<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:g-custom="http://base.google.com/cns/1.0" version="2.0">
  <channel>
    <title>khanterin-partners</title>
    <link>https://www.khanterin.com</link>
    <description />
    <atom:link href="https://www.khanterin.com/feed/rss2" type="application/rss+xml" rel="self" />
    <item>
      <title>Investigations Integrity</title>
      <link>https://www.khanterin.com/investigations-integrity</link>
      <description>An investigation can become your greatest liability. Why process discipline and chain of custody are non-negotiable.</description>
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Why Process Discipline and Evidence Chain of Custody Determine Organisational Liability
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Internal investigations are routine. Evidence contamination, however, carries consequences that extend far beyond the original misconduct. A single procedural misstep (mishandled documentation, a broken chain of custody, shortcuts in evidence collection, or a failure to afford natural justice) can render months of investigation legally indefensible and expose the organisation to liability that eclipses the original breach.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Introduction
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Organisations routinely conduct internal investigations into fraud, misconduct, and policy violations. The assumption is that process and rigour will follow as a matter of course. In practice, they often do not. The gap between the perception of procedural discipline and its actual execution is where governance risk concentrates.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Australian Government Investigations Standard (AGIS) 2022, developed by the Attorney-General’s Department in conjunction with the Australian Federal Police, establishes the framework against which investigative quality is measured. AGIS applies to Australian Government entities, but the principles it enshrines (evidence preservation, chain of custody discipline, natural justice, and documented decision-making) reflect universal standards of investigative integrity that courts, tribunals, and regulators now expect of all organisations when investigations carry employment, disciplinary, or legal consequences.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The cost of procedural failure is substantial and takes multiple forms. Findings that cannot survive legal challenge undermine the organisation's position entirely. Evidence rendered inadmissible due to contamination or improper handling removes the factual foundation upon which decisions rest. Wrongful dismissal claims expose the organisation to compensation liability that frequently exceeds the cost of conducting the investigation properly in the first instance. Regulatory scrutiny of the investigation process itself compounds reputational and legal risk. Organisations that take shortcuts during investigations routinely discover that those shortcuts, not the original misconduct, become the primary source of liability.
         &#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Problem: Procedural Integrity as Governance Discipline
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Three specific failures characterise investigations that do not withstand scrutiny.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Failure One: Evidence Contamination and Chain of Custody Breakdown
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          AGIS 2022 explicitly requires that entities maintain chain of custody discipline across all investigation stages, including the recording of property and seizures as evidence, chain of custody documentation, and disposal of evidence. Chain of custody refers to the chronological documentation that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence, establishing a clear and unbroken timeline of who handled the evidence, when, and under what conditions.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          When chain of custody is undocumented, evidence integrity cannot be demonstrated. Any item seized during a workplace investigation (a document, an email, a financial record, a digital file) must have continuity from the point of collection through examination and preservation. If that chain is broken, the evidence cannot be relied upon. More critically, if the matter proceeds to a court or tribunal, evidence that has not been properly handled may be ruled inadmissible, or its probative weight may be so diminished that it is operationally useless.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Under Australian evidence law, courts may exclude improperly obtained or contaminated evidence entirely, or may significantly discount its weight in determining facts. The Evidence Act 1995 (Cth) provides courts with broad discretion to exclude evidence where its admission would be unfairly prejudicial or where it was obtained in circumstances that undermine its reliability.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Failure Two: Denial of Procedural Fairness
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Procedural fairness, also known as natural justice, requires that a person subject to an investigation be given a fair and reasonable opportunity to know the allegations against them and to respond before any adverse decision is made. This principle is foundational to Australian administrative and employment law and is explicitly embedded in the obligations of investigating entities under AGIS 2022.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Fair Work Commission has consistently found that investigations which deny procedural fairness, whether through failure to interview relevant witnesses, inadequate opportunity for the subject to respond, or decision-makers who fail to critically assess investigation findings, undermine the integrity of the investigation itself and render subsequent disciplinary decisions vulnerable to challenge.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          In documented Fair Work Commission decisions, investigations have been found procedurally defective where:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ul&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           The investigator failed to interview the person subject to the investigation before making findings
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           The person was not provided with investigation findings before disciplinary action was taken
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Relevant witnesses were not interviewed, preventing a complete factual picture from being established
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           The decision-maker failed to critically review the investigation report and form their own independent conclusion
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           The timeframe provided for response was unreasonably compressed
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ul&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Procedural fairness is not administrative inconvenience. It is the mechanism by which organisations demonstrate that investigations were conducted objectively and that decisions reflect genuine deliberation rather than predetermined outcomes.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Failure Three: Inadequate Documentation and Decision-Making Rigour
