Blog | Insicon Cyber

The EU Just Made AI Governance Mandatory. Australia Is Still Thinking About It.

Written by Matt Miller | 22/06/26 7:26 AM

I've been having a lot of conversations about AI governance lately. More than at any point in the last three years. Boards want to know what the rules are. CEOs want to know what their competitors are doing. Legal teams want to know whether they're exposed.

The honest answer to all of those questions is: it depends which jurisdiction you're looking at.

Because the EU and Australia have taken completely different approaches, and understanding that gap is important, especially if your organisation operates across both, or procures technology from vendors who do.

What the EU has actually done

The EU AI Act (Regulation EU 2024/1689) is the most comprehensive AI governance framework in the world. It entered into force in August 2024 and its high-risk AI obligations fully activate on 2 August 2026, which is weeks away as you read this.

It is not voluntary. It is not guidance. It is law, and it carries penalties of up to EUR 35 million or 7% of global annual turnover for the most serious violations. That exceeds GDPR.

The framework is risk-based. Not all AI is treated equally. Prohibited practices, things like social scoring by public authorities and real-time biometric surveillance in public spaces, have been illegal since February 2025. General-purpose AI models like large language models have been subject to binding obligations since August 2025. High-risk AI systems, covering employment decisions, credit assessments, critical infrastructure, healthcare, and education, face full compliance requirements from 2 August 2026.

What does compliance actually require for high-risk AI? A documented risk management system. Data governance controls. Technical documentation. Mandatory human oversight. Transparency to users. Record keeping sufficient for third-party review. Conformity assessment by independent auditors for the highest-risk categories.

There is also extraterritorial reach. Article 2 of the Act applies to any provider placing AI systems on the EU market, regardless of where that provider is established. An ANZ software company with European customers is in scope. A managed services firm whose technology vendors sell into the EU is potentially in scope. Geographic distance does not create regulatory distance.

What Australia has done

The honest summary: a lot of consultation, a voluntary standard, and a decision not to legislate.

In September 2024, the Australian Government released a Voluntary AI Safety Standard with ten guardrails, and simultaneously published a proposals paper for mandatory equivalents in high-risk settings. The guardrails themselves were sensible: governance accountability, risk management, data integrity, testing, human oversight, user transparency, contestability, supply chain transparency, and record keeping. They mapped closely to what the EU AI Act requires.

Then the mandatory element was shelved. In December 2025, the National AI Plan confirmed the government would not proceed with mandatory guardrails at this time. Instead, it would rely on existing technology-neutral laws, incrementally amend the Privacy Act and Australian Consumer Law as needed, and establish an AI Safety Institute (AISI) to monitor and test advanced AI systems.

The AISI launched with $29.9 million in funding and an advisory mandate. It does not have regulatory enforcement powers. The existing regulators, the OAIC, ACCC, and eSafety Commissioner, retain those under their existing legislation.

So Australia has good guidance. It does not yet have an enforceable AI-specific regime.

Where they agree

This is the part that matters most for organisations trying to decide what to do right now.

Despite the difference in enforceability, the underlying governance principles of the EU AI Act and Australia's voluntary framework are almost identical. Both require risk management processes. Both require meaningful human oversight in high-risk settings. Both require data governance and data quality controls. Both require transparency to the people affected by AI-driven decisions. Both require documentation sufficient for independent review.

That convergence is deliberate. Australia's standard was developed with explicit reference to international frameworks, and the EU Act was itself informed by years of global standards work. They are not two different answers to two different questions. They are two different levels of enforcement around the same answer.

What this means in practice

I'll tell you what I tell boards when this comes up.

  • First, if you have any EU market exposure, or if your technology vendors do, you are dealing with binding obligations today, not future-state aspiration. The extraterritorial reach of the EU AI Act is real. Domestic guidance in Australia does not discharge EU obligations.

  • Second, if you operate purely in Australia and New Zealand, the voluntary floor is not the risk floor. Sector regulators are not waiting for an Australian AI Act. APRA's April 2026 letter on AI and ASIC's May 2026 letter on frontier AI are clear signals that financial services organisations are already subject to mandatory expectations through their existing prudential and market conduct frameworks. The Aged Care Quality and Safety Commission, the OAIC, and others are moving in the same direction. The gap between voluntary and mandatory is narrowing sector by sector, regardless of whether a standalone AI Act is ever passed.

  • Third, the governance infrastructure you need to build is the same either way. A documented risk management process for AI. Data governance controls. Meaningful human oversight mechanisms. Records that would survive independent scrutiny. These are not EU requirements on one side and Australian recommendations on the other. They are sound governance, and any credible framework requires them.

The most useful thing you can do right now

Build your AI governance posture to the EU standard, not the Australian floor. Not because regulators are about to knock on your door in Sydney or Auckland, but because the direction of travel is clear, and building to the higher standard now is cheaper than retrofitting it later when it becomes mandatory.

ISO 42001 is the international management system standard for AI governance, and it is the most practical framework available for doing this in a structured, auditable way. It maps directly to the risk management, data governance, human oversight, and transparency requirements that both the EU AI Act and Australia's voluntary guardrails share. Organisations that implement it now are not doing extra work. They are doing the right work once, in a way that stands up under scrutiny from any direction.

At Insicon Cyber, this is the conversation we are having with boards and leadership teams across Australia and New Zealand right now. The regulatory environment is not uniform, and it is not static. What is stable is the underlying logic: AI governance is no longer optional, and organisations that treat it that way are carrying risk they cannot currently see.

The EU figured that out and legislated it. Australia is getting there. The question for your organisation is whether you are going to wait for the mandate or build ahead of it.