AI Washing in Australia: The Compliance Risk Hiding in Your Marketing
- Apr 23
Updated: Apr 24

Every week, another Australian business adds "AI-powered" to its website. Some of those claims are genuine. A lot of them aren't.
Overstating how artificial intelligence works in your product or organisation is called AI washing, and it is quietly becoming one of the more pressing risks on the GRC agenda in Australia right now. Regulators are paying attention, scrutiny is increasing, and the gap between what organisations say about their AI and what it actually does is widening.
What Is AI Washing?
AI washing is the practice of exaggerating or misrepresenting how AI is used in a product, service, or business. It doesn't have to be deliberate. Often it's just a marketing team describing something more impressively than the technology actually warrants.
Some common examples:
- Calling a basic rules engine "machine learning"
- Claiming a product is "AI-driven" when human review does most of the heavy lifting
- Using terms like "deep learning" or "neural networks" to describe simple automation
- Making forward-looking AI capability claims without any real basis for them
The most famous international example is Amazon's "Just Walk Out" checkout technology. Amazon marketed it as using computer vision and deep learning, but it was later reported to rely on over 1,000 workers in India manually reviewing around 70% of transactions. The product existed. The AI framing was significantly overstated.
Why It's on the Regulatory Radar in Australia
Australian regulators have made clear that AI washing is not a grey area. ASIC Chair Joe Longo has publicly described it as a "serious emerging issue" and put Australian companies and their directors on notice. Australia does not yet have a confirmed, clean AI washing enforcement case, but the regulatory intent is unambiguous and the first test case is widely expected to be a matter of when, not if.
The international precedents are already stacking up. In the United States, regulators have taken action against companies that claimed AI-driven capabilities backed by offshore manual labour, and shareholders have brought class actions against firms for overstating AI in investor communications. Australian regulators and plaintiff firms are watching those cases closely.
The pattern mirrors how greenwashing enforcement evolved. Guidance came first. Scrutiny followed. Then came enforcement action. AI washing appears to be following the same trajectory, and organisations that wait for specific AI legislation before taking it seriously may find themselves behind the curve.
The Gap Nobody Is Managing
Here's the uncomfortable truth: AI washing usually doesn't happen because someone is deliberately misrepresenting their technology. It happens because the people describing the technology don't fully understand what it actually does.
Engineering teams tend to be precise about capabilities and limitations. Marketing, sales, and investor relations teams are focused on communicating value. The gap between those two functions is exactly where governance risk lives, and in most organisations, nobody owns that gap.
A recent global study found that 44% of senior Australian business decision makers reported only a moderate understanding of the frameworks governing AI. That's not a technology problem. That's a governance problem, and it sits squarely in the scope of any GRC function.
What Good AI Governance Looks Like Here
GRC teams don't need to be AI experts to reduce AI washing risk. They need to ask the right questions and put the right controls in place.
Understand what you're actually deploying. Before any AI-related claim goes external, someone in the organisation should be able to explain what the technology does, what its limitations are, and how much human involvement is required to make it work.
Review external AI claims as part of your risk process. Marketing copy, pitch decks, investor communications, and product descriptions that reference AI should be reviewed against what the technology actually delivers. This is a governance control, not just a communications exercise.
Don't let capability claims get ahead of reality. Describing what your AI will do in the future, without a sound basis for that claim, creates risk. Forward-looking AI statements deserve the same scrutiny as any other forward-looking claim.
Document your AI inventory. Organisations that know what AI they are using, how it works, and where it is deployed are better placed to make accurate claims, and better placed to respond if those claims are ever questioned.
A Deadline to Know: December 2026
From December 2026, Australian businesses that use automated decision-making will be required to disclose in their privacy policies how AI is used to make decisions that significantly affect individuals. That obligation requires organisations to understand and accurately describe their AI in plain language.
For GRC teams, this is both a compliance deadline and a useful internal forcing function. If your organisation can't clearly describe how its AI works for a privacy disclosure, it probably can't accurately describe it in marketing either.
The Bottom Line
AI washing is not primarily a legal problem for GRC teams to hand off to counsel. It is a governance problem that sits at the intersection of risk, compliance, and how an organisation represents itself to customers, regulators, and investors.
The organisations that get ahead of this are the ones building internal processes now, before regulatory scrutiny intensifies, to make sure what they say about AI matches what their AI actually does.
That's always been good governance. It just now applies to a new and very noisy buzzword.
