Complete Inventory of Australian AI Security Documents

April 17, 2026 ยท View on GitHub

68 documents across federal and state/territory governments

This inventory catalogues all known Australian AI Security standards, policies, frameworks, and guidance documents. Each entry includes status (mandatory/voluntary), scope, and direct links where available.

Legend:

  • Mandatory - Legal or policy requirement
  • Sector-Specific - Binding for specific industries
  • Voluntary - Best practice
  • Guidance - Informational/advisory
  • Date - Latest version or release date
  • Link - Direct URL to document

Table of Contents

  1. Federal - ACSC/ASD Technical Guidance
  2. Federal - Information Security Manual (ISM)
  3. Federal - Protective Security Policy Framework (PSPF)
  4. Federal - Critical Infrastructure (SOCI/CISC)
  5. Federal - Digital Transformation Agency (DTA)
  6. Federal - Department of Industry, Science and Resources (DISR)
  7. Federal - Sector Regulators
  8. Federal - Other Agencies
  9. New South Wales
  10. Victoria
  11. Queensland
  12. South Australia
  13. Western Australia
  14. Tasmania
  15. Northern Territory
  16. Australian Capital Territory
  17. Cross-Jurisdictional

Federal - ACSC/ASD Technical Guidance

Primary technical guidance for AI security from Australia's cyber security authority.

DocumentDateStatusPartnersKey Focus
Engaging with Artificial IntelligenceJan 2024VoluntaryCISA, FBI, NSA, NCSC-UK, CCCS, NCSC-NZ, Japan NISCData poisoning, prompt injection, supply chain risks, model stealing
Deploying AI Systems SecurelyApr 2024VoluntaryNSA AISC (lead), Five EyesSecure deployment, access controls, network segmentation, AI red-teaming, GPU security
Guidelines for Secure AI System DevelopmentNov 2023VoluntaryNCSC-UK/CISA (lead), 23 agenciesSecure design lifecycle, SBOM, supply chain, threat modelling
AI Data SecurityMay 2025VoluntaryNSA AISC, Five EyesData supply chain, poisoning, encryption, provenance tracking, content credentials
AI/ML Supply Chain Risks and MitigationsOct 2025VoluntaryASD's ACSC onlyPre-trained model risks, AI BOMs, vendor risk, defence-in-depth
Content CredentialsJan 2025VoluntaryNSA, CCCS, NCSC-UKDeepfakes, media provenance, C2PA standard, cryptographic signing
Frontier Models and Their Impact on Cyber SecurityApr 2026GuidanceASD's ACSCFrontier AI vulnerability discovery, patch tempo, attack surface reduction, defence-in-depth, Secure by Design

Note: ACSC publishes AI-related alerts and advisories periodically. Check cyber.gov.au for current advisories.

Federal - Information Security Manual (ISM)

Mandatory security controls for Australian Government entities. AI-specific controls added 2024-2025.

Control IDTitleDate AddedApplicabilityRequirement
ISM-1923OWASP Top 10 for LLMJun 2024MandatoryMitigate risks identified in OWASP Top 10 for Large Language Model Applications
ISM-1924Adversarial Input DetectionJun 2024MandatoryDetect and mitigate adversarial inputs including prompt injection attempts
ISM-2072AI Model Storage FormatsSep 2025MandatoryStore AI models in formats that do not allow arbitrary code execution (e.g., safetensors over pickle)

Source: Information Security Manual

GuidelineRelevance to AI
Guidelines for Software DevelopmentApplies to AI/ML code development
Guidelines for System HardeningApplies to AI infrastructure
Guidelines for Database SystemsApplies to training data storage
Guidelines for CryptographyApplies to model encryption, secure inference

Federal - Protective Security Policy Framework (PSPF)

Mandatory protective security requirements for Commonwealth entities.

DocumentDateStatusScopeKey AI Provisions
PSPF Release 2025Jul 2025MandatoryNon-corporate Commonwealth entitiesNew AI, quantum, and connected peripherals content
PSPF Policy Advisory 001-2025Oct 2025MandatoryAll Commonwealth entitiesRules for OFFICIAL information with generative AI; approved providers (OpenAI, Anthropic)
PSPF Direction 001-2025 (DeepSeek Ban)Feb 2025MandatoryAll Commonwealth entitiesProhibition on DeepSeek products, applications, web services

PSPF Supporting Materials

DocumentPurpose
Hosting Certification FrameworkCertifies AI service providers for government use
FOCI Assessment GuidelinesForeign Ownership, Control, Influence assessment for AI providers

Federal - Critical Infrastructure (SOCI/CISC)

Requirements for critical infrastructure sectors under the Security of Critical Infrastructure Act 2018.

