No AI Act, no cry? Your compliance obligations when using AI
The problem is bigger than a rogue chatbot
The Jobs and Skills Australia report, Our Gen AI Transition: Implications for Work and Skills, is a serious piece of work, and its findings on covert use deserve employers’ attention. Drawing on a range of studies, it found that roughly a quarter of workers are using Gen AI tools without their employer knowing or approving. The detail is worth dwelling on. The report does not paint shadow users as a workforce of rule-breakers. Some of them are, in its words, “hidden leaders” driving innovation from the bottom up. Many hide what they are doing not because they are doing anything malicious, but because they are worried about how it will look. They fear being seen as lazy, as cutting corners, or as leaning on a tool the organisation never blessed.
That fear tells you something about your governance. When there is no policy, no training and no permission, capable people do not give up the productivity gains. They just stop mentioning them. Every prompt that goes undisclosed might be carrying client data, personal information or privileged material into a system the organisation has no control over.
Remote and hybrid work have quietly made this harder. When people are working from home, often on personal devices and personal AI accounts, the informal checks that exist in an office – a colleague glancing at a screen, a quick “should we be putting that in there?” – disappear. The work still gets done, and AI often helps do it, but it happens in a space the organisation has even less visibility over. For most employers, the realistic question is not whether staff are using AI off the books, but how much, and on what.
Why ‘no AI Act’ does not mean ‘no obligation’
Australia has chosen a path of legal continuity, and it has done so deliberately. The mandatory guardrails for high-risk AI that were floated back in 2024 have gone quiet, and the National AI Plan puts off any broad AI statute until there is evidence that the existing approach has failed. The Government wants to lift productivity through AI while managing the risks through the laws we already have, a handful of targeted reforms, and a new AI Safety Institute.
This is not for want of warning. In November 2024, the Senate Select Committee on Adopting Artificial Intelligence concluded that Australia’s voluntary, principles-based approach was not enough for high-risk uses, and recommended a comprehensive AI Act with mandatory guardrails. The Government has not adopted that recommendation. So the gap the Committee identified is still open — and while it stays open, the exposure does not sit with Parliament. It sits with you.
For organisations, this produces a result that catches a lot of people off guard. The lack of new legislation does not buy you a grace period. AI use is already governed by laws that were enacted long before anyone was typing prompts into a browser, and because those laws were not written with AI in mind, applying them is harder to predict rather than easier to escape. Regulators and the courts have not waited for Parliament; they have started reading the old doctrines onto the new technology.
You can see where this is heading from the enforcement and reform activity already on the record. The Office of the Australian Information Commissioner found that Clearview AI breached the Australian Privacy Principles when it scraped Australians’ facial images. In ACCC v Trivago, the Federal Court accepted that an algorithm’s ranking could mislead consumers. Targeted reforms are landing wherever the harm is specific enough to legislate for: automated decision-making transparency obligations under the Privacy Act 1988 (Cth) begin on 10 December 2026, New South Wales has passed AI-specific work health and safety duties, and the eSafety Commissioner’s Age-Restricted Material Codes, some of the first binding rules aimed squarely at generative AI providers in this country, commenced in March 2026.
Your compliance obligations: the current landscape
To put some substance behind the point, here is a non-exhaustive list of the compliance obligations that already regulate AI use by Australian organisations.
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the statutory tort for serious invasions of privacy. Collect and use personal information only with consent or a lawful basis; store it securely; do not repurpose it without permission. The OAIC’s 2024 AI guidance expects privacy-by-design, Privacy Impact Assessments and proper vetting of AI vendors. The Notifiable Data Breaches scheme requires you to notify the OAIC and affected individuals if AI causes an eligible breach.
- Security of Critical Infrastructure Act 2018 (Cth). Responsible entities must meet their positive security obligations and cyber-incident reporting duties, consistent with their wider critical infrastructure obligations.
- Competition and Consumer Act 2010 (Cth) — Australian Consumer Law (s 18). How you use, decline to use, or market AI-enabled products and services must not be false or misleading.
- Corporations Act 2001 (Cth). Directors and officers are expected to oversee AI risk with the care and diligence their role demands.
- Model litigant rules. Government at every level carries a common-law duty to act as a model litigant (Melbourne Steamship Co Ltd v Moorehead (1912) 15 CLR 333).
- Health privacy laws. State and territory health-records legislation governs any health data an AI system touches.
- Additional standards may apply, including APRA Prudential Standard CPS 230 (Operational Risk Management) and CPS 234 (Information Security).
- Government safeguards may apply, including the Protective Security Policy Framework and the Defence Industry Security Program.
- Confidentiality obligations. Keep confidential information out of public AI tools, use only approved tools for client matters, and get consent where it is required. A breach can waive confidentiality and even legal professional privilege.
- Employment and workplace. Under the Fair Work Act 2009 (Cth), AI-assisted HR decisions need to be fair, free of discrimination, and consulted on where they affect people’s jobs. Anti-discrimination laws require you to keep bias out of any tool that touches a protected attribute. WHS and OHS duties extend to psychosocial hazards such as the stress of being monitored – see the Work Health and Safety Amendment (Digital Work Systems) Act 2026 (NSW). And workplace surveillance laws set state-based notice and consent rules you have to meet before AI does any monitoring.
