You’re looking at adopting AI, and you need governance frameworks that keep you compliant with privacy, security, and workplace regulations while not creating a bureaucratic nightmare. As part of Australia’s National AI Plan, the National AI Centre released the AI6 framework in October 2025, taking the previous 10-guardrail Voluntary AI Safety Standard and consolidating it down to six essential practices.
AI6 is streamlined and actionable. It aligns with ISO/IEC 42001 and NIST AI RMF international standards. And here’s the best part – you can integrate it into your existing DevOps pipelines, security reviews, and privacy-by-design practices. No parallel governance systems to maintain.
The Australian Public Service AI Plan released in November 2025 shows you what enterprise-scale adoption looks like. It’s built on Trust, People, and Tools pillars. You get access to NAIC templates, over $460 million in funding opportunities, and mechanisms to participate in policy consultations.
What Role Does the National AI Centre Play in AI Governance?
The National AI Centre (NAIC) is the Australian Government’s entity consolidating over $460 million in AI funding and publishing the official governance guidance for businesses adopting AI.
NAIC publishes the AI6 Guidance for AI Adoption in two versions – Foundations gets you started, Implementation gives you detailed technical guidance. They also run AI Accelerator funding programmes and provide templates for AI system registers and policy development. NAIC works closely with the AI Safety Institute on safety evaluation processes to ensure governance frameworks align with safety infrastructure.
You access all the practical resources like screening tools, implementation guides, and contract templates through industry.gov.au. No need to develop governance frameworks from scratch. The funding portfolio includes Cooperative Research Centres programmes, regional support initiatives, and First Nations AI programmes.
What Are the Six Essential Practices in the AI6 Framework?
The AI6 framework consists of six essential practices for responsible AI: decide who is accountable, understand impacts and plan accordingly, measure and manage risks, share information, test and monitor, and maintain human control.
These six practices replace the previous Voluntary AI Safety Standard’s 10 guardrails. Less bureaucracy, more action. AI6 also applies proportionately – if you’re running higher-risk systems you need more rigorous implementation. Lower-risk systems need lighter oversight.
Practice 1 is about accountability. You nominate an executive official responsible for AI governance and document accountability in your policies.
Practice 2 requires assessing affected stakeholders and potential harms across privacy, safety, fairness, security, and employment domains. These assessments complement mandatory compliance requirements under Privacy Act and Consumer Law that form the legal foundation for AI governance.
Practice 3 integrates AI risks into enterprise risk registers and defines risk appetite thresholds.
Practice 4 requires you to disclose AI use to impacted parties and maintain an AI system register.
Practice 5 requires pre-deployment testing for accuracy, bias, and robustness and establishing ongoing monitoring.
Practice 6 ensures humans remain in the loop or on the loop for decisions and prevents over-reliance on AI.
How Do You Implement Practice 1: Establish Accountability in Your Organisation?
Appoint a Chief AI Officer with the executive authority to oversee AI governance, adoption strategy, and system register maintenance. Define ownership by assigning responsible individuals for each AI system. Establish reporting lines to the Chief AI Officer.
Position the Chief AI Officer within your current executive governance. Typically they’ll report to your CTO, CIO, or risk management. The Australian Public Service model appointed Chief AI Officers coordinating with an AI Review Committee for high-risk deployments.
If you’re a smaller organisation, combine Chief AI Officer responsibilities with existing CTO or CIO roles. The requirement is executive accountability for AI governance, not necessarily a standalone role.
Secure executive-level sponsorship from your CEO, CTO, or Chief Risk Officer. You need adequate resources and organisational priority.
The Chief AI Officer role extends beyond policy. They oversee vendor contracts, approve impact assessments, and coordinate incident response.
How Do You Implement Practice 2: Understand Impacts Through AI Impact Assessments?
Conduct AI Impact Assessments evaluating your system’s effects across five domains: privacy for data handling and consent, safety for physical and psychological harm, fairness for bias and discrimination, security for vulnerabilities and misuse, and employment for workforce displacement.
The classification outcome tells you whether your system is lower-risk requiring minimal oversight or higher-risk requiring enhanced governance controls.
Assessments are mandatory for all Australian Public Service AI deployments, higher-risk systems in the private sector, and any system affecting vulnerable populations or making high-stakes decisions. Combine assessments with your existing Privacy Impact Assessments, security reviews, and workplace health assessments.
NAIC provides assessment frameworks aligned with existing PIA and security review formats. Integrate with your enterprise risk register so AI-specific risks are documented alongside privacy, cybersecurity, and workplace health risks.
