Managing AI as a WHS Risk: A Practitioner's Guide

Deploy AI at work and you create a hazard you have to manage. Mental-health claims are up 161% in a decade. A WHS practitioner's guide to governing AI risk.

12 min read
  • AI
  • WHS
  • AI Governance
  • Psychosocial Hazards
  • Workplace Safety
A team of professionals reviewing data charts and reports around a table, human oversight of AI risk at work

When you put AI into a workplace, you have introduced a new hazard. That sounds dramatic, but it is just the WHS framework applied honestly. The moment an algorithm allocates work, sets a pace, watches a worker or makes a call about them, it can affect their health and safety, and a PCBU has a duty to manage that risk like any other. The duty of care didn't change. The hazard did. This guide is about treating AI as a risk to be governed, not just a tool to be adopted.

I lead Zero Harm performance and programs across a workforce of around 50,000, and I also build AI tools grounded in WHS legislation. So I see both sides: the genuine value of these systems, and the quiet ways they create risk when no one is managing them. The reassuring part, which I'll keep coming back to, is that you already own the framework for this. You don't need a new methodology. You need to point your existing one at the AI you've deployed.

What does it mean to treat AI as a WHS risk?

It means running AI through the same risk process you use for any hazard: identify, assess, control, review. In early 2026 New South Wales made this explicit. The Work Health and Safety Amendment (Digital Work Systems) Act 2026, an Australian first, defines a "digital work system" as "an algorithm, artificial intelligence, automation or online platform" and requires a PCBU to ensure, so far as is reasonably practicable, that work allocated by such a system does not put health and safety at risk (Parliament of NSW, Act No 5 of 2026).

The Act passed on 12 February 2026 and was assented on 18 February, with the substantive duties commencing on proclamation once SafeWork NSW publishes guidelines. It names the risks a PCBU must weigh almost exactly as a safety professional would: excessive or unreasonable workloads, excessive or unreasonable performance metrics, excessive or unreasonable monitoring or surveillance, and unlawful discriminatory decision-making. That is a psychosocial risk assessment written into statute. For the detail of that law, I covered it in the NSW AI work health and safety law explainer.

You don't need to be in NSW for this to apply. The model WHS Act's primary duty already covers any risk arising from how work is carried out, and a digital system that shapes work is squarely inside it.

Is AI really a workplace hazard, or just a productivity tool?

The evidence says it is both, and the safety profession has been slow to say so. In 2025, 48% of EU workers reported that digital technologies set the speed or pace of their work, 30% said those systems left them working in isolation, and 28% reported a heavier workload (EU-OSHA, OSH Pulse 2025, surveying around 28,000 workers). Pace, isolation and workload are not abstractions. They are named psychosocial hazards.

How EU workers say workplace digital systems affect them (2025)
Digital systems set the pace of my work48%They leave me working in isolation30%They increased my workload28%
How EU workers say workplace digital systems affect them (2025)
CategoryValue (%)
Digital systems set the pace of my work48%
They leave me working in isolation30%
They increased my workload28%
Source: EU-OSHA, OSH Pulse 2025

The pattern holds when you look at who manages the work. EU-OSHA found 30% of workers are subject to systems that automatically assign their tasks, shifts or working time, and 25% to systems that monitor their work or behaviour. Where those allocation tools are used, 31% of workers report stress, depression or anxiety, rising to 34% where monitoring tools are used (EU-OSHA, OSH Pulse, 2022). And the harm scales with intensity. A 2025 editorial in the Scandinavian Journal of Work, Environment and Health put numbers on it. Each one-unit rise in algorithmic-management intensity was associated with a 21% increase in psychosocial risks and a 16.5% increase in health issues (Bowdler et al., 2025). These are associations, not proof of cause, but the dose-response shape is exactly what you'd expect of a real hazard.

Surveillance is the clearest case, because it touches physical safety too. A 2024 US survey found that among workers monitored constantly, 46% agreed they had to work faster than is healthy or safe, against 15% of unmonitored workers, and 9% reported a workplace injury in the past year, against 4% (Washington Center for Equitable Growth, 2024). Monitoring that pushes people to work unsafely is not a privacy problem. It is a safety one.

How does AI map onto the psychosocial hazards you already manage?

Almost one to one, which is why your existing framework does most of the work. Safe Work Australia's model Code of Practice names 14 psychosocial hazards, including high and low job demands, low job control, poor support, low role clarity, poor organisational justice and inadequate reward (Safe Work Australia, 2022). Each one has an AI failure mode sitting underneath it. SafeWork NSW already lists excessive surveillance and machine-paced work as drivers of low job control, and the Commonwealth's 2024 adaptation of the code adds intrusive surveillance as a named hazard in its own right.

