AI Ethics Must Be Tangible, Turning Principles into Practical Risk Controls

I didn’t know we had it do that“.

ASIC has called it the “Year of Accountability and APRA has named governance failures it found inside Australia’s largest banks, insurers and super funds. The message from every regulator paying attention to Artificial Intelligence (AI) is the same: AI ethics is not a values statement, it’s our accountability.

Who owns an AI decision, how it’s monitored, and what happens when it goes wrong – as a director or executive you don’t want a slide deck on this, you want embedded and operating AI governance and ethics.


The 30-second take

Ethical AI principles matter if they survive contact with how the business actually runs

Australian regulators have found boards lack the technical literacy to challenge AI risk, governance frameworks exist on paper but not in practice, and assurance functions are checking AI systems the same way they’d check a static IT system (point-in-time, sample-based, and structurally unsuited to a model that learns and drifts). Some regulators even went further, tying AI-related cyber failures directly to existing enforcement precedent.

The practical task for boards, executives and risk and compliance teams is to convert “fairness, transparency and accountability” into named owners, testable controls, and evidence a regulator can actually inspect.


What the regulators are actually finding

APRA — four failures, named directly. APRA’s letter to industry followed targeted engagement with large banks, insurers and superannuation trustees in late 2025. It found boards taking AI vendor briefings at face value rather than interrogating them; identity and access management that has not adapted to non-human actors such as AI agents; governance frameworks that exist at the policy level but have no operational teeth — no AI inventory, unclear lifecycle ownership, weak post-deployment monitoring; and assurance functions relying on one-off testing for systems that change after they’re deployed. APRA was explicit that where entities fail to manage AI risk proportionately, it will move to stronger supervisory action and enforcement.

ASIC — cyber resilience and the FIIG precedent. ASIC’s open letter to AFS licensees and market participants called for urgent action on AI-driven cyber threats, and explicitly referenced its enforcement case against FIIG Securities Limited as the standard regulated entities will be held to: cyber risk management must be “demonstrably effective and proportionate to the size, nature and complexity of a business.” ASIC’s position is that businesses shouldn’t wait for legislative clarity — the existing licensee obligations already cover AI-related failures.

AUSTRAC — human oversight as a non-negotiable. AUSTRAC has flagged that criminals are already using AI to fabricate identities, forge documents and disguise the proceeds of scams, while expecting AML/CTF programs to document how any AI used in transaction monitoring is trained, validated and calibrated. Its position is unambiguous: human oversight of AI-assisted decisions in compliance programs is mandatory, not best practice.

Questions to take to your next risk committee

  • Do we have a current inventory of every AI system in use across the business, including ones procured by individual teams without a formal sign-off?
  • Who owns the outcome of each AI-assisted decision — not who built the model, but who is accountable if it’s wrong?
  • Can our access management framework actually see and control what an AI agent is doing, or was it built only with human users in mind?
  • When did we last test an AI system specifically for AI-native risks — prompt injection, data exfiltration, model drift — rather than running a conventional penetration test against it?
  • If a regulator asked for evidence of human oversight on our highest-risk AI use case tomorrow, what would we actually be able to show them?
  • Does our board have enough technical literacy to challenge an AI vendor’s claims, or are we taking briefings at face value?

The takeaway

None of this requires waiting for an Australian AI Act. Regulators have said the existing prudential and licensing obligations already apply, and both have signalled enforcement intent.

The organisations in the strongest position aren’t the ones with the best-written AI policy — they’re the ones who can show a regulator the inventory, the ownership, the monitoring and the human-in-the-loop evidence behind it.

Want to see how your organisation’s AI governance stacks up? Head to the Innovation of Risk for a risk readiness snapshot.


Free 3–5 minute AI diagnostic

Know where your AI governance stands in five minutes.

Use a short diagnostic to test practical AI governance, oversight and risk controls. Get an immediate visual result and suggested next focus areas.

Practical tools for boards, executives, auditors and risk professionals.

10 questions Visual result Local browser storage
Learn more Visit reading room
Privacy note: your individual results are not stored by Innovation of Risk. Results stay in your browser; we only track aggregate usage such as page views and average score once you leave our page.

More from the Reading Room

Using AI Risk Management to Accelerate Innovation

New Diligent Institute / Governance Institute of Australia data shows 61% of Australian boards restrict employee AI use while only 13% have an AI-literate director — proof that restriction and real governance are pulling apart. NIST's expanding AI Risk Management Framework and the EU AI Act's 2 August 2026 third-party accountability deadline show how structured, evidence-based workflows are what actually let AI adoption move faster, safely.

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.

AI Risk Management Must Shift from Advisory to Driving Informed Risk Taking

Commonwealth Bank's 2026 AI transparency report, Deloitte's board AI-literacy data and PwC's 2026 AI Performance Study all point the same way: risk teams stuck in a purely advisory role are becoming a competitive liability, not a safeguard. Here's what separates governance that enables from governance that only gates.