Key takeaways
- “My robot did it” is not a defence. When AI produces a poor outcome, someone will be held accountable - and it will be the organisation, its directors, or its officers, not the machine.
- Existing laws will do the heavy lifting. Australia has abandoned AI-specific legislation, meaning the existing frameworks (Privacy Act, Australian Consumer Law, Corporations Act, ASIC Act, common law, etc.) will be stretched to address AI disputes. In-house counsel should map AI use against these existing frameworks now.
- Novel disputes. Novel disputes and test cases are expected, as well as a surge in AI-assisted claims.
- Privilege and confidentiality are at stake. Using open AI tools (like public ChatGPT) to handle privileged or confidential material may result in waiver and breach of confidentiality. Recent UK and US decisions underscore this risk. In-house teams should ensure AI policies are in place and followed.
- Directors’ and officers’ duties extend to AI oversight. AI cannot replace informed human judgment and AI use in the boardroom should be monitored carefully. Directors must also oversee AI deployment across business operations.
- Governance frameworks must keep pace with deployment. ASIC’s Report 798 flagged governance gaps in how licensees manage AI risks, particularly with third-party platforms. ASIC expects governance frameworks to develop in parallel with AI adoption - not after. Proactively adopting the Government’s AI6 principles (accountability, risk management, testing, human control) provides a practical starting point.
“My robot did it” will not be a viable defence. When AI produces a poor outcome, someone will be held accountable - and it will not be the machine.
Introduction
AI adoption in Australia has been swift and significant. Over 50% of organisations and nearly half of all Australians now use GenAI. Yet governance is struggling to keep pace. The Australian Government has deferred plans for AI-specific legislation, leaving existing frameworks to address the legal, regulatory and accountability questions AI creates. Public confidence also remains fragile: 65% of Australians believe AI will create more problems than it solves. Against this backdrop, novel disputes and test cases are inevitable.
Globally, AI-related litigation is accelerating and Australia will be no exception. Copyright owners are suing. Customers and shareholders are demanding greater transparency and accountability. Regulators are circling. The Australian Competition and Consumer Commission (ACCC) has highlighted the need for continued monitoring of emerging technologies like AI. The Office of the Australian Information Commissioner’s (OAIC) enforcement priorities include privacy rights in AI use. The Australian Securities and Investments Commission (ASIC) has signalled enforcement action against “poor use of AI” and issued an urgent call to action to Boards and Executives to prepare for AI-accelerated cyber threats. The Australian Prudential Regulation Authority (APRA) has issued warnings in an open letter to industry. The conversation has even reached the Vatican. One thing is clear: when a dispute arises, “my robot did it” will not be an answer.
Sources: Shoosmiths LLP, Litigation Risk 2026 Report; Oxford Economics, ‘The AI share of enterprise tech budgets is set to rise sharply worldwide’; Australian Trade and Investment Commission, ‘Unlocking potential with Australian AI – Industry Capability Report’; Department of Industry, Science and Resources, National AI Plan; Mandala Partners, Empowering Australia’s Digital Future.
Australia has abandoned dedicated AI legislation – at least for now. Existing “technology-neutral” legal frameworks and regulators will do the heavy lifting.
The regulatory pivot: no new law, but more enforcement
The Australian Government’s National AI Plan, released in December 2025, confirms that it will rely on “Australia’s robust existing legal and regulatory frameworks” rather than introduce new legislation or the mandatory AI guardrails previously proposed. There will be no Australian equivalent of the EU AI Act in the near term. Instead, reliance will be placed on “strong existing, largely technology-neutral legal frameworks, including sector-specific guidance and standards, that can apply to AI and other emerging technologies”. This will be supplemented with AI-specific voluntary guidance. The Government will monitor this position as AI evolves, supported by a new $30 million AI Safety Institute.
Not everyone supports that decision. The Australian Human Rights Commission has consistently advocated for enforceable AI standards. Even Pope Leo XIV’s first encyclical, Magnifica Humanitas (published on 25 May 2026), calls for “robust legal frameworks, independent oversight, informed users and a political system that does not abdicate its responsibility.” However, the Government’s approach reflects a pragmatic reliance on existing enforcement mechanisms, no doubt driven by the difficulty of legislating for a rapidly evolving technology.
