New Diligent Institute / Governance Institute of Australia data shows 61% of Australian boards restrict employee AI use while only 13% have an AI-literate director — proof that restriction and real governance are pulling apart. NIST's expanding AI Risk Management Framework and the EU AI Act's 2 August 2026 third-party accountability deadline show how structured, evidence-based workflows are what actually let AI adoption move faster, safely.
HM Treasury's move to designate AI providers as UK critical third parties, a German court ruling that made a chatbot's words the company's legal liability, and the Character.AI/Google settlement all show the same pattern: vendor AI risk is now the deploying organisation's problem, not the vendor's. Here's what boards and risk teams need to check before the next case names them instead.
When Replit's AI coding agent deleted a live production database mid-project in July 2025, it exposed a gap most vendor risk frameworks miss: ongoing change monitoring, not just onboarding checks. NIST's GOVERN 6.2 and ISACA's 2025 incident review both point to the same fix — treat vendor AI oversight as a standing control, not a one-time sign-off.
Grant Thornton's 2026 AI Impact Survey, Forrester and MIT research on failed AI pilots, and the EU AI Act's Article 26 deployer obligations all point to the same gap: boards are funding AI faster than they are assigning who owns it. Here's why business-led ownership, not another control layer, is what actually makes AI risk management work.
Deloitte's $290,000 government report scandal, AICD's warning on AI vendor concentration risk, and the UK's new Critical Third Parties regime all expose the same gap: accountability for AI-enabled outcomes can't be outsourced to the vendor that built the tool. Here's what risk and governance teams should check before relying on vendor AI assurances.
APRA, ASIC and the ACCC have all sharpened the rules on AI risk in 2026 — from APRA's step-change governance letter to ASIC's 'Year of Accountability' and the ACCC's doubled penalties for AI-washing. Here's why leaders should treat AI risk management as a business enabler, not a compliance checkbox.
APRA's April 2026 letter to industry and ASIC's Report 798 both warn that boards are leaning on AI vendor assurances instead of independently verifying them. Here is what Australian organisations should be checking before they trust the compliance pack.
Shadow AI is no longer hypothetical: a NSW government contractor uploaded flood victims' personal and health data to ChatGPT, while APRA and ASIC have both issued 2026 letters demanding stronger AI governance and cyber resilience. This post sets out what boards and risk leaders should be asking right now.