Rolling Out AI at Work? Under NSW Law, That's Now a Psychosocial Risk Event

The Legal Landscape Has Shifted - Permanently

On 12 February 2026, the NSW Parliament passed the Work Health and Safety Amendment (Digital Work Systems) Act 2026 (NSW) - the first law in any Australian jurisdiction to explicitly name artificial intelligence, algorithms, automation and online platforms as potential sources of workplace harm. The Act amends the Work Health and Safety Act 2011 (NSW) to make one thing unambiguous: if your organisation deploys a digital work system and workers are harmed, the PCBU (Person Conducting a Business or Undertaking) is responsible.

For WHS and HR leaders, this is not an incremental refinement. It is a reclassification. An AI rollout - previously understood as a technology project - is now, as a matter of statute, a psychosocial risk event requiring the same disciplined identification, assessment, control and review cycle that applies to any other workplace hazard.

The primary duty provisions and the new Digital Work System Duty under section 21A will commence on a date to be proclaimed. But that is not a reason to wait. The underlying obligations under section 19 of the WHS Act - the primary duty of care - have always applied. The 2026 amendments remove any remaining doubt. SafeWork NSW inspectors now have explicit legislative text to point to when they arrive.

What the Act Actually Requires

The Act introduces two distinct obligations that sit on top of (and reinforce) the existing psychosocial risk framework.

The Primary Duty Extension

Section 19 of the WHS Act has always required PCBUs to ensure worker health and safety so far as is reasonably practicable. The 2026 Act makes it express that this duty includes ensuring the health and safety of workers is not put at risk from the use of a digital work system. This covers any algorithm, artificial intelligence, automation or online platform deployed in the workplace - including systems supplied by third-party vendors. If the system creates or amplifies risk, the PCBU cannot delegate that responsibility to the software provider.

The Digital Work System Duty (Section 21A)

The new section 21A introduces a specific further duty: a PCBU must ensure, so far as is reasonably practicable, that worker health and safety is not put at risk from the allocation of work by a digital work system. This targets the specific mechanism - algorithmic task distribution, automated rostering, AI-driven performance metric setting - that research consistently identifies as a primary psychosocial stressor.

Expanded Right of Entry

WHS entry permit holders - including union officials - now have the right to require reasonable assistance to access and inspect digital work systems where a WHS breach is suspected. At least 48 hours notice is required, but no more than 14 days. These entry powers will not commence until SafeWork NSW publishes its guidelines (currently in development and subject to public consultation). When they do commence, your AI systems become auditable safety infrastructure - not proprietary IT.

Penalties

Failure to provide a WHS entry permit holder with reasonable assistance to access and inspect a digital work system carries a penalty of 121 penalty units ($13,310) for an individual and 607 penalty units ($66,770) for a body corporate. These are access penalties only. Underlying WHS breaches carry substantially higher exposure: up to $11.8 million for companies and $2.37 million plus imprisonment for individuals under the principal Act.

The Psychosocial Hazard Taxonomy of an AI Rollout

Understanding the Act requires understanding which psychosocial hazards an AI implementation characteristically triggers. The Managing Psychosocial Hazards at Work Code of Practice - mandatory in NSW from 1 July 2026 - identifies hazards that must be proactively identified and controlled. An AI rollout typically activates several simultaneously.

1. Job Demands and Cognitive Overload

Algorithmic scheduling, AI-generated workload allocation and automated task queuing can impose sustained high cognitive demand without the natural pacing signals that human managers provide. Where an AI system assigns work faster than workers can process it, or generates performance targets derived from optimised averages rather than individual capacity, the result is a classic job demands hazard. The risk is amplified during transition periods, when workers must manage both legacy processes and new AI-mediated workflows simultaneously.

2. Job Displacement Anxiety and Role Ambiguity

The psychological literature on AI-induced occupational threat identifies a layered sequence of disruption: acute shock at announcement, followed by identity erosion as the worker's sense of professional value is destabilised, compounded by perceptions of organisational betrayal where the implementation process is experienced as opaque or managed without genuine consultation. A 2026 Mercer survey of 12,000 workers and business leaders found 40% of employees now fear losing their job to AI - and BCG research confirms that anxiety intensifies significantly as AI deployment moves from conceptual to operational. Workers at organisations in active AI-driven redesign are materially more worried about job security than those at earlier-stage companies. Fear itself becomes a hazard; it drives disengagement, increases presenteeism and erodes team cohesion regardless of whether actual displacement occurs.

