AI practice
Practical AI governance for Australian businesses — policy, risk registers, board reporting, and the audit trail that satisfies both your CISO and your CEO.
AI governance is where most Australian organisations get stuck. The Voluntary AI Safety Standard, APRA's expectations, OAIC guidance, industry-specific obligations — the regulatory surface is real, but it's also implementable. Our AI governance practice produces governance artefacts your team can actually use: policies that map to specific obligations, risk registers with named owners, controls you can test, board-ready briefings that don't require translation. Implemented, not just documented.
What we deliver
Full AI governance baseline aligned to the Voluntary AI Safety Standard + your industry regulators. Policy, risk register, control framework, board pack. Productised offer with disclosed pricing.
Mapping the 10 guardrails to your organisation. Where you already comply, where the gaps are, what implementing each one practically looks like. Output: a 6-month implementation plan.
AI use policies, AI risk frameworks, AI ethics charters, AI procurement guidelines — drafted to fit your organisation, not generic templates dressed up.
Independent AI briefings for boards, audit committees and exec teams. What's actually changing in the AI regulatory landscape, what it means for your business, what the board needs to ask management.
When to engage us
Stack
Engagement-specific stack choices are always driven by your constraints. Below is what we have current production experience with.
FAQ
Yes — for now. But it's the published expectation of the federal government and increasingly the baseline regulators and procurement bodies refer to. Treating it as if it were mandatory is the prudent move; aligning to it now costs significantly less than retrofitting in 12-24 months when it likely becomes the de facto compliance baseline.
AI systems are in-scope for both. CPS 234 (information security) treats LLM APIs the same as any external data flow. CPS 230 (operational risk) treats AI systems as material service providers when they're critical to operations. Our APRA-regulated client engagements always map AI-specific risks back to the CPS frameworks explicitly — internal audit can adopt the documentation directly.
Our governance frameworks are designed to absorb change without rewrite. The pattern: policies stated at the principle level; risk register mapped to specific implementation evidence; controls testable. When new regulation arrives (e.g. a mandatory AU AI Act, EU AI Act-adjacent obligations), the policy frame absorbs it; you update the evidence layer, not the architecture.
Yes. Independent AI briefings for boards and audit committees are a frequent engagement pattern. Typically a 60-minute prepared briefing + 30-minute Q&A; we provide a 2-page summary deck the company secretary can append to the board pack.
Next step
Discovery calls are 30 minutes, no deck, no pitch. We’ll tell you honestly whether we’re the right team for your specific situation.