Artificial Intelligence Management System (AIMS) standard, adopted in Australia as AS ISO/IEC 42001:2023. It provides a structured framework for organisations to demonstrate AI governance maturity through formal certification. As of early 2026, the certification market in Australia is described as immature but accelerating. There are approximately 10-15 accredited auditors in ANZ who can certify to this standard, and only 8-10 consultants in Australia with genuine AI governance experience integrated with ISO implementation backgrounds. This creates a significant bottleneck. Early adopters include KPMG International (first Big Four entity certified, December 2025), Behavox (RegTech, early 2026), CrowdStrike (Falcon platform, January 2026), and Darktrace (11-month certification process with BSI). Costs vary: approximately $73,000 AUD for a small AI user (30 employees), $185,000 for mid-sized AI developers (120 employees), and $353,000+ for large enterprises (500+ employees) in the first year, plus $8,000-$20,000 annually for surveillance audits.

What does the AICD expect from boards regarding AI governance?

The Australian Institute of Company Directors has articulated board AI governance expectations across five domains in early 2026: (1) Oversight — moving beyond high-level policies to demanding AI risk metrics and qualitative reporting. Boards must shift from passive awareness to active oversight. (2) Boardroom Wisdom — using AI to challenge director thinking and conduct red-team/blue-team assumptions about strategy. (3) Strategy — asking crucial questions about business model reinvention. The AICD poses: 'If this organisation were designed today as AI-enabled, what would we build?' (4) ESG — reframing organisational culture to lead mixed teams of humans and autonomous agents. (5) Resilience — understanding inference housing, the jurisdiction where AI models process data, and its exposure to foreign legal regimes. These expectations are reinforced by the AICD and HTI Director's Guide to AI Governance, by ISO/IEC 38507 on the governance of AI by the governing body, and by a growing body of Australian scholarship on directors' duties and AI. The ASX Corporate Governance Principles (4th Edition, 2019) remain in effect. Work on a 5th edition was paused in 2025 for a broader review, with the ASX now assuming primary responsibility supported by an Advisory Group chaired by Dr Philip Lowe.

How prepared are ANZ enterprises for AI governance in 2026?

The data reveals a significant execution gap. According to Deloitte's State of AI in the Enterprise 2026 report: Governance readiness is only 30%. Data management readiness is 40%. Strategic readiness is 42%. Talent readiness has decreased, with only 20% of organisations reporting their people are highly prepared. Only 12% of Australian companies are transforming at a significant level through AI, compared to 25% globally. For agentic AI specifically, only 21% of companies have a mature governance model despite nearly 75% planning deployments within two years. The Tech Council of Australia and Datacom 2026 survey reports that only 7% of tech leaders believe Australia has the capability and infrastructure to meet future AI demand. In New Zealand, 82-87% of businesses use AI in some capacity but only 34% of citizens trust AI systems, and 85% want assurance about trustworthy use before increasing trust.

What AI governance requirements exist for Australian financial services?

APRA has made AI risk core to financial stability, not an optional extra. CPS 230 (Operational Risk Management) requires APRA-regulated entities to maintain end-to-end understanding of critical operations and material service providers, including AI vendors. The standard commenced on 1 July 2025; the targeted amendments of 30 April 2026 — with the companion Prudential Practice Guide CPG 230 — commence on 1 July 2026, narrowing the material-arrangement contractual requirements for non-traditional service providers. CPS 234 (Information Security) expects entities to treat AI as part of the critical technology stack; a 2025 tripartite assessment identified that many organisations still struggle with incomplete identification and classification of information assets in AI systems. Both ASIC (Report 798, 2024) and APRA (Letter to Industry on AI, 30 April 2026) have reported that governance has lagged AI adoption; APRA calls for a step-change under the existing standards rather than a new AI-specific prudential regime. For the broader sector, the economic impact of generative AI is projected at $48.9 billion to Australia's GDP by 2035, contingent on regulatory certainty. KPMG's 2026 surveys show that AI implementation has become the number one challenge for Australian business leaders, surpassing inflation.

How do the Big 4 consulting firms approach AI governance in ANZ?

The Big 4 have moved beyond advisory into platform-based governance. KPMG: Trust-First philosophy with ISO 42001 certification (December 2025). PwC: Scale-First with Agent OS (25,000 agents globally), a Three Lines of Defence model, 30-40% faster innovation cycles. EY: $1.4 billion EY.ai platform on IBM watsonx with 24+ AI tools in Australian audit. Deloitte: Sovereign AI focus emphasising governance under local laws. The key difference: Big 4 sell governance within broader transformation at $500K-$3M+. Specialist firms deliver focused governance frameworks at $30K-$250K with faster implementation and direct practitioner access.

What does the Robodebt Royal Commission teach Australian enterprises about AI governance?

AustLII's submission to the Robodebt Royal Commission (Mowbray, Chung and Greenleaf, 2023) argued that automated decision systems must be transparently grounded in the legislation they purport to implement — and Robodebt failed precisely because it was not. The submission established four principles for lawful automated decision systems: explicit acknowledgment of statutory basis, explainability meeting legal requirements, transparency so non-developers can understand, and separation of legal rules from implementation details. For enterprises deploying AI for customer-affecting decisions — credit, employment, insurance, healthcare — the lesson is directly applicable. The Privacy Act 1988 (amended December 2024) now requires disclosure for substantially automated decisions affecting individual rights, and the APPs apply to AI-generated inferences. An automated system whose logic cannot be traced to a specific legal or policy provision is indefensible under both the Privacy Act reforms and the Guidance for AI Adoption (six essential practices) on transparency and accountability. Full submission: https://www.austlii.edu.au/cgi-bin/viewdoc/au/other/CompLRes/2023/1.html

What is Rules as Code and how does it relate to AI governance in ANZ?

Rules as Code (RaC) renders legislation and regulatory obligations as executable, machine-readable logic rather than natural-language documents. The ecosystem includes AustLII's DataLex platform (rule-based legal reasoning using yscript, in use at UNSW, UTS, QUT), the Jersey Computer-Readable Legislation Project (2023-2025, with AustLII and Singapore Management University — explicitly finding that LLMs are not able to reason as such about legal rules), and GovCMS enterprise adoption by the Australian Government Department of Finance (described as a global first in centralised RaC deployment). The peer-reviewed framework by Mowbray, Chung and Greenleaf (Computer Law and Security Review, 2023) identifies six properties of explainable RaC: transparency, traceability, availability, sustainability, links to legal sources, and accountability. These translate directly to the enterprise compliance problem under APRA CPS 230, Privacy Act reforms, and the Guidance for AI Adoption: every automated control visible and auditable, every decision traceable to a regulatory provision, every evidence trail defensible. NETEVO's law-to-code methodology is the commercial implementation of these principles for enterprise governance.
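A worked example of the pattern described above and of the "policy-as-code, not policy-as-PDF" requirement for agentic governance earlier on this page. This is an added illustration, not NETEVO's law-to-code methodology and not code from any of the case studies. It is a small policy-as-code gate in Python: each rule carries the obligation it encodes, a link to the legal source (the URLs are the ones listed in the Sources section), and an accountable role, and every evaluation appends a SHA-256 chained entry to an evidence trail so that a decision can be traced back to the rule and the provision behind it, and so that later edits to the trail are detectable. The rule identifiers, the sample decision record, and the mapping of each check to a provision are constructed for illustration and are not legal advice.

```python
"""Policy-as-code gate for AI decisions with provenance and a tamper-evident evidence trail.

Added example; rule-to-provision mappings and role names are illustrative.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Any, Callable

Record = dict[str, Any]


# A rule carries its own provenance: the obligation it encodes, the source it
# traces to (URLs as cited on this page), and the role accountable for it.
# `applies` decides whether the rule governs a record; `satisfied` decides
# whether the obligation has been met for that record.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    obligation: str
    source: str
    accountable: str
    applies: Callable[[Record], bool]
    satisfied: Callable[[Record], bool]


RULES: list[Rule] = [
    Rule(
        "AU-PRIV-ADM-01",  # illustrative identifier
        "Disclose substantially automated decisions that affect an individual's rights",
        "https://www.legislation.gov.au/C2004A03712/latest/text",
        "privacy_officer",
        lambda r: bool(r["substantially_automated"] and r["affects_individual_rights"]),
        lambda r: bool(r["disclosure_given"]),
    ),
    Rule(
        "AU-PRIV-APP3-01",
        "Treat model-generated inferences about a person as collected personal information",
        "https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products",
        "privacy_officer",
        lambda r: bool(r["inferred_attributes"]),
        lambda r: bool(r["collection_notice_covers_inferences"]),
    ),
    Rule(
        "AU-APRA-CPS230-01",
        "Record a material AI vendor in the material service provider register",
        "https://www.apra.gov.au/operational-risk-management",
        "chief_risk_officer",
        lambda r: bool(r["vendor_is_material"]),
        lambda r: bool(r["vendor_in_msp_register"]),
    ),
    Rule(
        "AU-NAIC-HC-01",
        "Keep a human able to intervene in autonomous agent workflows",
        "https://www.ai.gov.au/staying-safe-and-responsible/essential-ai-practices",
        "accountable_ai_official",
        lambda r: bool(r["autonomous_agent"]),
        lambda r: bool(r["human_override_available"]),
    ),
]


def _entry_hash(prev_hash: str, body: Record) -> str:
    # Canonical JSON so the same body always hashes the same way.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def evaluate(record: Record, rules: list[Rule] = RULES) -> tuple[bool, list[Record]]:
    """Run every applicable rule; return (compliant, hash-chained evidence trail)."""
    trail: list[Record] = []
    prev = "0" * 64  # genesis hash for the chain
    compliant = True
    for rule in rules:
        if not rule.applies(record):
            continue  # not in scope for this decision, no entry written
        ok = rule.satisfied(record)
        compliant &= ok
        body = {
            "decision_id": record["decision_id"],
            "rule_id": rule.rule_id,
            "obligation": rule.obligation,
            "source": rule.source,
            "accountable": rule.accountable,
            "result": "pass" if ok else "fail",
        }
        entry = {**body, "prev_hash": prev, "hash": _entry_hash(prev, body)}
        trail.append(entry)
        prev = entry["hash"]
    return compliant, trail


def verify_trail(trail: list[Record]) -> bool:
    """Recompute the chain; any edited or reordered entry breaks it."""
    prev = "0" * 64
    for entry in trail:
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev or _entry_hash(prev, body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def failed_rules(trail: list[Record]) -> list[str]:
    return [e["rule_id"] for e in trail if e["result"] == "fail"]


# Constructed sample: a credit-limit decision made by a model from a material
# third-party vendor, where the customer was never told the decision was automated.
SAMPLE_DECISION: Record = {
    "decision_id": "dec-0001",
    "substantially_automated": True,
    "affects_individual_rights": True,
    "disclosure_given": False,
    "inferred_attributes": ["creditworthiness"],
    "collection_notice_covers_inferences": True,
    "vendor_is_material": True,
    "vendor_in_msp_register": True,
    "autonomous_agent": False,
    "human_override_available": False,
}

if __name__ == "__main__":
    ok, trail = evaluate(SAMPLE_DECISION)
    print("compliant:", ok, "failed:", failed_rules(trail))
    for e in trail:
        print(e["rule_id"], e["result"], "->", e["source"])
```

The trail, not the rule text, is what an auditor or regulator reads: each entry names the decision, the rule, the obligation, the source and the accountable role, which is the traceability and links-to-legal-sources property in practice. The hash chain is the cheapest form of the immutable audit trail referred to in the HSBC case study; in production the chain head would be anchored somewhere the application cannot rewrite (a write-once log or a signed timestamp) so that a whole-trail rewrite is also detectable.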

Sources

  1. Privacy Act 1988 — Australian Government — Federal Register of Legislation (1988; amended December 2024). Commonwealth of Australia. Includes automated decision-making disclosure requirements and the application of the Australian Privacy Principles to AI system inputs, outputs, and inferences. Licence: Commonwealth Crown copyright (CC BY 4.0).
    https://www.legislation.gov.au/C2004A03712/latest/text
  2. Report 798 — Beware the gap: Governance arrangements in the face of AI innovation — Australian Securities and Investments Commission (ASIC) (2024). ASIC. Findings from a targeted review of AFS and credit licensees: governance arrangements had not kept pace with AI deployment, monitoring was uneven, and consumer-risk identification was inconsistent. The conduct-regulator half of the dual AU AI-specific surface. Licence: © Commonwealth of Australia 2024 (Crown copyright, reproduction with attribution).
    https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-798-beware-the-gap-governance-arrangements-in-the-face-of-ai-innovation/
  3. Letter to Industry on Artificial Intelligence (30 April 2026) — Australian Prudential Regulation Authority (APRA) (2026). APRA. APRA's first AI-specific Letter to Industry, reporting a late-2025 supervisory review across banks, insurers, and superannuation trustees. Finds that governance, risk management, assurance and operational resilience have not kept pace with AI adoption; calls for a step-change under the existing prudential standards (CPS 230, CPS 234) rather than a new AI-specific regime; notes that frontier AI models are expected to further increase the probability, speed and scale of cyber attacks. Licence: © Commonwealth of Australia (APRA); citation by URL.
    https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai
  4. Prudential Standard CPS 230 — Operational Risk Management; and Prudential Practice Guide CPG 230 — Australian Prudential Regulation Authority (APRA) (2023; targeted amendments 30 April 2026, effective 1 July 2026). APRA. Requires end-to-end understanding of critical operations and a register of material service providers for APRA-regulated entities. Commenced 1 July 2025; the 30 April 2026 amendments narrow material-arrangement contractual requirements for non-traditional service providers, with the updated standard and the companion CPG 230 commencing 1 July 2026. Licence: © Commonwealth of Australia (APRA); citation by designation and URL.
    https://www.apra.gov.au/operational-risk-management
  5. Prudential Standard CPS 234 — Information Security; and Prudential Practice Guide CPG 234 — Australian Prudential Regulation Authority (APRA) (2018 (in force 1 July 2019); CPG 234 June 2019). APRA. Treats AI as part of the critical technology stack. The 2025 tripartite assessment identified gaps in AI information asset classification. Registered as legislative instrument F2018L01745. Licence: © Commonwealth of Australia (APRA); citation by designation and URL.
    https://www.apra.gov.au/information-security
  6. Guidance on privacy and the use of commercially available AI products — Office of the Australian Information Commissioner (OAIC) (2024). OAIC. The regulator's stated position on how the Privacy Act and APP 1 and APP 6 apply to the procurement and use of commercially available AI products. Licence: © Commonwealth of Australia (OAIC), CC BY 4.0.
    https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products
  7. Guidance on privacy and developing and training generative AI models — Office of the Australian Information Commissioner (OAIC) (2024). OAIC. The development-side companion: OAIC expectations on data collection, training-data composition, and the application of APP 3 and APP 6 to model training. Licence: © Commonwealth of Australia (OAIC), CC BY 4.0.
    https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models
  8. Guidance for AI Adoption (six essential practices) — Department of Industry, Science and Resources — National AI Centre (2025; updated 5 May 2026). National AI Centre (ai.gov.au). The current operational form of Australia's national voluntary AI governance. Six essential practices — accountability, understanding impacts, risk management, information sharing, testing and monitoring, and human control — distributed across paired foundations and implementation-guidance documents. Evolves the ten guardrails of the 2024 Voluntary AI Safety Standard and the eight 2019 AI Ethics Principles. Licence: © Commonwealth of Australia, CC BY 4.0.
    https://www.ai.gov.au/staying-safe-and-responsible/essential-ai-practices
  9. Voluntary AI Safety Standard — Department of Industry, Science and Resources — National AI Centre (2024). industry.gov.au. Ten guardrails covering accountability, risk management, data governance, testing, human oversight, transparency, contestability, supply-chain accountability, compliance, and stakeholder engagement. The historical national baseline now evolved into the Guidance for AI Adoption. Licence: © Commonwealth of Australia 2024, CC BY 4.0.
    https://www.industry.gov.au/publications/voluntary-ai-safety-standard
  10. Introducing mandatory guardrails for AI in high-risk settings (proposals paper) — Department of Industry, Science and Resources (DISR) (2024). consult.industry.gov.au. The September 2024 consultation paper proposing mandatory guardrails for high-risk AI. The Australian Government has indicated it will not proceed; feedback fed into the National AI Plan. Retained as the AU formulation of high-risk AI. Licence: © Commonwealth of Australia 2024, CC BY 4.0.
    https://consult.industry.gov.au/ai-mandatory-guardrails
  11. Australia's AI Ethics Principles — Department of Industry, Innovation and Science (now DISR) (2019). industry.gov.au. The eight-principle AI Ethics Framework — the 2019 foundational baseline that the Guidance for AI Adoption now evolves. Licence: © Commonwealth of Australia, CC BY 4.0.
    https://www.industry.gov.au/publications/australias-ai-ethics-principles
  12. National Framework for the Assurance of Artificial Intelligence in Government — Australian, state and territory governments (joint) (2024). Department of Finance. The Commonwealth-and-aligned-states assurance regime, adopted at the Data and Digital Ministers Meeting (21 June 2024). Sits above the state-government frameworks in the intergovernmental hierarchy. Licence: © 2024 Commonwealth of Australia, CC BY 4.0.
    https://www.finance.gov.au/government/public-data/data-and-digital-ministers-meeting/national-framework-assurance-artificial-intelligence-government
  13. Policy for the Responsible Use of AI in Government 2.0 — Digital Transformation Agency (DTA) (2025). digital.gov.au. Mandatory for Commonwealth entities from December 2025. Requires accountable officials, transparency statements, and AI Impact Assessments by June 2026. Licence: © Commonwealth of Australia, CC BY 4.0.
    https://www.digital.gov.au/ai/ai-in-government-policy
  14. NSW AI Assessment Framework (formerly the AI Assurance Framework) — NSW Department of Customer Service (Digital NSW) (2022; renamed and updated 1 July 2024). NSW Government. The NSW state-government framework for assessing AI risk in agency projects, now distributed as an Excel workbook integrated into the NSW Digital Assurance Framework. High and critical-risk assessments are referred to the operational NSW AI Review Committee (chaired by Professor Edward Santow). Licence: © State of New South Wales, CC BY 4.0.
    https://www.digital.nsw.gov.au/policy/artificial-intelligence/ai-governance-assurance-and-frameworks/nsw-ai-assessment-framework
  15. NSW Artificial Intelligence Strategy — NSW Department of Customer Service (Digital NSW) (2020). NSW Government. The NSW Government's strategic policy frame for AI, built around five themes: public trust, digital uplift, data capability, procurement, and innovation and collaboration. The policy substrate above the NSW AI Assessment Framework. Licence: © State of New South Wales, CC BY 4.0.
    https://www.digital.nsw.gov.au/policy/artificial-intelligence/artificial-intelligence-strategy
  16. Guide to using AI Agents in NSW Government — NSW Department of Customer Service (Digital NSW) (2025). NSW Government. The first AU public-sector framework written specifically for agentic AI deployment: policy position, use-case identification, ownership and guardrails before launch, safe pilots, production scaling, and unique-risk understanding. Licence: © State of New South Wales, CC BY 4.0.
    https://www.digital.nsw.gov.au/policy/artificial-intelligence/guide-to-using-ai-agents-nsw-government
  17. ISO/IEC 42001:2023 — Artificial Intelligence Management System (AS ISO/IEC 42001:2023) — International Organization for Standardization (ISO/IEC); adopted by Standards Australia (2023). ISO / Standards Australia. The world's first certifiable AI management system standard, adopted in Australia as AS ISO/IEC 42001:2023. The management-system shell into which AI obligations integrate via the Harmonized Structure. Licence: © ISO/IEC; citation by designation unrestricted.
    https://www.iso.org/standard/81230.html
  18. ISO/IEC 42005:2025 — AI system impact assessment — International Organization for Standardization (ISO/IEC) (2025). ISO. Operational guidance for AI system impact assessment — the implementation of ISO/IEC 42001 Clause 6.1.4 and Annex A.5, and the standards-side basis for a single impact-assessment workflow that satisfies multiple regulatory hooks. Licence: © ISO/IEC; citation by designation unrestricted.
    https://www.iso.org/standard/44545.html
  19. ISO/IEC 23894:2023 — Guidance on AI risk management — International Organization for Standardization (ISO/IEC) (2023). ISO. AI-specific risk management guidance operationalising ISO 31000 for AI; the methodology reference for ISO/IEC 42001 Clauses 6.1.2 and 6.1.3. Licence: © ISO/IEC; citation by designation unrestricted.
    https://www.iso.org/standard/77304.html
  20. ISO/IEC 38507:2022 — Governance implications of the use of AI by organizations — International Organization for Standardization (ISO/IEC) (2022). ISO. The governance standard addressed to the governing body (board / top management). Sits above ISO/IEC 42001 in the stack and anchors board-level AI governance accountability that maps onto Australian director-duty obligations. Licence: © ISO/IEC; citation by designation unrestricted.
    https://www.iso.org/standard/56641.html
  21. Integrated Management Systems: A Practical Guide — International Organization for Standardization (ISO) (2026). ISO (PUB100435). ISO's integration thesis — one engineered management system meeting many normative regimes — built around the Harmonized Structure. The integration substrate beneath the AI management-system stack. Licence: © ISO 2026; single-user licence; citation by publication ID unrestricted.
    https://www.iso.org/publication/PUB100435.html
  22. A Director's Guide to AI Governance — Australian Institute of Company Directors (AICD) and Human Technology Institute (HTI, UTS) (2024). AICD. The AU canonical board-readable AI governance reference, structured as the eight elements of safe and responsible AI governance. Designed to sit alongside AS ISO/IEC 42001:2023 as the operational standard. Licence: Freely web-distributed by AICD; citation by title and attribution.
    https://www.aicd.com.au/risk-management/framework/ai-governance/a-directors-guide-to-ai-governance.html
  23. Directors' duties and AI regulation — Brand, V. (2024). Griffith Law Review. Direct AU academic treatment of director-duty implications of AI adoption, applying the Corporations Act 2001 (Cth) ss 180-183 framework to board-level AI governance. Licence: Informit / Griffith Law Review (paywalled); citation only.
    https://search.informit.org/doi/10.3316/informit.T2025061400003291176417079
  24. AI risks, failures and consequences: Corporate governance for the AI era — Bednarz, Z. and Bennett, S. (2025). Australian Journal of Corporate Law. Applies a risk-failure-consequence triad to AU corporate governance under AI conditions, operationalising the director-duty framework into concrete failure modes and downstream consequences. Licence: Informit / Australian Journal of Corporate Law (paywalled); citation only.
    https://search.informit.org/doi/10.3316/informit.T2025051900015991453730079
  25. Three lines of defense against risks from AI — Schuett, J. (2023). AI & Society. Applies the Institute of Internal Auditors' Three-Lines-of-Defence model to AI risk management — the conceptual bridge between the AI audit literature and APRA CPS 230's governance, control, and assurance architecture. Licence: Springer Open Access (CC BY 4.0).
    https://doi.org/10.1007/s00146-023-01811-0
  26. XAI in Rules as Code: The DataLex approach — Mowbray, A., Chung, P. and Greenleaf, G. (AustLII / UTS / UNSW Sydney) (2023). Computer Law & Security Review 48. Six properties of explainable Rules as Code — transparency, traceability, availability, sustainability, links to legal sources, accountability — assessed against AustLII's DataLex implementation. Licence: Elsevier (paywalled); citation only.
    https://doi.org/10.1016/j.clsr.2022.105771
  27. Representing legislative Rules as Code: Reducing the problems of 'scaling up' — Mowbray, A., Chung, P. and Greenleaf, G. (AustLII / UTS / UNSW Sydney) (2023). Computer Law & Security Review 48. Methodology for representing legislative rules propositionally at scale, demonstrated across the AustLII corpus of AU statutes and regulations — the empirical answer to whether Rules as Code is academic or industrial. Licence: Elsevier (paywalled); citation only.
    https://doi.org/10.1016/j.clsr.2022.105772
  28. Rules as code and the rule of law — Burton Crawford, L. (2023). Public Law (UK). An Australian public-law critique of Rules as Code on rule-of-law grounds — the academic counterweight that the practitioner application is designed to mitigate rather than ignore. Licence: Informit / Public Law (paywalled); citation only.
    https://search.informit.org/doi/10.3316/agispt.20230721091881
  29. Applying the Rule of Law in Automated Decision Systems through Rules as Code — Mowbray, A., Chung, P. and Greenleaf, G. — Submission to the Robodebt Royal Commission (AustLII) (2023). Royal Commission into the Robodebt Scheme (AustLII). Argued that automated decision systems must be transparently grounded in the legislation they implement, with four principles for lawful ADS: explicit statutory basis, legal explainability, transparency, and separation of legal rules from implementation. Licence: AustLII; citation by URL.
    https://www.austlii.edu.au/cgi-bin/viewdoc/au/other/CompLRes/2023/1.html
  30. GovCMS Enterprise Rules as Code — Australian Government — Department of Finance / GovCMS (2024). GovCMS. Department of Finance-sponsored implementation of Rules as Code as a shared utility for government agencies — described as a global first in centralised, shared, open-source RaC deployment. Licence: © Commonwealth of Australia, CC BY 4.0.
    https://www.govcms.gov.au/news-events/news/govcms-announces-enterprise-adoption-rules-code
  31. Jersey Computer-Readable Legislation Project (CRLP) — States of Jersey Legislative Drafting Office, AustLII, and Singapore Management University (2023-2025). States of Jersey / AustLII / SMU. A two-year project developing drafter-friendly tools for encoding legislative logic, which explicitly found that LLMs are not able to reason as such about legal rules — validating deterministic rule-based systems over probabilistic AI for compliance. Licence: Project-distributed; citation by URL.
    https://crlp-jerseyldo.github.io/
  32. NIST AI Risk Management Framework 1.0 — National Institute of Standards and Technology (NIST), U.S. Department of Commerce (2023). NIST. The US national voluntary framework — Govern, Map, Measure, Manage — cited here as a cross-jurisdictional comparator, not an implied obligation on AU entities. Cross-walks cleanly onto ISO/IEC 42001. Licence: U.S. Government work — public domain.
    https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf
  33. NIST AI 600-1 — Generative AI Profile — National Institute of Standards and Technology (NIST), U.S. Department of Commerce (2024). NIST. The generative-AI-specific profile of the NIST AI RMF — twelve risk categories and 200+ recommended actions. Cited as a cross-jurisdictional comparator, not an implied obligation on AU entities. Licence: U.S. Government work — public domain.
    https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
  34. EU AI Act — Regulation (EU) 2024/1689 — European Parliament and Council of the European Union (2024). Official Journal of the European Union. The EU's horizontal AI regulation, including the Article 27 Fundamental Rights Impact Assessment. A cross-jurisdictional comparator for AU entities — except those offering AI systems or outputs in the EU market, for whom it binds directly under Article 2. Licence: Reuse authorised under Commission Decision 2011/833/EU with attribution.
    https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  35. Australian Human Rights Commission — Human Rights and Technology Final Report — Australian Human Rights Commission (AHRC) (2021). AHRC. The foundational AU statutory-body report on AI and human rights — 38 recommendations, including stronger protections in high-risk settings and the proposed AI Safety Commissioner. The AU rights-side anchor predating the downstream substrate. Licence: © Australian Human Rights Commission, CC BY 4.0.
    https://humanrights.gov.au/resource-hub/by-resource-type/publications/technology-and-human-rights/final-report-human-rights-and-technology
  36. Deloitte — State of AI in the Enterprise 2026 — Deloitte (2026). Deloitte. Source for governance readiness (30%), agentic AI maturity (21%), talent readiness (20%), and the 12% significant-transformation figure for Australian enterprises. Licence: © Deloitte; cited as published market research.
    https://www.deloitte.com/au/en/Industries/technology/perspectives/state-of-ai.html
  37. KPMG — Trusted AI Framework — KPMG (2024-2026). KPMG. First Big 4 entity to achieve ISO 42001 certification (December 2025). Trust-first governance philosophy with Microsoft and IBM alliances. Licence: © KPMG; cited as published material.
    https://kpmg.com/au/en/home/insights/2024/07/trusted-ai-framework.html
  38. PwC — Responsible AI — PwC Australia (2025-2026). PwC. Agent OS platform with 25,000 agents deployed globally. Three Lines of Defence model and 30-40% faster innovation cycles with embedded governance. Licence: © PwC; cited as published material.
    https://www.pwc.com.au/artificial-intelligence.html
  39. EY — Board Oversight of Artificial Intelligence — EY (2025-2026). EY. $1.4 billion EY.ai platform on IBM watsonx. 24+ AI tools deployed in Australian audit and assurance. Licence: © EY; cited as published material.
    https://www.ey.com/en_au/ai
  40. AustLII DataLex Platform — Australasian Legal Information Institute (2023). AustLII (UNSW / UTS). Rule-based legal reasoning platform encoding legislation as executable consultations using yscript. Ecosystem validation of the Rules as Code approach NETEVO operationalises commercially. Licence: Free non-commercial use; citation by URL.
    https://www.datalex.org/