3. Low Job Control and Reduced Autonomy

When work is allocated, sequenced, paced and evaluated by an algorithm, workers' capacity to exercise discretion over how they do their jobs diminishes. The psychosocial research is consistent: low job control is one of the most robustly established antecedents of psychological harm at work. AI systems that replace managerial judgment with automated decision-making can strip away the informal autonomy that workers rely on to modulate their cognitive and emotional load across a shift.

4. Surveillance Stress and Erosion of Trust

Performance monitoring AI - productivity tracking software, keystroke analytics, location monitoring in field roles - generates a sustained sense of being observed. The ILO's April 2026 analysis of AI in the psychosocial work environment identifies intrusive surveillance as one of the clearest mechanisms through which AI generates occupational risk, and notes it is not yet well captured by most existing OSH frameworks. In Australia, it now is. The Code of Practice explicitly addresses low job control and lack of recognition; surveillance systems that quantify output without contextualising effort fall squarely within these hazard categories.

5. Opaque Decision-Making and Procedural Injustice

When an AI system influences performance ratings, promotion decisions, shift allocations or redundancy selections, workers who cannot understand or challenge those decisions experience a form of procedural injustice. The absence of explainability is not merely an AI ethics concern - it is a psychosocial hazard. Perceived unfairness in how decisions are made is a well-established driver of psychological distress at work. The new NSW Act specifically identifies discriminatory decision-making by biased AI systems as a risk PCBUs must manage.

6. Inadequate Support and Skill Obsolescence Fear

Workers who lack the training and ongoing support to work effectively alongside AI systems experience a compounding hazard: inadequate job resources combined with a creeping fear that their existing skills are becoming irrelevant. The absence of clear pathways to upskilling, or the perception that training is performative rather than substantive, reinforces the identity threat component of AI-induced distress.

The Enforcement Signal: UTS and What It Means for AI Change Processes

If there is a case study that crystallises what the new regime means in practice, it is the University of Technology Sydney.

In September 2025, SafeWork NSW issued a prohibition notice halting UTS's planned academic restructure - a process involving the potential redundancy of 150 academic and 250 operational staff. The notice was issued after an investigation triggered by an anonymous complaint. SafeWork's inspector concluded that workers "are and will be exposed to a serious and imminent risk of psychological harm" based on the way the change process was being conducted: meetings with approximately 800 affected staff had been called with one day's notice, change proposal language was assessed as "finalistic," and the consultation on psychosocial risks had not been completed before the proposal was to be released.

The UTS case is not primarily about AI. But it establishes the regulatory standard against which every change process - including an AI implementation - will now be measured. Several elements of the prohibition notice are directly instructive:

• Consultation must precede release of change proposals, not run concurrently with them. UTS's position that it could not consult meaningfully until the proposal was formally released was explicitly rejected by the regulator.
• Evidence of psychosocial risk assessment is required before the change proceeds. Intention to consult is not compliance. A risk assessment must be conducted, its findings documented, and controls identified before workers are exposed to the change event.
• The process costs of getting this wrong are severe. Analysis of the UTS situation estimated monthly costs of $3-4 million from the notice: frozen payroll savings, ongoing consultant and legal expenditure, and deferred restructure benefits. For an AI rollout, the cost of a stop-work order mid-implementation would be comparable.

Employment lawyers watching the UTS outcome have been direct: the case "is a warning to employers" and will be used as leverage by workers and unions in a range of scenarios extending well beyond formal redundancy processes - including, explicitly, the introduction of new technology.

What "Reasonably Practicable" Looks Like for an AI Rollout

The WHS Act does not require organisations to abandon AI implementation. It requires them to manage the risks arising from it so far as is reasonably practicable. In the context of a digital work system deployment, the following represents the minimum evidential floor that a competent risk management process should produce.

Before Implementation: Hazard Identification and Risk Assessment

Conduct a specific psychosocial risk assessment for the AI implementation before workers are exposed to it. This assessment should identify which hazards are activated by this specific deployment (not AI generically), in which roles and teams, and at what intensity. Document the methodology, the data sources and the controls proposed in response to each identified hazard. This is not a desktop exercise - the Code of Practice requires consultation with workers and their health and safety representatives as a component of the identification process, not a follow-up step.

During Consultation: Genuine, Not Performative

The UTS prohibition notice makes clear that consultation must be substantive, must occur before material decisions are finalised, and must actually influence the implementation design. Workers must have adequate time and information to participate meaningfully. Their concerns must be assessed and addressed - or, where controls are not implemented, the reasons documented. A survey distributed after the go-live date is not consultation. A town hall with one day's notice is not consultation. A recorded, evidenced process of identifying concerns, assessing them and adjusting controls accordingly is.