The Privacy Act, Australian Consumer Law (ACL), Corporations Act, ASIC Act, Online Safety Act, Copyright Act and workplace legislation will form the backbone of enforcement, alongside the common law and equitable remedies. Malleable existing causes of action are expected to be deployed to address nuanced and novel situations – for example, where a customer is misled by an AI chatbot or a self-driving vehicle causes harm. Each regime has a regulator paying close attention, plaintiff law firms waiting in the wings, and a rising cohort of AI-assisted litigants. AI is already democratising access to litigation for many, with the Fair Work Commission reporting a dramatic surge in claims attributed to AI tools, enabling litigants to file sophisticated-sounding claims at low cost.
These frameworks will be tested and expanded until a coherent body of law emerges, or the Government steps in to legislate.
The litigation landscape: six dispute fronts to watch
"The use of technology may assist comprehension, but it cannot displace judgment. The statutory obligation imposed by s 180(1) remains personal, and it requires informed human judgment."
1. Director and officer duties
In the recent landmark directors’ duties case of ASIC v Bekier [2026] FCA 196, Justice Lee took the opportunity to comment on AI use in preparing and reviewing board papers. While acknowledging AI’s potential to help directors digest high volumes of information, his Honour observed that it cannot replace informed and ethical human judgment and requires proper governance. Use should be controlled and transparent – including through formal policies – rather than lurking in the shadows.
Technology may assist comprehension but cannot displace the personal duty of care under s 180(1). The judgment also affirms that citing “the complexity and volume of information” will not be an acceptable excuse. Boards can and should control the information they receive.
Directors’ and officers’ duties extend beyond personal AI use: they must oversee the company’s AI deployment across business operations. If a company is held liable for AI misuse, that liability can extend to directors and officers, which relevantly could include General Counsel.
As the Chief Justice of New South Wales recently observed, directors and officers face the challenge of maximising AI’s “positive features…whilst avoiding or minimising AI related risks to the extent possible from both a legal and ethical perspective”. It is clear that avoiding AI is “no longer an option” and boards and executives must engage with it proactively, not reactively.
2. AFSL duties: efficient, honest and fair?
For Australian financial services licensees, the stakes are higher still. Existing obligations under s 912A(1) of the Corporations Act apply regardless of whether decisions are made by humans or algorithms. This includes the duty to ensure financial services are provided efficiently, honestly and fairly (s 912A(1)(a)). AI does not create a safe harbour from these obligations; it creates new ways to breach them. An AI tool that produces biased lending decisions, miscalculates payments or generates misleading client communications is not a technology failure but a compliance failure capable of breaching s 912A(1)(a) (among other laws), which can attract significant civil penalties.
Section 912A(1)(a) does not demand “absolute perfection” but it does demand reasonable performance. Crucially, it is forward-looking: licensees must take steps to achieve compliance, not merely react when things go wrong. In the age of AI, that likely means building governance frameworks, supported by appropriate training, before deploying the AI.
In October 2024, ASIC released Report 798 Beware the gap: Governance arrangements in the face of AI innovation, which highlighted governance gaps in how licensees manage AI risks, notwithstanding accelerating adoption, particularly of third-party platforms. ASIC expressed concerns that not all licensees are well positioned to manage the challenges of expanding AI use. ASIC clearly expects licensees to maintain governance frameworks in parallel with AI adoption, without lag.
Relatedly, the Federal Court has already confirmed that inadequate cyber risk management can breach ss 912A(1)(a) and (h) (having adequate risk management systems). In February 2026, the Court ordered the first civil penalties for such a breach, requiring FIIG Securities Limited to pay $2.5 million for failing to protect clients from cyber threats over four years. This compounds the AI risk for licensees.
3. AI washing: greenwashing’s new sibling
AI washing (exaggerating AI capabilities for commercial gain) is the latest form of corporate overstatement to attract regulatory attention. While the label is new, the cause of action is not: regulators are policing these claims through established false, misleading or deceptive conduct laws. The practice mirrors greenwashing, but with a critical distinction. The inherent opacity and fast-evolving nature of AI systems makes claims harder to both substantiate and disprove. This creates conditions favourable to costly and protracted disputes.
