When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.
Traditional model risk management falls short for AI. Executives and risk managers must recognise AI model risk as a distinct challenge requiring tailored governance, deeper vendor scrutiny, and proactive controls to protect value and trust.
APRA and ASIC both issued 2026 letters to industry warning that AI governance hasn't kept pace with adoption, flagging vendor concentration risk and director accountability gaps. ASIC's enforcement action against FIIG shows what inadequate controls cost in practice. This post sets out what to ask your organisation before a regulator asks first.
AI risk management often focuses on defensive controls, but this mindset limits business value and slows innovation. Leaders must reframe AI risk as a tool to enable success, balancing risk and opportunity through clear ownership, tailored evidence, and ongoing assurance.