Government or Non-government, Turning Uncontrolled Usage into a Risk-Managed Advantage

A NSW government contractor uploaded a spreadsheet of 12,000 rows containing the names, contact details and health information of up to 3,000 flood victims into ChatGPT. The data belonged to Northern Rivers homeowners applying for buyback assistance after the 2022 floods. Nobody approved the tool. Nobody assessed the risk. It just happened, the way Shadow AI always does — one well-intentioned person trying to get through a workload, with a free AI tool open in another tab.


The 30-second take

Shadow AI is when staff use AI tools without formal approval, oversight, or risk assessment. It is now a live enforcement priority, not a hypothetical: the OAIC has flagged Shadow AI as a focus area for early action, APRA has told banks, insurers and super trustees their AI governance is not keeping pace with adoption, and ASIC has urged licensees to lift cyber resilience against AI-driven threats.

The fix isn’t a ban. It’s ownership, practical policy, and evidence — built into the existing AI governance framework rather than bolted on after an incident.


Real scenarios, real outcomes

NSW Reconstruction Authority — ChatGPT and flood victim data. A contractor working on the Northern Rivers Resilient Homes Program uploaded an Excel file of applicant data, including health information, to ChatGPT between March 12 and 15. The breach wasn’t revealed publicly for more than six months. The Authority has since notified the NSW Privacy Commissioner and introduced new internal protocols restricting AI platform use — a reactive fix that a basic Shadow AI policy would have made unnecessary.

APRA — a step-change demanded of financial services. In its 30 April 2026 Letter to Industry, APRA reported that governance, risk management and operational resilience practices across banks, insurers and superannuation trustees are not keeping pace with the scale and speed of AI adoption. It set out minimum expectations for boards: documented frameworks, clear reporting lines, and genuine AI literacy at the top — not just at the desks where the tools are actually being used.

ASIC — cyber resilience as an AI problem, not just an IT one. ASIC’s 8 May 2026 Letter to Industry urged licensees and market participants to urgently strengthen cyber resilience in response to threats from frontier AI models. The regulator’s message: AI isn’t only a productivity question for the business side, it’s a live attack surface, and unmanaged or unsanctioned use widens it.

Questions to ask your organisation

  • Do we have an accurate inventory of every AI tool in use across the business, including the free and informal ones?
  • Who owns AI risk in each business unit, and is that ownership written down anywhere?
  • What happens, today, if a staff member uploads a customer spreadsheet to a public AI tool — would we even know?
  • Have our AI use policies been communicated in plain language, or do they sit unread in a compliance folder?
  • What evidence do we require from free or third-party AI tools before staff are allowed to use them with company data?
  • If APRA or ASIC asked for our AI governance framework tomorrow, could we produce one?

Shadow AI isn’t going away, and banning it has never worked. The organisations getting ahead of it are the ones treating it as a governance problem with an owner, a policy and an evidence trail — not an IT problem to be discovered after the fact.

Get a read on where your organisation stands with a free readiness snapshot.

Free 3–5 minute AI diagnostic

Know where your AI governance stands in five minutes.

Use a short diagnostic to test practical AI governance, oversight and risk controls. Get an immediate visual result and suggested next focus areas.

Practical tools for boards, executives, auditors and risk professionals.

10 questions Visual result Local browser storage
Learn more Visit reading room
Privacy note: your individual results are not stored by Innovation of Risk. Results stay in your browser; we only track aggregate usage such as page views and average score once you leave our page.

More from the Reading Room

Using AI Risk Management to Accelerate Innovation

New Diligent Institute / Governance Institute of Australia data shows 61% of Australian boards restrict employee AI use while only 13% have an AI-literate director — proof that restriction and real governance are pulling apart. NIST's expanding AI Risk Management Framework and the EU AI Act's 2 August 2026 third-party accountability deadline show how structured, evidence-based workflows are what actually let AI adoption move faster, safely.

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.

AI Risk Management Must Shift from Advisory to Driving Informed Risk Taking

Commonwealth Bank's 2026 AI transparency report, Deloitte's board AI-literacy data and PwC's 2026 AI Performance Study all point the same way: risk teams stuck in a purely advisory role are becoming a competitive liability, not a safeguard. Here's what separates governance that enables from governance that only gates.