In the US, AI washing has already generated 51 AI-related securities class actions filed in the last five years, and the US Securities and Exchange Commission (SEC) has been investigating such claims since late 2023. No such action has been commenced in Australia yet, though both ASIC and the ACCC have signalled concern. Investors are also increasingly sceptical of AI-related claims, particularly where companies cite AI adoption as a driver of workforce reductions, which may actually be masking profitability issues or underlying management failures.
4. Misconduct by AI systems and algorithms
Where autonomous AI systems or algorithms make or inform decisions, there is a real risk of customer harm, giving rise to potential claims and arguments about who is at fault: designers, developers or deployers of AI? As the Tech Council of Australia observed, attribution of liability is complicated by the distribution of responsibilities across the "tech stack" that develops and deploys AI.
Organisations deploying customer-facing AI chatbots which provide inaccurate information face real risks of misrepresentation claims. This type of misconduct operates regardless of intention - which is particularly significant in an AI context, where inaccurate outputs may be generated without any deliberate act by the deploying organisation.
In Moffatt v Air Canada 2024 BCCRT 149, a Canadian Tribunal rejected Air Canada’s “remarkable” argument that its chatbot, which provided incorrect bereavement fare information to a customer, was a separate legal entity. The airline was responsible for all information on its website, whether from a static page or a chatbot, and thus liable for negligent misrepresentation. Australian courts are likely to take a similar approach under misleading or deceptive conduct laws.
The prohibitions on misleading or deceptive conduct have already been applied to algorithmic systems – even before the advent of AI – in cases like ACCC v Trivago NV [2020] FCA 16, where the Federal Court held that Trivago's algorithm, which prioritised results by the higher cost-per-click fees rather than the purported cheapest price for consumers, constituted misleading conduct.
Robodebt is another key example. An algorithm used to determine social security overpayments miscalculated or incorrectly raised welfare debts against welfare recipients, resulting in a class action grounded in negligence and unjust enrichment. The causes of action were conventional. The technology was not. The system was also the subject of a Royal Commission, which described it as “a shameful chapter in the administration of the Commonwealth social security system and a massive failure of public administration”.
AI presents significant challenges for traditional product liability frameworks. In October 2025, Treasury published its final report on the Review of AI and the Australian Consumer Law, concluding that an AI-specific overhaul is not required but some targeted technical amendments are recommended, including clarifying the definition of “goods” to more clearly capture digital products and software-enabled goods.
Tesla vehicles illustrate how AI blurs the distinction between traditional manufacturing defects and software decisions. In Australia, Tesla faces a class action based on phantom braking, battery range concerns and misleading Autopilot claims, rather than only strict product liability claims.
Class actions against Tesla in the US have also tended to focus on misrepresentation claims. Notably, however, in August 2025, a Miami jury returned a USD243 million verdict against Tesla in a fatal Autopilot crash. Although the driver was primarily at fault for driving through an intersection while searching for his phone, the jury attributed 33% responsibility to Tesla for Autopilot system failures. The verdict was upheld in February 2026.
5. Confidentiality and privacy
AI tools give rise to material confidentiality and privacy risks. Data entered into these tools may be stored, analysed or used to train future models. It may also become accessible to third parties. This raises concerns about client confidentiality, compliance with privacy laws and the protection of trade secrets. Where the inputs concern litigation material, issues with the Harman undertaking may also arise.
The Privacy Act regulates certain entities’ (“APP entities”) use of personal information and applies in all AI contexts - whether in training, testing or deployment. In October 2024, the OAIC published separate guidance for developers of GenAI systems and users of commercial AI products. The OAIC recommends, as best practice, that organisations avoid entering personal information (particularly sensitive information) into publicly available GenAI tools given the complex risks involved.
Transparency, disclosure and consent remain central to the OAIC’s guidance. Australians care deeply about these issues. Research shows that 83% believe companies should obtain consent before using personal data to train AI models. This sentiment is likely to drive AI-related privacy claims and complaints about alleged misuse of personal information, which is an OAIC enforcement priority.
Recent Privacy Act reforms add to this pressure, including the new statutory tort for serious invasions of privacy, opening a new front for individual claims.
The rise of agentic AI amplifies these risks. Agentic AI operates autonomously to take certain actions to achieve defined objectives. Risks arise when an agent acquires broader access rights than necessary. The Australian Cyber Security Centre and its global counterparts have published guidance recommending that organisations adopt agentic AI with security in mind. Organisations should avoid granting broad or unrestricted access (especially to sensitive data or critical systems) and confine its use to low-risk or non-sensitive tasks.
