The flagship Helixar research report on enterprise AI governance in Australia and New Zealand, covering regulation, standards, operational resilience, privacy, agentic AI, readiness, board assurance, and control-plane evidence.
Executive summary
- Enterprise AI governance in Australia and New Zealand has moved from policy drafting to operating capability. Boards now need to know where AI is used, which workflows are material, which controls operate, and what evidence proves governance worked.
- Australia and New Zealand are not one regulatory market. Australia is moving through voluntary AI safety guidance, sector regulation, prudential operational risk, information security, privacy, consumer, employment, and safety settings. New Zealand is emphasising AI adoption confidence, privacy principles, public-sector AI guidance, and existing law.
- The most material 2026 shift is agentic AI. Organisations are no longer only governing model outputs. They are governing delegated authority, tool access, workflow action, vendor AI, evidence, and operational dependency.
- The leading enterprises in ANZ are building AI governance as infrastructure: inventory, risk tiers, policy, operational controls, review workflows, incident response, vendor assurance, audit evidence, and continuous improvement.
- The gap is widening between organisations that can describe AI governance and organisations that can prove it. Evidence is becoming the practical differentiator for regulated industries, public-sector agencies, healthcare, insurance, critical infrastructure, and financial services.
- The next two to five years will reward organisations that build durable governance infrastructure now: common controls, local obligation overlays, agent authority boundaries, operational resilience testing, supplier assurance, and board-level evidence.
Executive view: ANZ AI governance has entered its operating phase
Enterprise AI governance in Australia and New Zealand has entered its operating phase. In 2023 and 2024, many organisations focused on principles, acceptable-use policies, and cautious experimentation. In 2025 and 2026, the centre of gravity has shifted. AI is embedded in enterprise software, productivity suites, customer operations, developer tools, document workflows, security products, analytics, and increasingly in agents that can act through tools. The governance question is no longer whether the organisation has an AI policy. It is whether the organisation can operate that policy across real AI activity.
This shift is especially important in ANZ because many enterprise buyers operate in high-trust sectors: financial services, insurance, healthcare, government, critical infrastructure, education, energy, telecommunications, and professional services. These sectors already understand privacy, prudential risk, conduct, information security, procurement, operational resilience, and audit. AI governance is not replacing those disciplines. It is forcing them to extend into model providers, generative AI, embedded SaaS AI, and autonomous agents.
The leading organisations are beginning to treat AI governance as infrastructure. They are building inventories, risk tiers, approval lanes, data controls, vendor review, human oversight design, operational policy governance, incident response, audit evidence, and board reporting. The lagging organisations are still treating AI governance as a position statement. The gap between those two postures matters because AI adoption will continue even when governance is immature. Employees and vendors do not wait for perfect operating models.
What changed from AI policy to AI infrastructure
The 2026 governance question is shifting from whether the organisation has a responsible AI position to whether it can operate one.
Australia and New Zealand are related, not identical
ANZ is often discussed as a single market, but enterprise AI governance should not treat Australia and New Zealand as one legal or policy environment. Australia has its own federal and state regulatory context, privacy and consumer law settings, sector regulators, APRA prudential standards, critical infrastructure requirements, workplace and safety obligations, and government AI guidance. New Zealand has its own Privacy Act 2020, Information Privacy Principles, AI strategy, public-sector AI framework, procurement context, official information norms, and trust expectations.
For a trans-Tasman enterprise, the practical answer is not to build two unrelated programs. It is to define common AI governance capabilities and then map local obligations and expectations onto them. Common capabilities include inventory, classification, purpose review, privacy assessment, security review, vendor assurance, human oversight, incident response, control evidence, and board reporting. Local overlays determine what review is required, which notices are needed, which regulator expectations apply, and how affected communities should be engaged.
This hybrid approach is also useful because AI providers are global. The same model provider, SaaS product, or agent framework may be used in both countries. The vendor contract may be regional or global, while the privacy, sector, and operational context differs locally. Enterprises need a governance system that can handle shared technology and local accountability. That is why framework mapping alone is insufficient. Operating controls must know jurisdiction, data, user, vendor, workflow, and risk tier.
The 2026 enterprise AI governance map
Enterprise AI governance in ANZ sits at the intersection of emerging AI guidance and long-standing obligations in privacy, security, operational risk, procurement, and accountability.
Australia’s 2026 governance signals
Australia’s AI governance landscape in 2026 is best understood as a layered environment rather than a single AI statute. The Australian Government’s Voluntary AI Safety Standard was published in September 2024 and updated in December 2025. It provides practical guidance and ten voluntary guardrails intended to support safe and responsible AI across the AI supply chain. It also sits alongside guidance for AI adoption and existing legal regimes. For enterprises, the practical value is the guardrail mindset: accountability, risk management, transparency, testing, human oversight, and supply-chain responsibility.
