Australian Mandatory AI Guardrails Framework (DISR, enactment pending)
| Regulator | Department of Industry, Science and Resources |
| Jurisdiction | AU |
| Status | Draft — not yet in force |
| Applicability | Platform |
Status: Consultation draft — not yet enacted as of April 2026.
The Australian Government's Department of Industry, Science and Resources (DISR) published a
consultation paper in 2023 proposing mandatory guardrails for AI systems used in high-risk
settings. As of April 2026 the framework has not been enacted as legislation or a legislative
instrument. The government's position is that voluntary adoption (see the Voluntary AI Safety
Standard) should precede mandatory obligations, with mandatory requirements targeted at
high-risk AI use cases once the voluntary framework has been assessed.
When enacted, the mandatory guardrails are expected to apply to AI systems that make or
materially influence high-impact decisions — including credit approvals, account restrictions,
fraud detection, and conduct monitoring in financial services. A full policy and module review
will be required at that point.
The proposed guardrails cover: accountability (designated responsible person), transparency
(disclosure to affected persons), human oversight for high-impact decisions, data governance
(training data quality and provenance), bias testing, and security (adversarial robustness).
Compliance register
This register maps the proposed mandatory guardrails to current platform controls and identifies
the institutional processes required. Coverage is assessed against the proposed framework as
consulted; it will require updating when final requirements are published.
Scope legend
| Symbol | Meaning |
| --- | --- |
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
| --- | --- |
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Proposed guardrail 1 — Accountability
| Proposed obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Designated responsible person for each AI system; governance documentation linking each model to an accountable owner | 📊 Evidenced | DT-009 | MOD-150 (LOG) — model inventory auto-maintained; records the designated model owner and validation approver for every production model; model validation gate blocks promotion without a closed validation case | 🔨 |
Proposed guardrail 2 — Transparency
| Proposed obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Disclosure to affected persons when an AI system materially influences a decision about them | 🏛 Institutional | DT-009 | Disclosure content design is institutional. MOD-050 (GATE) — disclosure enforcement gate ensures the correct disclosure version is presented and acknowledged before product activation or credit decision; content accuracy is institutional | 🔨 |
Proposed guardrail 3 — Human oversight for high-impact decisions
| Proposed obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Human review pathway for AI decisions that materially affect individuals; review must be available before the decision takes effect where practicable | 🏛 Institutional | DT-009 | Human review of high-impact AI decisions (credit declines, fraud holds, account restrictions) is an institutional process. MOD-064 (AUTO) — work queue routing ensures decisions above a risk threshold are placed into the human review queue for the appropriate role; no bypass path exists below role authority | 🔨 |
| Records of human review decisions must be retained for audit | 📊 Evidenced | DT-009 | MOD-048 (LOG) — AI decision inputs, model version, human reviewer identity, and override decision logged against every case | 🔨 |
Proposed guardrail 4 — Data governance
| Proposed obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Training data provenance documented; data quality checks performed; sensitive data handling restrictions applied | 🏛 Institutional | DT-009 | Training data governance is institutional — managed by the data engineering team. MOD-150 (LOG) — model validation records include training data provenance as a required field; validation gate blocks promotion if provenance is not documented | 🔨 |
Proposed guardrail 5 — Bias testing
| Proposed obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Bias and fairness testing required before AI model deployment and periodically thereafter; results documented | 📊 Evidenced | DT-009 | MOD-150 (GATE) — model validation gate requires a bias testing section in the validation report; model cannot be promoted to production without a completed validation case | 🔨 |
Proposed guardrail 6 — Security
| Proposed obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| AI systems must be tested for adversarial robustness; model poisoning and evasion attack risks assessed | 🏛 Institutional | DT-009 | Adversarial robustness testing is institutional — conducted as part of model validation. MOD-150 (LOG) — security assessment is a required section of the model validation report | 🔨 |
Enactment note
When the mandatory guardrails framework is enacted, the following review actions will be required:
- Confirm the final guardrail scope and definitions — some proposed guardrails may be narrowed or expanded.
- Assess whether the MOD-150 model inventory and validation gate cover the data governance and bias testing obligations in full, or whether additional controls are needed.
- Review MOD-064 work queue routing to confirm it meets any prescriptive human oversight requirements.
- Update DT-009 (AI & algorithm policy) and DT-011 (AI development guardrails) to reflect mandatory obligations.
| Obligation | Owner | Platform evidence input |
| --- | --- | --- |
| AI governance committee — oversight of model deployments; responsible person designation | Chief Risk Officer / CTO | MOD-150 model inventory feeds committee review pack |
| Human review process for high-impact AI decisions | Head of Credit / Head of Financial Crime | MOD-064 work queue; MOD-048 decision logs |
| Training data governance and provenance documentation | Head of Data Engineering | MOD-150 validation records |
| Adversarial robustness testing | Chief Information Security Officer | MOD-150 validation reports |
| DISR engagement during consultation — submission and monitoring of enactment timeline | General Counsel / Chief Compliance Officer | Institutional |
Coverage summary
| Area | Total proposed obligations | Platform evidenced 📊 | Institutional 🏛 |
| --- | --- | --- | --- |
| Accountability | 1 | 1 | 0 |
| Transparency | 1 | 0 | 1 |
| Human oversight | 2 | 1 | 1 |
| Data governance | 1 | 0 | 1 |
| Bias testing | 1 | 1 | 0 |
| Security | 1 | 0 | 1 |
| Total | 7 | 3 (43%) | 4 (57%) |
All attributed modules are currently build_status: Not started.
Coverage assessment is preliminary pending final enactment of the mandatory framework.
| Policy | Title |
| --- | --- |
| DT-009 | AI & algorithm policy |
| DT-011 | AI development guardrails |
Official documentation
Policies referencing this standard
- DT-009 — AI & algorithm policy
Compiled 2026-05-22 from source/entities/regulations/au-mandatory-ai-guardrails.yaml