Risk Management

Why AI Risk Management Must Move Beyond Traditional Model Risk Frameworks

APRA and ASIC both issued 2026 letters to industry warning that AI governance hasn't kept pace with adoption, flagging vendor concentration risk and director accountability gaps. ASIC's enforcement action against FIIG shows what inadequate controls cost in practice. This post sets out what to ask your organisation before a regulator asks first.

Governance risk is not theoretical

The better question is whether the organisation can show how conflicts are identified, declared, challenged, escalated and evidenced before an external inquiry, regulator or media story exposes the gap.

Government or Non-government, Turning Uncontrolled Usage into a Risk-Managed Advantage

Shadow AI is no longer hypothetical: a NSW government contractor uploaded flood victims' personal and health data to ChatGPT, while APRA and ASIC have both issued 2026 letters demanding stronger AI governance and cyber resilience. This post sets out what boards and risk leaders should be asking right now.

Why Clear AI Use-Case Lifecycle Management Is Your Best Risk Defense

Without a clear AI use-case lifecycle—from identification through retirement—organisations risk fragmented governance, hidden risks, and missed control opportunities. Executives and risk managers must demand disciplined visibility and stage-gate controls to keep AI aligned with strategy and risk appetite.

Geopolitical shocks must be treated as a live risk

APRA has written to banks, insurers and superannuation trustees setting out minimum expectations for readiness to geopolitical shocks, including sanctions, trade restrictions and armed conflict. The letter highlights practical gaps in scenario planning, business strategy,…

OAIC determination puts insider privacy risk back in the spotlight

The OAIC found an organisation breached APP 11.1 after an employee accessed customer personal information without authorisation. With the Medibank civil penalty case before the Federal Court, OAIC enforcement on internal access controls is active and escalating.

AI Signal Box: a simpler way to think about AI governance

AI is already moving through most organisations. Sometimes it is visible. Sometimes it is hidden inside software, vendor tools, workflows or staff experimentation.

Pricing governance is a customer trust control, not just a marketing decision

Coles, Woolworths and IAG each faced regulatory action over pricing for the same reason: a gap between what customers were told and what the pricing system actually did. This post uses those cases to ask whether your organisation can show how pricing decisions are owned, challenged and tested for customer outcomes — before a regulator does it for you.

Recent posts

Popular categories