The Australian layer also includes sector regulators and existing obligations. APRA CPS 230 and CPS 234 are not AI standards, but they are highly relevant where AI affects operational risk, critical operations, material service providers, business continuity, information assets, control testing, and incident response. Privacy, consumer law, financial services obligations, employment law, safety duties, records obligations, and critical infrastructure requirements may also matter depending on the use case. A bank’s AI agent, a hospital’s AI triage assistant, and a retailer’s product-description generator do not sit in the same risk universe.
The strategic implication for Australian enterprises is that waiting for a final comprehensive AI law is not a governance strategy. Existing obligations already touch AI in meaningful ways. Voluntary standards and guidance provide a structure for safer adoption. Sector expectations create specific pressure. Boards should therefore ask whether management has mapped AI use to the obligations that already exist. The absence of one consolidated AI law does not mean the absence of accountability.
New Zealand’s 2026 governance signals
New Zealand’s AI governance landscape in 2026 is shaped by confidence, privacy, public-sector trust, and existing law. MBIE’s New Zealand AI Strategy is framed around investing with confidence. Digital government guidance points businesses toward the strategy and AI guidance. The Privacy Commissioner’s AI guidance is explicit that the Privacy Act applies to AI tools in New Zealand and that organisations should understand enough about those tools to uphold the Information Privacy Principles. Public-sector agencies also have a dedicated AI framework to guide responsible use.
The Privacy Act 2020 is central because AI agents handle information. The current legislation page shows the Act in force and current as at May 1, 2026, with IPP 3A introduced by the Privacy Amendment Act 2025. The privacy implications of AI are practical: purpose, notice, indirect collection, minimisation, security, access, correction, accuracy, retention, use, disclosure, overseas processing, unique identifiers, and notifiable privacy breaches. An enterprise agent can touch many of those issues in one workflow.
New Zealand organisations should also pay attention to trust and context. AI governance is not only a legal exercise. It must consider affected people, communities, Māori data and taonga considerations where relevant, transparency, public confidence, and the ability to explain AI-assisted processes. A small-market trust breach can have outsized reputational effect. The governance bar is therefore not only whether a tool is technically capable. It is whether its use is legitimate, proportionate, understandable, and controlled.
Global frameworks are becoming the operating language
NIST AI RMF and ISO/IEC 42001 have become practical reference points for ANZ enterprises because they provide vocabulary and structure that local law alone does not. NIST AI RMF helps organisations think through Govern, Map, Measure, and Manage. ISO/IEC 42001 provides an AI management-system model: scope, policy, objectives, controls, monitoring, audit, management review, and continual improvement. ISO/IEC 23894 adds risk-management guidance. OECD AI principles and local voluntary guardrails add values and accountability language.
The strongest ANZ governance programs are not choosing one framework and ignoring the others. They are building crosswalks. NIST helps structure risk functions. ISO/IEC 42001 helps structure the management system. Local privacy law, APRA standards, public-sector guidance, and sector obligations define local requirements. Security frameworks and operational resilience standards provide technical and continuity expectations. This lets the enterprise avoid framework theatre. The question is not which framework looks best in a slide. The question is which controls and evidence the organisation needs.
Framework crosswalks should be evidence-led. A crosswalk that maps clauses to policy statements is useful but insufficient. A mature crosswalk maps obligations and expectations to controls, owners, systems, evidence, testing, and reporting. If a NIST Govern outcome or ISO management-system requirement is mapped to an AI policy, what proves the policy operated? If a voluntary guardrail says human oversight should exist, which workflow records show oversight occurred? If APRA CPS 234 requires control testing, which AI controls were tested and by whom? Evidence turns frameworks into assurance.
The agentic shift: from output governance to delegated authority
The most important enterprise shift in 2026 is agentic AI. Earlier AI governance work often focused on model outputs: hallucination, bias, explainability, toxicity, privacy leakage, and intellectual property. Those risks remain. But agents introduce delegated authority. An AI system can now plan steps, call tools, retrieve records, update workflows, draft and send messages, create tickets, run code, configure systems, or initiate actions. The governance unit is no longer only a model. It is the human-agent-system chain.
This shift changes control design. A policy that says users must check AI output is not enough when the AI can act. Organisations need delegation boundaries. Which users may delegate which tasks? Which tools may agents call? What data classes may they access? Which actions require approval? What happens on uncertainty? Can the agent retry? Can it operate outside business hours? Can it contact external parties? Can it execute irreversible actions? Can it hand tasks to another agent? These questions should be answered before deployment.
Agentic AI also changes evidence. A transcript may not show enough. The enterprise needs evidence of user identity, delegated authority, policy decision, retrieved context, tool call, approval, exception, blocked action, output, and downstream effect. This is where AI governance starts to resemble operational control and audit infrastructure. The organisations that can prove agent authority and control will be better positioned for incidents, audits, customers, and regulators.