So the mapping is not a stretch. It is a checklist you mostly already have.

AI feature you deployPsychosocial hazard it can feedA control that helps
Algorithmic work allocation and pacingHigh job demands, low job controlLet workers alter the pace or pause the task
Automated performance metrics and targetsInadequate reward, poor organisational justiceKeep a person in the appeal loop; explain the metric
Opaque automated decisions on pay or shiftsLow role clarity, poor organisational justiceGive the reason and a genuine right to review
Continuous monitoring and surveillanceLow job control, intrusive surveillanceMake it proportionate, and consult before you deploy

That "let workers alter the pace or pause the task" line isn't mine. It is SafeWork NSW's own recommended control for machine-paced work (SafeWork NSW, Low job control). The regulator is already telling you how to control an algorithmic hazard. The point is that managing AI risk doesn't ask you to learn a new discipline. It asks you to run the discipline you have, on a hazard you may not have logged yet.

Why judgement has to stay human

Because the duty can't be delegated, and because the evidence shows human skill erodes when it is. The strongest recent example comes from medicine. In a 2025 study, 19 experienced endoscopists saw their own unassisted detection rate fall from 28.4% to 22.4% after routine exposure to AI assistance, a roughly 20% relative decline in their own skill (The Lancet Gastroenterology and Hepatology, 2025). The authors call it observational and hypothesis-generating, not settled cause. But the warning is plain: lean on the machine and the human capability you were relying on as a backstop quietly fades.

That is why accountability has to stay with a person. Under section 27 of the model WHS Act, an officer must exercise due diligence, which includes keeping up to date on the hazards and risks of the operation and verifying the business has resources and processes to manage them (Safe Work Australia, officer duty interpretive guideline). You cannot delegate due diligence to an algorithm, any more than you could delegate it to a contractor and walk away.

This is the same line I keep drawing across this work, and it is the spine of the practitioner's field guide: AI belongs around the safety decision, not on it.

The governance gap: everyone sees the risk, few control it

Most organisations recognise AI risk and then fail to act on it, which is precisely the gap a risk process is built to close. Stanford's AI Index recorded 233 reported AI incidents in 2024, a record high and a 56.4% jump on the year before (Stanford HAI, 2025). Adoption climbed to 78% of organisations over the same period. The same report found organisations acknowledge responsible-AI risks faster than they move to mitigate them, with awareness consistently running ahead of action.

The Australian picture is sharper still. An EY survey of just over 1,000 Australian workers found 68% use AI at work and 72% worry about breaching data or regulatory rules, yet only 35% had received any formal AI training from their employer (EY Australia, 2025). Deploying a tool to most of your workforce while training barely a third of them is, in WHS terms, an uncontrolled rollout.

AI at work in Australia: adoption is ahead of support (2025)
Use AI at work68%Worried about breaching data or rules72%Lack confidence using AI54%Have had any formal AI training35%
AI at work in Australia: adoption is ahead of support (2025)
CategoryValue (%)
Use AI at work68%
Worried about breaching data or rules72%
Lack confidence using AI54%
Have had any formal AI training35%
Source: EY Australia

The maturity data says the same thing from the top down. Deloitte found only 21% of organisations have a mature model for governing autonomous AI agents, and McKinsey's 2026 work put average responsible-AI maturity at just 2.3 out of 4 (Deloitte, 2026; McKinsey, 2026). Workers feel the gap and want it closed: in the KPMG and University of Melbourne global study, 70% said AI regulation is necessary while only 43% believed current laws are adequate (University of Melbourne and KPMG, 2025). Recognising a risk and not controlling it is the exact failure mode the hierarchy of controls exists to prevent.

How do you actually govern AI as a WHS risk?

Run your normal risk-management cycle, with consultation built in. Here is the order I'd follow, and none of it is novel to a safety professional.

  1. Identify. Inventory where AI, automated decisions or monitoring touch a worker: rostering, allocation, performance scoring, productivity tracking, screening. You cannot manage a hazard you have not mapped.
  2. Assess. Run each use against the psychosocial hazards in the table above, and consult the workers who are actually affected. Consultation is a legal duty, not a courtesy, and it surfaces the work-as-done harms a vendor demo never shows.
  3. Control. Apply the hierarchy of controls. Can you eliminate the riskiest feature, or substitute a less intrusive one? Engineering-style controls keep a human in the loop, let workers alter pace, and make decisions explainable. Administrative controls cover policy, training and transparency. A sign on the wall is the weakest control here, just as it is everywhere else.
  4. Govern and review. Wrap the lot in a management system. ISO/IEC 42001, the first AI management system standard, requires an AI impact assessment that explicitly considers physical, psychological and discriminatory harm, which sits naturally alongside your ISO 45001 system (ISO/IEC 42001:2023). Then review it, because the model and the work both change.

