Australians Don't Trust AI Companies. The OAIC's 2026 Privacy Survey Explains Why.

Four percent.

That is the share of Australians who trust AI companies with their personal information. Not four in ten. Four in one hundred.

The Office of the Australian Information Commissioner published that figure in May 2026 as part of itsAustralian Community Attitudes to Privacy Survey (ACAPS 2026). The survey covered 1,504 Australians, fieldwork ran through March 2026, and the results are not easy reading for any organisation that uses AI.

There is a second problem running underneath that number. What leadership teams think is happening with AI inside their organisations, and what is actually happening on the ground, are two different things. When you put both pictures together, the compliance risk becomes clearer and more urgent.The community has made up its mind.

87% of Australians said they are more concerned about privacy than they were five years ago. 93% said protecting personal information is personally important to them. Privacy complaints to the OAIC have increased by 73% in the current financial year to date.

On AI specifically, the numbers are stark. 96% said conditions must be in place before AI touches their personal data. 93% said it is not fair for an organisation to use information collected to deliver a service to then train AI models. Only 25% view automated eligibility or risk-based decisions -- loan approvals, benefit assessments, credit scoring -- as acceptable at all.

For financial services, aged care, and healthcare organisations across Australia and New Zealand, those three numbers describe the context your customers are operating in right now.

Inside organisations, a different picture.

TrendAI's 2026 research across 3,700 business and IT decision makers globally found that 53% of organisations are still drafting their AI policies. Governance frameworks are being written after AI tools are already in use. 67% of respondents reported pressure to accelerate AI deployment even when security concerns were raised.

The result is shadow AI. KnowBe4's State of Human Risk 2025 found that 56% of employees feel access to approved AI tools is too slow or too restrictive, and 17% said they had used an AI tool for work without permission from their security or IT team. AI applications recorded a 43% increase in security incidents over the past 12 months, driven largely by employees uploading company documents and customer data into unvetted external platforms.

When that data includes personal information belonging to Australian or New Zealand customers, the Privacy Act obligation stays with the employing organisation. Shadow AI is not just a disciplinary issue. It is a data governance failure with regulatory consequences.

A hard deadline is approaching.

From December 2026, APP regulated entities must disclose the use of AI and automated decision-making in their privacy policies. That obligation covers both formally deployed AI systems and any AI use that touches personal information -- which now includes tools employees are accessing independently of IT approval.

Meeting it requires three things most organisations may not have yet completed:

1. an accurate AI inventory that reflects what is actually in use, not just what was approved;

2. updated privacy policies that honestly reflect AI data flows; and

3. a shadow AI response that creates clear pathways to approved tools rather than simply banning alternatives people are already using.

68% of Australians said they would be more likely to use digital services if they felt their data was handled fairly and responsibly. Privacy governance is a commercial lever, not just a compliance cost.

This is what we do.

Insicon Cyber's AI Security and Governance practice is built for exactly this moment. We test it. We certify it. We maintain it.

Our AI Assurance tests your AI systems for privacy risks, data exposure, and unintended behaviour before they reach customers. ISO 42001 implementation gives your organisation a documented AI management system that satisfies OAIC, APRA, and ASIC expectations. Managed Compliance keeps your AI governance current as the regulatory environment tightens through 2026 and beyond.

The December deadline is six short months away. If you are not certain where your organisation stands, that conversation needs to happen now.

Sources

OAIC, Australian Community Attitudes to Privacy Survey 2026, 28 May 2026:

TrendAI, Securing the AI-Powered Enterprise: Governance Gaps, Visibility Challenges and Rising Risk, 2026.

KnowBe4, The State of Human Risk 2025, December 2025.