AI Adoption in Telecommunications
The Australian telecommunications sector is at the forefront of AI adoption, driven by the scale and complexity of network operations, the volume of customer interactions, and the intense competitive pressure among carriers. Telstra, Optus, TPG Telecom (Vodafone, iiNet, TPG), and a growing number of MVNOs and infrastructure providers are deploying AI across virtually every business function.
AI applications in telecommunications span network optimisation and management, using AI to dynamically allocate resources, optimise routing, and manage spectrum across mobile, fixed-line, and satellite networks; predictive network maintenance, where AI analyses equipment telemetry to predict failures before they cause service outages; customer churn prediction and retention, using machine learning to identify at-risk customers and personalise retention offers; customer service automation, with AI-powered chatbots, virtual assistants, and intelligent call routing handling millions of customer interactions annually; fraud detection, identifying SIM swap fraud, subscription fraud, and international revenue share fraud in real time; network security and threat detection, using AI to identify DDoS attacks, network intrusions, and anomalous traffic patterns; and 5G network slicing and orchestration, where AI manages dynamic network slice allocation for different service tiers and use cases.
The commercial case for AI in telco is compelling. Telstra alone handles over 20 million customer contacts annually — AI-powered automation of even a fraction of these interactions delivers massive cost savings. Optus, following its devastating 2022 data breach that exposed the personal information of 9.8 million customers, has invested heavily in AI-powered security and monitoring capabilities. TPG Telecom is using AI to optimise its converged fixed-mobile network following the Vodafone-TPG merger.
However, telecommunications companies occupy a unique position in the Australian regulatory landscape. As critical infrastructure operators under the SOCI Act, carriers of communications that may be subject to lawful interception obligations, custodians of extraordinarily sensitive metadata and communications data, and entities subject to the Telecommunications Sector Security Reforms (TSSR), telcos face AI governance obligations that go well beyond standard enterprise requirements. The 2022 Optus breach — and the subsequent regulatory and legislative response including significantly increased privacy penalties — underscored that telecommunications data security is a matter of national importance.
Key AI Security Risks in Telecommunications
Telecommunications companies face AI security risks driven by the exceptional sensitivity of their data, critical infrastructure status, and the scale of their operations.
Communications Metadata and AI Privacy Risks: Telecommunications metadata — who called whom, when, for how long, from which location, which websites were visited, which applications were used — is among the most sensitive data in the Australian economy. Under the mandatory data retention provisions of the Telecommunications (Interception and Access) Act 1979, telcos must retain specified metadata for two years. AI systems that process, analyse, or learn from this metadata create significant privacy risks. Call detail records reveal social networks and associations. Location data tracks physical movements. Browsing metadata exposes interests, beliefs, and vulnerabilities. AI analysis of this data at scale can produce detailed profiles of individuals' lives that go far beyond any individual data point. The Privacy Act and telecommunications-specific privacy provisions impose strict obligations on how this data can be used, and AI processing that goes beyond authorised purposes risks regulatory enforcement.
Network Security AI and Adversarial Risks: AI systems used for network security — intrusion detection, DDoS mitigation, anomaly detection — are themselves high-value targets for adversaries. If an attacker can manipulate the AI-powered threat detection system (through adversarial inputs, data poisoning, or model evasion), they can operate undetected on the network. This is particularly concerning given that telecommunications networks carry communications for government agencies, critical infrastructure operators, and defence organisations. Adversarial attacks on telco security AI could enable broader attacks on national security.
TSSR Compliance Risks from AI: The Telecommunications Sector Security Reforms require carriers and carriage service providers to do their best to protect networks and facilities from unauthorised interference and unauthorised access, and to notify the government of planned changes that could have a material adverse effect on security. AI deployments that alter network management, monitoring, or access control may trigger TSSR notification obligations. AI systems developed by or incorporating components from high-risk vendors (per government determinations) create additional TSSR compliance risks.
Shadow AI Across Distributed Workforces: Telecommunications companies operate large, geographically distributed workforces — retail store staff, field technicians, network operations centre staff, call centre agents, and corporate employees. Each group has different data access and different AI adoption patterns. Call centre agents may use AI to summarise customer interactions (exposing customer data). Field technicians may use AI to troubleshoot network equipment (exposing network configuration data). Retail staff may use AI to process customer information for sales and activations. The distributed nature of telco operations makes centralised Shadow AI control exceptionally challenging.
Customer Data at Scale: Australian telcos collectively hold personal information on virtually the entire adult population. Customer databases contain identity verification documents (passport, driver's licence, Medicare numbers), contact details and addresses, financial information (billing, credit checks), usage data (calls, data, browsing), location data, and complaint and vulnerability information (including family violence flags). AI systems processing this data at any point in the customer lifecycle — acquisition, service delivery, billing, retention, or complaints — must meet Privacy Act requirements including the enhanced protections triggered by the 2022 penalty increases.
5G and Network Slicing AI Risks: AI-driven 5G network slicing introduces new security challenges. AI systems managing network slice allocation, resource orchestration, and service level enforcement must ensure isolation between network slices (preventing cross-slice data leakage), secure AI-driven admission control decisions, protection against AI manipulation that could degrade service for critical users, and compliance with TSSR requirements for network architecture changes.
Telecommunications Regulatory Framework for AI
The telecommunications regulatory framework in Australia creates specific obligations for AI governance that go beyond general privacy and security requirements.
Telecommunications Act 1997: The Telecommunications Act establishes the broad regulatory framework for the sector. Part 13 (telecommunications data, privacy and protection) imposes specific obligations on carriers and carriage service providers regarding customer information. AI systems must comply with restrictions on use and disclosure of telecommunications data, obligations to protect the confidentiality of communications, and requirements to provide information to emergency services and law enforcement in authorised circumstances. AI that processes telecommunications data for purposes beyond those authorised under the Act creates compliance risk.
Telecommunications (Interception and Access) Act 1979 (TIA Act): The TIA Act governs lawful interception and access to stored communications and metadata. AI systems must not interfere with lawful interception capabilities — this means AI encryption, data processing, or network management must not prevent or frustrate authorised interception. AI systems that process retained metadata must comply with the data retention obligations (Section 187AA) and access restrictions (Section 178). Any AI processing that effectively constitutes access to or disclosure of communications content without authorisation violates the TIA Act.
Telecommunications Sector Security Reforms (TSSR): The TSSR, implemented through amendments to the Telecommunications Act, require carriers to notify the government of planned changes to networks, facilities, or services that could have a material adverse effect on security capability. AI deployments that materially change network security posture, management processes, or data handling may trigger notification obligations. Carriers must also do their best to protect networks from security threats — AI systems must support, not undermine, this obligation. The government retains powers to issue directions restricting or prohibiting actions that pose security risks, which could extend to AI deployments.
SOCI Act Obligations: As critical infrastructure, telecommunications networks and systems are subject to SOCI Act requirements, including: the Critical Infrastructure Risk Management Program (CIRMP), in which AI systems must be included in risk identification and mitigation; enhanced cybersecurity obligations, under which AI security must meet the enhanced requirements for critical infrastructure; government assistance and intervention powers, under which the government can direct actions regarding AI systems that pose risks to critical infrastructure; and mandatory cyber incident reporting, under which AI-related security incidents must be reported within prescribed timeframes.
Privacy Act and Telco-Specific Privacy: Beyond the general Privacy Act obligations, telecommunications providers are subject to industry-specific privacy requirements. The Telecommunications Consumer Protections Code (TCP Code) mandates specific privacy practices for telco retail operations. The recent Privacy Act penalty increases (up to $50 million or 30% of adjusted turnover) apply to telcos — the Optus breach demonstrated that these penalties are not theoretical. AI systems processing customer data must comply with both general APPs and telecommunications-specific privacy obligations.
Consumer Data Right (CDR) Extension: The CDR is being extended to the telecommunications sector. When operative, the CDR will give consumers the right to direct their telco to share their data with accredited data recipients. AI systems in telcos must be prepared to support CDR data sharing obligations, ensure CDR data is handled in accordance with privacy safeguards, and maintain data standards required by the CDR framework.
Building an AI Governance Framework for Telecommunications
Telecommunications organisations need AI governance frameworks that address the unique combination of critical infrastructure obligations, telecommunications-specific regulation, and massive data sensitivity.
Telecommunications AI Governance Committee: Establish governance reflecting the breadth of telco AI risk. Include the Chief Information Security Officer and cyber security leadership; the Chief Technology Officer and network operations; the Chief Customer Officer and retail operations; regulatory affairs and government relations; privacy and data protection; legal counsel; and network security and intelligence. This committee must have authority to approve AI systems for network-touching deployments, assess TSSR implications of AI changes, mandate privacy impact assessments, and escalate critical infrastructure AI risks to the board.
AI System Classification for Telecommunications: Implement a classification reflecting telecommunications-specific risk profiles. Zone 1 (Network Critical) includes AI systems directly managing, monitoring, or securing network infrastructure — these require TSSR assessment, SOCI CIRMP inclusion, independent security review, and board-level risk acceptance. Zone 2 (Data Critical) includes AI systems processing customer metadata, communications data, or retained data — these require Privacy Impact Assessment, TIA Act compliance verification, and stringent access controls. Zone 3 (Customer Operations) includes AI systems in customer-facing operations (chatbots, billing, churn prediction) — these require Privacy Act compliance, TCP Code alignment, and customer data protection assessment. Zone 4 (Corporate Operations) includes AI systems for general corporate functions with no network or sensitive customer data exposure — these require standard enterprise security review.
Network AI Security Architecture: AI systems in the network domain require security architecture aligned with telecommunications standards. Implement network segmentation ensuring AI systems in corporate IT cannot directly access network management systems. Deploy AI monitoring and analytics capabilities within network operations centres under existing security controls. Use encrypted, authenticated data feeds from network elements to AI systems — never expose raw network management interfaces. Maintain manual override capability for all AI-assisted network management decisions. Implement AI model integrity monitoring to detect data poisoning or adversarial manipulation of network AI.
TSSR Compliance Process for AI: Establish a formal process for assessing whether AI deployments trigger TSSR notification obligations. Screen all AI changes affecting network management, security, or data handling against TSSR materiality thresholds. Engage with the Department of Home Affairs proactively on significant AI deployments. Document TSSR assessments in the AI governance record. Include TSSR compliance in AI vendor assessment, particularly for vendors with foreign ownership or development teams.
Customer Data AI Governance: Implement specific governance for AI processing of customer data reflecting telco sensitivity. Require Privacy Impact Assessments for all AI systems processing customer personal information. Implement purpose limitation controls ensuring AI processes customer data only for authorised purposes under the Privacy Act and Telecommunications Act. Deploy data minimisation — AI systems should receive only the minimum customer data necessary for their function. Maintain comprehensive audit trails of AI access to customer data for regulatory inspection. Implement enhanced protections for sensitive categories — family violence flags, vulnerability indicators, law enforcement data — ensuring AI systems treat these with appropriate care.
Vendor and Supply Chain AI Governance: Telecommunications companies must assess AI embedded in vendor products and services. Include AI governance requirements in procurement standards and vendor contracts. Assess vendor AI systems against TSSR requirements, particularly for network-touching products. Evaluate data handling practices of AI-powered managed services and outsourced operations. Monitor vendor AI updates and changes for security and compliance implications. Maintain visibility of AI in the telecommunications supply chain, particularly for critical network equipment.
Shadow AI Prevention in Telecommunications
Shadow AI in telecommunications is particularly dangerous due to the sensitivity of telco data and the critical infrastructure context. The large, distributed workforce across retail, field operations, network operations, and corporate functions creates multiple vectors for ungoverned AI adoption.
Common Shadow AI Scenarios in Telecommunications: Typical scenarios include call centre agents pasting customer account information, complaint details, and identity verification data into AI tools to draft responses and summaries; network operations centre staff using AI to interpret alarm data, network performance metrics, and fault diagnostics; field technicians uploading network configuration information, site details, and equipment serial numbers to AI troubleshooting tools; retail store staff using AI to process customer identity documents and account information during sales interactions; marketing teams feeding customer segmentation data, churn indicators, and usage patterns into AI for campaign development; and cyber security analysts inputting threat intelligence, network logs, and incident data into AI for analysis.
The Call Centre Challenge: Telecommunications call centres represent one of the highest-risk environments for Shadow AI. Agents handle hundreds of interactions per day, each involving access to sensitive customer data. The productivity appeal of AI tools for call summarisation, response drafting, and information retrieval is enormous. Many call centre operations are outsourced — adding a layer of complexity to AI governance as outsource providers may have different AI policies and controls. Post-Optus-breach, the regulatory consequences of customer data exposure from call centre AI misuse are severe.
Technical Controls for Telecommunications: Implement DLP rules configured for telecommunications-specific data patterns — mobile numbers, IMSI/IMEI identifiers, account numbers, network element identifiers, IP address ranges. Deploy network-level blocking of unapproved AI services across all operational environments, including call centres and network operations centres. Use endpoint management with AI application controls on all corporate and contractor devices. Monitor for AI API traffic from network management systems and customer platforms. Implement browser isolation in environments processing sensitive customer data. Deploy CASB controls for cloud AI service usage across the enterprise.
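As an added illustration of the DLP rule described above (not code from any carrier or DLP product), the following Python sketch scans text bound for an AI tool for three of the listed patterns and redacts them. It assumes Australian number formats and home-network IMSIs beginning with mobile country code 505; the sample text and the function names are constructed for this example.

```python
import re

AU_MCC = "505"  # assumption: only home-network IMSIs (Australian MCC) are flagged

# Australian mobile numbers: 04XX XXX XXX or +61 4XX XXX XXX, optional space/hyphen.
MOBILE_RE = re.compile(r"(?<!\d)(?:\+61[ -]?4|04)\d{2}[ -]?\d{3}[ -]?\d{3}(?!\d)")
# IMEI and IMSI are both 15 decimal digits; classify_15() tells them apart.
DIGITS15_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum, which the final digit of an IMEI must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_15(number: str):
    """Heuristic: MCC prefix means IMSI, a valid check digit means IMEI."""
    if number.startswith(AU_MCC):
        return "IMSI"
    if luhn_valid(number):
        return "IMEI"
    return None  # e.g. a ticket or order reference; leave untouched


def scan(text: str):
    """Return (findings, redacted_text) for one outbound message."""
    findings = []

    def redact_15(match):
        kind = classify_15(match.group(0))
        if kind is None:
            return match.group(0)
        findings.append((kind, match.group(0)))
        return f"[{kind}]"

    def redact_mobile(match):
        findings.append(("MOBILE", match.group(0)))
        return "[MOBILE]"

    redacted = DIGITS15_RE.sub(redact_15, text)
    redacted = MOBILE_RE.sub(redact_mobile, redacted)
    return findings, redacted


# Constructed sample: a call-centre note about to be pasted into an AI tool.
SAMPLE = ("Customer on 0412 345 678 reports drops; handset IMEI 490154203237518, "
          "SIM IMSI 505010123456789, ticket 123456789012345.")

if __name__ == "__main__":
    hits, safe = scan(SAMPLE)
    print(hits)
    print(safe)
```

Validating the IMEI check digit rather than matching any 15-digit run keeps false positives on ticket and order references low, which matters when the rule runs across call centre traffic at volume.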
Providing Approved Alternatives for Telco Workflows: Deploy approved AI tools designed for telecommunications use cases. Provide call centre AI with customer data protection — summarisation, response drafting, and knowledge retrieval that keeps data within controlled environments. Offer network operations AI integrated with network management systems and existing security controls. Supply approved customer analytics AI with Privacy Act-compliant data handling and purpose limitation. Create approved AI troubleshooting tools for field technicians that don't transmit network configuration data to external services. Deploy approved security analytics AI within the security operations centre with appropriate classification and handling controls.
Training and Cultural Controls: Telecommunications-specific AI training should emphasise the exceptional sensitivity of telco data. Connect AI governance to the Optus breach so that every employee understands the consequences of customer data exposure. Train call centre agents (including outsourced staff) on approved AI tools and prohibited practices, with regular refresher sessions. Educate network operations staff on the national security implications of network data exposure through AI. Include AI governance in field technician safety and security briefings. Conduct regular Shadow AI audits, including spot checks of browser history and application usage on corporate devices.