Most boards think they’re managing AI risk.
The Diligent Institute, conducted with the Governance Institute of Australia (GIA) and the Singapore Institute of Directors (SID), data says otherwise:
61% of Australian organisations have restricted how employees use AI, yet only 13% have a director who actually understands it, and just 37% have ever audited how AI is being used inside their own operations.
That gap — restriction without visibility, ambition without capability — is exactly the mode regulators are warning about.
AI risk management done well is not a brake. It is the mechanism that lets an organisation move faster with confidence, because someone has actually looked before it leaps.
The 30-second take
The reflex to treat AI risk management as friction is backwards.
The real friction comes from vague ownership, missing evidence requirements, and vendors nobody has actually tested.
Global standards bodies and regulators are converging on the same answer: structured, risk-tiered workflows with clear accountability move faster than either a blanket ban or a free-for-all. Organisations that build this now will approve safe AI use cases in days; those that don’t will keep discovering shadow AI after the fact.
Our AI Signal Box provides a simple, effective approach without the need for expensive consultants, and it empowers your people, not theirs; contact us to find out more.
Where the evidence says organisations are getting this wrong
The 2026 survey by the Diligent Institute found 43% of Australian governance leaders now rank AI as a top strategic priority. But the follow-through isn’t there: only 13% of boards have appointed a director with real AI expertise, just 21% require any AI training for directors, and a mere 37% have ever audited how staff are actually using AI day to day.
Meanwhile 61% of Australian organisations have imposed restrictions or guidelines on employee AI use — more than double the 30% rate seen across Asian boards in the same survey, where organisations are also more than twice as likely to have recruited an AI-literate director. Restriction is not the same as risk management.
Without visibility into actual use, a ban is just a more expensive way of not knowing what’s happening.
What the standards are already telling us to do
NIST’s AI Risk Management Framework has spent 2025 and 2026 filling in exactly the gaps that survey exposes.
Its four functions — Govern, Map, Measure, Manage — give organisations a repeatable way to triage AI use cases by risk rather than treat every request the same.
A March 2025 update added explicit coverage of generative AI and supply-chain risk, and in April 2026 NIST issued a concept note extending the framework into a dedicated profile for AI use in critical infrastructure. The direction of travel is consistent: don’t slow every use case down — build the triage and evidence requirements that let the low-risk ones move fast and the high-risk ones get real scrutiny.
The accountability clock is already running
For any organisation with EU exposure, or vendors who have it, the EU AI Act’s third-party provisions are no longer theoretical.
High-risk AI systems need conformity assessments finalised, technical documentation complete, CE marking affixed, and EU database registration done by 2 August 2026. Critically, if a vendor’s AI can influence system behaviour, the deploying organisation stays accountable for the outcome — echoing the same logic now embedded in ISO 42001. Generic vendor assurances (“we take AI safety seriously”) will not hold up against that standard.
Organisations need the evidence checklist this site has argued for: privacy and cyber assessments, data flow diagrams, model governance detail, and a documented incident response plan, verified rather than taken on faith.
Questions to ask your organisation
- Who owns each AI use case from intake through deployment and ongoing monitoring — and would that name survive an audit?
- Has your organisation actually audited how staff are using AI today, or are you relying on the policy to describe reality?
- Does at least one director have real AI expertise, and is that expertise reflected in how AI decisions get escalated?
- What evidence do you require from third-party AI vendors, and have you verified it independently rather than accepted their word?
- Is your AI risk workflow built to fast-track well-evidenced, low-risk use cases, or does everything move at the same slow pace?
- If a vendor’s AI system changes materially, would you know — and who is responsible for finding out?
Restriction without visibility isn’t governance — it’s guesswork with extra paperwork.
Run your organisation’s AI risk setup through the Innovation of Risk AI Snapshot for a practical readiness snapshot.

