← All posts

TL;DR

Australia's Automated Intelligence and Data Act (AIDA) proposes penalties up to 5 percent of global annual turnover for high-impact AI systems. The bill covers employment, credit, insurance, healthcare, education, and critical infrastructure. Organisations will need impact assessments, bias testing, explainability documentation, and human oversight. AI vendor compliance becomes the deploying organisation's liability — you can't contract out of AIDA obligations.

There is a bill before the Australian Parliament that could impose fines of up to five per cent of global annual turnover on organisations deploying high-impact artificial intelligence. For a mid-sized Australian company doing fifty million dollars in revenue, that's two and a half million. For an ASX 200 enterprise, it's a number that gets the board's attention within about thirty seconds of being mentioned. For a multinational with significant Australian operations, it's the kind of penalty that changes how global compliance budgets are allocated.

The Automated Intelligence and Data Act — AIDA — is not law yet. But it has bipartisan support in principle, it follows the model established by the EU AI Act, and every indication from Canberra is that AI regulation with serious penalties is coming. The question is not whether. The question is whether your organisation will be ready when it lands.

What the Bill Covers, and What It Doesn't

AIDA is not a blanket regulation of all artificial intelligence. It is targeted at what the bill calls "high-impact" AI systems — the ones that can cause significant harm if they go wrong. The definition is broad enough to capture most enterprise AI deployments that touch people's lives.

AI used in employment decisions falls under the bill. If your organisation uses AI to screen resumes, score candidates, conduct video interviews, assess performance, or make promotion or termination recommendations, that system is likely to be classified as high-impact. The logic is straightforward: an AI that determines whether someone gets a job or keeps a job has a direct and significant effect on that person's life. The regulation follows the impact.

AI used in credit, insurance, and financial product decisions is covered. Automated underwriting, AI-driven claims assessment, algorithmic pricing, and credit scoring models that affect whether someone can get a loan or insurance all fall within scope. These are decisions with financial consequences for individuals, and AIDA treats them accordingly.

AI used in healthcare and medical contexts is covered. Diagnostic support tools, treatment recommendation systems, patient triage algorithms — any AI that influences clinical decisions or patient outcomes is high-impact by definition.

AI used in education and training is covered. Automated grading, student assessment, learning pathway recommendations, and admissions decisions all involve AI systems that affect educational opportunities and outcomes.

AI used by government agencies is covered. Any automated system that affects citizens' access to services, benefits, or rights falls within scope. This is not hypothetical. The Robodebt Royal Commission demonstrated what happens when automated decision-making in government goes wrong, and AIDA is in part a legislative response to that lesson.

AI used in critical infrastructure is covered. Energy, water, transport, communications — any AI system that could disrupt essential services if it fails is regulated under the bill.

What's not covered? Low-risk AI. A chatbot that answers frequently asked questions on a website. A spell-checker. A recommendation engine for music or movies. The bill draws a line between AI that affects people's rights and opportunities and AI that doesn't, and it regulates the former.

What the Bill Requires

Organisations deploying high-impact AI will face a set of obligations that, while still being refined through the parliamentary process, follow a consistent logic: if your AI can significantly affect people, you need to be able to demonstrate that it does so fairly, safely, and accountably.

Impact assessments are the foundation. Before deploying a high-impact AI system, organisations will need to conduct and document an assessment of the system's potential effects on individuals and groups. This isn't a one-time exercise. The bill requires regular reassessment, reflecting the reality that AI systems change over time — models are updated, training data shifts, deployment contexts evolve. An impact assessment from 2026 is not adequate for a system running in 2028.

Bias testing and fairness documentation are mandatory. Organisations must test their AI systems for biased or discriminatory outcomes and document the results. This means testing across relevant demographic dimensions — not just the ones the vendor tested for, but the ones that matter under Australian law. If the model was trained on US data and tested against US protected classes, that does not satisfy the requirement for an Australian deployment where different attributes are protected under the Fair Work Act, the Racial Discrimination Act, the Sex Discrimination Act, and the Disability Discrimination Act.

Explainability is a specific obligation. Affected individuals have the right to a meaningful explanation of how an AI system reached a decision that affected them. Not the mathematics. The reasoning. A customer denied credit by an AI model is entitled to understand why. An applicant rejected by an AI screening tool is entitled to understand what factors led to the rejection. If your organisation cannot provide that explanation because the vendor's model is a black box, you have a compliance problem.

Human oversight must be maintained. AI systems can recommend, suggest, or prepare decisions, but the bill requires that meaningful human oversight remains in the loop for high-impact decisions. The human must be able to understand the AI's recommendation, assess its validity, and override it where appropriate. A human who simply clicks "approve" on whatever the AI recommends is not meaningful oversight.

Notification to regulators is required. Organisations deploying high-impact AI must notify the relevant authority. This creates a regulatory register of high-impact AI deployments, which in turn enables targeted oversight. If your organisation deploys high-impact AI and doesn't notify the regulator, that's itself a compliance failure.

