There are no demonstrated methods to bypass the runtime security mitigations in Mac OS X Lion/ML. For example, Safari on a Mac running Lion wasn't compromised at the most recent pwn2own. So, malware that installs via remote exploitation is not an issue.
Mac OS X Lion/ML include Gatekeeper. Set Gatekeeper to only allow apps from the Mac App Store. This will prevent malicious apps inadvertently installed from the web by users from executing. Make sure to verify that an app is safe prior to manually bypassing the Gatekeeper restrictions.
Java has been exploited via logical errors allowing the Java sandbox to be bypassed when malicious Java applets are run from the browser. Mac OS X Lion/ML don't include Java by default and the most recent Apple provided Java no longer includes browser plugins. So, malware that installs via Java isn't an issue unless the user installs Java from Oracle. Disable Java in the browser via the Safari preferences if Java from Oracle is installed.
This basically covers all vectors in which malware is installed.
If an antivirus solution is required, install ClamXav from the Mac App Store and run weekly scans. Also, make sure to manually scan any documents sent to Windows users that have been received from potentially untrustworthy sources. Manually scanning documents is performed by secondary clicking the item to be scanned and selecting "Scan with ClamXav" from the drop down menu.