Australian regulators have substantially increased their rhetoric on how regulated entities and their boards are expected to govern AI-related risk. Recent comments from the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) suggest that AI governance will be a key focus of regulatory supervision and enforcement. The absence of AI-specific legislation does not mean organisations are free from regulatory obligations. Regulators expect regulated entities, their boards and management teams to apply existing governance, risk management and compliance frameworks to AI and to address any gaps that emerge.

  • In March 2026, then-ASIC Chair Joe Longo, speaking at the AICD Australian Governance Summit, emphasised directors’ responsibilities in managing their organisations’ AI-related risks, observing that ASIC's review of AI use by financial services licensees 18 months earlier had revealed a growing governance gap.
  • On 8 May 2026, ASIC issued a media release and an accompanying open letter to licensees and market participants, calling for urgent strengthening of cyber resilience measures as frontier AI models intensify the global cyber risk environment.
  • In April 2026, APRA published a letter to APRA-regulated entities outlining findings from a targeted engagement with large banks, insurers and superannuation trustees in late 2025, which identified material weaknesses in governance, risk management and operational resilience relating to AI adoption.

Further, in late May 2026 at the Harold Ford Memorial Lecture, Chief Justice Bell examined how existing directors’ duties doctrines apply to directors’ use of AI.

The collective message is clear: organisations and their directors cannot treat AI governance as a future compliance issue. Existing frameworks apply in the context of AI and require organisations and their boards to implement appropriate governance to identify, assess and manage AI-related risks.

Quick refresher

Existing Australian regulatory frameworks require regulated entities and their directors to implement processes and procedures to manage AI-related risks, including under:

  • directors' duties under the Corporations Act 2001 (Cth) (Corporations Act) and Workplace Health and Safety laws
  • obligations on APRA-regulated institutions under various APRA Prudential Standards
  • obligations on Australian Financial Services Licence holders under the Corporations Act and Australian Securities and Investments Commission Act 2001 (Cth)
  • the Privacy Act 1988 (Cth)
  • the Security of Critical Infrastructure Act 2018 (Cth)
  • various consumer protection provisions.