The readiness gap across ANZ enterprises
The readiness gap appears to be widening. Many ANZ enterprises now have executive awareness, approved AI tools, and initial policies. Fewer have reliable inventory, risk tiering, vendor AI visibility, operational control, agent permissions, incident playbooks, and audit-ready evidence. That uneven maturity is understandable. AI adoption has moved faster than governance infrastructure. But the gap becomes more dangerous as AI use shifts from drafting and summarisation into customer, operational, regulated, or autonomous workflows.
A common pattern is policy maturity without control maturity. The organisation has an AI policy, but does not know where AI is used. It has an acceptable-use page, but cannot prevent sensitive information from being sent to unapproved tools. It has a review process, but vendor AI features are enabled outside the process. It has human-in-the-loop language, but no evidence that humans reviewed consequential outputs. It has incident response, but no AI-specific triage or logs. These are not small documentation gaps. They are operating gaps.
The practical readiness test is by use-case tier. Is the organisation ready for low-risk productivity AI? Many are. Is it ready for internal workflow support using moderate sensitivity data? Some are. Is it ready for customer-impacting AI, regulated decision support, operationally critical AI, or autonomous agents? Far fewer are. That does not mean adoption should stop. It means governance should create adoption lanes and remediation plans rather than pretending all AI use is equal.
Typical 2026 maturity across enterprise control areas
The pattern Helixar sees in regulated AI governance work is uneven maturity: policy and experimentation often move faster than operational control and assurance.
Privacy is the first hard constraint
Privacy is often the first hard constraint for ANZ AI governance because AI systems consume and produce information. In New Zealand, the Privacy Commissioner’s AI guidance is explicit that the Privacy Act applies to AI tools and recommends privacy impact assessment before use. In Australia, privacy law and reform debates sit alongside sector obligations and consumer expectations. Across both countries, privacy questions arise before any sophisticated AI-risk debate: what information is used, why, where does it go, who sees it, how long is it retained, and how can people exercise rights?
AI agents intensify privacy risk because they can retrieve and combine personal information across systems. A human user may be authorised to see a record in one context, but an agent may pull the record into another context or send a summary to a provider. A retrieval system may surface information beyond what is necessary. A generated output may create a new inference about a person. A log may retain sensitive context. Privacy governance must therefore cover prompts, retrieval, output, memory, tool calls, logs, vendors, and downstream records.
Privacy is also where trust becomes visible. People may tolerate AI used for internal efficiency but object to opaque AI use that affects services, financial decisions, employment, health, insurance, government interactions, or vulnerable communities. Organisations should be able to explain AI use in plain language, provide challenge routes, correct records, and show that data use is necessary and proportionate. Privacy governance is not a drag on AI adoption. It is one of the conditions for trusted adoption.
Security and information assets are now AI governance issues
Security has moved from being adjacent to AI governance to being inside it. AI systems process sensitive information, connect to identity systems, call tools, generate code, summarise security events, and interact with vendors. In APRA-regulated environments, CPS 234 provides a clear information-security lens: information assets, confidentiality, integrity, availability, controls, testing, incidents, third-party assurance, and audit. Even outside APRA, the same concepts apply. AI governance without security integration is incomplete.
The security challenge is not only malicious model behaviour. It includes prompt injection, data exfiltration, secrets exposure, insecure plugins, over-permissive agents, vendor model changes, embedded SaaS AI, insufficient logging, and authorised-but-unsafe tool use. Traditional controls may see network traffic or identity events but miss AI context. A model call may be allowed by the firewall and still violate data policy. A tool call may be authorised by identity and still exceed the agent’s approved purpose.
Security readiness therefore requires AI-specific telemetry and controls. Who initiated the AI action? What data class was involved? Which provider processed it? Which tool did the agent call? Which policy applied? Was approval required? Was the action blocked? Did an incident occur? These records connect AI governance to security operations and audit. They also help security teams avoid treating every AI issue as either a classic cyber incident or a harmless user mistake.
Operational resilience is becoming the board-level AI issue
Operational resilience is moving up the board agenda because AI is becoming embedded in business processes. A model provider outage, SaaS AI change, agent error, document automation failure, approval queue backlog, or AI-assisted decision defect can affect customers and operations. In APRA-regulated environments, CPS 230, which commenced on 1 July 2025, makes the operational-risk lens explicit. Outside APRA, the same business logic applies. If AI supports an important process, the organisation should know how the process continues when AI fails.