AI use amplifies cyber risk and, consequently, the risk of privacy breaches. AI systems that process large volumes of personal data are high-value targets for attackers and attract heightened regulatory scrutiny and class action exposure. At the same time, AI is enabling cyberattacks that are faster, more scalable and more sophisticated.
In 2025, Australian Clinical Labs became the first entity to face civil penalties under the Privacy Act, fined $5.8 million for failing to protect personal information and notify the OAIC following a 2022 ransomware attack. A class action has since followed, underscoring the risk of collateral litigation following regulatory scrutiny and data breaches.
Recent statistics underscore the scale of this threat:
- For the period January to June 2025, the OAIC observed that malicious or criminal attacks remained the leading source of data breaches, accounting for 59% of notified incidents.
- According to IBM’s 2024 data, the average cost of a data breach for Australian businesses reached $4.26 million.
- In 2025, phishing attacks increased by 1,265%, attributed to the growth of generative AI tools. The number of reported AI-enabled cyber attacks increased 47% globally.
In May 2026, ASIC issued an open letter to industry calling for “urgent cyber uplift as AI accelerates cyber threats”. APRA has similarly warned that many regulated entities’ information security practices are failing to keep pace with evolving threats.
6. AI in the Courtroom
Courts and practitioners are already embracing some of AI’s benefits in disputes, such as technology-assisted review in discovery, while confronting its risks, such as hallucinated cases and evidentiary deepfakes.
Most Australian courts and tribunals have issued guidance on AI use, though without uniformity. The NSW Supreme Court has prohibited GenAI in preparing the content of affidavits, witness statements and other evidentiary material intended to reflect a person’s own evidence. Other courts, including the Federal Court, permit such use with appropriate caution and disclosure.
Discovery battles over production of AI materials are an emerging frontier. AI use materially increases both the potential volume and complexity of discovery and other document productions. The exposure runs in both directions: poor governance means key evidence may not exist when needed, while over-retention or careless use creates records with unforeseen risks. Disputes will also arise over possession, custody or control of AI-related materials, with production requests for inputs, outputs and audit logs becoming fertile battlegrounds. Businesses should have a clear understanding of what AI records are being created, how they are maintained and how they are retrievable.
Privilege waiver is a topical issue. AI tools that lack adequate confidentiality safeguards give rise to privilege waiver risk. This makes the distinction between open and closed systems important. An open AI system that externally stores, collates and replicates user inputs is fundamentally inconsistent with the element of confidentiality required for legal professional privilege. A UK tribunal recently found that uploading confidential documents to an “open-source” AI tool such as ChatGPT is effectively equivalent to publishing them online.
In United States v Heppner, a US federal court found that AI-generated documents were not protected by privilege, holding that there was no legal agency (Claude is not a lawyer); the material was not directed by the lawyer and, importantly, there was no reasonable expectation of confidentiality given Claude’s operating terms. For Australian practitioners, the lesson is clear: privilege still turns on confidentiality and dominant purpose. Discourse with a public AI chatbot satisfies neither. We will explore privilege waiver risks in detail in our next article.
Looking ahead
AI disputes are no longer a matter of ‘if’ but ‘when’ and ‘how’. As AI adoption accelerates and regulators sharpen their focus, the strategic priority for boards and in-house counsel is clear: put governance in place before disputes arise.
Given the inevitable gap between rapid technological advancement and regulatory responses, organisations should proactively take all reasonable steps to implement sound AI governance practices.
The Government’s Guidance for AI Adoption (2025), published by the National AI Centre, offers a practical, principles-based framework for responsible AI use. It sets out six essential practices (known as “AI6”) in two guides, depending on an organisation’s complexity and maturity: “Foundations” provides practical governance for low-risk and early AI use, while “Implementation Guidance” is designed to strengthen governance for complex high-risk AI use.
The AI6 principles are:
- Decide who is accountable.
- Understand impacts and plan accordingly.
- Measure and manage risks.
- Share essential information.
- Test and monitor.
- Maintain human control.
Our next instalments will examine legal professional privilege and AI use, and directors’ and officers’ duties and board considerations, with further topics to come. If there is a particular topic you would like us to cover in future articles, please let us know.