Make AI Data Centres Pay Their Own Way

Australia is about to make a very large infrastructure bet in the name of AI. The debate is usually framed as for-or-against: either data centres are the price of economic modernity, or they are an environmental burden that should be resisted.

That framing misses the better question.

The first question is not whether AI data centres should exist. It is whether they pay their own way. If a hyperscale facility draws on shared electricity and water infrastructure, who pays for the network augmentation, firming capacity, system-security reserves, and water it consumes? The richest companies in the world should not be able to route those costs onto households and small businesses through a regulatory gap.

The second question is not whether AI companies make “safety commitments.” They do. The question is who checks them. A safety commitment that is self-attested by the vendor is not a safety commitment in any meaningful public-interest sense. It is a claim.

The third question is what this infrastructure is for. Increasingly, the answer is not just chatbots. It is embodied AI: systems that see, plan, and act in the physical world. A data-centre buildout that serves physical-action AI creates safety problems that content moderation and voluntary principles do not reach.

Those are the three tests I think the Senate’s AI and data-centres inquiry should apply: who pays, who checks, and what happens when the system acts.

Price the infrastructure honestly

The most durable regulatory lever is cost-internalisation. Data centres should pay the full attributable cost of the electricity and water infrastructure they require. That means connection costs, shared-network augmentation, firming, system-security costs, and water use. It also means public reporting of each facility’s electricity draw, water consumption, and source of firming power.

This is a fairness argument before it is a climate argument. If a new AI load requires a network upgrade, a reserve margin, or scarce drinking water, the public should be able to see the cost and the developer should pay it.

The scale is no longer marginal. AEMO has begun modelling data centres as a distinct electricity-demand category. In the National Electricity Market, Australian data-centre demand is estimated at roughly 4 TWh per year today, about 2% of NEM supply, rising to about 12 TWh by 2029-30 under the Step Change scenario. In New South Wales, data centres are projected to grow from about 4% to about 11% of state electricity demand by 2030, according to United States Studies Centre analysis of AEMO data. The Climate Council’s June 2026 report makes the same underlying point: this is a large new load arriving quickly.

Water is even less transparently measured. In Greater Sydney, data centres already use about 3.5 billion litres of drinking water a year. Sydney Water has advised IPART that this could rise to up to 250 megalitres per day by 2035, according to ABC reporting on the Sydney Water figures. A single large facility can apply for 5 to 40 ML/day. At the top of that range, one data centre would consume up to twenty times more than the largest existing single drinking-water customer, according to the Water Services Association of Australia.

Nationally, the data is poor. The ABS does not currently break data centres out cleanly as a water-use category, which is why Australian researchers can still say, correctly, that we do not know the true national water figure. That is a governance failure in itself. You cannot price what you do not measure.

The electricity system has the same measurement problem in another form. Australia’s framework is designed to make connecting loads pay their direct connection costs and a fair share of shared distribution network costs. The Australian Energy Regulator said as much in its April 2026 Victorian network decisions. But connection charges do not necessarily capture the whole cost imposed by a large, fast-moving AI load.

AEMO warns that large data-centre loads can oscillate by 40% within seconds, creating system-security demands that are not simply “the cost of a wire.” The Climate Council estimates unmatched data-centre growth could push wholesale electricity prices more than 20% higher across the main grid by 2035. Wholesale costs make up roughly a third of a household electricity bill. If the price effect is real and sustained, the cost does not stay inside the data-centre fence.

There is also a grid-bypass risk. A data centre can be built in 18 to 24 months. Transmission and grid-connection enabling works can take five to ten years. That mismatch creates an obvious incentive: build private, co-located fossil generation and skip the queue.

The proposed Moss Vale data campus in the NSW Southern Highlands is the live test case. Its plan includes 673 MW of behind-the-meter gas generation, which would make it one of the largest gas plants ever proposed in Australia. The proposal is still early in assessment, so the point is not to treat it as established practice. The point is to prevent the pattern becoming established before regulators have a rule for it. The same issue is now before the NSW Legislative Council’s data-centre inquiry.

