Ask most Australian companies who’s responsible for AI governance and you’ll get a long pause followed by a vague answer about the CTO, the legal team, or “we’re working on that.” Meanwhile, these same companies are deploying AI systems that make decisions about customers, employees, and business operations every day.

The governance gap is real, and it’s getting riskier. Australia’s AI Ethics Framework provides voluntary principles. The EU AI Act, which affects Australian companies serving European customers, imposes mandatory requirements. Domestically, the government has signalled that binding AI regulation is coming, with consultations ongoing through 2026.

Waiting for regulation to force governance is the wrong approach. Companies that establish governance now shape their AI practices proactively rather than scrambling to retrofit compliance when rules arrive.

Why Existing Roles Aren’t Enough

“The CTO handles AI governance” is the most common answer I hear. It’s also the wrong one. CTOs are responsible for technology strategy and delivery. Adding governance responsibility creates a conflict of interest — the person driving AI adoption is also supposed to be the one applying the brakes.

Similarly, legal teams are essential for compliance but rarely have the technical depth to evaluate AI system behaviour, understand model risk, or assess algorithmic bias. They can tell you what the law requires; they can’t tell you whether your model is meeting those requirements in practice.

Privacy officers cover data handling but AI governance extends well beyond data privacy. It includes fairness, accountability, transparency, safety, and environmental impact.

Each of these existing functions contributes to AI governance. None of them covers it adequately alone.

The Roles That Need to Exist

Chief AI Officer (or VP of AI)

What they do: Sets the organisation’s AI strategy, including governance frameworks, ethical standards, risk appetite, and adoption roadmap. Reports to the CEO or board, not to the CTO — maintaining independence between AI governance and AI delivery.

Why it matters: Someone at the executive level needs to own the holistic AI picture. Not just the technology, not just the compliance, not just the ethics — all of it. Without executive ownership, governance fragments across departments and nobody has accountability.

Australian context: Very few Australian companies have this role today. It’s more common in the US and UK, particularly in financial services and healthcare. As Australian regulation materialises, expect this to change quickly.

What to look for: Someone who understands both the technical capabilities and limitations of AI and the business, ethical, and regulatory context in which AI operates. This is a rare combination, which is why the role is hard to fill.

AI Ethics Lead

What they do: Develops and implements ethical guidelines for AI development and deployment. Conducts ethical impact assessments for new AI systems. Reviews AI systems for bias, fairness, and potential harms. Manages the process for handling ethical concerns raised by employees or users.

Why it matters: Ethical considerations in AI aren’t abstract philosophical questions. They’re practical decisions with real consequences. Should your hiring algorithm consider address data? Should your credit model use social media data? Should your chatbot refuse certain requests? Someone needs to own these decisions systematically rather than having them made ad hoc by individual developers.

Skill profile: Background in applied ethics, technology ethics, or policy, combined with enough technical understanding to evaluate AI systems meaningfully. Philosophy PhDs who can’t read a confusion matrix aren’t useful here. Neither are engineers who dismiss ethics as “soft stuff.”

Model Risk Manager

What they do: Assesses and monitors the risks of AI models in production. This includes model validation (does the model perform as claimed?), ongoing monitoring (is performance degrading?), incident management (what happens when a model fails?), and model inventory management (what AI models are running and where?).

Why it matters: Financial services have had model risk management for years — APRA’s CPG 235 and similar frameworks require it. As AI models proliferate across industries, the same discipline needs to extend beyond banking. A retail company using AI for pricing, a healthcare company using AI for triage, and a logistics company using AI for routing all face model risks that need active management.

Australian context: APRA-regulated entities already have model risk frameworks, though they’re extending them to cover AI/ML models. Non-financial companies generally have nothing. This is the role that’s most urgently needed across Australian industry.

AI Compliance Analyst

What they do: Monitors the evolving regulatory landscape (Australian and international), maps regulatory requirements to the organisation’s AI systems, ensures documentation meets compliance standards, and prepares for audits.

Why it matters: The regulatory environment is moving fast. The EU AI Act classifies AI systems by risk level and imposes specific requirements for each. Australia’s approach is still forming, but the direction — toward mandatory requirements for high-risk AI — is clear. An AI compliance analyst translates abstract regulations into concrete requirements for development teams.

Skill profile: Regulatory compliance background with AI literacy. Doesn’t need to build models, but needs to understand what a model does, how it makes decisions, and what documentation is required to demonstrate compliance.

How to Start

Most Australian companies can’t (and don’t need to) hire all four roles immediately. Here’s a pragmatic phased approach:

Phase 1: Assign accountability

Pick someone senior to own AI governance. This can be a partial role initially — an existing executive takes on AI governance as an explicit responsibility. The key is that someone’s name is next to “AI governance” on the org chart.

Phase 2: Conduct an AI inventory

You can’t govern what you don’t know about. Audit every AI system in the organisation — purchased tools, internally built models, AI features embedded in vendor software, and employee use of generative AI tools. Many organisations are surprised by how much AI they’re already using without formal oversight.

Phase 3: Risk-assess existing systems

Not all AI systems carry equal risk. A model that recommends blog posts is lower risk than one that influences hiring decisions or credit approvals. Use a simple risk framework — the EU AI Act’s risk tiers provide a reasonable starting point even for Australian companies not directly subject to EU law.

Phase 4: Build governance processes

For high-risk systems, establish review processes: ethical impact assessments before deployment, ongoing monitoring after deployment, incident response procedures for when things go wrong. For lower-risk systems, lighter-touch governance is appropriate — you don’t need the same rigour for a meeting summariser as for a diagnostic tool.

Phase 5: Hire dedicated roles

As AI use matures and governance processes are established, dedicated roles become necessary. Start with the highest-priority gap — often model risk management or AI ethics, depending on the industry and the types of AI systems in use.

The Board’s Role

AI governance ultimately needs board-level visibility. Directors have a fiduciary duty to understand and manage material risks. AI systems that make consequential decisions about customers, employees, or operations represent material risk.

Boards don’t need to understand transformer architectures. They need to ask the right questions:

• What AI systems are we running and what decisions do they influence?
• What risks do these systems pose (bias, errors, data privacy, reputational)?
• Who is responsible for governing these systems?
• How do we know they’re performing as intended?
• What happens when they fail?

If the executive team can’t answer these questions clearly, governance is insufficient.

The Competitive Angle

Good AI governance isn’t just risk mitigation. It’s competitive advantage. Companies that can demonstrate responsible AI practices win contracts (particularly government contracts, where AI ethics requirements are increasingly common), build customer trust, and attract talent who want to work at organisations that take these issues seriously.

The companies that establish governance now — while it’s voluntary — will be better positioned when it becomes mandatory. They’ll have the processes, the expertise, and the organisational muscle memory. Companies that wait will face an expensive, disruptive scramble to catch up.

The time to act is now. Not because regulations require it today, but because the AI systems you’re already running demand it.