DefenceXinso Research Note

The “Black Box” is Getting a Law

Five takeaways from Australia’s bold move to regulate AI — viewed through a research lens focused on governance, accountability, democracy, and the rule of law.

AI Safety
Law
Cyber Risk
Democracy
Governance
AI Regulation Cybersecurity Responsible AI AI Governance High-Risk AI Australia Democracy

Introduction: The Ghost in the Machine

From the moment we wake up and check our phones or glance at our wearable devices, we are influenced by Artificial Intelligence. Yet this technology now permeates our institutions and infrastructure in ways that are increasingly autonomous and often go entirely undetected. The “ghost in the machine” has become a permanent resident.

The core problem is one of timing: Australia’s current legal frameworks were built for a 20th-century world of static software and human decision-makers. They were never designed for 21st-century autonomous, self-learning algorithms that can evolve after they leave the developer’s hands. From my research perspective, this is where AI governance becomes more than a technical question: it becomes a question of institutional readiness.

Recognising that our laws are being aggressively outpaced, the Department of Industry, Science and Resources has signalled a major shift: Australia is moving from “voluntary” ethical suggestions to mandatory “guardrails” for high-risk AI.

Takeaway 1: Moving Beyond the “Pinky Swear”

The Australian Government is transitioning from the “Voluntary AI Safety Standard” to a proposed set of mandatory guardrails. For years, the tech industry has operated under a “pinky swear” model of voluntary ethics. However, the government’s consultation process has made one thing clear: voluntary compliance is no longer sufficient to build the public trust necessary for AI adoption.

As a policy matter, the government is embracing the Precautionary Principle. This principle, often used in climate change and pharmaceutical regulation, suggests that when a technology carries the potential for catastrophic or system-wide risks, we cannot afford to wait for harm to occur.

Australia is shifting toward ex ante preventative measures rather than relying on ex post after-the-fact litigation. For research in AI compliance and cyber policy, this matters because the legal burden is moving upstream: governance has to be designed before harm appears, not explained afterward.

“Voluntary compliance is no longer enough in high-risk settings. Effective regulation and enforcement are needed to create the right settings for AI innovation and adoption.”

Takeaway 2: It’s Not Just the Tech, It’s the Setting

Australia is adopting a risk-based approach, meaning a chatbot used for recipe suggestions is treated differently from a resume-scanning algorithm. High-risk designation is determined by context — the setting in which the AI is deployed.

A primary example is AI in employment. An automated CV scanner used for hiring is considered high-risk because it can inadvertently perpetuate social biases or discriminate against candidates, directly impacting a person’s livelihood.

Crucially, the Australian proposal differentiates itself by emphasising the risk of adverse impacts on the collective rights of cultural groups and First Nations people, communities, and Country. This is especially important for my research lens because it shows that AI risk cannot be reduced to individual privacy alone; collective rights, Indigenous Data Sovereignty, and cultural protocols also have to be part of the governance model.

Potential High-Risk AI Domains

BiometricsIdentification, behaviour assessment, and emotional monitoring.
Critical InfrastructureWater, gas, electricity, and traffic-flow management.
EducationAdmissions, training outcomes, and learning evaluation.
EmploymentRecruitment, promotion, and termination decisions.
Essential ServicesHealthcare, banking, insurance, and social security.
Justice & Law EnforcementProfiling, recidivism risk, evidence evaluation, and court support.

Takeaway 3: General-Purpose AI and Systemic Risk

Powerful, multi-use models known as General-Purpose AI, or GPAI, are under intense scrutiny. Unlike narrow AI designed for a single task, GPAI models are versatile and can be adapted for a variety of purposes, many of which are unforeseeable at the time of development.

Because these models have agentic potential — the ability to pursue multi-step goals with little human oversight — they pose what the government calls systemic risk. These are risks that can be propagated at scale across the entire supply chain.

For this reason, the government proposes to capture these advanced models as high-risk by default. This is a major research signal: the law is beginning to treat model capability, supply-chain reach, and downstream misuse as connected governance problems.

Why GPAI Changes the Risk Model

A narrow AI system is easier to assess because its purpose is limited. A general-purpose model can be reused, integrated, extended, automated, and connected to tools in ways the original developer may not fully predict.

General-Purpose AI means an AI model capable of being used or adapted for a variety of purposes, either directly or through integration into other systems.

Takeaway 4: The “Black Box” vs. The Rule of Law

Regulating AI is uniquely difficult due to opacity and high realism.

Opacity, often called the “black box” problem, refers to the fact that advanced AI decision-making is often not traceable. From a policy perspective, this is a direct barrier to administrative law. If a decision-making process is opaque, a citizen cannot exercise their right to a procedural review.

Traceability is the bedrock of the rule of law. Without it, there is no accountability when an AI system makes a life-altering error.

Furthermore, AI has reached a level of high realism where it can emulate human behaviour so closely that it effectively passes the Turing Test in daily interactions. This ability to create hyper-realistic synthetic outputs — whether text, audio, or video — fundamentally complicates our perception of truth and makes it difficult for users to know whether they are interacting with a human or a machine.

Takeaway 5: Protecting the Soul of Democracy

The government is deeply concerned with how AI can be used to manipulate democratic processes. International examples highlight the urgency.

Democracy Risk Examples

  • Slovakia: Deepfake audio of a political leader discussing election interference circulated just days before a vote.
  • India: AI-generated “resurrections” of deceased politicians were used for endorsements.
  • Pakistan: An imprisoned leader used an AI-generated video to claim election victory.

To counter this, the government identifies seven dimensions of AI’s impact on democracy:

  1. Connectedness vs. Polarisation: The potential for AI to drive social division.
  2. Transparency vs. Opacity: Lack of clarity in how data and algorithms influence democratic decisions.
  3. Decentralisation vs. Consolidated Control: The risk of power being concentrated among a small number of players.
  4. Democratising voices vs. Narrowing voices: The risk of AI excluding or silencing perspectives.
  5. Truth and deliberation vs. Deception: The increasing prevalence of deceptive synthetic content.
  6. Public good vs. Private gain: AI serving corporate interests over the broader public interest.
  7. Information engagement vs. Information transmission: Prioritising rapid information supply over actual deliberation and discussion of ideas.

Conclusion: Toward an Australian AI Act?

The government is currently weighing three regulatory paths:

  • Option 1: A domain-specific approach, updating existing individual laws.
  • Option 2: A framework approach, introducing light-touch overarching legislation.
  • Option 3: A whole-of-economy approach, creating a brand-new Australian AI Act.

From a research perspective, the important question is not whether AI regulation slows innovation. The sharper question is whether public institutions can build enough trust, traceability, and accountability for AI systems to be used in settings where rights, services, and democratic processes are at stake.

As Australia moves toward a more formal AI governance framework, the defining question remains: can we embrace the speed of the 21st century without losing the legal protections that define our democracy?

AI is moving fast. Research needs to stay close to the law.

These notes follow the policy, governance, and cybersecurity questions emerging around high-risk AI systems.

Reading List