Resilience governance starts with dependency mapping. Which critical or material operations depend on AI? Which model providers, SaaS vendors, cloud services, data sources, and agent tools support them? What happens if the provider changes, fails, or withdraws a model? Can staff operate manually? Are source systems still accessible? Does the fallback preserve privacy, security, and evidence? Has the fallback been tested? A continuity plan that has never been exercised is weak assurance.
Operational resilience also changes the adoption conversation. AI can improve resilience by speeding triage, reducing manual error, and supporting decision-making. But AI can also create concentration, opacity, and automation fragility. Boards should see both sides. The right question is not whether AI is good or bad for resilience. The right question is whether the specific AI dependency is visible, controlled, tested, and recoverable.
Vendor AI and SaaS copilots are the quiet governance problem
Vendor AI is the quiet governance problem of 2026. Many organisations focus on internally approved AI tools while missing AI that arrives inside software they already use. CRM platforms, productivity suites, customer support tools, HR systems, finance platforms, document processors, security tools, data platforms, and workflow systems can all add AI features. These features may process enterprise data, change user behaviour, create outputs, or influence decisions before the central AI governance team reviews them.
Procurement and vendor management must become AI governance control points. Vendor due diligence should ask what AI features exist, what data is processed, where processing occurs, whether data is used for training or improvement, which subcontractors are involved, how model changes are handled, whether logs and evidence are available, whether features can be disabled, and how incidents are notified. Vague responsible-AI statements are not enough for material use cases.
Vendor AI also creates evidence problems. If a SaaS copilot summarises customer records, can the enterprise see what data was used? If a vendor model changes, can the enterprise know whether outputs changed? If an AI feature sends external communications, can approval be evidenced? If a regulator or customer asks what happened, can evidence be exported? Vendor governance should include evidence portability. Otherwise the enterprise may rely on a black box for accountability it still owns.
Human oversight is moving from slogan to control design
Human oversight has been one of the most repeated AI governance phrases and one of the least consistently designed controls. In 2026, ANZ enterprises need to move beyond human-in-the-loop slogans. Meaningful oversight requires a named reviewer, clear criteria, enough context, authority to reject or override, time to review, escalation pathways, and evidence that review occurred. A human rubber stamp is not oversight. A hidden human burden is not governance.
Oversight should match the workflow. Drafting public marketing copy may require ordinary editorial review. Summarising internal research may require source checking. Drafting customer communications may require approval before send. Recommending credit, claims, benefits, employment, clinical, security, or operational action may require stronger review, documented rationale, and challenge pathways. Agents that can act should have explicit review gates for higher-risk actions.
Oversight should also be measured. Organisations should track approval volume, queue delay, rejection rate, override rate, incident themes, reviewer workload, and user feedback. If reviewers approve almost everything instantly, oversight may be ceremonial. If approval queues block operations, the control may need redesign. If users work around controls, governance may be too hard to use. Human oversight is an operating control, and operating controls need performance management.
Boards need a new AI reporting pack
Boards need AI reporting that distinguishes adoption from governed adoption. A board pack showing the number of AI pilots, licences, productivity gains, or training completions is useful but incomplete. It does not show whether material AI use is inside risk appetite. A stronger board pack shows AI portfolio exposure, high-risk use cases, vendor dependencies, control gaps, exceptions, incidents, evidence completeness, maturity movement, and remediation progress.
The board should not be asked to approve every AI system. It should approve risk appetite and hold management accountable for controls. Useful board questions include: where is AI used today? Which use cases affect customers, employees, critical operations, regulated decisions, or sensitive information? Which agents can act through tools? Which vendors are material? What incidents or near misses occurred? Which controls are not yet automated? Can internal audit test evidence? What changed since last quarter?
Board reporting should be evidence-led. If management says sensitive data is not sent to unapproved providers, what evidence supports that? If management says high-risk actions require human approval, where are approval records? If management says AI incidents are managed, what exercises or incidents prove the pathway? This is not about mistrust. It is about making AI governance governable at board level.
Internal audit is becoming the forcing function
Internal audit is becoming the forcing function for AI governance maturity. Early AI governance programs often relied on policy statements, committee minutes, and best intentions. Internal audit asks whether controls are designed effectively and operated during the period under review. That question exposes weak inventory, vague ownership, inconsistent risk tiering, absent runtime logs, missing vendor evidence, and human review without records.
AI audit should not attempt to audit every prompt. It should sample material use cases and test the control chain. Is the use case registered? Is the owner named? Is the risk tier justified? Were privacy, security, legal, vendor, and operational reviews triggered where required? Were controls implemented? Were human approvals captured? Were incidents escalated? Were exceptions expired? Was evidence retained? Were model or vendor changes reassessed? These tests are practical and revealing.
Audit readiness also changes how systems should be designed. Evidence should be captured automatically where possible, structured for review, and tamper-evident. Audit teams should be involved early enough to define testable controls, not only after deployment. A governance program that cannot be audited is not mature, no matter how carefully its principles are written.