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          AGIS 2022 requires that all investigative activity be recorded, encompassing decisions made, activities undertaken, conversations held, correspondence exchanged, and meetings conducted. This requirement is not bureaucratic excess. Documentation creates an auditable record that demonstrates process discipline and provides the evidentiary foundation for defending investigation decisions if they are later challenged.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Organisations frequently fail at this point. Investigators conduct interviews without contemporaneous documentation. Findings are reached without clear articulation of the evidence that supports them. Decision makers accept investigation reports without independent critical review or documented reasoning. When challenged, the organisation cannot reconstruct how conclusions were reached or what evidence supported them. The absence of contemporaneous documentation is consistently read by courts and tribunals as an absence of process discipline.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Case: When Procedural Failure Becomes Organisational Liability
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The risks of procedurally deficient investigations are well illustrated by documented Fair Work Commission decisions. In cases involving TAFE NSW, the Commission found that prolonged investigations, failure to interview the persons subject to the allegations, and inadequate information and support provided to the subjects during the investigation, deprived those individuals of a real opportunity to respond to the allegations. The Commission found that the integrity of the investigation report was undermined and procedural fairness was not afforded, rendering the subsequent dismissals harsh, unjust, or unreasonable.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          A further pattern identified across Fair Work Commission decisions involves investigations conducted by persons without relevant investigative experience or expertise. In one documented instance, a worker was terminated for serious misconduct following an investigation conducted by a person who had never undertaken an investigation before and lacked the experience to assess conflicting witness accounts. The resulting findings were challenged and the termination overturned.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          These cases illustrate a consistent pattern. The misconduct that prompted the investigation may have been real and serious. However, procedural failures during the investigation itself (denial of natural justice, inadequate witness engagement, absence of documented reasoning) created liability that eclipsed the original conduct. The investigation, designed to protect the organisation, became the source of its exposure.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Solution: AGIS-Aligned Investigative Practice
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          AGIS 2022 establishes clear standards for investigation governance. Organisations that structure investigations around these standards position themselves to produce defensible findings and withstand legal challenge. Four pillars are central:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Pillar One: Governance and Accountability
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Investigation responsibility must be assigned to a person with documented competency in investigation methodology, evidence handling, and natural justice principles. AGIS 2022 specifies that investigators must have the competency appropriate to the complexity and sensitivity of the investigation. This role should not be delegated to junior or inexperienced staff.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Formal terms of reference must be established before the investigation commences. These should document the scope of the allegations under investigation, the authority of the investigator, the applicable timeframe, and the standard to which findings will be made (balance of probabilities for employment matters; beyond reasonable doubt for criminal referral). This documentation creates accountability from the outset.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Pillar Two: Evidence Collection and Preservation
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Chain of custody discipline must be implemented from the moment evidence is collected. Each item of evidence (documents, emails, digital files, physical items) must be identified, labelled, and recorded at the point of collection. Documentation must capture who collected the evidence, when, from where, and under what conditions. As the evidence moves through examination and analysis, each person who handles it and the actions they take must be recorded.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          For digital evidence specifically, AGIS 2022 requires that investigative case management systems support chain of custody recording, including the recording of property as evidence and the documentation of disposal. The methodology used to preserve and examine digital evidence should be documented to demonstrate that the examination process did not alter the evidence.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Witness statements must be documented contemporaneously: either recorded with consent, or captured in detailed notes prepared immediately after the interview and, where practicable, confirmed by the witness. Reliance on memory or delayed documentation is not consistent with AGIS standards and creates avoidable evidentiary risk.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Pillar Three: Natural Justice and Procedural Fairness
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The person subject to the allegations must be given a genuine opportunity to respond. This requires that they be provided with the specific allegations against them, the evidence or information that supports those allegations, and adequate time to prepare and deliver a response. A formal interview or written submission opportunity should be provided.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          All relevant witnesses must be interviewed, not only those convenient to management or those whose accounts support a particular conclusion. The investigator’s duty is to establish facts objectively. Restricting witness access to produce a predetermined outcome is a procedural failure that courts and tribunals have consistently identified and penalised.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Pillar Four: Documentation and Decision Making Discipline
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The entire investigation must be documented: decisions made, evidence examined, interviews conducted, findings reached, and the reasoning that connects evidence to conclusions. When the investigation is complete, the decision maker (the person who will make the disciplinary or governance decision) must independently review the investigation file, consider the evidence, and form their own conclusion. This review must be documented.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           The decision maker should record their reasoning:
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ul&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            what findings are accepted,
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            what weight is given to different evidence,
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            what decision is being made, and on what basis.
