Legal Insights

Quick tips and helpful tricks: navigating the latest Government issued guidance on AI

By
• 28 October 2025 • 6 min read

Updated Guidance for AI Adoption was released last week by the Commonwealth Government. This Guidance will support Australian organisations to implement appropriate AI governance frameworks with confidence as they navigate a pathway to responsible, risk-based AI adoption and deployment.

Overview 

Last week the Australian Government released its updated Guidance for AI Adoption, designed to support Australian organisations wherever they are on their AI journey. 

This comes at a critical time. While AI development and deployment continues at pace, existing regulation and guidance remains fragmented. Organisations are frequently left grappling with unclear or evolving legal, regulatory and policy frameworks. 

An implementation gap also persists. The 2025 Responsible AI Index survey identified this as a “saying-doing” gap: while 78% of respondents agreed with ethical AI performance statements, only 29% had been able to implement responsible AI practices, and only 12% were listed in the “Leading” category for implementation of responsible AI practices. 

The Guidance aims to improve these metrics by providing user-friendly resources that organisations can easily implement to develop responsible AI governance frameworks as they move towards a mature compliance posture. 

What does the new guidance cover? 

Published on 21 October 2025, the new Guidance follows a period of industry consultation by the National AI Centre. The outcome of that process has been to streamline the 2024 Voluntary AI Safety Standard (VAISS) into a more accessible framework to support organisations to adopt and deploy AI safely and with confidence. 

The Guidance emphasises a proportionate and human-centered risk approach, noting AI systems have the capacity to amplify harms at speed and scale. It helpfully maps 7 well documented risks and harms associated with AI systems against key Australian laws that are likely to apply, giving key stakeholders including legal, executive and leadership teams a clear legal anchor for governance decisions. Identified areas of legal risk include the security, safety and reliability of AI systems and their outputs, as well as the potential for misuse of data and IP infringement. There are also inherent risks in the use of AI systems themselves (for example, the potential for bias or discrimination) and supply chain risks which may need to be managed.

Expanded to apply to both developers and deployers of AI, the 10 guardrails under the VAISS have been condensed, with clear and actionable steps for implementation. 

Six key practices for responsible AI governance and adoption are now identified, together with practical tips in a user-friendly format. In summary, the six key practices are:

  1. Decide who is accountable.
  2. Understand impacts and plan accordingly.
  3. Measure and manage risks.
  4. Share essential information.
  5. Test and monitor.
  6. Maintain human control.

Implementing the Guidance 

The Guidance is easily digestible, providing a framework for both technical and non-technical stakeholders while maintaining alignment with Australia’s AI Ethics Principles and relevant international standards.

In recognition of the rapidly evolving landscape, two versions have been produced. 

Determine which of the following is right for your organisation:
“Foundations” Guidance – for those just starting their AI journey who are new to AI and AI governance, and those using AI in low-risk ways.  This provides general guidance on best practice.
The more sophisticated “Implementation Practices” Guidance - designed for those with already mature governance structures, technical development capabilities or for high-risk AI use cases. 

In conjunction with the Guidance, a number of templates resources have been developed and are available for download and use as a base: 

  • AI Policy Guide and Template – this should be the first step in your organisation’s journey to responsible AI use;
  • AI Screening Tool – helps determine the level of governance oversight required for a particular AI system; and
  • AI Register Template – a tool to develop and maintain a register of all AI systems.

5 Key Priorities 

As stated in the Guidance, “accountability is the first step to using AI responsibly”. 

In the absence of strict legal obligations and clear enforcement consequences, it may feel tempting to skip risk assessments and other processes designed to mitigate risk. However, as with all compliance obligations, it is easier to ‘start as you mean to continue’ and always more difficult to retro-fit compliance into existing policies and processes.

We recommend organisations consider the following steps as a priority.

  • Nominate a senior leader as the overall AI governance owner

    The guidance recommends nominating an “AI governance owner” who will have oversight and responsibility to ensure responsible AI practices are implemented. Ideally, this should be someone who is sufficiently senior and has a firm understanding of AI capabilities and how to navigate risk. 

    Tip: If you don’t have a senior leader who is confident in overseeing AI use, this may be an opportunity to invest in specific training. 

