← All posts
complianceAPRA CPS 234Privacy ActADM transparency

AI compliance for Australian regulated industries: what changes in December 2026

Australia's ADM transparency laws commence 10 December 2026, with civil penalties up to $50 million. Here's what regulated businesses need in place before then — and how per-call evidence changes the compliance conversation.

Australian businesses in financial services, health, insurance, and government are adopting AI faster than their compliance frameworks can keep up. The technology is useful. The problem is proving it’s safe — to a board, to an auditor, and soon, to a regulator with the power to issue civil penalties of up to $50 million.

That deadline is not abstract. Under the Privacy and Other Legislation Amendment Act 2024 (Cth), automated decision-making (ADM) transparency obligations commence on 10 December 2026. Businesses using AI to make decisions that significantly affect someone’s rights will need to disclose what data was used and how the decision was reached. Most organisations have no mechanism to produce that evidence today.

The three obligations that matter

Three regulatory pressures converge on any regulated business sending data to an AI model:

  • APRA CPS 234 — Information security for APRA-regulated entities. Section 15 covers third-party arrangements. If you send data to an overseas AI provider, you are expected to demonstrate active oversight of that arrangement, not just a contract on file.
  • Privacy Act 1988, APP 8 — Cross-border disclosure of personal information. The moment personal information leaves Australia for an overseas AI provider, APP 8 obligations are triggered. The question an auditor asks is simple: can you show, per request, what was disclosed and where it went?
  • ADM transparency (from December 2026) — Disclosure of the data inputs and decision basis behind automated decisions.

The common thread is evidence. Each obligation assumes you can produce a record of what happened, when, and under what controls — at the level of an individual AI call.

Why post-hoc log analysis isn’t enough

The standard answer is to analyse logs after the fact. Pull the request logs, run a classifier, generate a report. That works until a regulator asks you to prove the control was active at the time of the request — not reconstructed afterwards from logs you could, in principle, have edited.

The shift that matters is from after-the-fact analysis to inference-time evidence: a record generated at the moment of the AI call, cryptographically signed, and stored so that it cannot be altered without detection.

What “compliant” should actually look like

A defensible AI compliance posture for an Australian regulated business produces, for every single AI call:

  1. A scan for Australian PII — Tax File Numbers, Medicare numbers, ABNs, BSB and account details — using validation, not just pattern matching.
  2. A check for prompt injection in the request, including content hidden inside uploaded documents.
  3. A signed attestation that maps what happened to the relevant control — CPS 234 S15, APP 8, ADM transparency — so the evidence speaks the regulator’s language.
  4. An immutable, tamper-evident audit trail retained for seven years.

None of this should change how your team works. The right architecture sits between your business and the AI model, intercepts each call, and does the compliance work transparently. One API URL changes. Nothing else.

The window is closing

December 2026 is the forcing function, but the underlying obligations — CPS 234, APP 8 — already apply today. The businesses that will be ready are the ones that treat AI compliance as an architectural decision now, rather than a reporting scramble later.

If you’re weighing how to put per-call evidence in place before the deadline, get in touch. It’s the conversation we’re built for.

40° South acknowledges the Traditional Custodians of the lands on which we work and live. We pay our respects to Elders past, present, and emerging, and recognise their continuing connection to land, waters, and culture.