A serious data breach does not automatically mean governance failed.
The more important question is whether an organisation can demonstrate that it understood the risks, assessed the third party, monitored its controls and responded effectively...
APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…
When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.
Grant Thornton's 2026 AI Impact Survey, the AICD/HTI Director's Guide to AI Governance, and a March 2026 Meta AI agent incident all point the same way: organisations scaling AI without a standardised, risk-based assessment framework can't explain or defend their decisions when it matters.
HM Treasury's move to designate AI providers as UK critical third parties, a German court ruling that made a chatbot's words the company's legal liability, and the Character.AI/Google settlement all show the same pattern: vendor AI risk is now the deploying organisation's problem, not the vendor's. Here's what boards and risk teams need to check before the next case names them instead.
APRA's inaugural System Risk Stress Test found four major banks and six super funds individually resilient, but exposed concentration risk and a super-fund liquidity mechanism that could amplify a system-wide shock.
APRA's finalised reinsurance framework eases access to catastrophe bonds and shifts capital-treatment decisions to the appointed actuary, changing what boards need to evidence before the 1 January 2027 start date.
Grant Thornton's 2026 AI Impact Survey, Forrester and MIT research on failed AI pilots, and the EU AI Act's Article 26 deployer obligations all point to the same gap: boards are funding AI faster than they are assigning who owns it. Here's why business-led ownership, not another control layer, is what actually makes AI risk management work.