
Australia’s AI Plan Is Voluntary, Whilst Dovetail Software’s Customers Are Not

Australia spent most of 2025 debating what to do about AI. 

In September, the government outlined ten mandatory guardrails covering accountability, risk management, data governance, human oversight, and supply chain visibility. Three months later, it scrapped them. The National AI Plan, released in December 2025, dropped all proposed mandatory requirements in favour of voluntary frameworks and existing legislation.

No new AI-specific laws. No enforceable standards. A voluntary safety framework, some updated guidance, and a commitment to monitor things as they develop.

For most startups, that headline reads like a reprieve. For Dovetail Software, selling into regulated enterprise markets on the other side of the world, it changes nothing at all.

Signed, Sealed, Undelivered

The enterprise buying process has its own regulatory layer, and it does not wait for government to act.

A global consultancy handling client data across dozens of jurisdictions, or a financial institution operating under its own compliance regime, does not evaluate software vendors on what the law currently requires. They evaluate on what the vendor can prove. Independent certifications, documented data handling policies, third-party audited controls. The due diligence questionnaire arrives before any commercial conversation gets serious, and the absence of a completed answer is the end of that conversation.

Benjamin Humphrey, CEO and co-founder of Dovetail Software, states, “You can’t really do business in the enterprise without it.”

The “it” in that sentence is certification. For Dovetail Software, that has meant building toward ISO 42001, the international standard for AI management systems, alongside a broader compliance stack assembled well before Australia made any of it formally necessary. The customers pushing for that investment were not asking because regulators required them to ask. They were asking because their own procurement obligations required them to ask.

No Law, No Problem (For Now)

ISO 42001, published in December 2023, is the first certifiable international standard for AI management systems. It covers accountability, risk management, data governance, and transparency across an organisation’s AI activities. It is not an Australian requirement. In many respects, it is more demanding than what Australia has proposed.

According to procurement data, ISO 42001 certification or a credible implementation roadmap is now appearing in roughly 40% of enterprise AI vendor RFPs in the EU and around 25% in North America. Fortune 500 buyers have been adding certified or committed clauses to vendor questionnaires since 2025. The standard is becoming a procurement gate in markets where regulation either already exists or is visibly coming.

Australia’s voluntary framework places it at the permissive end of the international regulatory spectrum. The practical effect, for vendors selling into global enterprise markets, is that the compliance bar is set by those customers’ jurisdictions, not Australia’s. A Sydney-founded SaaS company selling to a regulated financial institution in New York or a multinational professional services firm in London has to meet that firm’s requirements regardless of what Canberra has decided.

The government’s December 2025 plan opted for existing legal frameworks over new ones. Australian Competition and Consumer Commission Senior Investigator Rosie Evans had anticipated the problem earlier that year, writing for the IAPP that without an enforceable regime specifically for AI, Australia may struggle to achieve the regulatory cohesion it was aspiring to. The voluntary approach creates different outcomes for different companies: larger ones absorb compliance costs as a cost of doing business internationally; smaller ones discover the requirements when it is too late to meet them.

Compliance Finds You Eventually

Most startups building with AI are not thinking about ISO 42001 in their first two years. They are thinking about product, distribution, and keeping things moving. Compliance gets treated as something to address when it becomes unavoidable, which usually means the moment a meaningful enterprise deal requires it.

Building compliance infrastructure after a procurement process has already started is like filling in a fire escape after someone asks to see it. The certification exists to demonstrate a sustained, auditable commitment to responsible AI governance, not a box ticked under commercial pressure.

Enterprise buyers can tell the difference.

Dovetail Software built that infrastructure because its customers told it to, not because it was required to. The clients working through Dovetail’s platform handle sensitive data at scale: large professional services firms, regulated financial institutions, enterprise technology organisations with their own security and compliance obligations. Each of those relationships came with requirements the Australian government had not yet thought to impose. So the compliance work happened anyway.

That is the more useful argument for why voluntary frameworks fall short. The companies that need compliance infrastructure most are the ones least likely to build it unprompted. The ones that build it anyway do so because they have found their way into markets where the question has already been asked. Many startups never get that far.

Export Anywhere, Audit Everywhere

There is a version of Australia’s voluntary approach that works. If a company builds primarily for domestic customers in sectors without their own compliance regimes, the regulatory gap may never surface in a material way. The National AI Plan’s ambition to position Australia as an AI-enabled economy also relies on that.

The version that does not work as well is the export model: a company that builds in Sydney and sells to enterprise customers in North America and Europe, where regulators and procurement teams have already moved ahead. Twenty percent of Fortune 500 companies use software built on Dovetail Software’s platform. Every one of those relationships involves a customer operating in a jurisdiction where AI governance expectations are substantially higher than what Australia currently requires.

The compliance investment Dovetail Software made was not made speculatively. It was made because that is what the enterprise market asked for. A company hoping to replicate that path without making the same investment will find the procurement process asks the question regardless of what domestic law has chosen not to require.

Voluntary frameworks hand that decision to the founder. Founders working through early-stage hiring, product development, and capital raising will not make it until the first major enterprise deal is already on the table. The work should already be done before that conversation starts.