- Vendor contracts and third-party obligations. Whenever you use AI, someone with the right expertise needs to read the contract. Public and enterprise AI tools come with terms that decide who owns your inputs and outputs, whether your data is used to train the model, where it is stored, and who is liable when something goes wrong. Many standard terms are squarely at odds with your own privacy, confidentiality and security obligations. You need a team – legal and technical – to review vendor contracts and data-handling terms before a tool is adopted, to confirm the tool can be used correctly, and to keep checking that you are meeting the obligations those contracts impose on you.
- Government policies and procedures. If you are a government agency, statute is only part of the picture. Non-corporate Commonwealth entities must comply with the Policy for the Responsible Use of AI in Government (version 2.0, effective 15 December 2025), which requires designated accountable officials, public AI transparency statements, internal use-case registers, staff training, and risk-based impact assessments for AI use cases. It sits alongside existing obligations such as the APS Code of Conduct, the Protective Security Policy Framework and privacy law, and there is specific Commonwealth guidance on AI procurement. State and territory governments have their own AI policies and assurance frameworks. For any public sector body, complying with these existing internal policies and procedures is not optional.
If anyone doubts these obligations have teeth, the case law settles it. Handa & Mallick, Dayal and Valu v Minister for Immigration and Multicultural Affairs (No 2) all show what happens when AI-generated authorities are relied on without being checked. And these are not abstract risks: in a Victorian matter, a child protection worker entered the details of a live case – concerning sexual offences against a child – into ChatGPT.
The fragmentation problem, and why it pushes use underground
The harder issue is that all of this is spread across different statutes and regulators, varies from state to state, and in some sectors shifts the moment work crosses a border. There is still no single national accountability mechanism and no central register of high-risk systems. The framework is a good deal more substantial than “no AI Act” makes it sound, but it is a patchwork, and finding your way through it takes real effort.
That effort is not just an employer’s burden; it feeds the shadow AI problem directly. When the rules are unclear, inconsistent or unwritten, people cannot work out what good use looks like, so they fall back on using AI quietly and hoping it goes unnoticed. The thing that brings AI back into the open, where it can actually be governed, is clarity rather than a ban.
The legal profession is a useful illustration. Courts and regulators in several jurisdictions have put out sensible guidance asking practitioners to disclose when they have used AI, to check that the authorities they cite are real, and to keep confidential material away from public tools. It is good guidance. But it is not consistent across the country.
What a defensible position looks like
Waiting for legislation is not a plan. Where the law leaves gaps, your own governance must close them, and the organisations that come through both the current law and whatever guardrails arrive later will be the ones governing AI now, on a risk-based foundation. In practice that means the following:
- Find out what is already in use. You cannot govern shadow AI you cannot see, so start by understanding which tools your employees are using and for which tasks.
- Write the policy down and make it clear. Say what is allowed, what is off-limits, and what must never go into a public tool. Vagueness is what drives people to hide what they are doing.
- Train people rather than just banning things. Bans push use underground. Practical training on safe use, handling data and disclosing AI use brings it back into the light.
- Scale the controls to the risk. A light touch is fine for low-stakes drafting; decisions that affect someone’s rights, job or safety need a human firmly in the loop.
- Check the contracts before you commit. Have the right lawyers review every AI vendor’s terms and data-handling arrangements before a tool goes anywhere near live work, and keep checking that you are meeting the obligations those contracts put on you. The convenience of a tool is no defence if its terms quietly sign away your data or your clients’.
- Get ahead of the tender question. AI governance is fast becoming something organisations are asked to prove, not just something they are expected to have. Tenders, supplier questionnaires and procurement processes increasingly ask whether you have an AI policy, how you manage AI risk, and whether your use of AI is documented and defensible. For organisations bidding for government or large private-sector work, a clear governance position is turning into a commercial prerequisite as much as a legal safeguard.
- Own it and keep watching. Treat AI governance as a standing compliance function, with someone accountable, regular review, and sufficient records that you could defend a given use if you were ever asked to.
The questions worth asking now
- What AI is already running inside your organisation, or being used across it, with and without approval?
- If a regulator, court or client asked you tomorrow to defend a particular AI-assisted decision, could you?
- Are your people using AI in the shadows simply because your governance has not yet given them a way to use it in the open?
The absence of an AI Act is not a free pass. It is a responsibility that has quietly shifted onto you. Organisations that start treating AI governance as a present legal obligation, rather than something to deal with when Parliament gets around to it, will be in a far stronger position, both to meet the law as it stands and to turn shadow AI into the kind of innovation the report says it can be. If you are not sure where your organisation stands, that is exactly the right time to start the conversation.
If you would like to discuss the issues raised in this article, or your organisation’s AI governance and compliance position more broadly, please contact Dr Guzyal Hill or other members of the IP, Technology and Media team at HWLE.
This article was written by Guzyal Hill, Special Counsel.