Sector patterns: financial services, insurance, healthcare, government, and infrastructure
Financial services are likely to remain among the most governance-demanding AI environments in ANZ because AI touches customer outcomes, prudential expectations, information security, operational resilience, fraud, conduct, privacy, third-party risk, and audit. Banks and insurers are already familiar with regulated control environments, but AI adds speed, opacity, vendor dependency, and delegated authority. The key challenge is connecting AI governance to existing risk machinery without slowing all adoption to the pace of the highest-risk use case.
Healthcare and government carry different trust burdens. Healthcare AI can affect patient safety, clinical accountability, sensitive health information, access, and workforce pressure. Public-sector AI can affect transparency, fairness, public trust, official records, procurement, and review rights. In both sectors, human oversight and explanation matter. The governance system should distinguish administrative productivity from clinical, citizen-impacting, or rights-affecting use. AI should support professionals and public servants without obscuring accountability.
Critical infrastructure and essential services are where resilience becomes the dominant frame. AI can optimise maintenance, security, forecasting, scheduling, customer operations, incident response, and operational planning. But it can also introduce fragile dependencies, unsafe automation, and vendor concentration. Operators should be cautious with agents near operational technology or safety-critical processes. The governance question is whether AI improves resilience under stress or creates a new dependency that fails at the worst time.
The practical 2026 control stack
The practical 2026 control stack starts with inventory. An enterprise needs a living record of AI systems, agents, vendors, tools, data sources, owners, risk tiers, approvals, and review dates. The second layer is policy: acceptable use, prohibited use, data rules, provider rules, autonomy limits, human oversight, incident escalation, and evidence requirements. The third layer is review: privacy, security, legal, compliance, procurement, operational risk, and business approval triggered by risk tier.
The fourth layer is operational control. Policy should operate at the point of AI use where possible. That means approved providers, sensitive-data controls, tool permissions, review gates, cost limits, blocked actions, and exception handling. The fifth layer is monitoring and incident response: detect policy violations, unusual activity, provider failures, privacy events, security events, agent mis-actions, approval bottlenecks, and operational disruption. The sixth layer is evidence: structured records that prove what happened and which controls operated.
This stack should be proportionate. Low-risk productivity use may need approved tools, basic logging, and training. High-impact AI needs formal approval, stronger monitoring, human review, vendor assurance, incident planning, and audit evidence. Autonomous agents need explicit delegation boundaries, tool governance, runtime approvals, and event-level evidence. The stack is not meant to suffocate adoption. It is meant to make adoption legible and controllable.
Where ANZ enterprises should focus now
Most organisations should prioritise a small number of high-leverage governance capabilities rather than attempt a perfect AI governance program immediately.
Metrics that matter
ANZ enterprises should be careful with AI metrics. Productivity gains and adoption counts are useful, but they can create a false sense of progress. Governance metrics should show control quality. Examples include inventory coverage, percentage of high-risk use cases assessed, overdue reassessments, exceptions by age and risk tier, vendor AI review completion, PIAs completed, security reviews completed, human approval volume and rejection rate, blocked policy violations, AI incidents, and audit findings closed.
Evidence completeness is an especially important metric. For each high-risk use case, can the organisation produce the use-case record, risk assessment, approval, data map, vendor review, human oversight design, monitoring plan, incident path, and operational evidence? If not, governance may be operating by assertion. Evidence completeness also helps boards understand the difference between adopting AI and governing AI. A low incident count is not reassuring if telemetry is weak.
Maturity movement should also be measured. Use a maturity model with current and target maturity by dimension: strategy, operating model, inventory, data, privacy, security, vendors, operations, workforce, controls, evidence, and audit. Track progress through evidence, not self-rating alone. This helps leaders fund the most important gaps and prevents governance from becoming a once-a-year survey.
Conclusion: Helixar perspective
Helixar’s view is that ANZ enterprises need the operational control and evidence layer that AI governance programs often lack. Policies, risk assessments, PIAs, and vendor reviews are necessary, but they do not automatically control AI activity across model providers, SaaS tools, internal applications, and agents. This research frames an AI control plane as a way to observe AI activity, evaluate policy, support proportionate governance responses, and retain evidence.
For Australian organisations, this governance pattern can include APRA-aligned operational risk and information-security governance by recording AI policy events, approvals, blocked actions, exceptions, provider use, and agent tool activity. For New Zealand organisations, this governance pattern can include privacy-aligned governance by enforcing provider and data policies, limiting sensitive information movement, requiring approval for higher-risk actions, and retaining evidence for PIA updates, incidents, and review. Across both markets, Helixar supports turning governance requirements into controls that operate when AI is used.
