Stewardship in the Age of Algorithms: How to Govern AI?

Published on June 3, 2026 by Josephine Heesh, Patricia Monemvasitis and Sophia Chen

Regulators are concerned that AI adoption is outpacing governance. In the first Australian case that touched on the use of AI in a board context, Justice Lee in ASIC v Bekier & Ors [2026] FCA 196 observed the need for boards to “discuss and deliberately govern any AI use by formal adoption of policies” and that ultimately, responsible AI use is the responsibility of directors[1].

How can boards govern AI? Rules differ markedly around the world and continue to evolve at speed. Data flows easily across jurisdictions. The rapid pace of AI development creates a complex compliance landscape, especially for organisations that operate across borders.

In Australia, there is no standalone AI legislation like the EU AI Act or the Canadian Data and AI Act. Somewhat like the UK, incremental change continues as AI cuts across various areas. They include governance, corporate and commercial law, consumer protection, privacy law, intellectual property and copyright, cybersecurity, ESG (including human rights), anti-discrimination, work, health and safety.

Most recently, ASIC in its industry letter on 8 May 2025 called for urgent cyber uplift as AI accelerates and APRA in its industry letter on 30 April 2026 summarised the minimum board expectations on AI risk management. These two regulators joined others including AUSTRAC, ACMA and ACCC who previously observed the emerging AI risks, as organisations increasingly use AI systems in their day-to-day operations. The regulatory posture sends a clear message: even without any standalone AI legislation, boards and management are on notice when it comes to responsible AI use and its proper governance.

Some industry issues identified by APRA include:

  • over‑reliance on IT vendors;
  • inadequate visibility over AI systems and data flows;
  • gaps in assurance and audit capability; and
  • insufficient technical literacy at board level.

ASIC and APRA also highlighted:

  • the requirements for governance frameworks of regulated entities to properly capture and address AI risk management; and
  • the need to assess and mitigate AI risks against existing requirements including information security, data and privacy, business continuity and disaster recovery as well as operational and supply chain risk management.

All of these illustrate that regulatory supervision is turning to how organisations implement and govern AI. In October 2024, ASIC released Report 798 “Beware the gap: Governance arrangements in the face of AI Innovation”, which alerted company directors and officers to the need to discharge their duties with a reasonable degree of care and diligence in the adoption, deployment and use of AI. In its 2025-2026 Corporate Plan, ASIC also signalled enforcement action in relation to the poor use of AI[2]. In the context of charities, see our earlier publication for ACNC’s views on Emerging AI Risks for Charities.

The Australian government has published and updated some useful AI resources. The National AI Plan of 2 December 2025 is a whole-of-government strategy that sets the Australian direction on AI and its risk management through existing legal frameworks, supported by the policy for responsible AI use (v 2.1 dated 15 December 2025). The Digital Transformation Agency also developed some model AI clauses and guidance on how to apply them, with support from the AGS. The Department of Industry, Science and Resources published governance resources including the Voluntary AI Safety Standard (updated on 2 December 2025), with its 10 AI Guardrails and how to implement them, and Australia’s AI Ethics Principles (updated on 2 December 2025). The National AI Centre published Guidance for AI Adoption (on 21 October 2025) for governance professionals and technical experts to implement 6 responsible AI adoption practices.

The Australian Institute of Company Directors also published board materials including:

International standards are also evolving, including ISO/IEC 42001:2023 (AI Management System), ISO/IEC 23894:2023 (IT – AI – Guidance on Risk Management) and ISO/IEC FDIS 27090 (Cybersecurity for AI). These are in addition to the existing standards of ISO/IEC 27001:2022 (Information Security Management), ISO 8000 (Data Quality) and ISO 37000:2021 (Governance of Organisations).

In courts overseas, IP infringement is currently being tested. The Court of Justice of the European Union on 10 March 2026 held its first hearing on generative AI and copyright in the case of Like Company v Google Ireland Limited (C-250/25). On 4 November 2025, the UK High Court handed down its landmark judgment in Getty Images v Stability AI [2025] EWHC 2863 on copyright and trademark claims. The question of how training AI on materials subject to copyright will cause infringement in Australia remains untested, as the government decided against a text and data mining exemption in our copyright law. In other words, there is no blanket exception for organisations to train AI without potentially infringing others’ copyrights.

Some practical takeaways include:

  • do due diligence on AI providers;
  • review your contractual terms with AI providers;
  • follow appropriate AI-labelling and disclosure for transparency;
  • keep up to date and where needed, seek legal and technical advice; and
  • ensure good governance and consider an AI policy that covers the Voluntary AI Safety Standard and 10 AI Guardrails at a minimum, such as:
    • accountability;
    • risk management;
    • data quality, governance and security;
    • regular testing and monitoring;
    • human-centred approach with oversight and control;
    • disclosure to end-users regarding AI-enabled decisions and content;
    • established processes via a mechanism to challenge AI use or outcomes;
    • supply chain management, including transparency with other organisations on AI use;
    • keep and maintain good records to assess compliance with guardrails, including how an AI system generated or modified content; and
    • stakeholder engagement to evaluate their needs and circumstances with a focus on safety, diversity, inclusion and fairness.

 

This article was published on 5 June 2026 by Carroll & O’Dea Lawyers and is based on the relevant state of the law (legislation, regulations and case law) at that date for the jurisdiction in which it is published. Please note this article does not constitute legal advice. If you ever need legal advice or want to discuss a legal problem, please contact us to see if we can help. You can reach us on 1800 059 278 or via the Contact us page on our website (www.codea.com.au).

 

Footnotes

[1] ASIC v Bekier & Ors [2026] FCA 196 at [394].
[2] ASIC Report 798 “Beware the gap: Governance arrangements in the face of AI Innovation” at page 34.

 