Record-keeping is comprehensive. Organisations must maintain documentation of AI system design, training data provenance and composition, testing results, bias assessments, change logs, and oversight decisions. When the regulator asks, the records must exist. When a court asks, the records must be producible. A verbal assurance from the vendor that everything is fine is not a record.

The Vendor Problem

Here is the part of AIDA that will catch organisations off guard: you cannot contract your way out of compliance. If you buy an AI system from a vendor and deploy it in a high-impact context, you are the regulated entity. The vendor might have made the model. The vendor might have trained it. The vendor might host it. But you deployed it. You used it to make or influence decisions about people. You bear the liability.

This means that vendor due diligence becomes not just best practice but a legal necessity. You need documented evidence that the AI you deploy meets AIDA's requirements. The vendor's website saying "fair and unbiased AI" is not evidence. The vendor's sales team assuring you the model is compliant is not evidence. An independent audit that examines the training data, tests the outputs for bias, documents the decision logic, and verifies the vendor's claims — that's evidence.

And here is the sharper edge: if the vendor won't provide the information needed for an audit, you can't deploy the system. AIDA doesn't exempt black-box AI. If you can't explain it, you can't use it. If the vendor's model is proprietary and they won't disclose enough to satisfy the explainability obligation, the model can't be used for high-impact decisions. The bill doesn't bend to accommodate vendors who want to protect their intellectual property. The obligation to explain rests with the deploying entity. If you can't meet it, you can't deploy.

The Timeline and What to Do Now

AIDA is in Parliament. The committee process will refine it. The final form may differ from the current draft. But the fundamentals are stable: high-impact AI will be regulated, deploying entities will be responsible, and penalties will be serious. This is the consensus position across both major parties. The bill may change, but the direction will not.

The organisations that will be ready when AIDA becomes law are the ones that started building compliance infrastructure before they were legally required to. They are auditing their AI vendors now. They are conducting impact assessments now. They are testing for bias now. They are building the documentation trails that will satisfy a regulator now. By the time the law requires these things, they will already have them.

The organisations that will be caught out are the ones waiting for the bill to pass before they act. They will discover that auditing AI systems takes time, that vendors are slow to respond to due diligence requests, that bias testing requires expertise they don't have in-house, and that building compliance infrastructure from scratch under a regulatory deadline is expensive and stressful. They will be the organisations that make the news when the first AIDA enforcement actions land.

Regulators notice which group you're in. Starting early signals that you take the obligation seriously. Starting late signals that you waited until you had no choice. When an incident occurs — and in AI, incidents are a matter of when, not if — the regulator will ask what you did before the incident, not what you scrambled to do after.

The Competitive Advantage

AIDA, like the EU AI Act before it, will create a dividing line in the market. Organisations that can demonstrate AI compliance will have a competitive advantage. They will be able to deploy AI in high-impact contexts that competitors cannot. They will be the vendors that regulated entities can buy from without inheriting compliance risk. They will be the partners that sophisticated customers choose because the audit trail exists.

The flip side is that organisations that cannot demonstrate AI compliance will be locked out. Regulated entities won't buy from them because AIDA makes the deploying entity liable for the vendor's compliance gaps. Sophisticated customers won't choose them because the risk is too high. The market will bifurcate into audited and unaudited AI, and the audited side will command a premium.

This isn't speculation. It's what happened in Europe after the GDPR. It's what happened in financial services after Basel. It's what happens every time a serious regulatory framework is introduced: the prepared organisations thrive, and the unprepared organisations scramble.

Get ahead of AIDA. An independent AI vendor audit builds the compliance infrastructure you'll need before the bill becomes law.

Frequently asked questions

What is the AIDA bill?

The Automated Intelligence and Data Act is proposed Australian legislation that would regulate high-impact AI systems with penalties up to 5 percent of global annual turnover. It covers AI used in employment, credit, insurance, healthcare, education, government, and critical infrastructure.

How much can AIDA fine a company?

Up to 5 percent of global annual turnover. For a $50 million company that's $2.5 million. For a $500 million enterprise, $25 million.

Does AIDA apply to AI we buy from third-party vendors?

Yes. If you deploy a third-party AI system in a high-impact context, you are liable for its compliance. You cannot contract out of AIDA obligations — the deploying organisation bears the responsibility.

When will AIDA become law?

AIDA is still in Parliament and the final form may change. However, it has bipartisan support in principle and follows the EU AI Act model. The direction is clear even if the timeline is not yet fixed.

How should companies prepare for AIDA?

Start auditing AI vendors now. Document AI system design, training data provenance, bias testing results, and decision explainability. Conduct impact assessments. Establish human oversight mechanisms. Companies that build compliance trails before AIDA passes will be ahead of competitors who wait.