Australia’s AI framework sets the direction, now organisations must do the heavy lifting
Australia now has two cornerstone documents shaping the national AI conversation: the National AI Plan (2025) and the AI Plan for the Australian Public Service 2025.
The National AI Plan sets out an economy‑wide vision to invest in smart infrastructure, realise the benefits of AI, and keep Australians safe. The Australian Public Service (APS) AI Plan establishes baseline expectations for government agencies, including transparency statements, accountable officials, use‑case registers, staff training, and impact assessments.
Together, these plans provide clarity of intent and minimum expectations, supported by practical examples such as the Australian Government’s AI in government policy. They are not intended to be universal operating manuals – nor could they be. Given the pace of technological change and the breadth of AI applications, any attempt to prescribe a detailed “how-to guide” would be outdated as soon as it was published. While these plans are valuable, organisations must take ownership of translating the national principles into practical, risk-proportionate approaches to AI governance, controls and assurance.
For example, the plans reference periodic reviews, particularly for higher-risk use cases. Yet models, prompts, and datasets change continuously. In this context, organisations need to think about ongoing assurance mechanisms, such as drift detection and automated alerts, to keep their AI safe and reliable, and to remain aligned with the principles set out in the plans.
Human oversight is another consistent theme. What the plans leave open, by design, is how oversight should operate in practice: when reviews are required, what evidence should be considered, how responsibility should be recorded, and how organisations maintain the skills needed to make oversight effective rather than merely “procedural”.
Organisations need to do the heavy lifting
Regardless of AI maturity, the transition from policy awareness to practical implementation requires deliberate structure, clear ownership and ongoing self-assessment. This is particularly important where AI influences decisions that affect customers and trust must be actively earned. The following focus areas reflect BDO’s view on where organisations should prioritise their efforts, building on existing governance, risk and control capabilities.
Self‑impose robust AI governance
- Consider establishing an AI policy and framework aligned to global baselines (e.g., EU AI Act, ISO/IEC 42001, NIST AI Risk Management Framework)
- Clearly assign accountability for AI governance (e.g., Chief AI Officer, Chief Data Officer, or committee) and expand existing forums to include AI where objectives and attendees align
- Maintain a record of all AI systems, covering purpose, data sources, controls, and performance metrics. Where explainability is critical, or AI supports a key process, develop flow charts to show exactly which steps are managed by AI.
Define an AI risk appetite and decision framework
- Define acceptable use thresholds, required controls, and escalation triggers so teams can move quickly and safely
- Implement a risk-tiered approval approach, with increased due diligence for AI use cases that affect individuals, support critical processes or process sensitive information
- Tie approvals to evidence such as testing, monitoring, explainability and data governance controls.
Establish continuous monitoring and assurance
Monitoring should not only focus on technical performance, but also on outcome consistency and customer impact, including complaints, overrides and challenge rates linked to AI‑supported decisions.
- Move beyond annual reviews by implementing ongoing AI model performance monitoring, and data and concept drift detection
- Assess the impact of vendor or model changes before deployment. Vendor contracts should require disclosure of model changes, training data sources, and evaluation results, and allow independent checks or audits where appropriate
- Create incident runbooks and escalation paths that are integrated with enterprise crisis management
- Allocate control and assurance budgets alongside expected benefits when approving AI use cases.
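As an added illustration of the ongoing assurance the list above calls for (this is example code, not from BDO or the government plans), the check below compares a model's live score distribution against the baseline approved at deployment using the population stability index (PSI), and tracks the human-override rate on AI-supported decisions. The score data, decision records and both alert thresholds are constructed assumptions.

```python
"""Added example, not code from BDO or the government plans: a minimal
continuous-assurance check that compares a model's live score distribution
with the baseline approved at deployment (population stability index, PSI)
and tracks the human-override rate on AI-supported decisions.
All data below is constructed; thresholds are assumptions."""
import bisect
import math

EDGES = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]   # score buckets fixed at approval time
PSI_THRESHOLD = 0.2                      # assumed alert level (a common rule of thumb)
OVERRIDE_THRESHOLD = 0.10                # assumed: >10% overrides warrants review

# Constructed samples: approved baseline is spread evenly; live traffic has shifted high.
BASELINE_SCORES = [0.1, 0.3, 0.5, 0.7, 0.9] * 20
LIVE_SCORES = [0.9] * 80 + [0.1] * 20
DECISIONS = [{"id": i, "score": 0.9, "human_override": i % 5 == 0} for i in range(20)]


def bucket_shares(values, edges):
    """Fraction of values in each bucket; values at the top edge go in the last bucket."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = min(max(bisect.bisect_right(edges, v) - 1, 0), len(edges) - 2)
        counts[idx] += 1
    total = max(len(values), 1)
    return [c / total for c in counts]


def population_stability_index(baseline, live, edges, eps=1e-4):
    """PSI = sum((live - base) * ln(live / base)); eps avoids log(0) on empty buckets."""
    psi = 0.0
    for b, l in zip(bucket_shares(baseline, edges), bucket_shares(live, edges)):
        b, l = max(b, eps), max(l, eps)
        psi += (l - b) * math.log(l / b)
    return psi


def assurance_alerts(baseline, live, decisions):
    """Alerts to feed the escalation path; an empty list means no action needed."""
    alerts = []
    psi = population_stability_index(baseline, live, EDGES)
    if psi > PSI_THRESHOLD:
        alerts.append(f"score-drift: PSI={psi:.3f} exceeds {PSI_THRESHOLD}")
    overrides = sum(1 for d in decisions if d["human_override"])
    rate = overrides / len(decisions) if decisions else 0.0
    if rate > OVERRIDE_THRESHOLD:
        alerts.append(f"override-rate: {rate:.1%} exceeds {OVERRIDE_THRESHOLD:.0%}")
    return alerts


if __name__ == "__main__":
    for line in assurance_alerts(BASELINE_SCORES, LIVE_SCORES, DECISIONS):
        print(line)
```

In practice the baseline shares and bucket edges would be stored with the use-case register entry at approval, and the alert list would be routed into the incident runbook rather than printed.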
Data governance for AI
Strong data governance is essential not just for model performance, but to ensure customers are treated fairly, their data is used lawfully, and outcomes can be defended if questioned.
- Record where data originated, whether it’s permitted for use and evidence of consent if required
- Define clear data quality rules and service level agreements (SLAs) that are used to monitor the completeness, accuracy and consistency of data
- Use the minimum data required for the task and embed privacy-by-design principles from the outset
- Conduct adequate pre-deployment testing, including bias and representativeness testing across cohorts, to ensure AI does not produce unfair or systemically different outcomes for certain groups.
Define human‑in‑the‑loop (HITL) standards
- Using the risk-tiered approach, specify when human review is mandatory within AI process flows, particularly for decisions affecting fairness, eligibility or safety
- Define how manual reviews are conducted, what evidence is required, and how challenge and escalation pathways operate
- Ensure HITL standards clearly describe how customers can request human review, how those requests are assessed, and how outcomes are communicated in a way that is understandable and respectful.
Invest in people
- Executives should be skilled in risk appetite, trade‑off decisions, and the value criteria used when prioritising one AI initiative over another
- Front‑line users should be empowered to understand safe prompting, verification habits, and secure data handling
- Information security, privacy and data governance teams should be proactively involved in developing AI governance and implementation guidelines.
Treat policy as the floor and build your ceiling
The National AI Plan and the APS AI Plan set direction, principles and minimum expectations. The organisations that will win with AI will be those that earn trust by embedding AI into their operating model, implementing continuous assurance, strengthening data governance, and giving customers confidence that AI-influenced decisions are fair, informed and open to challenge. That is the heavy lifting, and it’s how you turn national direction into enterprise-grade outcomes.
So, where should you start in managing your risk?
The pace of change has left many boards and executives stuck between the fear of being left behind and the fear of getting it wrong. They know AI is moving quickly but must wade through options and uncertainty.
AI risk assessments provide a practical starting point to help organisations to understand where they are today and what must be strengthened to deploy AI safely, responsibly and at scale.
An AI risk assessment can help to:
- Assess controls to ensure safe implementation of AI
- Review the identified risks and mitigation strategies
- Review the change control, testing and system development lifecycles deployed to productionise your AI
- Review the controls in place to protect personal data and adopt privacy principles
- Identify and assess shadow AI and potential data leakage across the enterprise
- Review the adoption of data access controls to protect sensitive data
- Integrate AI into existing cyber, data, and governance frameworks.
This is not a one-size-fits-all exercise; it’s a tailored reflection of an organisation’s capability, risk appetite, and mission. Start small, start safe, but start now.
How BDO can help
Our risk advisory services team supports clients to embed AI risk into broader enterprise risk frameworks. This includes AI maturity assessments, aligning governance with regulatory standards, embedding governance across the AI lifecycle and establishing oversight structures such as ethics committees and cross-functional AI teams.
Contact BDO today to move beyond policy awareness to confident, responsible AI adoption, and to turn principles into practice.