Helixar does not replace legal advice, privacy advice, APRA interpretation, clinical governance, procurement review, internal audit, or board accountability. It supports the practical infrastructure of governed adoption. The ANZ challenge is not only knowing what responsible AI should mean. It is proving that AI activity stayed inside the boundaries the organisation set. This research focuses on that proof problem.
Concretely, in the ANZ setting this report describes, the hardest control surface is the human-agent-system chain: an agent operating under delegated authority that can call tools, retrieve records across contexts, and initiate actions, while APRA CPS 234 information-security duties, CPS 230 operational-resilience obligations, and the New Zealand Privacy Act 2020 Information Privacy Principles still bind every one of those actions. Helixar is an AI control plane that enforces policy at the moment of each AI or agent action, across every model provider, sitting in front of or in place of an AI gateway rather than relying on a policy document to hold. At each action it verifies the user’s and agent’s identity and context, evaluates the action against policy, and applies a graduated response of observe, alert, require approval, block, or contain, so a delegated step that would move sensitive information to an unapproved provider or exceed an agent’s approved purpose is stopped before it completes; it is fail-closed by default and enforces organisation-wide cost caps. Every one of those decisions is written to a tamper-evident, independently verifiable evidence trail, which is what turns the board pack and internal-audit sample this report calls for into something testable rather than asserted. SOC 2 and ISO 27001 evidence packs are available today, while ISO/IEC 42001, APRA CPS 234, RBNZ BS-11, and the New Zealand Privacy Act 2020 are mapped and delivered at implementation, so the same operating controls produce framework-aligned evidence for both Australian and New Zealand obligations.
A 12-month roadmap for ANZ enterprises
In the first 90 days, focus on visibility and triage. Build or refresh the AI inventory. Identify approved and unapproved tools. Map vendor AI and SaaS copilots. Identify agents and tool permissions. Classify use cases by risk. Freeze or restrict clearly high-risk uses without ownership. Create an AI governance charter and decision lanes. Define minimum evidence for high-risk use. Start board reporting with honest gaps rather than polished optimism.
In months three to six, build the operating system. Implement privacy, security, vendor, legal, operational risk, and human oversight triggers. Update procurement questions. Run PIAs for personal-information use. Map APRA CPS 230 and CPS 234 where relevant. Define agent delegation boundaries. Implement operational policy for approved providers, sensitive data, tool use, approvals, and blocked actions. Establish incident playbooks and run at least one AI incident exercise.
In months six to twelve, mature assurance. Test controls. Review evidence completeness. Bring internal audit into a sample of high-risk use cases. Run vendor change reviews. Track exceptions and remediation. Report maturity movement to management and the board. Improve the operating model based on incidents, user feedback, and audit findings. By the end of the year, the enterprise should be able to show not only what AI it uses, but how it governs the most material uses.
The first year of ANZ AI governance
A practical 12-month sequence that turns AI governance from a policy position into an operating capability, moving from visibility to control to assurance.
The two-to-five-year roadmap: from AI governance program to infrastructure
The next two to five years should be treated as the infrastructure-building window for ANZ enterprise AI governance. The organisations that use 2026 only to publish policy will still be catching up when agents, embedded SaaS AI, model-provider changes, automated decision support, and sector expectations become ordinary operating realities. The organisations that use 2026 to build inventory, evidence, operational control, supplier assurance, and board reporting will have a reusable foundation. That foundation can absorb new regulation, new standards, and new AI capability without restarting governance from first principles each time.
In 2027, the priority should be control depth. Enterprises should move beyond acceptable-use guidance into enforceable provider policies, data rules, tool permissions, review gates, exception workflows, AI incident response, and supplier-change monitoring. Australia’s Guidance for AI Adoption is already framed around more complex and higher-risk AI use needing stronger controls and oversight. New Zealand’s public-sector AI material is similarly practical in its emphasis on responsible use, safe uptake, and supporting resources. The direction is clear enough for management action even while future law and regulator practice continue to mature.
In 2028, the priority should be assurance. Internal audit, compliance, privacy, security, operational risk, and the board should be able to test a sample of material AI use cases end to end. That means the organisation can show the business purpose, owner, risk tier, data map, vendor review, privacy and security triggers, human oversight design, operational policy events, incidents, exceptions, remediation, and reassessment. Audit should not need to assemble the AI governance story from disconnected emails and meeting notes. Evidence should be part of the operating system.
From 2029 to 2031, the mature posture is AI governance as standing enterprise infrastructure. The organisation should have common control capabilities across countries and business units, local obligation overlays for Australia and New Zealand, management-system review, measurable maturity movement, and continuous monitoring of high-risk AI activity. This does not mean every AI use is high ceremony. It means the enterprise has learned how to let low-risk AI move quickly while making high-impact AI visible, controlled, evidenced, and reviewable.
