Regulatory Tracker

ANZ AI Regulatory Timeline

Every regulatory event that materially affects AI deployment in Australian and New Zealand professional services. APRA, ASIC, OAIC, AHPRA, ACCC, and the Voluntary AI Safety Standard. Each entry links to the primary source so you can verify the current state independently.

16 events tracked. Last reviewed June 2026. Reviewed monthly.

In effect

Active regulatory requirements

These obligations apply to AI deployment in ANZ professional services today. Boards and risk committees should expect to see evidence of compliance against each item.

  1. Anthropic

    Anthropic launches Claude for Legal

    Anthropic releases Claude for Legal, a configured Claude deployment with iManage and NetDocuments connectors, privilege classification, conflict screening, and Westlaw grounding. Targets enterprise law firms with sector-specific evaluation suites.

    Impact: ANZ law firms now have a sector-tuned Claude option that bypasses the build-vs-buy debate; the question shifts to integration and governance scope.

  2. Anthropic

    Anthropic launches Managed Agents

    Claude Managed Agents move to public beta: long-lived Claude agents hosted by Anthropic, with managed retrieval, tool use, and observability. Removes the operational burden of running agent infrastructure.

    Impact: Firms with limited engineering capacity can now deploy production agents without standing up their own runtime, accelerating the build-or-buy economics.

  3. APRA

    CPS 230 Operational Risk Management commences

    APRA's CPS 230 prudential standard applies to all APRA-regulated entities. It introduces material service provider obligations, business continuity requirements, and incident reporting standards that directly cover AI vendors and AI-driven services.

    Impact: Banks, insurers, and superannuation funds using third-party AI must classify the AI provider as a Material Service Provider with documented operational resilience evidence.

  4. OAIC

    Privacy Act statutory tort and OAIC notification reforms

    First tranche of Privacy Act reforms commences, including the statutory tort for serious invasions of privacy and new transparency obligations for automated decision making affecting individuals.

    Impact: Customer-facing AI that materially affects an individual decision now requires a Privacy Policy disclosure and a documented review process.

  5. OAIC

    OAIC AI guidance for businesses

    The Office of the Australian Information Commissioner publishes two guides: privacy compliance for businesses using commercial AI products, and a developer guide for training generative AI on personal information.

    Impact: Any organisation using third-party generative AI on customer data needs a documented Privacy Impact Assessment and a vendor data-use clause in their contract.

  6. DISR

    Voluntary AI Safety Standard published

    The Department of Industry, Science and Resources publishes the Voluntary AI Safety Standard: ten guardrails covering accountability, risk management, data governance, testing, human oversight, transparency, contestability, supply chain, records, and engagement. Anchors the upcoming mandatory AI Guardrails for high-risk settings.

    Impact: Boards now expect to see an internal AI policy mapped against the ten guardrails before approving any production deployment. The mandatory version is in consultation for 2027 commencement.

Upcoming

Commencing in the next 12 months

Each of these dates triggers a new compliance obligation. Procurement, governance, and product roadmaps for any organisation deploying AI should plan against them.

  1. AHPRA

    AHPRA AI in clinical practice position statement

    The Australian Health Practitioner Regulation Agency releases its AI-in-clinical-practice position covering scribing, triage, and decision-support tools. Registered practitioners remain accountable for AI-assisted clinical decisions.

    Impact: Clinical organisations using ambient scribing or triage AI need an attestation-of-accountability framework in writing before this date.

  2. ASIC

    ASIC Regulatory Guide 271 AI deployment guidance

    ASIC's updated guidance on AI use in financial services firms takes effect, building on the existing requirements for AFSL holders. Covers algorithmic advice, customer-facing AI, and governance expectations.

    Impact: AFSL holders must document the AI governance posture for any production model before regulator review cycles begin in late 2026.

  3. OAIC

    Privacy Act AI amendments commence

    The Privacy and Other Legislation Amendment Bill 2024 introduces a new statutory tort for serious invasions of privacy and tightens automated decision-making notice obligations. Organisations deploying AI that affects individuals must update their Privacy Policy by this date.

