
On 2 December 2025, Australia released its long-awaited National Artificial Intelligence (AI) Plan.
While promising a “whole-of-nation roadmap”, for many stakeholders, it lands well short of the long-trailed ambition for strong, economy-wide AI regulation. Instead of a standalone AI Act and hard “guardrails”, the government has opted for an evolutionary, light-touch approach that leans heavily on existing laws and non-binding guidance.
This post will explore the background to the Plan, provide an overview of its key elements, examine responses from industry, civil society, and unions, and consider the next steps for organisations navigating AI governance and compliance.
A quick transparency note: AI was used in the drafting of this piece, but it has been reviewed by our humans for accuracy.
The Australian Government has been debating AI regulation since 2022, considering whether to adopt an EU-style AI Act or a more flexible, US-inspired approach. Former Industry Minister Ed Husic had previously championed a stricter regulatory model, and had strongly flagged that as a direction. However, the final Plan adopts a risk-based, innovation-friendly framework – rather than a law mandating protections against harmful uses of AI – to the surprise of many long-term watchers of this space.
The new National AI Plan sets out a whole-of-government framework. It positions AI as a critical national capability, tying policy together with new funding for an AI Safety Institute, national data-centre principles and public-sector AI governance through the APS AI Plan. The aim is to position Australia as a competitive AI-enabled economy (perhaps at the cost of the protection of individuals from harm).
The Plan is structured around three core goals:
Key features of the National AI Plan include:
An AI Safety Institute will be established and tasked with monitoring and testing advanced AI, coordinating regulators and informing future “targeted” AI-specific reforms, but without an overarching obligation framework equivalent to a comprehensive AI statute. The AI Safety Institute will not act as a regulator.
However, the government will not be proceeding with a permanent AI advisory board. Answers to Senate estimates questions to the Department of Industry, Science and Resources (DISR) show that it will not establish the AI advisory body announced and funded in the 2024-25 federal budget. The body was intended to provide independent advice from civil society, industry, and academia on the opportunities and risks of AI, building on the work of the temporary AI Expert Group, which was established in early 2024 to advise on options for mandatory guardrails in high-risk AI settings.
In place of the board, the department will rely on “existing mechanisms and targeted consultations”, as well as the newly announced Australian AI Safety Institute (AISI).
As part of the “keep Australians safe” goal, the government emphasises that AI is already regulated through technology-neutral laws spanning consumer protection, privacy, discrimination, online safety, and sector-specific regimes. There may be incremental reforms to these existing laws, together with updated regulator guidance and voluntary governance frameworks to help manage AI risk. But there is no AI-specific law at this time …
Earlier consultations canvassed a set of mandatory guardrails for high-risk AI, including requirements for risk management plans, pre- and post-deployment testing, complaint mechanisms, incident reporting and independent audits, likely to sit within a dedicated AI Act. Those proposals aligned more closely with the EU’s risk-based AI Act model and would have created a recognisable, AI-specific regulatory perimeter for developers and deployers.
However, in the final Plan, those mandatory guardrails have been dropped in favour of uplifting existing law and issuing more guidance rather than imposing new hard-edged duties.
A key undercurrent is economic: the Plan is clearly shaped by advice that premature, heavy regulation could blunt a projected AI-driven productivity and GDP uplift. The Productivity Commission recommended pausing major new AI rules while gaps in the existing legal framework are audited, stressing the risk of constraining what it estimated could be a $100-billion-plus boost to the economy.
The government responded by deferring a standalone AI Act and formal guardrails. This positions Australia as deliberately more permissive than jurisdictions like the EU, betting that a flexible, pro-innovation stance will attract investment and data-centre infrastructure without exposing the country to unacceptable risk.
Reactions to the new National Plan have been mixed.
Business groups have generally welcomed the decision to avoid new, economy-wide obligations for now, arguing that leveraging familiar legal frameworks and regulator guidance reduces compliance uncertainty and regulatory lag. For large technology and infrastructure investors, the focus on sovereign compute, data-centre investment and streamlined AI adoption signals a favourable environment for scaling AI services from Australia:
However, civil society groups like Electronic Frontiers Australia criticised the Plan as a “light touch” approach, warning it prioritises economic opportunity over citizen safety and digital rights. It has been noted that more than three-quarters of Australians support explicit AI regulation and that the Plan offers limited specificity on enforcement, redress and accountability for high-risk systems.
Critics argue that relying on general consumer and privacy law leaves systemic harms – such as opaque automated decision-making, algorithmic discrimination and foundation-model risks – under-addressed, particularly where responsibilities in complex AI supply chains remain unclear.
For organisations, the release of the National AI Plan signals both opportunity and responsibility.
For boards and risk committees, the absence of an AI Act does not mean an absence of AI regulation: existing privacy, consumer, discrimination, safety and sectoral rules already apply to AI use, and regulators are expected to interpret them assertively in an AI context. Organisations that treat the Plan as a green light for “business as usual” will likely find themselves exposed as guidance hardens into expectations and targeted reforms begin to codify elements of today’s guardrails into tomorrow’s black-letter law.
In practice, prudent organisations should assume that EU-style concepts—risk-based governance, model testing, data governance, documentation, transparency and human-in-the-loop oversight—will increasingly be treated as baseline expectations in Australia, even without a comprehensive Act. Using the current period to build internal AI inventories, strengthen governance frameworks, align with emerging international norms and prepare for eventual, more prescriptive interventions will place organisations ahead of both the regulatory curve and stakeholder expectations.
Ultimately, while the Plan provides a starting point, it leaves many questions unanswered. For privacy and legal professionals, this is a moment to guide organisations through uncertainty—ensuring compliance, ethical adoption, and resilience in the face of rapid technological change.