How Do You Implement Practice 3: Measure and Manage Risks in Enterprise Systems?
Integrate AI-specific risks into your existing enterprise risk register alongside privacy, cybersecurity, and workplace health risks. Use the same framework you’re already using to avoid parallel tracking systems.
Define organisational risk appetite by establishing acceptable thresholds for AI risks. Internal tools versus customer-facing systems require different thresholds. Low-stakes versus high-stakes decisions influence acceptable risk levels.
Set up incident response mechanisms that enable timely responses to monitoring alerts. Define what constitutes an AI incident – accuracy degradation, bias detection, security breach, or safety failure. Assign response ownership and create escalation paths to the Chief AI Officer.
Governance measures should be proportionate to the risk level. An AI chatbot answering general questions needs different controls than an AI system approving loan applications.
Risk treatment strategies include mitigation through enhanced controls, acceptance with documented risk appetite, transfer through vendor accountability, and avoidance via system pause or retirement.
How Do You Implement Practice 4: Share Essential Information Through System Registers?
Create an AI system register documenting system purpose and use cases, data sources and types, key risks identified, controls implemented, system owner and accountability, deployment status, and last assessment date.
Share relevant register information with affected stakeholders. Employees need visibility into workplace AI. Customers need information about service AI. Publish summary information where appropriate for public accountability.
NAIC provides system register templates aligned with government transparency standards. Your Chief AI Officer owns register accuracy. System owners update entries when changes occur.
Your AI systems should operate in ways stakeholders can understand and audit. Document how models make decisions, what data they use, their limitations, and how they’re monitored.
How Do You Implement Practice 5: Test and Monitor AI Systems?
Pre-deployment testing evaluates systems using realistic scenarios for accuracy against performance benchmarks, bias for fairness across demographic groups, and robustness for behaviour under edge cases before production use.
Track operational performance continuously with defined incident thresholds triggering review. Accuracy drops below baseline, bias detected in outputs, user complaints exceed threshold, or security anomalies – all trigger investigation.
Higher-risk systems require more rigorous testing protocols and tighter monitoring thresholds than lower-risk systems. Embed tests into your CI/CD pipelines. We’ll cover integration details in the engineering practices section.
Develop test scenarios covering expected use, edge cases, and potential misuse scenarios. Define what metrics to track – accuracy, fairness, drift, and user feedback.
The APS approach mandates pre-deployment testing for all government AI with continuous monitoring and defined escalation paths.
How Do You Implement Practice 6: Maintain Human Control Over AI Systems?
Human-in-the-loop means humans actively participate in AI decisions, reviewing and approving outputs before implementation. This is required for high-stakes, irreversible decisions like medical diagnoses, loan approvals, or hiring.
Human-on-the-loop means humans monitor AI operations with authority to intervene, override, or pause systems when issues are detected. This is appropriate for lower-risk systems where occasional review suffices.
Your AI Impact Assessment and risk classification determine whether you need HITL or HOTL. Higher-risk systems typically require HITL. Lower-risk systems may use HOTL.
Your workforce needs AI literacy to provide effective oversight. Staff need to understand when to intervene and how to recognise AI errors or biases. The APS model includes a universal AI literacy programme.
Implement foundational AI literacy training for all staff covering what AI is, limitations, risks, and responsible use. Provide specialised training for oversight roles covering model limitations, bias recognition, and intervention protocols.
Embed human control checkpoints into business processes without creating bottlenecks. Prevent over-reliance by detecting automation bias where humans trust AI outputs without scrutiny. For workplace AI systems specifically, implementing worker consultation as part of AI6 practices ensures governance operationalizes consultation requirements effectively.
How Do You Access NAIC’s Guidance for AI Adoption and Templates?
Access the official NAIC Guidance for AI Adoption at industry.gov.au/naic, available in two versions. Foundations covers getting started and basic concepts. Implementation provides detailed technical guidance for AI6 practices.
Downloadable templates include an AI system register template, AI policy template, AI screening tool for risk classification, and contractor accountability guidance for vendor contracts.
Industry.gov.au serves as the central access point for all NAIC resources. No registration or fee requirements.
Use the screening tool – it’s a risk classification questionnaire determining higher-risk versus lower-risk system categorisation. Subscribe to the NAIC newsletter for guidance updates, funding announcements, and policy consultation opportunities.
What AI Funding Opportunities Are Available Through NAIC?
NAIC consolidates more than $460 million in existing AI-related government funding. There’s also a new AI Accelerator funding round of the Cooperative Research Centres programme.
