Four AI Governance Obligations Australian Regulated SMEs Cannot Ignore in 2026

10 December 2026 8 Months

Under the Privacy and Other Legislation Amendment Act 2024, mandatory automated decision-making transparency obligations take effect on 10 December 2026.

If your business uses AI — or any computer program — to make or influence decisions that significantly affect customers, you are legally required to disclose it. In your privacy policy. At every relevant customer touchpoint.

The obligation is triggered when three conditions are met: a computer program is used to make, or substantially assist in making, a decision; that decision could reasonably be expected to significantly affect the rights or interests of an individual; and personal information about that individual is used in the process.

In regulated industries, the following use cases almost certainly meet that threshold:

Which use cases trigger the obligation?

• Claims assessments Automated triage or scoring that influences whether a claim proceeds or is declined.
• Credit and lending decisions Any algorithmic tool that contributes to approval, rejection, or pricing.
• Underwriting tools Risk scoring systems that use personal data to determine coverage or premiums.
• Referral and eligibility screening Tools that determine whether a customer accesses a service or support.

A privacy policy written before AI was part of your operations will not meet the new standard. The obligation applies to all automated decisions made from 10 December 2026 — regardless of when the system was built or deployed.

The OAIC is not waiting until December. It began its first-ever privacy compliance sweep in January 2026, assessing privacy policies across six sectors. That sweep is ongoing. Firms that arrive at December unprepared will not have the luxury of a quiet correction period.

8 months is enough time to get this right. It is not enough time to leave it until November.

APRA CPS 230 Live

CPS 230 came into effect on 1 July 2025. It is not forthcoming. It is not a proposal. It is the current operational risk standard for APRA-regulated entities.

Under CPS 230, regulated firms are required to formally manage the operational risks associated with third-party service providers — including AI vendors. Formal management means documented controls, vendor exit strategies, and evidence of due diligence. Not intentions. Evidence.

In practice, this means three specific things:

What documented controls look like in practice

• A documented vendor inventory A complete list of every AI vendor in use and a clear record of what decisions they influence — directly or indirectly.
• Vendor exit and continuity planning A documented assessment of what happens operationally if that vendor ceases to exist or withdraws its service tomorrow. Not a theoretical plan — a tested one.
• Evidence of manual fallback testing Documented proof that a manual fallback process has been tested and works. A plan that has never been tested is not a fallback. It is an assumption.

Most SME insurers and financial services firms operating under APRA's remit have not completed this work. Not because they are indifferent to compliance — but because the translation from regulatory language to operational action has not been made clear in terms that a non-legal practitioner can act on.

APRA does not need to initiate a formal investigation for this to become a problem. A complaint, an incident, or an AFCA referral can surface CPS 230 exposure quickly. The firms with documented vendor controls are the ones who answer those questions cleanly.

Shadow AI Live

Your staff are using AI tools your organisation has not approved.

ChatGPT. Microsoft Copilot. Industry-specific tools a team member found and started using because it saved them an hour a day. This is not speculation — it is the documented reality across regulated industries globally, with 67% of executives in a 2026 Writer survey believing their organisation has already suffered a data breach from unapproved AI tool usage.

Under the Privacy Act 1988, your organisation is responsible for how personal information is handled — regardless of whether the tool was approved by IT or sanctioned by management.

Consider what is routinely fed into these tools in insurance and financial services operations:

What staff are feeding into unapproved tools

• Claims files Containing personal injury details, financial records, and third-party information.
• Client summaries Prepared for advisers or underwriters, containing personally identifiable information.
• Underwriting notes Including health, financial, and behavioural data used in risk assessment.

If a staff member fed any of that into an unapproved AI tool, your organisation owns that risk. The employee's intent is irrelevant. The Privacy Act does not distinguish between sanctioned and unsanctioned data handling — only between compliant and non-compliant.

Shadow AI discovery is a structured process: a staff survey combined with an IT log review to surface every tool in active use, approved or not. It typically takes a day to run. It can take months to remediate if the exposure surfaces during an OAIC inquiry rather than an internal review.

Most regulated SMEs have not conducted a Shadow AI discovery exercise. Most are unaware that the obligation to know exists independently of whether they have asked the question.

AFCA and AI-Influenced Decisions Live

AFCA is already investigating AI-influenced decisions.

When a customer lodges a complaint about a claims outcome or a financial decision, AFCA can — and does — ask whether AI was involved in that decision and what human oversight was applied. This is not a future scenario. It is current practice.

Three specific gaps make most regulated SME complaints processes non-compliant with RG 271 when AI is involved:

Three gaps that make most SME complaints processes non-compliant

• No AI flag in the complaint log If your complaint log does not capture whether AI influenced the decision being complained about, you cannot answer AFCA's question. That is not a defensible position.
• No systemic trigger threshold RG 271 requires identification of systemic issues. Without a defined rule — for example, three AI-related complaints about the same system within 30 days triggering a formal review — there is no early warning mechanism. Issues compound silently until they become material.
• No separate IDR tracking for AI-flagged complaints The mandatory 30-day IDR timeframe applies. If AI-flagged complaints are not tracked separately, RG 271 compliance is theoretical, not operational. AFCA will establish that distinction for you if you cannot.

These are not complex structural changes. They are process additions that require someone to have reviewed your complaints function through an AI governance lens — which most regulated SMEs have not done, because no one has framed the requirement in operational terms.

The gap is not awareness of AFCA. It is the absence of a structured review that connects your existing complaints process to the AI governance obligations that now sit alongside it.