How We Govern AI

AI Governance. Automated.

Every Australian organisation is running AI it cannot see, cannot govern, and cannot prove it manages – we fix that.

AI governance in Australia is complex: Shadow AI is everywhere, and safe AI projects are difficult to monitor. Guvn.AI is built to help organisations automate the discovery of AI tools in real time (whether approved or not), assess the risk they pose, apply formal controls against Australia's sprawling set of 33 regulatory governance frameworks and assessments, and report to Directors, Regulators, Government overseers and international standards organisations.

Built natively for the Australian regulatory environment
33 Frameworks · 10 Sectors · 8 State Jurisdictions · 6 Regulatory Bodies
The reality inside Australian organisations

See every AI system. Govern every control. Prove every decision. Report to every regulator. Assure Directors on Safe AI.

01

Shadow AI

Staff are using AI tools the business has never approved, never inventoried, and cannot examine. The data flowing through them is already gone.

02

Assess AI Risk

Guvn.AI automatically and in real time assesses the risk of every AI tool in your organisation – approved or Shadow AI – across data, security, compliance and operational dimensions, so you always know your exposure.

03

Multiple overlapping frameworks

Privacy Act, APRA, NAIC AI6, ISO 42001, NIST AI RMF, the Corporations Act. Boards are drowning in the overlap and cannot tell where compliance starts and ends.

04

Personal director liability

Section 180 of the Corporations Act applies to AI failures the same way it applies to any other governance failure. The evidence trail does not exist.

The Platform

One system. Discovery, control, and the evidence to prove it. We use AI to govern AI.

Guvn.AI is the only Australian-native AI governance platform that simultaneously solves the four problems boards actually face: visibility into AI use, control over AI risk, alignment with Australian regulatory frameworks, and an evidence trail directors can stand behind. Five integrated modules.

MODULE 01

AI Tool Registry

A live inventory of every AI tool, model, agent and integration touching your data – risk-scored, classified, and continuously refreshed. 200+ tools pre-loaded; new ones surfaced automatically.

Discovery + classification
MODULE 02

Five-Vector Discovery

We surface AI activity across the network, browser, identity, SaaS estate and code repositories. The vectors a single-source scanner cannot see are exactly where the regulatory exposure lives.

Network + endpoint + cloud
MODULE 03

Policy & Control Manager

Translate the eight NAIC AI6 essential practices, ISO 42001 clauses and Privacy Act obligations into operational controls – with version history, evidence capture and exception management.

Operational controls
MODULE 04

Compliance Hub

One framework mapped against six. Run a single control set; produce APRA, OAIC, ISO 42001 and ASX-aligned evidence packs on demand. No duplicate work, no reconciliation gaps.

Cross-framework mapping
MODULE 05

Board Reporting Suite

Director-grade summaries with the audit trail underneath. Personal liability under section 180 demands evidence; this is the evidence layer, formatted for the board pack and the regulator both.

Director-ready output
MODULE 06

Continuous Assurance

Drift detection, anomaly alerts, and automated re-attestation as your AI estate changes. Compliance is a state, not an event – the platform keeps you in it.

Always-on monitoring
Detection Architecture

Five vectors. Because one is never enough.

A single-source AI scanner shows you what its sensor can see. Shadow AI lives in the gaps between sensors – the personal browser tab, the unsanctioned API key, the agent embedded inside a SaaS application your security team hasn't reviewed. Guvn.AI watches all five.

The result is the most complete picture of AI use in an Australian organisation that exists today. The 20% gap is where the regulatory exposure lives – and where every weekend prototype falls short.

  • 01 Network Telemetry: Outbound traffic to known and emerging AI endpoints, classified in real time.
  • 02 Browser Layer: Extension-level visibility into ChatGPT, Claude, Gemini, Copilot and 200+ tools.
  • 03 Agents, Identity & SSO: Sign-in events to AI services tied to user, role, and data sensitivity. AI agents detected and monitored alongside human-initiated activity.
  • 04 SaaS Estate: AI features embedded inside Microsoft 365, Salesforce, ServiceNow, Atlassian, and the long tail.
  • 05 Code & API: AI keys, embeddings and inference calls inside repos and pipelines.
Regulatory Coverage

Australian first. Everything else mapped.

Most AI governance platforms are designed against the EU AI Act and bolt the Privacy Act on afterwards. Guvn.AI is built the other way around. Australian instruments sit at the centre of the model; international frameworks cross-map onto them. The result: one control set, six frameworks, no duplicate work.

PRIVACY ACT 1988

Automated decision transparency

APP 1.7–1.9 obligations from December 2026. Register, PIA documentation, and data sensitivity scoring all built in.

