AIRA Methodology

How the Health Check works

The obligation library

The engine behind this assessment is a curated library of duties drawn from Australian and EU law that bear on organisational AI use: the Privacy Act 1988 and its 2024 amendments, APRA prudential standards CPS 230 and CPS 234, the EU AI Act, the Australian Consumer Law, Commonwealth anti-discrimination legislation, state workplace surveillance laws, the Spam Act, the Security of Critical Infrastructure Act, directors' duties under the Corporations Act, and the current government guidance landscape including the National AI Centre's Guidance for AI Adoption and ISO/IEC 42001.

Each entry records the instrument, the specific provision, the responsible regulator, any commencement or transition date, and a concrete remediation action. Entries are maintained against primary sources using the same verification standard as the AIRiskAware library: claims are checked word-by-word against legislation, regulator publications and official guidance, and corrected when the law moves. When the December 2025 National AI Plan set aside the proposed mandatory guardrails, this library was updated to match.

How your answers are mapped

The questionnaire establishes facts about your organisation: sector, regulatory perimeter, how AI is actually used, what data it touches, and which governance controls exist today. Each obligation in the library carries trigger conditions over those facts. An obligation appears in your report only when your answers satisfy its triggers. The mapping is deterministic: the same answers always produce the same report, and nothing in the report is generated or improvised.

Scoring

The governance maturity score is a weighted measure across eight control areas: policy, AI inventory, training, vendor assessment, incident readiness, board reporting, human oversight, and privacy transparency. Weights reflect how heavily each control features in regulator guidance. The exposure rating combines the number of critical obligations triggered with your maturity score: many critical duties plus low maturity rates Critical; few duties or strong controls rate lower. The 90-day plan sequences remediation with governance foundations first, then critical obligations, then material and advisory ones.
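The mapping and scoring described above, as an added illustration that is not the Health Check's own code: a constructed library of three entries with trigger predicates over questionnaire facts, a weighted maturity score across the eight control areas, an exposure rating, and the 90-day ordering. The provisions, trigger conditions, weights and rating thresholds are all assumptions for the example, not the real library's values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
@dataclass(frozen=True)
class Obligation:
    instrument: str
    provision: str                     # placeholder here, not a real section number
    regulator: str
    severity: str                      # "critical", "material" or "advisory"
    remediation: str
    trigger: Callable[[Dict[str, object]], bool]   # predicate over questionnaire facts
# Constructed library: instruments are named on the page; triggers and provisions are assumed.
LIBRARY: List[Obligation] = [
    Obligation("Privacy Act 1988", "<provision placeholder>", "OAIC", "critical",
               "Cover AI processing in privacy notices", lambda f: f.get("handles_personal_info") is True),
    Obligation("CPS 234", "<provision placeholder>", "APRA", "critical",
               "Assess information security of AI vendors",
               lambda f: f.get("apra_regulated") is True and f.get("uses_vendor_ai") is True),
    Obligation("Spam Act", "<provision placeholder>", "ACMA", "material",
               "Gate AI-generated marketing behind consent checks", lambda f: f.get("ai_marketing") is True),
]
# The page's eight control areas; these weights are constructed and sum to 1.0.
WEIGHTS = {"policy": 0.15, "inventory": 0.15, "training": 0.10, "vendor_assessment": 0.15,
           "incident_readiness": 0.15, "board_reporting": 0.10, "human_oversight": 0.10,
           "privacy_transparency": 0.10}
SEVERITY_ORDER = {"critical": 0, "material": 1, "advisory": 2}

def triggered(facts: Dict[str, object]) -> List[Obligation]:
    """Deterministic mapping: the same facts always yield the same obligations, in library order."""
    return [o for o in LIBRARY if o.trigger(facts)]

def maturity_score(controls: Dict[str, bool]) -> float:
    """Weighted share (0..100) of control areas the organisation has in place."""
    return round(100 * sum(w for area, w in WEIGHTS.items() if controls.get(area)), 1)

def exposure_rating(obligations: List[Obligation], score: float) -> str:
    """Combine the critical-obligation count with maturity; these thresholds are assumed."""
    critical = sum(o.severity == "critical" for o in obligations)
    if critical >= 2 and score < 50:
        return "Critical"
    if critical >= 1 and score < 70:
        return "High"
    return "Moderate" if critical or score < 70 else "Low"

def ninety_day_plan(obligations: List[Obligation], controls: Dict[str, bool]) -> List[str]:
    """Governance foundations first, then obligations by severity (stable sort keeps library order)."""
    foundations = [f"Establish control: {area}" for area in WEIGHTS if not controls.get(area)]
    ranked = sorted(obligations, key=lambda o: SEVERITY_ORDER[o.severity])
    return foundations + [f"{o.instrument}: {o.remediation}" for o in ranked]
```

Because every step is a pure function of the answers, two runs with identical facts and controls produce byte-identical reports, which is the property the page describes as deterministic mapping.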

Standards alignment

The control areas assessed align with the National AI Centre's six essential practices (AI6), the structure of ISO/IEC 42001 AI management systems, and the NIST AI Risk Management Framework's govern-map-measure-manage cycle. Completing this assessment is a sensible first step toward any of those frameworks, not a substitute for them.

Limitations

This is a self-assessment: it sees what you tell it. It cannot verify your systems, read your contracts, or weigh facts you haven't provided, and it covers common obligations rather than every duty that could apply to your circumstances. The output is general information to structure a conversation with your board and your advisers. It is not legal advice, and acting on it without qualified counsel is acting on your own judgement.