  • Adopt (or review and update) your AI Policy

    The Guidance helpfully provides an AI Policy Template and Guide, which you can tailor for use by your organisation. The AI Policy should set out how your organisation will responsibly use AI and navigate its risks, as well as clarifying roles and responsibilities.

    Consider whether this policy should be made public (similar to your Privacy Policy) to ensure that there is clear accountability in relation to your use of AI.

    It will be important to consider how your existing privacy, data governance and cybersecurity practices and policies will link to your AI policies and processes. 

    Tip: You may need to disclose specific risks of the AI systems you use, such as where AI models learned using commercially sensitive data or personal information or are used for decision making, in associated policies such as your privacy policy.

  • Implement appropriate risk assessment and management processes (including ongoing monitoring or audit of AI systems)

    Prior to the deployment of an AI system, we recommend undertaking a suitable impact assessment. Consider developing and implementing an initial ‘threshold’ assessment template, as well as a long-form risk assessment template. 

    Tip: Check out the risk screening template in the Guidance as a starting point.

    These documents should be used to undertake an appropriately robust risk assessment prior to the adoption of an AI system, to consider and identify key stakeholder groups, assess potential impacts(such as unfair decisions or inaccurate or harmful outputs) and to identify appropriate risk mitigations.

    Similar to an effective privacy impact assessment framework, this process will support key stakeholders to undertake appropriate risk assessments as well as to identify key mitigation steps or strategies. 

  • Develop an AI Governance Framework

    Similar to the concept of ‘privacy by design’, embedding a strong culture of AI governance and compliance from the outset will be protective over the long term. Even where it may take time to approve and implement a formal policy or risk assessment process, education, training and embedding core company  values around AI adoption can be done more quickly and will assist to amplify polices and processes as they are implemented.

    If you already have an AI Policy, the next step is to develop that policy into a broader AI Governance Framework. This should include criteria on how to determine whether the risks posed by certain AI tools are acceptable to your organisation, and consider potential harms.

    Your AI Governance Framework should establish a risk assessment triage system, document controls for those risks, and create a process for monitoring and reporting incidents.

    Tip: As always, training is key to ensure that your governance frameworks are embedded across the organisation and operate effectively.

  • Manage your third party and supply chain risks

    There are a broad range of issues to consider when negotiating contractual arrangements or drafting contractual templates for procurement of technology solutions including AI systems. In particular, consider the ways in which your contract will address and allocate risk and responsibility in connection with the use of AI, including which party owns any data (including personal information) which forms part of an input or output, and intellectual property rights in the tools themselves as well as the outputs.

    Tip: Negotiate appropriate contractual provisions with suppliers of AI systems, to ensure suitable oversight and transparency, as well as to appropriately allocate risk. Consider what reporting or audit rights you require to ensure you can comply with your own legal obligations, as well as any commitments you have made in your own governance or policy documents.

Key takeaways 

New Guidance has been released by the Australian National AI Centre to support Australian organisations, no matter where they are on their AI journey.

Consider how the Guidance applies to your organisation, and work to implement each of the 6 key practices identified. Key action items include:

  • Adopting an AI Policy or an AI Governance Framework. You may wish to adopt and tailor the AI Policy template which has been provided.
  • Appointing a senior AI governance officer. Similar to a privacy officer, this role provides a single point of accountability and oversight for the responsible deployment of AI within your organisation.
  • Refer to the Guidance as well as the pre-prepared template documents when assessing and implementing AI systems, or considering your broader AI compliance posture. 

Finally, do not ‘set and forget’. In this rapidly evolving area, it is critical to ensure you revisit your governance framework, policies and processes, and undertake regular reviews. Use the templates and questionnaire tools to streamline and simplify the process, and deliver appropriate training sessions to key stakeholders internally. 

Our national team has experience advising across the full range of legal, compliance and governance aspects of AI. From procurement and implementation to ongoing governance, we are here to support you wherever you are on your AI journey. Reach out to us as you navigate the new Guidance and for assistance in developing your own internal governance and policy documents, for support in relation to procurement of AI solutions or for tailored training sessions.

Ooma Khurana

Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.

View profile

Shivani Thirayan

Shivani has extensive experience advising on a broad range of commercial matters with a focus on technology procurement, telecommunications, consumer laws, privacy and intellectual property protection.

View profile

Georgia Hunt

Georgia is an experienced commercial lawyer advising government, professional services and education organisations.

View profile
By

Recent articles

Online Access