APRA CPS 234 & CPS 230

Information security & operational risk

Identify, classify and secure every AI tool as an information asset (CPS 234); manage vendor AI under the same operational risk regime as any critical service provider (CPS 230). Continuous attestation, examination-ready evidence by default.

NAIC AI6

Australia's eight essential practices

Policy manager, compliance hub and evidence generation aligned to the National AI Centre's 2025 guidance.

CORPORATIONS ACT s.180

Director duty of care

Board reporting, risk register and governance trail formatted to the standard ASIC enforcement actually relies on.

DTA AI POLICY

Mandatory AI register, future-ready

The DTA mandatory register obligations are already met by the AI Tool Registry – no retrofit needed when they bind.

DISR AI REGISTER

Mandatory AI register (proposed)

The DTA mandatory register obligations are already met by the AI Tool Registry – no retrofit needed when they bind. DISR consultation closed 2025; instrument expected 2026–27.

MY HEALTH RECORDS ACT

AI in health data

Strict authorisation requirements for AI systems accessing or processing My Health Record data, with significant civil and criminal penalties for unauthorised access.

CONSUMER DATA RIGHT

CDR AI data obligations

Accredited data recipients using AI to process CDR data must disclose AI processing, maintain consumer consent, and comply with CDR data standards.

AGED CARE ACT

AI in aged care services

Rights-based obligations for AI used in aged care assessment, care planning and service delivery – with a strong focus on dignity, autonomy and human oversight.

ASD IRAP

Information security assessment

ASD IRAP assessment required for AI systems handling PROTECTED or above classified government data. Essential for AI suppliers to Australian Government and Defence.

AI SAFETY INSTITUTE

Frontier AI safety evaluations

Launched 2026, the Australian AI Safety Institute develops safety evaluation frameworks for high-risk AI systems. Engagement expected to become mandatory for frontier AI deployments.

QLD AI POLICY

Queensland Government AI Policy

Mandatory for all Queensland public sector agencies. Covers transparency, accountability, human oversight, safety and fairness – and requires completion of the FAIRA assessment.

FAIRA · QUEENSLAND

Foundational AI Risk Assessment

Queensland's structured AI risk assessment methodology – the first state government AI assessment framework delivered in Guvn.AI's Regulatory Command Centre. Mandatory for all QLD Government AI deployments.

LGAQ · QUEENSLAND

Local Government AI Guidance

LGAQ guidance on responsible AI governance for Queensland's 77 local councils – covering procurement, community consultation, workforce planning and minimum governance standards.

NSW AI STRATEGY

NSW Government AI Ethics Policy

Mandatory seven AI Ethics Principles and the NSW AI Assessment Framework for all agencies deploying AI in public-facing services. Applies to NSW agencies and referenced for local councils.

VICTORIAN AI FRAMEWORK

Victorian Government AI Framework

Mandatory AI disclosure registers for high-risk AI, human oversight requirements and departmental Secretary approval for high-risk deployments across Victorian public sector entities.

WA DIGITAL STRATEGY

WA Government AI Principles

Western Australia's digital transformation strategy includes AI governance principles for government agencies, with oversight by the Office of Digital Government.

SA DIGITAL GOVERNMENT PLAN

SA AI Governance

South Australian Government AI governance aligned with the SA Information Privacy Principles and Commonwealth frameworks. Applies to SA agencies and funded organisations.

ACT AI FRAMEWORK

ACT Government AI Framework

ACT AI governance guidance including Human Rights Act compatibility assessments for AI used in government decisions – reflecting the ACT's unique dual Commonwealth/Territory obligations.

NT DIGITAL GOVERNANCE

NT AI Governance Guidance

Northern Territory guidance with particular emphasis on remote community service delivery and Indigenous data sovereignty requirements for AI systems used in NT Government services.

TASMANIAN DIGITAL STRATEGY

Tasmania Government AI

Tasmanian Government Digital Strategy AI governance aligned with Commonwealth principles and the Personal Information Protection Act 2004. Whole-of-government approach for Tasmanian agencies.

TGA · MEDICAL DEVICES

AI as a regulated medical device

Software-as-a-Medical-Device (SaMD) classification and post-market AI surveillance for healthcare deployments.

ASD ESSENTIAL EIGHT

AI security baseline

Essential Eight maturity for AI tools and the data they process – mapped to information security expectations.

AICD GUIDANCE

Director-level AI oversight

Aligned to the AICD's published expectations on board AI governance, AI risk reporting and director education.

ASX LISTING RULES

Continuous disclosure for AI risk

Material AI exposures and incidents formatted for ASX continuous disclosure and operating risk reporting.

ACNC GOVERNANCE

Not-for-profit AI obligations

AI use mapped to ACNC governance standards for charities and not-for-profits with sensitive beneficiary data.