DocumentDateStatusScopeAI Relevance
Security of Critical Infrastructure Act 2018Nov 2024 (amended)Mandatory22 critical infrastructure asset classesAI systems in CI must be covered under CIRMP
CIRMP RulesAug 2024MandatoryResponsible entitiesCyber hazard vector covers AI systems
CISC AI FactsheetJun 2025GuidanceCritical infrastructure ownersThree AI risk categories: attacks using AI, attacks on AI, AI reliability failures
Cyber Incident Reporting RequirementsJul 2024MandatoryCI asset owners12-hour reporting for critical AI-related incidents

Federal - Digital Transformation Agency (DTA)

AI governance for the Australian Public Service.

DocumentDateStatusScopeKey Requirements
Policy for the Responsible Use of AI in Government v2.0Dec 2025MandatoryNon-corporate Commonwealth entitiesChief AI Officers, transparency statements, high-risk oversight
AI Plan for the Australian Public ServiceNov 2025PolicyAPSEvery agency to have AI training, Chief AI Officers, usage tracking
AI Technical StandardJul 2025MandatoryCommonwealth agenciesTechnical implementation requirements
Public Generative AI Tools GuidanceJun 2024GuidanceAPS staffDo's and don'ts for public GenAI
GovAI Platform Requirements2025MandatoryAgencies using GovAISovereign hosting, security controls

Federal - Department of Industry, Science and Resources (DISR)

National AI policy and adoption guidance.

DocumentDateStatusScopeKey Content
National AI PlanDec 2025PolicyNational9 actions; AISI establishment; no dedicated AI Security provisions
Guidance for AI Adoption (AI6)Oct 2025VoluntaryAll sectors6 essential practices for responsible adoption
Being Clear About AI-Generated ContentOct 2025VoluntaryAll sectorsLabelling, watermarking, metadata recording
Voluntary AI Safety Standard (VAISS)Sep 2024Voluntary (superseded)All sectors10 guardrails; replaced by AI6
Australia's AI Ethics PrinciplesOct 2024 (updated)VoluntaryAll sectors8 principles including privacy, security

Federal - Sector Regulators

Binding requirements for specific regulated industries.

Financial Services (APRA/ASIC)

DocumentDateStatusScopeAI Provisions
CPS 234 Information SecurityJul 2019MandatoryAPRA-regulated entitiesAll infosec requirements apply to AI systems
CPS 230 Operational Risk ManagementJul 2025MandatoryAPRA-regulated entitiesNew technology (including AI) risk assessment
ASIC Report 798: Beware of the GapOct 2024GuidanceFinancial servicesAI governance, third-party risk, human oversight
SPS 220 Risk ManagementVariousMandatorySuperannuationApplies to AI in investment decisions

Online Safety (eSafety)

DocumentDateStatusScopeAI Provisions
eSafety Industry StandardsJun 2024MandatoryOnline service providersGenAI services, AI companion chatbots, model distribution platforms
eSafety Generative AI Position Statement2024GuidanceGenAI providersSafety by design expectations

Privacy (OAIC)

DocumentDateStatusScopeAI Provisions
OAIC Guide to Data Analytics and AI2023GuidanceAPP entitiesPrivacy obligations for AI
APP Guidelines - AI Automated DecisionsDec 2026MandatoryAPP entitiesDisclosure requirements for automated decisions (APP 1.7-1.9)

Healthcare (TGA)

DocumentDateStatusScopeAI Provisions
TGA Regulation of Software as Medical Device2021MandatoryMedical AIAI in medical devices, SaMD classification
AI in Healthcare Legislation ReviewOngoingReviewHealthcare sectorReview of AI regulation in healthcare

Federal - Other Agencies

AgencyDocumentDateStatusScopeKey Focus
DefenceMethod for Ethical AI in Defence2021Mandatory (Defence)Defence AIVerification, human control, IHL compliance
Attorney-General'sCopyright and AI Reference GroupOngoingConsultationAI developersCopyright implications of AI training
FinanceNational Framework for AI AssuranceJun 2024FrameworkAll governments5 cornerstones for AI assurance (also listed under Cross-Jurisdictional)
EducationAustralian Framework for GenAI in SchoolsDec 2023GuidanceSchoolsSafe classroom use of GenAI

New South Wales

Maturity Level: Comprehensive

NSW operates Australia's most mature mandatory government AI governance framework.

DocumentDateStatusScopeKey Requirements
NSW AI Assessment Framework (AIAF)Mar 2022MandatoryAll NSW GovernmentRisk self-assessment, lifecycle governance, >$5M to DAF
NSW AI Ethics Policy2022MandatoryAll NSW Government6 mandatory principles
Circular DCS-2024-042024MandatoryAll NSW Government bodiesCompliance directive
NSW AI Strategy2024PolicyNSW GovernmentStrategic direction
Cyber Security NSW GenAI Guidance2024GuidanceNSW agenciesDo's and don'ts for public GenAI
NSW AI Review Committee Terms2022GovernanceHigh/very-high risk projectsExpert review of significant AI

Victoria

Maturity Level: Developing

Victoria formalised AI governance in November 2024 with mandatory guidelines.

