Using AI Risk Management to Accelerate Innovation

Most boards think they’re managing AI risk.

The Diligent Institute, conducted with the Governance Institute of Australia (GIA) and the Singapore Institute of Directors (SID), data says otherwise:

61% of Australian organisations have restricted how employees use AI, yet only 13% have a director who actually understands it, and just 37% have ever audited how AI is being used inside their own operations.

That gap — restriction without visibility, ambition without capability — is exactly the mode regulators are warning about.

AI risk management done well is not a brake. It is the mechanism that lets an organisation move faster with confidence, because someone has actually looked before it leaps.


The 30-second take

The reflex to treat AI risk management as friction is backwards.

The real friction comes from vague ownership, missing evidence requirements, and vendors nobody has actually tested.

Global standards bodies and regulators are converging on the same answer: structured, risk-tiered workflows with clear accountability move faster than either a blanket ban or a free-for-all. Organisations that build this now will approve safe AI use cases in days; those that don’t will keep discovering shadow AI after the fact.

Our AI Signal Box provides a simple, effective approach without the need for expensive consultants, and it empowers your people, not theirs; contact us to find out more.


Where the evidence says organisations are getting this wrong

The 2026 survey by the Diligent Institute found 43% of Australian governance leaders now rank AI as a top strategic priority. But the follow-through isn’t there: only 13% of boards have appointed a director with real AI expertise, just 21% require any AI training for directors, and a mere 37% have ever audited how staff are actually using AI day to day.

Meanwhile 61% of Australian organisations have imposed restrictions or guidelines on employee AI use — more than double the 30% rate seen across Asian boards in the same survey, where organisations are also more than twice as likely to have recruited an AI-literate director. Restriction is not the same as risk management.

Without visibility into actual use, a ban is just a more expensive way of not knowing what’s happening.

What the standards are already telling us to do

NIST’s AI Risk Management Framework has spent 2025 and 2026 filling in exactly the gaps that survey exposes.

Its four functions — Govern, Map, Measure, Manage — give organisations a repeatable way to triage AI use cases by risk rather than treat every request the same.

A March 2025 update added explicit coverage of generative AI and supply-chain risk, and in April 2026 NIST issued a concept note extending the framework into a dedicated profile for AI use in critical infrastructure. The direction of travel is consistent: don’t slow every use case down — build the triage and evidence requirements that let the low-risk ones move fast and the high-risk ones get real scrutiny.

The accountability clock is already running

For any organisation with EU exposure, or vendors who have it, the EU AI Act’s third-party provisions are no longer theoretical.

High-risk AI systems need conformity assessments finalised, technical documentation complete, CE marking affixed, and EU database registration done by 2 August 2026. Critically, if a vendor’s AI can influence system behaviour, the deploying organisation stays accountable for the outcome — echoing the same logic now embedded in ISO 42001. Generic vendor assurances (“we take AI safety seriously”) will not hold up against that standard.

Organisations need the evidence checklist this site has argued for: privacy and cyber assessments, data flow diagrams, model governance detail, and a documented incident response plan, verified rather than taken on faith.

Questions to ask your organisation

  • Who owns each AI use case from intake through deployment and ongoing monitoring — and would that name survive an audit?
  • Has your organisation actually audited how staff are using AI today, or are you relying on the policy to describe reality?
  • Does at least one director have real AI expertise, and is that expertise reflected in how AI decisions get escalated?
  • What evidence do you require from third-party AI vendors, and have you verified it independently rather than accepted their word?
  • Is your AI risk workflow built to fast-track well-evidenced, low-risk use cases, or does everything move at the same slow pace?
  • If a vendor’s AI system changes materially, would you know — and who is responsible for finding out?

Restriction without visibility isn’t governance — it’s guesswork with extra paperwork.

Run your organisation’s AI risk setup through the Innovation of Risk AI Snapshot for a practical readiness snapshot.

More from the Reading Room

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.

AI Risk Management Must Shift from Advisory to Driving Informed Risk Taking

Commonwealth Bank's 2026 AI transparency report, Deloitte's board AI-literacy data and PwC's 2026 AI Performance Study all point the same way: risk teams stuck in a purely advisory role are becoming a competitive liability, not a safeguard. Here's what separates governance that enables from governance that only gates.

Why Standardised AI Risk Assessment Is Critical for Scalable, Responsible AI Use

Grant Thornton's 2026 AI Impact Survey, the AICD/HTI Director's Guide to AI Governance, and a March 2026 Meta AI agent incident all point the same way: organisations scaling AI without a standardised, risk-based assessment framework can't explain or defend their decisions when it matters.