At Implementation: Control Measures Matched to Hazards

The hierarchy of controls applies to psychosocial hazards. Elimination is rarely practicable for an AI system that has been adopted for legitimate operational reasons. Substitution might involve choosing a less algorithmically opaque system, or one with lower monitoring intensity. Engineering controls include configuring the system to avoid unreasonable performance benchmarks, building in human override points for consequential decisions, and capping automated task allocation at levels consistent with sustainable workload. Administrative controls include clear role clarity communications, training that builds genuine competence rather than checkbox compliance, and escalation pathways for workers who experience distress. Reliance on training and policy alone - as the most downstream control measure - will not satisfy a SafeWork inspector who is assessing whether the organisation applied the hierarchy.

Ongoing: Review and the Evidentiary Record

The risk management cycle is not completed at go-live. Psychological injury claims arising from AI implementations are likely to emerge weeks or months after deployment, when sustained exposure to new hazards produces measurable harm. The evidentiary record of risk assessment, consultation, control implementation and monitoring must exist before that claim arrives - not be reconstructed in response to it. An RFC 3161 timestamp on each document in the risk file establishes the chronology of your compliance effort in a form that cannot be retrospectively fabricated.

The Broader Compliance Architecture

The NSW Digital Work Systems Act does not operate in isolation. It layers onto a compliance architecture that has been substantially reinforced across 2025 and 2026.

From 1 April 2023, the model WHS Regulations introduced specific obligations on PCBUs to manage psychosocial risks - regulations 55A to 55D - placing psychosocial risk management on the same statutory footing as physical hazard control. Every Australian jurisdiction has now adopted equivalent provisions.

From 1 July 2025, SafeWork NSW became an independent statutory regulator with a dedicated SafeWork Commissioner, a newly formed SafeWork Advisory Council, and increased enforcement funding. The Psychological Health and Safety Strategy 2024-2026 directs SafeWork inspectors to conduct psychological WHS checks at workplaces with 200 or more employees. SafeWork has already executed over 500 compliance notices in the current enforcement cycle.

From 1 July 2026, NSW Codes of Practice - including the Managing Psychosocial Hazards at Work Code - become mandatory compliance benchmarks rather than evidentiary guidance. A deviation from the Code will require affirmative justification that equivalent or superior control has been achieved by another means. The Code's treatment of work design, algorithmic management, and the hierarchy of controls will be the standard against which AI implementations are assessed.

From 1 March 2026, unions acquired the power to initiate civil penalty proceedings for WHS breaches in NSW. This expands the field of parties who can trigger enforcement action, specifically in contexts involving psychosocial hazards or inadequate risk controls - including AI implementations contested by employee representatives.

Safe Work Australia has been tasked with examining whether the national model WHS laws should be updated to address digital work systems. If the national framework adopts provisions substantially similar to the NSW Act, the NSW-specific amendments will be reviewed for consistency. The direction of travel - AI as an explicit psychosocial risk category - is national.

The Evidentiary Gap Most Organisations Will Discover Too Late

The psychosocial risk obligations that apply to an AI rollout are not, in principle, different from those that apply to any other significant workplace change. The problem is that most organisations treat AI implementation as a technology project governed by IT change management protocols - not as a WHS change event requiring a parallel risk management process.

When a claim is filed, or a SafeWork inspector arrives, or a union exercises its right of entry to inspect the digital work system, the question will not be whether the organisation had good intentions. It will be: what did you document, when did you document it, and does the evidence demonstrate a genuine, reasonably practicable effort to identify, assess and control the psychosocial risks this system created?

The gap between "we ran training sessions and sent a communication" and "we have a timestamped risk assessment, documented consultation outcomes, a control register with assigned owners and a review cadence" is the gap between a reasonable WHS response and a prosecution or prohibition notice.

AI is not coming to your workplace. For most organisations, it is already there. The compliance obligation is not prospective. It is present-tense. The question is whether the evidentiary record of how you managed the psychosocial risks of that deployment exists - or needs to be built, quickly, before the next SafeWork inspection cycle begins.

---

PsychProof is purpose-built to create the evidentiary record that the new NSW framework demands. Every risk assessment is RFC 3161 timestamped and SHA-256 hashed at the moment of completion - producing a forensic record of your compliance posture that is verifiable and cannot be backdated. If you are implementing AI and need to demonstrate that you managed the psychosocial risks, the Change Risk Assessment is the place to start.