What regulators are saying

  • Existing governance obligations apply to AI use today: in its Report REP 798, ASIC reinforced its view that existing regulatory frameworks apply to AI. Financial services licensees must consider their regulatory obligations before deploying AI, and governance foundations must account for risks not only from a business lens, but also from the perspective of potential consumer impact. APRA’s principle-based prudential framework similarly requires regulated entities to have appropriate AI risk management in place, including setting a risk appetite, managing risk exposures and ensuring appropriate oversight and accountability.
  • Boards must actively oversee AI: Mr Longo’s comments highlighted the importance of directors engaging with AI and AI-related risk, stating that "every board needs to have a conversation about AI use and determine their risk appetite and policies rather than turning a blind eye to the issue and hoping it all sorts itself out". The message is not that boards must become technical experts, but that they must be sufficiently informed to exercise effective oversight and challenge management where appropriate.
  • Regulators see a board capability gap: while APRA observed strong board interest in AI’s strategic potential, it found that many boards are still developing the technical literacy required to provide effective challenge and oversight of AI use and AI-related risks. APRA noted an overreliance on vendor presentations without sufficient examination of key AI risks, such as unpredictable model behaviour and its potential impact on critical operations. Boards are expected to maintain sufficient AI literacy to set strategic direction and provide effective oversight, consistent with the entity’s risk appetite and tolerance settings, supported by effective monitoring and reporting. Mr Longo also flagged that board composition has an important role to play. He highlighted that almost 80% of board members of the organisations reviewed had a background in legal, finance and general management, while those with a technology background represented less than 8%. This raises questions about whether boards are sufficiently equipped to oversee increasingly technology-dependent organisations.
  • Directors cannot delegate their responsibilities to AI tools: Mr Longo cited Justice Lee’s observations on the standard of engagement expected of directors, noting that directors cannot substitute reliance upon management advice for their own attention and examination of important matters falling specifically within the board’s responsibilities (see judgement at 370 – 371). Bell CJ similarly rejected any notion that directors can outsource their responsibilities directly to AI. He observed that the Corporations Act only contemplates delegation to other ‘persons’ (see Section 189 of the Corporations Act) and even where management use AI in preparing reports and recommendations, directors remain responsible for informing themselves and exercising independent judgment (see Section 180 of the Corporations Act). The central proposition is that AI may inform a director’s decision-making process, but it cannot replace the director’s duty to exercise their own judgment. In practical terms, Bell CJ suggested boards may wish to require management to disclose whether AI was used in preparing board materials, how AI-generated information was obtained and verified and whether management considers the output reliable and accurate. He also cautioned against directors failing to embrace AI where it could improve decision-making. The future challenge for directors may be balancing independent responsibility for decisions with appropriate use of technology that materially improves access to information and analysis. ASIC also highlighted that entities should consider the use of AI in key functions when assigning accountable persons and establish clear lines of reporting and safeguards against inappropriate delegations. All of this is directly relevant to both the discharge of directors’ duties and the availability of various safe harbours under the Corporations Act.
  • AI governance frameworks remain immature: APRA noted a tendency to treat AI as simply another technology risk, overlooking the distinct characteristics of AI systems and their management across the AI lifecycle. APRA observed reliance on point-in-time and sample-based assurance methods, despite these being ill-suited to probabilistic models that learn, adapt and degrade over time. Few entities had continuous validation or monitoring in place to detect issues such as model drift, bias, failure modes or control breakdowns in a timely manner. Internal audit and risk functions often lack the specialist skills and tools to assess AI, particularly where agentic behaviour, automated decision-making or AI-assisted code generation is involved. APRA also flagged concerns about staff use of enterprise AI tools outside approved control frameworks. In many cases, preventative controls were lacking, with entities relying primarily on policy direction or detective measures rather than enforceable technical restrictions.
  • AI is increasing cyber resilience expectations: APRA observed that identity and access management capabilities have not yet adjusted to non-human actors such as AI agents. APRA also noted that the volume and speed of AI-assisted software development are straining change and release management controls and that security remediation timelines are not consistently aligned with the accelerated threat environment. ASIC’s open letter amplifies this message, warning that the rapid evolution of frontier AI models is accelerating both the capability and accessibility of cyber threats. This is lowering the barrier to sophisticated cyber activity and exposing cyber security vulnerabilities at unprecedented speed, scale and sophistication. ASIC Commissioner Simone Constant emphasised that cyber resilience is a core part of licensee and market participant obligations, urging entities to act now to uplift their cyber security fundamentals with a 12-point call to action. ASIC noted recent enforcement action against FIIG Securities Limited for its failure to implement effective and proportionate cyber risk management for the size, nature and complexity of its business.
  • Focus on fundamentals, not novel tools: ASIC’s open letter is clear that strengthening cyber resilience does not require entities to adopt new technology or reinvent their approach. Rather, it requires consistent execution of well-established controls, supported by clear governance and adequate resourcing. ASIC expects boards to be satisfied that measures are proportionate to the evolving threat environment, that reporting reflects end-to-end control effectiveness (not merely activity) and that governance is supported by evidence – including test results, audit findings and independent validation – rather than relying on assurances alone.
  • Third-party and concentration risk: APRA observed that some entities are heavily dependent on a single provider for multiple AI use cases, with few demonstrating robust contingency planning or tested exit and substitution strategies where third parties are involved in the delivery of critical AI services. Contractual arrangements often lacked specific provisions enabling the APRA-regulated entity to implement governance arrangements that provide sufficient transparency and assurance over AI services.
  • Caution on the use of AI in board meetings: Bell CJ raised concerns about the use of AI-powered recording and transcription tools, noting that while AI may increase efficiency in minute-taking, fully recorded and searchable conversations generated using AI tools may create legal risks and inhibit robust debate. Bell CJ quoted Gilbert + Tobin’s own Simon Burns, who cautioned that AI transcription tools may create surveillance law, privilege and discoverability risks, while also potentially discouraging frank and open boardroom discussion.

Looking forward

Both ASIC and APRA have signalled that agentic AI raises the stakes further, while also engaging across the sector on the potential for increased cyber threats from high-capability AI frontier models.

While neither regulator is proposing additional regulatory requirements at this stage, their message is clear: the regulatory framework already applies and they expect significant improvement to address compliance gaps. Where entities fail to adequately identify, manage or control AI risks and threats in a manner proportionate to their size, scale and complexity, regulators will take stronger supervisory action and, where appropriate, pursue enforcement.

In light of this, regulated entities should consider matters such as whether:

  • the organisation’s risk appetite expressly addresses AI use, as well as the risks arising from how others are using AI, including competitors, consumers and potential malicious actors
  • AI use cases across the organisation have been identified, appropriately classified and subjected to governance controls proportionate to their risk profile
  • management reporting provides meaningful visibility of AI use, AI-related risks and incidents
  • cyber resilience frameworks and controls have been reviewed and validated to address AI-enabled threats, and incident response plans and playbooks are maintained and exercised
  • directors have developed sufficient understanding of AI’s capabilities and limitations, established clear governance frameworks for its use by directors and their delegates and ensured that AI remains a tool that informs directors’ judgment rather than replacing it
  • accountability for AI governance is clearly assigned, with defined escalation paths.

Organisations and boards that cannot demonstrate effective, proportionate AI governance backed by evidence, rather than policy alone, face increasing supervisory scrutiny and enforcement risk.