VAISS
Voluntary AI Safety Standards
Overview
Australia initially considered mandatory AI guardrails but ultimately adopted a voluntary standards-based approach, aligning with the UK and Japan's soft law models. The Voluntary AI Safety Standards (VAISS) and the National AI Plan provide strategic direction for responsible AI development without imposing binding legal obligations.
The decision to reject mandatory regulation followed extensive consultation with industry, which raised concerns about compliance burdens for small and medium enterprises (SMEs) and the risk of stifling innovation in Australia's growing AI sector.
The government has indicated it will monitor the effectiveness of the voluntary approach and may revisit mandatory regulation if voluntary compliance proves insufficient. Existing laws — including the Privacy Act, consumer protection law, and anti-discrimination legislation — continue to apply to AI systems.
Scope
VAISS applies to all organisations developing, deploying, or using AI systems in Australia, on a voluntary basis. The National AI Plan covers government investment priorities, research funding, skills development, and international cooperation. Existing mandatory laws (Privacy Act, Competition and Consumer Act) continue to apply to AI systems irrespective of VAISS adoption.
Key Provisions
VAISS establishes ten guardrails covering: accountability, transparency, fairness, privacy, security, human oversight, reliability, contestability, environmental sustainability, and inclusive design. Organisations are encouraged to adopt them proportionate to risk.
Sets strategic priorities for Australia's AI ecosystem including research investment, skills development, international partnerships, government AI adoption, and ethical AI innovation.
Provides simplified guidance, toolkits, and resources to help small and medium enterprises adopt AI responsibly without disproportionate compliance burden.
Clarifies how existing laws — including the Privacy Act 1988, Competition and Consumer Act 2010, and anti-discrimination legislation — apply to AI systems, without creating new AI-specific legal obligations.
Implementation Timeline
2024
Public consultation on mandatory guardrails approach
Early 2025
Government abandons mandatory guardrails approach
Mid 2025
VAISS and National AI Plan released
2026
First review of voluntary standards effectiveness
2027
Potential reconsideration of mandatory regulation
Compliance Requirements
- Voluntary: adopt the ten VAISS guardrails proportionate to AI system risk
- Comply with the Privacy Act for AI systems processing personal information
- Comply with the Competition and Consumer Act for AI-powered products and services
- Comply with anti-discrimination law for AI-driven decisions
- Consider sector-specific requirements (e.g., APRA guidelines for financial services AI)
- Document AI governance practices for stakeholder transparency
Enforcement Mechanism
VAISS has no enforcement mechanism. Existing regulators enforce applicable laws: the Office of the Australian Information Commissioner (OAIC) for privacy, the ACCC for consumer protection, and the Australian Human Rights Commission for discrimination. The government has stated it will review the effectiveness of the voluntary approach and may consider mandatory requirements if adoption is insufficient.
Practical Implications
Australia's approach provides maximum flexibility for organizations but limited certainty about future regulatory direction. Organizations should adopt VAISS as a best-practice framework while ensuring compliance with existing mandatory laws. The potential for future mandatory regulation means organizations should build compliance infrastructure that can scale to binding requirements. Companies operating in both Australia and the EU should use EU AI Act compliance as their baseline standard.
Relation to EU AI Act
Australia's voluntary approach is far less prescriptive than the EU AI Act. There is no risk classification, no conformity assessment, and no mandatory reporting. The VAISS principles broadly align with the EU's objectives but without binding force. Organizations compliant with the EU AI Act will exceed VAISS requirements. The main practical implication is that Australia-only operations face minimal AI-specific regulation, but organisations serving EU markets from Australia must still comply with the EU AI Act's extraterritorial provisions.