If you want the same rigour applied to the analytics side of this, I wrote about using AI for safety analytics and leading indicators, and for grounding a model in the actual law rather than its memory, how I encoded the WHS Act into an AI skill.

Where are the rules heading?

Towards making this governance mandatory, fast. NSW has moved first, and Safe Work Australia is reviewing whether the national model laws should follow: its Best Practice Review drew 1,055 responses and flagged digital work and AI as emerging risks, with a final report due to WHS ministers in August 2026 (Safe Work Australia, 2025). For now the national position is that principles-based laws already adapt, which is why a low-control AI rollout is already a duty-of-care problem, not a future one.

The direction is the same offshore. The EU AI Act classifies AI used to manage workers as high-risk, with obligations like human oversight and conformity assessment phasing in through 2026 and 2027. Australian regulators are circling worker surveillance specifically: a 2025 Victorian parliamentary inquiry found employers monitoring staff without their knowledge, some using tools that infer mood and attention, and recommended dedicated controls (ADM+S, 2025). Even the market is being pushed to govern: Gartner predicts that by 2027, 40% of enterprises will demote or decommission autonomous AI agents because of governance gaps found only after something went wrong in production (Gartner, 2026).

Reactive governance is the expensive kind. Finding the failure after the incident is the opposite of how safety is supposed to work.

Govern the hazard you already know how to manage

AI is a genuinely useful set of tools, and it is also a hazard that creates real, measurable, mostly psychosocial risk. Those two things are true at once, and holding both is the whole job. The good news for any safety professional is that you are not starting from zero. The duty of care, the psychosocial hazard framework, the hierarchy of controls, the consultation duty and officer due diligence already give you everything you need. Point them at the AI you've deployed, keep the judgement and the accountability human, and you are doing the work the new laws are about to require anyway.

If this framing is useful, the field guide sets out where AI helps and harms safety work, the NSW law explainer covers the statute in detail, and AI for incident investigation applies the same human-in-the-loop test to ICAM. If you're working out how to govern AI in your own organisation, reach out. I'm always happy to compare notes.

Frequently asked questions

Is AI a work health and safety risk?
It can be. When AI allocates work, sets the pace, monitors workers or makes decisions about them, it can create psychosocial hazards like high job demands, low job control and surveillance stress. EU-OSHA found 31% of workers under automated task-allocation tools report stress, depression or anxiety, rising to 34% under monitoring tools.
Does WHS law require me to manage AI as a risk?
Yes, in principle everywhere and explicitly in NSW. The model WHS Act's primary duty already covers any hazard a system creates. The NSW Work Health and Safety Amendment (Digital Work Systems) Act 2026, an Australian first, names algorithms, AI and automation directly and requires a PCBU to ensure work allocated by them does not put health and safety at risk.
What psychosocial hazards does AI create at work?
Mainly low job control, high job demands, poor organisational justice, low role clarity and surveillance stress. SafeWork NSW lists excessive surveillance and machine-paced work as drivers of low job control. In 2025, 48% of EU workers said digital systems set the pace of their work (EU-OSHA, OSH Pulse 2025).
Who is accountable for AI risk in a workplace?
The PCBU holds the primary duty, and it cannot be transferred to a vendor or a tool. Under section 27 of the model WHS Act, officers must also exercise personal due diligence, which includes keeping up to date on AI-related risks and verifying the business has resources and processes to manage them. An algorithm cannot hold that duty.
How do I start governing AI as a WHS risk?
Use the risk process you already run. Inventory where AI touches workers, assess it against the psychosocial hazards, consult the workers affected, then apply the hierarchy of controls. A standard like ISO/IEC 42001 and your existing ISO 45001 system give you the governance scaffolding. Only 21% of organisations have mature AI governance (Deloitte, 2026), so starting now is an advantage.
All articlesSay hi

More from the blog

The Claude Fable wordmark and orange starburst logo on a cream background, with the tagline: next generation of intelligence for the hardest knowledge work and coding problems
Inspiration

Claude Fable 5 for Safety Work: What Changes, What Doesn't

15 min read
A safety professional reviewing live operational data on a tablet on an industrial site
Inspiration

AI in Workplace Safety: A Practitioner's Field Guide (WHS & OHS)

5 min read