    Impact: Every AI deployment that touches personal information needs an updated Privacy Policy entry and an automated decision-making disclosure before December 2026.

Foundation

Historical context

The regulatory infrastructure that current AI requirements build on. Worth understanding when you need to explain to a board or auditor how a present-day obligation arose.

  1. Treasury

    AML/CTF reform bill introduced

    The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill brings tranche-two entities (lawyers, accountants, real estate, trust and company service providers, dealers in precious stones) under AML/CTF obligations from 2026.

    Impact: Mid-tier law and accounting firms must implement KYC and transaction monitoring from 2026; AI-driven monitoring tools become a procurement priority.

  2. DISR

    AI Safety Summit communique and Bletchley Declaration sign-on

    Australia signs the Bletchley Declaration alongside 28 other nations at the inaugural AI Safety Summit. Commits to international cooperation on frontier AI testing and risk management.

    Impact: Signals Australia's intent to align with the EU AI Act and UK frameworks; firms operating across jurisdictions can plan for converging requirements.

  3. ACCC

    ACCC Digital Platform Services Inquiry, AI focus

    The ACCC's interim report on the Digital Platform Services Inquiry calls out generative AI deployment risks: misleading content, market concentration, data scraping. Foreshadows competition law application to AI services.

    Impact: Vendors making capability or accuracy claims about AI products face heightened ACCC scrutiny; claims must be substantiated with documented testing.

  4. APRA

    CPS 234 Information Security extended to AI workloads

    APRA confirms that CPS 234 Information Security obligations apply to AI and machine-learning workloads, including third-party AI services. Material consequences of an information security incident must be reported within 72 hours.

    Impact: AI vendors in the APRA-regulated supply chain must demonstrate CPS 234-compliant information security and incident response posture before procurement.

  5. OAIC

    OAIC Notifiable Data Breach scheme, 5 year review

    OAIC publishes its five-year review of the Notifiable Data Breaches scheme, calling for expanded notification triggers and shorter response windows. Sets the agenda for the 2024-2026 Privacy Act reforms.

    Impact: Organisations using AI on personal data should design data flows assuming a 72-hour notification window will become law within the parliamentary term.

  6. OAIC

    Privacy Act review final report

    The Attorney-General's Privacy Act Review Report makes 116 proposals, including a statutory tort for serious invasions of privacy, expanded consent requirements, and new obligations for automated decision making. Most were accepted by Government in the agreed-form 2023 response.

    Impact: The trajectory of the Privacy Act reforms was set here. Firms with multi-year AI roadmaps should treat these 116 proposals as the long tail of what's coming.

  7. DISR

    Australian AI Ethics Principles published

    Australia publishes eight voluntary AI Ethics Principles: human-centred values, fairness, privacy and security, reliability and safety, transparency and explainability, contestability, accountability, and human-AI teaming.

    Impact: The vocabulary that boards and risk committees now use to evaluate AI proposals was established here. Map vendor proposals against these eight principles.

Reference

Frequently asked questions

Is this timeline kept up to date?

Yes. The events on this page are reviewed at least monthly against APRA, ASIC, OAIC, AHPRA, ACCC, and Treasury publication channels. Each entry links directly to the primary source so readers can verify the current state independently.

Which regulators most affect AI deployment in ANZ professional services?

APRA (financial services), OAIC (privacy across all sectors), ASIC (financial advice and conduct), AHPRA (healthcare practitioners), and the Department of Industry, Science and Resources (the Voluntary AI Safety Standard and the upcoming mandatory Guardrails) are the five most-cited regulators. ACCC and Treasury enter when AML/CTF, competition, or consumer-law matters intersect with AI.

What is the single most important upcoming date?

1 December 2026, when the Privacy Act AI amendments commence. Every organisation that uses AI on personal information needs an updated Privacy Policy and an automated decision-making disclosure by that date. CPS 230 (1 July 2025, already live) is the financial-services equivalent and is already actively enforced.

Where can I report a regulatory event missing from this timeline?

Email hello@davidandgoliath.ai with a source link. If the event has a primary regulator publication and an effective date, we will add it to the next monthly review.