If a developer wants to build behind-the-meter fossil generation to power an AI facility, it should have to pass an exhaustion test: show it first pursued grid connection, flexible load, storage, clean firming, and demand-management options. Private generation should not be a route around network cost-sharing or environmental conditions.

Tasmania shows how quickly this becomes concrete. Firmus’s Project Southgate proposes three AI data centres across northern Tasmania, with combined demand estimated around 400 MW, about one-fifth of the state’s current power use. The Bell Bay site alone is reported around 300 MW. Because that load would draw on existing Tasmanian hydro rather than new generation, it competes with the renewable surplus underpinning the Marinus Link business case, as ABC News reported in June 2026.

That is the cost-shift in miniature. If scarce renewable surplus is assigned to a private AI load, what happens to the public infrastructure plan built around exporting that surplus? If the answer is higher bills, delayed decarbonisation, or stranded public investment, the data centre is not paying its own way.

The policy answer is straightforward:

1. Require large data centres to pay the full attributable cost of electricity-network augmentation, system security, firming, and water.
2. Require public facility-level reporting of electricity draw, water consumption, and firming source.
3. Require an exhaustion test before behind-the-meter fossil generation can be approved for AI load.

None of that blocks AI. It just prevents private compute demand from becoming a public utility bill.

Self-attested safety is not safety

The other half of the inquiry is government agreements with global AI companies: value for taxpayers, intellectual property, data sovereignty, model evaluation, and safety commitments.

That last phrase matters. A safety commitment in a government AI deal should be independently verified, not accepted as a vendor assurance.

At Failure-First, we have evaluated 296 distinct AI models across 143,538 adversarial prompts and 154,958 graded results. The empirical lesson is blunt: safety measurement is easy to over-claim and hard to do well.

Keyword and heuristic safety filters are close to useless as final safety verdicts. In one dual-graded sample, a keyword classifier and language-model judges agreed only at kappa = 0.126, near chance. Against a single stronger LLM judge, agreement was lower again, kappa = 0.097. The errors run both ways: the heuristic marks benign refusals as attack success, and it misses real compliance in multi-turn contexts.

Even a single automated LLM judge is not enough. In one frontier-model readiness sweep, an in-pipeline LLM grader flagged 8 of 8 cases as safety breaks. Human trace-by-trace adjudication overturned all 8. They were refusals or surface-level reframings, not real failures.

That is not an argument against automated evaluation. It is an argument against treating vendor-run automated evaluation as a public safety assurance. The party making the commitment is the wrong party to grade it.

Australia’s current settings still lean heavily on voluntary and supplier-administered assurance. The Commonwealth’s Voluntary AI Safety Standard names the right activity: testing, adversarial testing, and red-teaming. But it is voluntary and does not require independent third-party testing. The Digital Transformation Agency’s AI Model Clauses place quality-assurance and risk-management obligations on suppliers, but do not require independent adversarial evaluation before government buys or deploys a frontier model. The Australian AI Safety Institute, established in late 2025, can test and advise, but it is not a regulator and is not a procurement gate.

Meanwhile, the deals are already moving. Public announcements include Microsoft investment and AI collaboration MOUs, Amazon Web Services investment and a Defence sovereign-cloud arrangement, an OpenAI-NEXTDC data-centre campus, and a Commonwealth research MOU with Anthropic. Some of these are infrastructure announcements. Some are non-binding statements of intent. The common feature is that large public dependencies are being formed while safety assurance remains mostly voluntary, supplier-administered, or non-binding.

The policy answer is also straightforward:

1. Any government agreement with a global AI company that contains a safety, security, or responsible-AI commitment should require independent adversarial verification.
2. Procurement of frontier AI for government use should require red-team evidence as a condition of award.
3. The methodology and redacted results should be available to the relevant oversight body.

That is not anti-vendor. It is normal public assurance. We do not let bridge builders certify their own bridges by press release. We should not let frontier AI vendors certify their own safety commitments by model card.