How ANZ AI governance should mature after 2026
The flagship view is that AI governance will shift from project governance to durable infrastructure, with boards expecting proof of control design, operation, and improvement.
What makes this report a flagship view
This report sets a flag because it treats ANZ AI governance as an operating discipline rather than a compliance footnote. The region does not need another abstract statement that AI should be safe, fair, accountable, and transparent. Those values are important, but enterprise leaders now need a control architecture. They need to know how to connect Australia’s voluntary AI safety and adoption guidance, New Zealand’s AI strategy and public-sector framework, privacy law, APRA operational resilience and information-security expectations, NIST AI RMF, ISO/IEC 42001, ISO/IEC 23894, internal audit, and agentic AI into one workable governance system.
The central claim is deliberately practical: proof will become the product of governance. An organisation can have an impressive AI policy and still fail to govern AI if it cannot show what AI is used, who owns it, which risks were assessed, which controls operated, what was blocked or approved, which vendor changes mattered, which incidents occurred, and what management did about them. That proof problem is becoming more important as AI moves from chat interfaces into workflows, decisions, agents, and operational dependencies.
The report also sets a regional view. Australia and New Zealand share business relationships, vendors, regulators that watch international practice, and enterprise buyers that often operate across both markets. But they do not share identical legal systems, privacy settings, public-sector guidance, or sector obligations. The right ANZ approach is therefore neither one generic global framework nor two disconnected local programs. It is a common governance backbone with local overlays and evidence that can answer local questions.
Data sources and signal quality
This report is grounded in primary and official sources rather than market claims. For Australia, the source base includes the Voluntary AI Safety Standard, Guidance for AI Adoption, Australian AI policy pages, APRA operational-risk and information-security material, OAIC AI privacy guidance, and the 2026 Australian Community Attitudes to Privacy Survey digital-technology findings. For New Zealand, the source base includes MBIE’s AI strategy, Digital Government’s public-service AI framework, responsible GenAI guidance, public-service AI toolkit, the Privacy Act 2020, and the Privacy Commissioner’s AI guidance. Internationally, the report uses NIST AI RMF, ISO/IEC 42001, ISO/IEC 23894, and OECD AI principles as governance reference layers.
These sources do not provide a single quantitative score for the state of ANZ enterprise AI governance. The report should therefore not be read as a statistical market survey. It is a governance synthesis: a structured interpretation of official policy signals, regulator expectations, standards, privacy guidance, operational-risk practice, and the practical control needs created by agentic AI. Where the report describes typical maturity patterns, those patterns are framed as enterprise governance observations and control-design implications, not as a claim that every organisation in the region has been measured.
This matters for credibility. AI governance writing often overstates certainty. A flagship report should be clear about what can be evidenced from public sources and what is an analytical judgement. The public-source evidence shows a strong direction of travel: safer adoption guidance, privacy concern, operational resilience expectations, information-security accountability, public-sector AI frameworks, management-system standards, and AI risk-management frameworks. The analytical judgement is that enterprises will need control-plane evidence to make those expectations operational at scale.
Risks to avoid in 2026
The first risk is shadow AI normalisation. If official governance is too slow or unclear, teams will use unapproved tools and vendors. The second is vendor AI drift. SaaS features change faster than procurement records. The third is agent over-permission, the failure mode catalogued as OWASP LLM06:2025 Excessive Agency. Agents inherit broad user access and can act beyond purpose. The fourth is weak evidence. Governance activity happens, but no one can prove it later. The fifth is privacy under-scoping. Prompts, logs, outputs, inferences, and overseas processing are missed.
The sixth risk is human oversight theatre. Reviewers are nominally in the loop but lack time, context, or authority. The seventh is operational dependency blindness. AI becomes critical to a workflow before continuity is tested. The eighth is framework overclaiming. Organisations say they are aligned with NIST, ISO, or voluntary guardrails without mapped controls or evidence. The ninth is board under-reporting. Boards see adoption, not residual risk. The tenth is treating AI governance as one team’s job.
These risks are manageable if the enterprise is honest. AI governance does not need to be perfect to be useful. It does need to be real. A good program finds material exposure, assigns owners, implements controls, records evidence, learns from incidents, and improves. The danger is not imperfect governance. The danger is confident governance with no operating proof.
The 2026 outlook
The 2026 outlook for ANZ enterprise AI governance is clear: adoption will continue, governance expectations will sharpen, and evidence will become more valuable. Organisations will use more AI even if they do not call every capability AI. Agents will move from experiments into controlled production. Vendors will embed AI more deeply into enterprise software. Boards will ask sharper questions after incidents and media scrutiny. Internal audit will begin testing AI control chains. Regulators will continue applying existing obligations while new AI-specific guidance develops.