DocumentDateStatusScopeKey Requirements
Administrative Guideline for Safe and Responsible Use of GenAI in VPSNov 2024MandatoryVictorian Public SectorAdopts 8 AI Ethics Principles
Victorian AI Assurance FrameworkPilotingIn developmentVPSUnder development, piloting with Copilot
VPDSF v2.12023MandatoryVictorian agencies12 mandatory standards, 5 domains - applies to AI
OVIC AI Privacy Guidance2024GuidanceVictorian organisationsPrivacy obligations for AI
Victoria Police AI Ethics FrameworkMar 2024Mandatory (VicPol)Victoria Police8 enabling principles including Human Rights

Queensland

Maturity Level: Developing

Queensland has comprehensive mandatory policy with sophisticated risk assessment.

DocumentDateStatusScopeKey Requirements
AI Governance PolicySep 2024MandatoryQLD GovernmentISO 38507-based governance, ISMS integration
FAIRA Framework2024MandatoryQLD GovernmentTwo-part risk assessment (Components + Values)
IS18 Information and Cyber Security Policy2024MandatoryQLD GovernmentMandatory ISMS, Essential Eight implementation
QChat GenAI Environment2024PlatformQLD GovernmentSecure government-approved GenAI
OIC AI Privacy Guidance2024GuidanceQLD agenciesPrivacy and RTI obligations for AI

South Australia

Maturity Level: Developing

SA established Australia's first state Office for AI in July 2025.

DocumentDateStatusScopeKey Requirements
Office for Artificial IntelligenceJul 2025GovernanceSA Government$28M budget, strategic coordination
AI Ethics Policy (DTF/P9.1)2024MandatorySA GovernmentDesign, development, deployment, operation
LLM Guideline (DPC/G13.1) v1.32024OptionalSA GovernmentPractical LLM controls
SACSF v2.02024MandatorySA Government18 policy statements, 4-tier implementation

Western Australia

Maturity Level: Comprehensive

WA has the most comprehensive framework among smaller jurisdictions.

DocumentDateStatusScopeKey Requirements
WA Government AI Policy v2Jul 2025MandatoryWA GovernmentAI Accountable Officers by Sep 2025
WA AI Assurance Framework2024MandatoryWA GovernmentSelf-assessment, mid-range+ to Advisory Board
WA AI Advisory BoardJan 2025GovernanceHigh-risk projectsIndependent expert review
WA Cyber Security Advisory 20230509001May 2023AdvisoryWA agenciesAI chatbot security risks
WA Health AI Policy (MP 0193/25)2025Mandatory (Health)WA HealthSector-specific AI requirements

Tasmania

Maturity Level: Minimal

Tasmania has the least developed AI governance, relying on guidance.

DocumentDateStatusScopeKey Content
Guidance for AI Use in Tasmanian Government v1.42024VoluntaryTAS Government7 recommendations; references NSW AIAF
Digital Strategy - AI Focus2024StrategyTAS GovernmentStrategic intent only

Note: Tasmania recommends using NSW AIAF for detailed guidance. Economic Diversification and Investment Strategy with AI focus expected H1 2026.

Northern Territory

Maturity Level: Basic

NT has a mandatory framework with territory-specific principles.

DocumentDateStatusScopeKey Requirements
NT Government AI Assurance FrameworkMay 2024MandatoryNT Government6 NT-specific AI Ethics Principles
AI Advisory Board2024GovernanceHigh-risk assessmentsReports to ICT Governance Board

NT AI Ethics Principles:

  1. Community Benefit
  2. Safety
  3. Fairness
  4. Privacy and Security
  5. Transparency
  6. Accountability

Australian Capital Territory

Maturity Level: Developing

ACT released comprehensive mandatory framework in May 2025.

DocumentDateStatusScopeKey Requirements
ACT Government AI Policy v1.0May 2025MandatoryACT Government4 responsible officers per AI initiative
ACT AI Assurance FrameworkMay 2025MandatoryACT GovernmentAligned with National and NSW frameworks
AI Advisory Group (AIAG)2025GovernanceMedium/high riskReviews significant assessments

ACT Required Officers:

  • AI System Owner
  • AI Administrator
  • Data Custodian
  • Project Manager

Cross-Jurisdictional

Documents agreed or relevant across multiple jurisdictions.

DocumentAuthorityDateScopeStatus
National Framework for AI Assurance in GovernmentData and Digital MinistersJun 2024All governmentsFramework
Australia's AI Ethics PrinciplesDISR2024NationalReferenced by all jurisdictions
Essential Eight Maturity ModelACSCOngoingReferenced nationallySecurity baseline

Document Totals by Jurisdiction

JurisdictionMandatorySector-SpecificVoluntaryTotal
Federal - ACSC0077
Federal - PSPF/DHA3025
Federal - DTA3025
Federal - DISR0055
Federal - Regulators06410
Federal - Other2024
NSW4026
VIC3115
QLD3025
SA2024
WA3115
TAS0022
NT1012
ACT2013
TOTAL2683468

Last Updated

17 April 2026

See CHANGELOG.md for update history.

Contributing

Found a missing document? See CONTRIBUTING.md to submit additions or corrections.