ASIC’s AI Warning to Directors: What Australian Boards Need to Hear Now


Australia’s corporate regulator, the Australian Securities and Investments Commission (ASIC), has sent a direct message to every licensed entity: the era of frontier AI has materially changed the cyber threat environment, and boards can no longer treat this as a future risk to monitor. It is a present risk to manage.

“Do not wait for perfect clarity to address the threat posed by new AI models. Act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.”

— Simone Constant, Commissioner, Australian Securities and Investments Commission

What ASIC is actually saying

In a letter addressed directly to licensees and directors, ASIC Commissioner Simone Constant made clear that this is not a call for panic — it is a call for urgency and accountability. The emergence of frontier AI models is not creating entirely new categories of risk, but it is dramatically lowering the bar for sophisticated attacks, accelerating exploitation of known vulnerabilities, and making previously isolated weaknesses far easier to chain together into serious incidents.

The enforcement context matters. ASIC’s case against FIIG Securities Limited established that cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of an entity. Boards that cannot evidence this face real regulatory exposure.

The 12 actions ASIC expects of regulated entities

  • Reassess cyber plans and refocus on the most critical risks in today’s threat environment
  • Confirm governance and risk frameworks account for the cumulative impact of interrelated vulnerabilities
  • Identify and protect critical assets with clarity on what matters most to the business and customers
  • Strengthen cyber security fundamentals by regularly reviewing and validating core controls
  • Minimise attack surfaces by reducing exposure to untrusted networks
  • Regularly review user access — insider threats are increasing and privileges must be actively managed
  • Patch systems promptly — AI is accelerating both vulnerability discovery and exploitation
  • Implement layered, defence-in-depth architectures that assume breach and restrict lateral movement
  • Maintain and exercise incident response plans including business continuity and recovery protocols
  • Actively manage third-party risks, particularly where services introduce concentration or systemic exposure
  • Use AI for defensive purposes — identifying vulnerabilities and securing software before release
  • Review patch management processes to address the governance challenges daily patching creates

The governance question boards must answer

ASIC is explicit that governance should not rest on assurances alone. Boards are expected to receive meaningful reporting on end-to-end control effectiveness — not just activity metrics — and to be able to evidence the basis for their assurance through test results, audit findings, incident lessons, and independent validation.

Cyber capability must be adequately resourced, prioritised, and qualified to the standard appropriate for the services and risk footprint of the organisation. This is not a technology question delegated to the CIO. It sits with the board and senior executive leadership.

ASIC has also called for this letter to be formally tabled and discussed at the ultimate board and risk governance committees of every licensed entity.

Commissioner’s note


Simone Constant

Commissioner, Australian Securities and Investments Commission

Commissioner Constant’s letter closes with a clear instruction: the path forward is not reinvention, but discipline. Entities that have established robust plans across the full cyber incident lifecycle — and that keep those plans current, tested and embedded — will be materially better placed to manage what frontier AI now makes possible for threat actors. ASIC will continue to engage with international regulators, the Council of Financial Regulators, the Department of Home Affairs, and the Australian Signals Directorate. Regulated entities are expected to do the same.

How Risk Associates can help

As AI becomes central to how Australian businesses operate, the governance, risk and accountability obligations that come with it are growing just as fast. Risk Associates helps boards and leadership teams assess and manage AI-related risk through structured, independent assurance — from evaluating AI management systems under ISO/IEC 42001 to conducting Risk Assessments that surface the specific exposures AI introduces into your environment.

Read the original ASIC open letter

ASIC’s full open letter to AFS licensees and market participants on AI and cyber resilience, issued by Commissioner Simone Constant, May 2026, is available as a PDF download from ASIC.


Copyright © 2026. All Rights Reserved by Risk Associates.