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ul&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          This documentation serves two purposes. It protects the organisation by demonstrating process rigour if the decision is later challenged. It also prevents the organisation from accepting investigation conclusions at face value, without the scrutiny that defensible decisions require.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Conclusion
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Investigations are an inevitable feature of organisational life. Process discipline determines whether those investigations protect organisations or create new liability. The Australian Government Investigations Standard 2022 provides a proven, documented framework built on principles of evidence integrity, chain of custody discipline, natural justice, and rigorous decision-making. These are not obligations confined to government entities. They represent the standard against which investigation conduct is increasingly measured across all sectors when investigations have employment, disciplinary, or legal consequences.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Boards should satisfy themselves that formal, documented investigation procedures, aligned to AGIS standards, are established and operational before an investigation becomes necessary. When investigations are underway, governance oversight should focus on procedural discipline:
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ul&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Has chain of custody been established and maintained?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Has the person subject to the allegations been given a genuine opportunity to respond?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Has the decision-maker independently reviewed the evidence and documented their reasoning?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ul&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          These questions matter because investigations that fail procedurally create liability that the original misconduct rarely generates on its own.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Governance in Practice
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Organisations seeking to strengthen investigative discipline can engage Khanterin Partners and its specialist advisors, professionals with a senior law enforcement background with the AFP, who bring specialist investigative and intelligence capability.
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Khanterin Partners, working alongside these specialists, offers investigation process audits designed to assess whether existing investigation frameworks align with AGIS 2022 standards and natural justice principles. These audits examine investigation procedures, evidence handling protocols, chain of custody discipline, and decision-making governance. The outcome is a detailed assessment of procedural strengths and gaps, together with prioritised recommendations for remediation.
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          This approach allows organisations to build confidence in their investigative capability before investigations are needed and to identify procedural vulnerabilities while there is still time to address them.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          References
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Attorney-General’s Department (Cth), Australian Government Investigations Standards 2022 (AGD, October 2022) ('AGIS 2022').
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Commonwealth Fraud Prevention Centre, 'Australian Government Investigations Standards' (Australian Government, 2022) &amp;lt;https://www.ag.gov.au/integrity/fraud-prevention/australian-government-investigations-standards&amp;gt;.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          AGIS 2022 (n 1) s 6 (Property/Seizures — recording property as evidence, chain of custody, disposal of seizure).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Emutare, 'Digital Evidence Handling: Chain of Custody' (2024); see also NIH/StatPearls, 'Chain of Custody' (National Library of Medicine, 2024).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Evidence Act 1995 (Cth) s 138 (Exclusion of improperly or illegally obtained evidence).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Law Reform Commission, 'Uniform Evidence Law' (ALRC Report 102, 2006).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          National Anti-Corruption Commission, 'Procedural Fairness' (NACC, 2024) &amp;lt;https://www.nacc.gov.au&amp;gt;; Fair Work Commission, 'Other Relevant Matters — Procedural Fairness' (FWC, 2024).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Clayton Utz, 'Workplace Investigations Refresher Part 9: Procedural Fairness' (Clayton Utz, 2024).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          AGIS 2022 (n 1) s 6 (Investigative Activity Recording — recording of decisions, activities, conversations, correspondence, and meetings).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          HR Legal, 'When Workplace Investigations Go Wrong' (2024), citing Fair Work Commission decision involving TAFE NSW.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          WorkLegal, 'Workplace Investigations Lawyers Australia' (2024) &amp;lt;https://www.worklegal.com.au&amp;gt;.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          AGIS 2022 (n 1) s 6 (Information Capture and Management; Property/Seizures).
