Standard

Australia Voluntary AI Safety Standard

Australia's Voluntary AI Safety Standard was published by the Department of Industry, Science and Resources in September 2024, with a significant update (AI6) in October 2025. It is Australia's most comprehensive and operationally specific AI governance instrument to date, translating the government's AI ethics principles into ten concrete guardrails applicable across the entire AI supply chain—from developers and providers through to deployers and end-user organisations.

The ten guardrails address: accountability structures, risk management processes, data governance practices, testing and evaluation methods, human oversight mechanisms, transparency obligations, contestability provisions, supply chain security and resilience, record-keeping requirements and stakeholder engagement processes. The Standard is explicitly designed to be compatible with and complementary to international frameworks, particularly ISO/IEC 42001 and the NIST AI Risk Management Framework.

Although technically voluntary, the Standard has been developed with a strong signal that its requirements may form the basis of future mandatory obligations, particularly for high-risk AI applications. It applies to any organisation developing, deploying or procuring AI systems in Australia, with guidance tailored to different roles in the AI supply chain.

Our take on this

The Voluntary AI Safety Standard is the document Australian organisations should be working against right now. While the 'voluntary' label might tempt some to file it away for later, that would be a strategic error. This is the clearest signal yet from the Australian Government about where mandatory AI regulation is heading, and the organisations building their governance programs against it today will be significantly better positioned when requirements become compulsory.

The October 2025 AI6 update deepened the Standard considerably, adding greater specificity around human oversight, supply chain accountability and transparency obligations. Crucially, it maintained deliberate alignment with ISO 42001 and NIST RMF—which means if you've already implemented either of those international frameworks, you're working the same muscle groups. Map your existing controls to the Standard's ten guardrails and close the gaps.

Why this matters for Australian organisations

The dynamics that made this Standard important at publication have accelerated since. Australian insurers are including AI governance questions in cyber and D&O underwriting. Institutional investors are conducting AI due diligence as part of ESG assessments. Government procurement is increasingly requiring vendors to demonstrate alignment with the Standard. In regulated sectors—banking, insurance, health, energy—sector regulators are signalling that industry-specific guidance is coming.

The 'voluntary now, mandatory later' pattern is the established Australian regulatory playbook. The Privacy Act operated that way. The Modern Slavery Act operated that way. The pattern of stakeholder consultation the government has conducted around AI regulation strongly suggests the same trajectory. Organisations that treat this Standard as mandatory today will be ahead, not over-compliant.

For supply chain participants, the Standard's explicit coverage of the full AI supply chain matters enormously. If you're a vendor providing AI tools or services to other organisations, your customers are going to start asking you to demonstrate compliance. And if you're procuring AI capabilities from vendors, the Standard gives you the framework to assess them.

Practical steps for adoption

  • Conduct an inventory of all AI systems your organisation develops, deploys or procures, categorised by their impact level and role in the supply chain.
  • Score your current practices against each of the ten guardrails using the Standard's self-assessment guidance to produce a gap analysis you can act on.
  • Prioritise accountability (who owns AI governance), risk management (how you assess AI risk) and human oversight (where humans remain in the loop)—these are typically the most foundational gaps.
  • If you're implementing ISO 42001 or NIST RMF, cross-reference those controls against the ten guardrails to identify where existing work already satisfies the Standard.
  • Establish a record-keeping practice for AI systems now, even informally—the ability to document what systems you use, why, and how they're governed will be critical as scrutiny increases.

Ready to transform your AI strategy?

Partner with Australia's AI strategy and governance specialists. From adoption roadmaps to ISO 42001 audit readiness.