The organisations that do well will not necessarily be the ones with the largest AI teams. They will be the ones that build practical governance infrastructure early. They will know where AI is used. They will classify risk. They will connect privacy, security, vendor, operational, legal, and audit review. They will limit agent authority. They will retain evidence. They will report honestly to boards. They will learn from incidents. They will let low-risk adoption move while controlling high-risk use.
The organisations that struggle will mistake AI ambition for AI readiness. They will allow vendor AI and shadow AI to sprawl. They will rely on policy without operational control. They will assume human oversight exists because a document says so. They will discover data leakage, provider dependency, or evidence gaps after the fact. They will treat AI governance as compliance theatre until an incident turns it into crisis work.
Conclusion: proof is becoming the product of governance
The state of enterprise AI governance in ANZ in 2026 can be summarised in one sentence: the conversation has moved from principles to proof. Responsible AI principles still matter. Frameworks still matter. Legal and regulatory analysis still matter. But enterprises now need operating proof: proof of inventory, proof of ownership, proof of risk assessment, proof of provider control, proof of human review, proof of runtime enforcement, proof of incident response, and proof of remediation.
Australia and New Zealand will continue to develop distinct policy and regulatory pathways. Enterprises should not wait passively. The shared governance capabilities are already visible. Build the inventory. Define risk tiers. Review privacy and security. Govern vendors. Control agents. Test resilience. Capture evidence. Report to boards. Improve through audit and incidents. These steps are useful now and adaptable later.
AI adoption in ANZ will be won by organisations that can move quickly without losing accountability. That requires governance that is practical, proportionate, evidence-led, and connected to real workflows. The best AI governance will not feel like a document library. It will feel like infrastructure: always present, quietly enforcing boundaries, and ready to prove what happened when trust is tested.
Enterprise checklist
- Maintain a live AI inventory covering internal AI, SaaS AI, vendor AI, model APIs, copilots, agents, data sources, owners, and risk tiers.
- Create adoption lanes for low-risk productivity, internal workflow support, customer impact, regulated decisions, critical operations, and autonomous agents.
- Map Australian and New Zealand obligations separately while maintaining shared governance capabilities across the enterprise.
- Use NIST AI RMF, ISO/IEC 42001, ISO/IEC 23894, Australian guardrails, New Zealand privacy guidance, and sector expectations as a crosswalk, not a substitute for controls.
- Define agent delegation boundaries, tool permissions, human review gates, runtime monitoring, and evidence retention before production use.
- Connect AI governance to privacy, security, procurement, operational resilience, enterprise risk, legal, compliance, and internal audit.
- Run AI incident and continuity exercises for material AI dependencies and AI-enabled critical workflows.
- Report governed adoption to boards: high-risk use cases, exceptions, incidents, vendor dependencies, evidence completeness, maturity movement, and remediation.
- Retain evidence designed for independent review for approvals, policy decisions, blocked actions, exceptions, incidents, vendor changes, and audit testing where risk justifies it.
- Reassess governance after model changes, vendor changes, regulatory updates, incidents, audit findings, and expansion of agent autonomy.
Frequently asked questions
Is there one AI governance law for Australia and New Zealand?
What is the biggest enterprise AI governance shift in 2026?
Which frameworks matter most for ANZ enterprises?
What should boards ask about AI governance in 2026?
How does Helixar help ANZ AI governance?
References
- Australia Voluntary AI Safety Standard
- Australia Guidance for AI Adoption
- Australia National AI Plan
- Australia to establish new AI Safety Institute
- New Zealand's AI Strategy: Investing with confidence
- New Zealand's AI strategy and guidance for business
- APRA, Operational Risk Management CPS 230
- APRA Prudential Standard CPS 230 Operational Risk Management
- APRA final targeted amendments to CPS 230
- OAIC guidance on privacy and commercially available AI products
- OAIC Australian Community Attitudes to Privacy Survey 2026, digital technologies
- Office of the Privacy Commissioner, AI and the Information Privacy Principles
- Australia Voluntary AI Safety Standard, 10 guardrails
- New Zealand Public Service AI Framework
- New Zealand Responsible AI Guidance for the Public Service: GenAI
- New Zealand Public Service AI Toolkit
- New Zealand Privacy Act 2020
- APRA Prudential Standard CPS 234 Information Security
- NIST AI Risk Management Framework
- ISO/IEC 42001:2023, AI management systems
- ISO/IEC 23894:2023, AI risk management guidance
- OECD Recommendation of the Council on Artificial Intelligence
- Helixar research: Enterprise AI Readiness Assessment
- Helixar research: APRA CPS 230 and AI Governance
- Helixar research: APRA CPS 234 and Autonomous AI
- Helixar research: NZ Privacy Act and Enterprise AI Agents
- Helixar research: AI Governance Maturity Model