Programmes include CRC grants for collaborative AI research and development, regional support initiatives for AI capability building outside major cities, and First Nations AI programmes supporting Indigenous-led AI projects.
CRC programmes typically require industry-research collaboration. Regional initiatives target specific geographic areas. Check industry.gov.au/naic for current funding rounds, eligibility criteria, and application deadlines.
The Academy welcomes the launch of the AI Accelerator funding round, which will provide researchers a platform to translate their ideas into real-world products.
Strategic use of funding combines governance implementation for AI6 adoption with capability building for training, tooling, and process development.
How Do You Integrate AI Governance with Existing Engineering Practices?
Embed AI testing as automated CI/CD gates with accuracy checks, bias scans, and robustness tests. Integrate monitoring into existing observability platforms like Datadog or Prometheus. Treat governance controls like security controls in deployment workflows.
Position AI governance as an extension of your existing security practices. Vulnerability assessment, threat modelling, and incident response – you’re already doing these. Leverage your security teams’ expertise in risk management and control implementation.
Apply a privacy by design approach by integrating AI Impact Assessments with Privacy Impact Assessments. Apply data minimisation principles to AI training data. Embed fairness controls alongside privacy controls in development processes. These practices implement legal obligations that governance frameworks address under Australian law.
Use your existing enterprise risk registers, incident response protocols, and change management processes rather than creating separate AI-specific governance infrastructure.
Embed accuracy tests, bias detection, and robustness checks in automated testing suites alongside unit tests, integration tests, and security scans. Route alerting through your current incident management systems.
Position AI governance as engineering best practice like code review, testing, and security – not a compliance burden imposed by executives.
What Lessons Can We Learn from the Australian Public Service AI Plan?
The APS AI Plan built on three pillars: Trust covering transparency, ethics, and governance; People addressing capability building and engagement; and Tools providing access, infrastructure, and support.
The Trust pillar establishes regulatory and ethical foundations through updated Policy for Responsible Use of AI requiring mandatory AI Impact Assessments, a new AI Review Committee providing oversight, and enhanced contractor accountability.
The People pillar addresses workforce transformation via mandatory foundational AI literacy training for all staff, Chief AI Officer appointments across agencies, and a central AIDE team.
The Tools pillar provides technical infrastructure through the GovAI secure platform offering Australian-based AI solutions, GovAI Chat universal assistant, and guidance permitting public tools for low-risk activities.
Chief AI Officers will accelerate consistent AI capability development across the APS, identifying where AI can meaningfully improve Australians’ lives through faster service delivery and better policy interventions.
Executive accountability through Chief AI Officers drives coordination. Foundational AI literacy training enables effective oversight. Centralised platforms like GovAI reduce duplication and procurement burden.
New contracting clauses establish that consultants and contractors remain responsible for services they deliver regardless of AI deployment. Commonwealth suppliers must disclose planned AI usage when quoting for services.
The Chief AI Officer role adapts to private sector contexts. You can combine it with existing CTO or CIO positions for smaller organisations. Government’s comprehensive approach demonstrates enterprise-scale governance is achievable.
How Do You Manage Organisational Change When Implementing AI Governance?
You need executive sponsorship with communication of AI strategy, expected outcomes, and resource requirements. Position governance as a strategic enabler for faster compliant AI adoption rather than a compliance burden.
Build an AI literacy foundation by implementing foundational AI literacy training for all staff before deploying governance frameworks. Create a common language for AI discussions across your organisation.
Engage development teams early. Position governance as engineering best practice like testing, security, and code review – not top-down policy imposition. Integrate controls into existing workflows developers already use: DevOps, security reviews, and change management.
Implement incrementally with phased rollout. Phase 1 covers accountability and transparency through Chief AI Officer appointment and system register creation. Phase 2 addresses risk management via impact assessments and classification. Phase 3 adds testing and monitoring. Phase 4 refines human control mechanisms and vendor accountability.
Start with quick wins demonstrating governance value. System registers provide visibility into AI usage. Chief AI Officer coordination removes adoption blockers. NAIC template usage avoids governance framework development from scratch.
Address resistance management concerns. The “governance slows innovation” concern gets answered by showing it enables faster compliant adoption. The “extra work for developers” concern gets addressed through integration with existing workflows.
Pilot programmes are a low-risk way to explore how AI works in your specific environment and gather real-world feedback before scaling.
Wrapping It All Up
The AI6 framework gives you streamlined, actionable governance aligned with international standards as outlined in the plan’s governance pillar. It integrates with existing privacy, security, and workplace frameworks so you’re not creating parallel systems. NAIC resources provide over $460 million in funding, templates, and guidance enabling practical implementation without developing governance from scratch.