AESCSF v2

Energy sector cyber security

AEMO-led Australian Energy Sector Cyber Security Framework — covers IT and OT environments. AI tools in SCADA, DCS or energy management systems assessed across asset, change and identity domains. Supports SOCI Act Risk Management Programme obligations.

NER CYBER RULE 2024

AEMC NEM cyber security obligations

The December 2024 AEMC final rule embeds AI-related cyber risk as a core NEM power system security responsibility. AEMO now formally coordinates NEM-wide cyber incident response and distributes threat intelligence to all market participants.

AER AI BIDDING GUIDELINES

AI in wholesale electricity markets

The AER is actively reviewing AI and autobidders in NEM wholesale bidding. Market participants and their third-party AI providers face direct liability for NER bidding compliance breaches arising from AI-generated bids or rebids.

ISO 42001:2023

AI management system

Full clause-by-clause mapping in the Compliance Hub, with certification-ready evidence packs.

NIST AI RMF

Govern · Map · Measure · Manage

Risk scoring aligned to the four NIST functions, cross-referenced to Australian instruments.

EU AI ACT

Extraterritorial reach

For Australian organisations with EU customers or operations: prohibited uses, high-risk system obligations, and GPAI documentation handled.

ISO 27001

Information security baseline

AI-specific information security controls mapped against ISO 27001 Annex A – cross-mapped to APRA CPS 234.

Early access · Applications open

Use Guvn.AI inside your organisation before launch and help shape what we build.

Board-ready evidence

The evidence trail directors can stand behind.

Personal liability under section 180 of the Corporations Act applies to AI failures the same way it applies to any other governance failure. The Australian Institute of Company Directors has been clear: directors must be able to demonstrate informed oversight. That requires evidence, not assurance.

  • Audit-grade trail: Every control change, attestation and exception logged with timestamp, actor and rationale.
  • Pre-formatted board packs: Quarterly governance summary, exception register, and forward-looking risk view, ready for committee.
  • Examination-ready exports: APRA, OAIC and ISO auditor formats produced from the same evidence layer.
  • Cross-mapped citations: Every control mapped to the source instrument so reviewers can verify the basis on the page.
SAMPLE OUTPUT · BOARD PACK
Board AI Governance Summary Report cover
Executive summary and compliance scorecard
Risk profile table and portfolio distribution
Open actions, board decisions required

An anonymised extract from a real Guvn.AI board pack. Quarterly. Auto-generated. Director-grade.

Our foundation framework

Built on Australia's AI6 voluntary standard.

  • Published: National AI Centre, October 2025
  • Replaces: Voluntary AI Safety Standard (10 guardrails, Sept 2024)
  • Status: Voluntary, principles-based, technology-neutral
  • Covers: Accountability · Impact assessment · Risk management · Transparency · Testing · Human control

The AI6 is the short name for the six essential practices set out in Guidance for AI Adoption, published by Australia's National AI Centre in October 2025. It is the federal government's primary reference for how organisations should govern and adopt AI responsibly — covering accountability, impact assessment, risk management, transparency, testing and human control.

It is voluntary in the same way the ACSC Essential Eight is voluntary — increasingly the de facto standard of care that boards, regulators, auditors, large customers and investors expect to see. The National AI Plan (December 2025) confirms Australia will rely on existing laws plus the AI6 in the near term rather than introducing a standalone AI Act.

Guvn.AI is built on the AI6 as its operational control baseline. Every module — from the AI Tool Registry to the Compliance Hub to board reporting — maps directly to the six practices, with NAIC AI6 fully integrated alongside the Privacy Act and APRA as the core of the Australian control library. International frameworks including ISO 42001 and NIST AI RMF cross-map onto this Australian foundation, not the other way round.

Why Australian-native matters
The imported approach

Translation, not native fit

International platforms apply their EU AI Act control library and call the Privacy Act a sub-mapping. The framing is foreign. The enforcement context is foreign. The audit trail is shaped for someone else's regulator.

  • Privacy Act obligations bolted onto an EU baseline
  • No native APRA prudential framing
  • NAIC AI6 absent or shoehorned in
  • Board reporting written for a different liability regime
The Guvn.AI approach

Australian first, by design

Australian instruments are the spine of the model. International frameworks cross-map onto the Australian baseline – not the other way round. The evidence layer was built for ASIC, APRA and OAIC enforcement contexts.

  • Privacy Act and APRA at the centre of the control library
  • NAIC AI6 fully integrated as the operational baseline
  • Director liability framing throughout the evidence trail
  • EU AI Act and NIST RMF as cross-mapped references
Speak to the team

Every Australian organisation has at least three AI obligations active today. Most have five.

We can map them in an hour, deploy in days, and have your first board-ready evidence pack in your hands within the week.