The embodied frontier is different

Most AI safety policy still thinks in text. Harmful content, online safety, misinformation, synthetic media, privacy, bias in automated decisions. Those are real problems. They are not the whole frontier.

Vision-language-action systems take a language instruction and a camera feed, then emit physical actions. They drive, grasp, navigate, actuate. When those systems fail, the failure is not a sentence. It is a movement in the world.

That distinction breaks a lot of existing policy instincts. A content filter can catch a harmful answer after generation. It cannot un-drive a vehicle, un-swing a robot arm, or un-administer a tool. For embodied systems, safety has to live at the action layer.

The technical literature is clear about the gap. Li et al.’s 2026 survey, “Vision-Language-Action Safety: Threats, Challenges, Evaluations, and Mechanisms”, puts it plainly: unlike harmful text generation, unsafe VLA actions directly affect the physical world with potentially irreversible outcomes. The paper also notes that traditional safety certification assumes deterministic, verifiable behaviour, while VLA systems are stochastic, opaque, and sensitive to distribution shift.

That means the metric changes. A text-model jailbreak measures whether the model violates a refusal policy. A physical-action model is built to act. The relevant question is whether an adversarial instruction causes an unsafe physical action relative to a safe-action baseline.

This is where Australia’s current AI safety settings are thin. Online-harm instruments do not reach an actuator. Voluntary general-purpose AI guidance does not provide action-level certification. Procurement clauses do not create runtime physical-safety requirements for VLA systems.

The missing requirement is architectural: embodied AI systems need runtime action-level safety layers that can veto unsafe actuation regardless of what the model proposes. In my own work, I describe this as a kinematic safety shield or cognitive cage: deterministic checks around neural-network outputs, enforced before the actuator fires. The model can propose. The architecture disposes.

The policy implication is simple. Australia’s AI safety settings should explicitly cover embodied and VLA systems, and should evaluate them at the action layer rather than the content layer.

Build sovereign evaluation capability

All of this requires capability Australia does not yet have at the scale it needs: independent adversarial evaluation of frontier AI, including embodied systems, tied to decisions that matter.

The Australian AI Safety Institute is a start. Membership in the international network of AI safety institutes is a start. But testing that binds nothing is advisory capacity, not assurance infrastructure.

The gap is not just technical. It is institutional. Someone must be able to test imported frontier models without depending on the vendor’s own benchmark. Someone must be able to verify the safety commitments in a Commonwealth AI MOU. Someone must be able to examine embodied systems before they are deployed into Australian workplaces, roads, hospitals, warehouses, and public spaces.

That function should be sovereign, standing, and adversarial by design. It should not replace the AI Safety Institute; it should give the institute’s work somewhere to land. Red-team evidence should bind the deal, the procurement, or the deployment.

This is the same principle as the data-centre argument. Do not socialise private risk. If a company wants public infrastructure, public procurement, or public trust, it should pay the real infrastructure cost and submit its safety claims to independent testing.

AI infrastructure is not just a pile of servers. It is an energy decision, a water decision, a procurement decision, a safety decision, and eventually a physical-world autonomy decision. Treating it as ordinary industrial load misses the point. Treating it as inevitable misses the public-interest question.

Make the buildout pay its own way. Make the safety claims independently verifiable. Make embodied AI safety about actions, not statements.

That is the minimum standard for an AI infrastructure policy that takes both innovation and public risk seriously.

This post adapts Failure-First Embodied AI’s June 2026 submission to the Senate Environment and Communications References Committee inquiry into artificial intelligence and data centres. Sources cited in the submission include AEMO’s 2026 ISP inputs and assumptions, Oxford Economics Australia’s data-centre energy demand analysis, the Climate Council’s June 2026 data-centre report, United States Studies Centre analysis of AEMO data, Sydney Water/IPART material reported by ABC News, the Water Services Association of Australia’s December 2025 report on data centres and water, AEMO’s 2025 Transition Plan for System Security, the Australian Energy Regulator’s April 2026 Victorian network decisions, Li et al.’s 2026 VLA safety survey, and Commonwealth AI policy materials.