The APS AI Plan demonstrates enterprise-scale adoption through Trust, People, and Tools pillars. The lessons are transferable. You can integrate governance into DevOps pipelines, security reviews, and privacy-by-design practices rather than creating parallel systems.
Start with Chief AI Officer appointment and system register creation as quick wins. Add impact assessments, then testing and monitoring protocols as your capability matures.
Access guidance and templates at industry.gov.au/naic. Subscribe to NAIC updates for funding opportunities and policy consultations.
FAQ
What is the difference between the AI6 framework and the previous Voluntary AI Safety Standard?
AI6 consolidates the previous Voluntary AI Safety Standard’s 10 guardrails into six practices. It’s more streamlined and actionable. NAIC published a crosswalk document mapping the 10 guardrails to the 6 practices, so you can transition existing implementations.
Do I need a dedicated Chief AI Officer or can I combine this with an existing role?
For smaller organisations, you can combine Chief AI Officer responsibilities with existing CTO or CIO roles. The requirement is executive accountability for AI governance, system register maintenance, and adoption strategy – not necessarily a standalone role. Larger organisations with extensive AI deployments may benefit from dedicated Chief AI Officers like the APS AI Plan demonstrates.
How do I determine if my AI system is higher-risk or lower-risk?
Use NAIC’s AI screening tool (available at industry.gov.au) to classify systems based on impact assessment across five domains: privacy, safety, fairness, security, and employment. Higher-risk systems typically affect vulnerable populations, make irreversible decisions, or have significant potential for harm.
Can I use commercial AI tools like ChatGPT, Claude, or Gemini under AI6 governance?
Yes, commercial AI tools are permitted under AI6 governance for lower-risk activities. The APS AI Plan’s Tools pillar guidance demonstrates this. These tools require risk assessment and appropriate controls based on use case. Document usage in your AI system register and apply proportionate governance.
How does AI governance integrate with existing Privacy Impact Assessments?
AI Impact Assessments can be combined with existing Privacy Impact Assessment workflows rather than creating separate processes. Both assess data handling, consent, and stakeholder effects. AI Impact Assessments just extend this to fairness, safety, security, and employment domains.
What should I include in my AI system register?
At minimum, document: system name and purpose, system owner and accountability, data sources and types used, key risks identified in impact assessment, controls and safeguards implemented, system classification, deployment status, last assessment date. NAIC provides downloadable templates at industry.gov.au.
How do I embed AI testing into CI/CD pipelines?
Treat AI testing like security scanning in your DevOps workflow. Add automated accuracy checks, bias detection scans, and robustness tests as pipeline gates before deployment. Integrate monitoring into existing observability platforms like Datadog, Prometheus, or New Relic rather than building separate AI monitoring infrastructure.
When should I use human-in-the-loop vs human-on-the-loop?
Use human-in-the-loop (HITL) for high-stakes, irreversible decisions where humans must actively review and approve each AI output before implementation – medical diagnoses, loan approvals, hiring decisions. Use human-on-the-loop (HOTL) for lower-risk systems where humans monitor AI operations and can intervene when needed – content recommendations, internal productivity tools.
How do I stay current with NAIC guidance updates and policy consultations?
Subscribe to the NAIC newsletter through industry.gov.au to receive updates on guidance changes, funding programme announcements, and policy consultation schedules. Assign responsibility for monitoring these updates to your Chief AI Officer or equivalent governance role.
What if I don’t have resources to implement all AI6 practices immediately?
Implement incrementally, starting with quick wins: (1) Appoint Chief AI Officer (or assign responsibilities to existing CTO/CIO), (2) Create AI system register using NAIC template, (3) Conduct impact assessments for higher-risk systems, (4) Add testing to deployment workflows. This builds capability progressively while showing early governance value.
How do I extend AI governance to third-party vendors and contractors?
Update vendor contracts to include AI usage disclosure requirements and accountability clauses. Follow the Commonwealth Contracting Suite amendments model from the APS AI Plan. Require vendors to document their AI usage in your system register, provide impact assessment results, and meet testing standards.
Does implementing AI6 governance slow down AI adoption in my organisation?
AI6 governance enables faster compliant AI adoption. It provides decision frameworks, reduces deployment uncertainty, and prevents incidents requiring rollback or remediation. Integration with existing DevOps pipelines, security reviews, and privacy processes embeds governance into workflows developers already use, avoiding separate approval bottlenecks.
