What Australia's December 2026 AI Requirements Mean for Your Business
Most businesses think the December 2026 automated decision-making obligations are about "AI regulation."
They're not.
They're about transparency when automated decisions are made about people and those decisions may significantly affect rights or interests.
And if you're using tools like Copilot, ChatGPT, or AI features in your CRM, this is worth checking before the obligation commences.
You May Already Have Relevant Use Cases
The risk does not depend on whether you "built AI."
If:
- AI is helping screen candidates
- AI is influencing pricing, approvals, or recommendations
- AI is generating outputs based on customer or employee data
Then you may have automated decision-making use cases that need privacy, governance, and legal review.
From 10 December 2026, relevant APP privacy policies will need to explain certain automated decisions where personal information is used and rights or interests may be significantly affected.
Where Most Businesses Get This Wrong
Here's the mistake:
They treat AI like a better Google search.
Search returns information.
AI:
- Interprets data
- Generates new outputs
- Combines information across systems
- Influences decisions
That's a completely different risk profile.
"But We're Using Microsoft Copilot — That's Secure, Right?"
This is where things get dangerous.
Most businesses assume:
> "It's Microsoft, so it must be secure."
That's not how this works.
The real questions are:
- What internal documents can Copilot access?
- What happens when someone prompts it incorrectly?
- Can it surface sensitive data across your organisation?
- Do you have any visibility or audit trail?
The tool may be enterprise-grade.
Your usage of it probably isn't.
What the Law Actually Requires
Before 10 December 2026, affected organisations need to be able to answer:
- Where are we using AI?
- What data is flowing into it?
- What decisions does it influence?
- Could those decisions impact individuals?
And critically:
Can you explain this in plain English if asked?
Because updating your privacy policy without understanding your systems won't hold up.
What This Means in Practice
This isn't a legal problem.
It's a visibility problem.
Most businesses:
- Don't have an inventory of AI tools
- Don't know where data is flowing
- Haven't assessed risk
Many businesses have not done this yet — and SMBs face the same practical visibility problem even when legal obligations vary.
That's exactly what regulators—and clients—will start asking about.
The fastest way to get clarity is to start by mapping where AI is already active in your business.
Not Sure Where You Stand?
If you can't clearly map where AI is used in your business and what data it touches, that's the starting point.
Start a conversation — we'll tell you honestly if this is something you need to act on.
Related reading
Law Firm AI Policy Quick Start
A practical quick start for law firms setting plain-English AI rules for ChatGPT, Claude, Copilot, client data, review steps, and partner oversight.
ReadChatGPT, Claude and Copilot for Law Firms: Governance Differences That Matter
A practical comparison of governance risks for law firms using ChatGPT, Claude, Microsoft Copilot and AI-enabled legal tools.
ReadAccounting Firm AI Governance Checklist
A practical AI governance checklist for accounting firms using ChatGPT, Claude, Copilot, tax software, client portals, and AI-enabled SaaS.
ReadLLM Decision Guide for Professional Services Firms
A practical trust, review, and block decision guide for professional services firms using ChatGPT, Claude, Copilot, Gemini, AI-enabled SaaS, and agentic workflows.
Read