Perspectives

Australia's agent governance gap

69% of Australian organisations already run autonomous AI agents; 22% have advanced governance for them. I have watched this movie in every compliance wave of my career, and this time the dates are already printed.

Published
2 July 2026
Updated
3 July 2026
Read
4 min read

Australian organisations adopted agents faster than they governed them. 69% already run autonomous AI agents somewhere in the business; 22% have advanced agent governance in place. The global picture is the same shape: close to three quarters of enterprises plan agents within two years, and 21% report a mature governance model.

I have spent much of my career inside Australian regulated institutions, and I have never seen a capability spread this far ahead of its control structure. What makes this wave different from the ones I worked through is that the compliance clock is already printed:

  • 1 July 2025 — APRA's CPS 230 came into force. It treats material service providers, an AI platform among them, as regulated dependencies for banks, insurers, and superannuation trustees.
  • October 2024 — ASIC's Report 798 reviewed AI governance across 624 use cases at 23 licensees and said it plainly: governance should arrive ahead of deployment, and the gap between the two is where licensees fail.
  • 1 July 2026 — every non-corporate Commonwealth entity was required to have a Chief AI Officer. 104 of 106 met the deadline. Named, senior AI accountability is now the public-sector default.
  • 10 December 2026 — the Privacy Act's automated-decision-making disclosure obligations take effect. If an automated decision uses personal information, your privacy policy must say so.

What "governed" actually means

Governance programmes fail as policy documents and succeed as operating controls. Four columns cover what I would require of any agent deployment, and they are the same four we run inside every engagement:

Model. Which model does which work, pinned by role and workload, with a documented path to swap it. "Whatever the vendor ships" is not an answer a regulator accepts for any other material input.

Cost. Spend visible per user and per task, caps set before scale. Agent workloads consume by the token, not the seat; one ungoverned power user can quietly consume a month's budget.

Security. Data residency, retention, and access defined in writing; every agent action logged and auditable. The December disclosure obligation is easy to meet if the inventory of automated decisions already exists, and painful if it has to be reconstructed in November.

Guardrails. What agents may touch, where humans hold the gates, and what evidence each gate requires. The gate positions are the real design decision: money, legal exposure, and customer-visible actions stay human-gated long after throughput moves to agents.

The advantage in going first

The gap statistic reads as a warning; I read it as a ranking. Two organisations in three are already running agents, and roughly one in five can demonstrate governed operation to a board, a regulator, or an acquirer. The organisation that can show its model register, its cost-per-task instrumentation, its audit trail, and its gate evidence is not slower for it. It is the one that gets to scale, because it is the one that can answer the questions that arrive after the first incident.

The dates above are the same for everyone. What differs is whether they arrive as deadlines or as differentiators.


Sources

  • Deloitte Australia, State of AI in the Enterprise (Australian cut), 12 February 2026: 69% of Australian organisations run autonomous agents; 22% have advanced agent governance.
  • Deloitte, State of AI in the Enterprise, 9th edition, January 2026 (n=3,235, 24 countries): close to three quarters plan agents within two years; 21% mature governance.
  • APRA, Prudential Standard CPS 230 (Operational Risk Management), in force 1 July 2025.
  • ASIC, Report 798, Beware the gap: Governance arrangements in the face of AI innovation, 29 October 2024.
  • Australian Government Department of Finance, APS Chief AI Officer mandate, effective 1 July 2026.
  • Privacy and Other Legislation Amendment Act 2024: automated-decision disclosure obligations, decisions on or after 10 December 2026.

Book a scoping conversation.

A free working conversation on where you stand, and the first move that fits.

Book a scoping conversation