Most enterprise AI governance programmes have a risk register. Almost none of them have AI training data copyright as a risk item. That gap is worth examining.
In April 2026, Parliament passed the Copyright Amendment (Orphan Works and Other Measures) Act 2026. Alongside it came formal confirmation of something the Attorney-General had signalled in October 2025: Australia will not introduce a text-and-data mining exemption for AI training. The Copyright and AI Reference Group, established within the Attorney-General's Department, is now actively exploring a mandatory paid licensing framework as the alternative.
The enterprise implications of this are not abstract. They affect procurement decisions your organisation has already made and content workflows your teams are running today.
What the TDM Exemption Was and Why It Matters
When AI companies build large language models and image generation systems, they typically train those models on vast quantities of existing content: books, websites, articles, code repositories, images, academic papers. Whether that constitutes copyright infringement depends on local law and any available exceptions.
Several jurisdictions have adopted a text-and-data mining exemption that permits this kind of processing under certain conditions. The European Union's DSM Directive includes one with opt-outs for rightsholders. The United Kingdom has a narrower research exception. Singapore permits TDM for computational data analysis.
Australia confirmed it will not take this path. The Productivity Commission had recommended a TDM exception in its August 2025 interim report as part of its inquiry into Harnessing Data and Digital Technology. The government rejected that recommendation. The Attorney-General was direct: there are no plans to weaken copyright protections for AI.
What exists instead is the Copyright and AI Reference Group, exploring a paid licensing model, a possible collective licensing framework and enforcement mechanisms including a small-claims forum for copyright disputes. The framework is being developed. The default position in the interim is that existing copyright law applies.
The Two Enterprise Risks Most Governance Programmes Are Missing
Here is the practical consequence for any Australian organisation deploying AI tools.
Risk one: vendor training data exposure. The AI tools your organisation procures and deploys were trained on content. That training may have involved Australian copyrighted material. If a vendor's model was trained on Australian copyright-protected works without licence or an applicable exception, the lawfulness of that training is at least questionable under Australian law.
This is not yet a scenario where enterprise customers are facing direct infringement claims. But it is a scenario where: vendor indemnification provisions matter considerably more than they did two years ago, due diligence questions about training data provenance are no longer esoteric, and the risk profile of a vendor with a clear position on training data differs meaningfully from one that has no position.
Risk two: AI-generated content. If your organisation publishes or distributes AI-generated content using tools trained on potentially unlicensed material, the copyright status of that content carries some uncertainty. The Attorney-General's framing of "fair remuneration" for creators and "lawful access" to copyright material as the baseline signals the direction of travel.
Some organisations have significant content generation workflows already running. The legal exposure from any individual piece of AI-generated content is probably low. The aggregate exposure across a large content programme is worth understanding.
Vendor Procurement Is Now a Copyright Governance Question
Most AI vendor assessments today ask about data security, privacy practices and compliance certifications. Very few ask about training data provenance. That is starting to change, and it should change faster.
Here is what good AI vendor due diligence in the current Australian environment looks like.
Ask what the vendor's position is on copyright compliance for training data. A vendor that cannot articulate one is a vendor taking on risk and, by extension, passing some of that risk to customers.
Ask whether the vendor participates in any licensing frameworks, industry groups or copyright compliance programmes. Several major AI providers are now entering licensing arrangements with publishers, news organisations and other rightsholders. Participation in those arrangements is meaningful.
Review the indemnification provisions in vendor contracts. Standard enterprise software indemnification clauses were not drafted with AI training data copyright in mind. Specifically, consider whether copyright-related claims arising from the AI outputs your organisation produces are covered.
Monitor CAIRG developments. The Reference Group is expected to produce recommendations that will shape the mandatory or voluntary licensing framework. The direction it takes will determine whether the current risk profile improves or intensifies.
Where Most AI Governance Frameworks Have a Blind Spot
There is a structural reason why training data copyright sits outside most AI governance programmes: frameworks were built around deployment risk, not provenance risk.
Risk classifications assess what an AI system does, how it affects people and what regulatory obligations apply to its outputs. They do not typically ask where the model came from and what data went into building it. That was a reasonable design choice when the copyright question was unsettled and vendors were not facing liability. It is a less reasonable design choice now that the government has confirmed its position and a licensing framework is in development.
The part many organisations miss is that the risk is not only about being sued. It is about being in a position where, when the paid licensing framework is established, your organisation cannot easily demonstrate that its AI tool vendors have adapted to comply. Organisations that have tracked training data provenance from the start will have a much cleaner position than those that have not.
What Good Governance Looks Like in This Environment
This does not require dismantling existing AI deployments. It requires adding a dimension to how AI tools are assessed and monitored.
For each AI system in your use-case register, add a field for training data position: what is known about what the system was trained on, whether the vendor has a stated copyright compliance approach and whether any licensing arrangements are in place. Even a field that currently reads "unknown" is useful, because it surfaces the question.
For AI content generation workflows, implement a review step that considers copyright provenance. This is particularly relevant for content produced at scale, such as marketing copy, product descriptions or summarisation outputs, where aggregate exposure is meaningful.
For vendor contracts being negotiated now, engage legal counsel on whether training data indemnification provisions are adequate for the Australian environment.
Key Takeaways
- Parliament confirmed in April 2026 that Australia will not introduce a text-and-data mining exemption for AI training, meaning existing copyright law applies to AI training data
- The Copyright and AI Reference Group is exploring a mandatory paid licensing framework, and enforcement mechanisms including a small-claims forum are being considered
- Enterprise AI governance programmes face two gaps: vendor training data risk and AI-generated content copyright uncertainty
- AI vendor due diligence should now include questions about training data provenance, copyright compliance approach and indemnification scope
- AI use-case registers should capture training data position as a governance field for each deployed AI system
How Trusenta Can Help
AI Governance provides the use-case register and vendor risk framework that allow organisations to capture training data provenance as a governance field for each AI deployment, making it possible to track and report on copyright risk exposure across the AI portfolio.
Risk Management enables organisations to classify and track AI-related risks including emerging copyright exposure, with treatment plans and control assignments that keep the risk profile current as the CAIRG framework develops.
AI Governance Foundations establishes the governance infrastructure organisations need to systematically assess AI tool risk including vendor due diligence, training data questions and the accountability structures required to manage emerging regulatory obligations.
A Governance Problem Before It Is a Legal One
The AI copyright question in Australia is not yet a crisis. But governance problems that are ignored at the low-risk stage tend to become legal problems at the higher-risk stage.
The CAIRG is active. The licensing framework is coming. The enforcement mechanisms are being designed. Organisations that have been asking training data questions, reviewing vendor positions and building provenance into their governance registers will navigate that landscape considerably more easily than those that have not.
AI governance must be a capability the organisation owns. That means owning the questions too, not just waiting for the answers to arrive in the form of a claim or a regulatory inquiry.
