AI Governance

AI governance

We build AI, and we help you use it responsibly. We can assess your AI risk, implement ISO 42001, and keep your governance current as the rules tighten. There's no single AI law in Australia, but existing privacy, consumer, and anti-discrimination laws all apply to how you use AI, and we help you make sense of the patchwork.

What's involved

A rapid assessment of how your organisation is using AI today and where the governance gaps are. Maps current AI usage across the business, identifies shadow AI, and assesses risk posture against Australia's Guidance for AI Adoption (6 essential practices), ISO 42001, and existing legal obligations under the Privacy Act, consumer law, and anti-discrimination law. With Privacy Act reforms introducing automated decision-making transparency obligations in December 2026, this isn't hypothetical — a practical assessment that gives leadership a clear picture of AI risk exposure and a prioritised action plan.

Deliverables

  • AI usage inventory across the organisation
  • Shadow AI identification and risk assessment
  • Gap analysis against Guidance for AI Adoption (6 essential practices)
  • Risk heat map with prioritised findings
  • Board-ready summary report
  • Recommended governance roadmap

Business benefits

  • Clear picture of AI risk exposure before regulators ask
  • Identifies shadow AI before it creates compliance or security issues
  • Practical roadmap aligned with Australian and international frameworks
  • Foundation for ISO 42001 implementation if needed

Engagement process

DiscoveryInterview key stakeholders, map AI usage across the organisation.
AssessmentEvaluate against frameworks (Guidance for AI Adoption, ISO 42001) and existing legal obligations, identify gaps and risks.
AnalysisRisk assessment and prioritisation of findings based on impact and likelihood.
ReportBoard-ready findings, governance roadmap, and recommendations for next steps.
Discuss this assessment

ISO 42001 Implementation

What's involved

ISO/IEC 42001 is the world's first AI management system standard, published December 2023. We build your AI Management System (AIMS) from the ground up — scope, AI risk assessment, controls, policies, and governance structure. This isn't a documentation exercise; it's a management system that changes how your organisation identifies, assesses, and treats AI-specific risks including ethical considerations, transparency, bias, and data quality. Integrates with existing management systems (ISO 27001, ISO 27701) if you have them. We support from gap analysis through to certification readiness.

Deliverables

  • AIMS scope definition and context
  • AI risk assessment methodology and treatment plan
  • AI system inventory and classification
  • Statement of Applicability with control mapping
  • AIMS documentation suite (policies, procedures, records)
  • Internal audit programme and first AI-focused audit
  • Certification audit preparation and support

Business benefits

  • First-mover advantage — ISO 42001 is becoming enterprise-expected
  • Systematic approach to AI risk that replaces ad-hoc policies
  • Competitive advantage in tenders and enterprise procurement
  • Framework that integrates with existing ISO 27001/27701 certifications

Engagement process

Gap analysisAssess current AI governance against ISO 42001 requirements.
AIMS designScope, risk methodology, governance structure, and Statement of Applicability defined with your leadership team.
ImplementationControls implemented, documentation created, processes established. Your team is trained and involved throughout.
Internal auditVerify the AIMS is operating effectively and identify gaps before certification.
Certification supportAudit preparation, auditor liaison, and support through to successful ISO 42001 certification.
Discuss this implementation

AI Risk Assessment

What's involved

AI risk doesn't stop after the initial assessment or certification. This is an ongoing service for organisations that need continuous AI risk management. We monitor your AI risk register, assess new AI tools and use cases before deployment, maintain your AIMS, and provide regular board reporting on AI risk posture. Also covers supplier AI risk — assessing third-party AI tools your vendors are using that may affect your data or operations.

Deliverables

  • Ongoing AI risk register maintenance
  • New AI tool/use case risk assessments
  • Supplier AI risk assessments
  • Regular board reporting on AI risk posture
  • AIMS maintenance and continuous improvement
  • Shadow AI monitoring and detection
  • Regulatory change monitoring (Privacy Act reforms including December 2026 automated decision-making obligations)

Business benefits

  • Manage AI risk before it becomes a compliance problem
  • Board confidence that AI risks are being governed
  • Early warning on regulatory changes affecting AI usage
  • Vendor AI risk visibility before it becomes your problem

Engagement process

OnboardingEstablish baseline, review existing AIMS and current risk register.
MonitoringOngoing risk register maintenance, shadow AI detection, emerging risk tracking.
AssessmentEvaluate new AI tools and use cases before deployment, assess vendor AI tools.
ReportingRegular board-level AI risk reporting with status updates and emerging issues.
ReviewQuarterly review of scope and emerging risks, AIMS updates as needed.
Discuss ongoing AI governance

Ready to govern AI responsibly?

Whether you're starting from scratch or building on existing frameworks, we'll give you an honest assessment of where you stand.

Get in touch