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <pubDate>Wed, 29 Apr 2026 06:08:31 GMT</pubDate>
      <guid>https://www.khanterin.com/investigations-integrity</guid>
      <g-custom:tags type="string">Governance,Investigations,AGIS</g-custom:tags>
    </item>
    <item>
      <title>The Insider Threat Boards Can No Longer Ignore</title>
      <link>https://www.khanterin.com/the-insider-threat-boards-can-no-longer-ignore</link>
      <description>The biggest threat to your organisation may already be inside it. How equipped is your board to detect fraud and internal misconduct?</description>
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Fraud and internal misconduct are among the most damaging risks facing Australian organisations. The question for boards is whether their governance frameworks are genuinely equipped to detect and manage them.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Introduction
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The conversation about board-level risk governance in Australia has intensified considerably over the past two years. High-profile data breaches, regulatory scrutiny, and a wave of guidance from the Australian Institute of Company Directors (AICD) have pushed cyber security and risk oversight firmly onto boardroom agendas.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          But while external threats attract most of the attention, a quieter and often more damaging risk category continues to be underweighted in many governance frameworks: fraud and insider threats.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          These are not edge cases. Internal actors, whether motivated by financial pressure, grievance, or opportunity, represent a persistent and material risk for organisations of every size and sector, and unlike external attacks, insider threats are uniquely difficult to detect precisely because those responsible already have legitimate access to systems, processes, and sensitive information.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Governance Gap
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Boards should be aware that disgruntled employees and malicious insiders can pose a unique risk since they already have legitimate access to systems and may be intimately familiar with the organisation's operations.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          This observation, drawn from the AICD's Cyber Security Governance Principles, points to a risk that sits at the intersection of cyber security, fraud prevention, and internal controls, and one that requires a governance response that spans all three.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The challenge for many boards is that existing frameworks tend to treat these risks in isolation. Cyber security is addressed through one lens, fraud through another, and misconduct through a third. In practice, serious insider incidents rarely respect those boundaries. A disgruntled employee with system access and financial motivation does not fit neatly into any single risk category, and governance frameworks that are not designed to detect the overlap will miss them.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Escalating Expectations
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Cybercrime remains the key issue keeping directors up at night, according to the AICD's most recent Director Sentiment Index survey, with more than half of Australian directors reporting that the risk of cyberattacks is directly influencing their board's risk appetite.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Regulatory expectations are moving in the same direction. High-profile cyber incidents and data breaches affected millions of Australians in 2024, tarnishing the reputations of some of the country's largest organisations and prompting regulators to intensify their scrutiny of board-level practices.
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          ASIC's increased focus on directors' oversight obligations reinforces the point. Boards that cannot demonstrate active and informed oversight of fraud and insider risk are exposed, not just operationally, but legally and reputationally.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          What Robust Governance Actually Looks Like
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The AICD's governance guidance makes clear that effective board oversight requires more than policy documentation. Boards need to keep a close eye on mission-critical risks, and if directors know there is a problem and management keeps putting the board off, that is very high risk.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Applied to fraud and insider threat, this means boards should be asking management direct and specific questions. Not whether a fraud policy exists, but whether it is being tested, whether it is detecting anything, and whether the organisation has the investigation capability to respond when something is found.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Practically, robust governance in this area requires several things working together:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ol&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Clear frameworks that define how fraud, misconduct, and insider threats are identified, escalated, and investigated.
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Independent investigation capability that sits outside the normal management chain, so that internal matters can be handled without compromising the integrity of the process.
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           A board that is willing to commission investigations when warranted and to receive findings without filtering by management.
           &#xD;
        &lt;br/&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ol&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Investigation Capability Problem
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Many Australian organisations discover, often too late, that they lack the capability to properly investigate a serious internal matter. Internal HR and legal teams are rarely equipped for complex fraud investigations or matters involving financial crime, cyber-enabled misconduct, or sophisticated insider activity.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          This is not a reflection on those teams. It is a structural gap that most organisations have not needed to address until they suddenly do. By that point, evidence may have been compromised, timelines lost, and the organisation's ability to pursue recovery or disciplinary action significantly diminished.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Boards that are serious about this risk need to ensure their organisations have access to specialist investigation and intelligence capability before an incident occurs, not after.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Questions Boards Should Be Asking
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Drawing on the AICD's framework for meaningful board oversight, directors overseeing fraud and insider threat risk should be comfortable asking management the following:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ul&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           What controls exist to detect unusual access, transactions, or behaviour by internal actors? When were they last independently tested?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Does the organisation have a clearly defined and documented process for responding to a suspected fraud or misconduct matter? Who owns it and who is accountable?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           What independent investigation capability does the organisation have access to for serious or sensitive matters? Has that capability ever been used or tested?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           How are investigation findings reported to the board and what happens when findings implicate senior management?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ul&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          If the answers to these questions are uncertain or vague, the governance framework has a gap worth addressing.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Conclusion
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The AICD's guidance on cyber governance, risk oversight, and directors' duties all point in the same direction. Boards are expected to engage meaningfully with serious risk, ask hard questions of management, and ensure the organisation has the capability to respond when something goes wrong.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Fraud and insider threats are serious risks. They are also manageable ones, provided governance frameworks are designed with enough rigour, and the right investigation capability is in place when it matters.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Governance in Practice
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Organisations seeking to assess their current AI governance position and develop a structured remediation pathway can engage Khanterin Partners and its specialist advisors. Khanterin Partners offers AI Governance Readiness Assessments, providing organisations with a diagnostic of shadow AI exposure, regulatory compliance gaps, and governance maturity across the three regulatory tracks: privacy, competition, and national security considerations. The assessment identifies specific remediation priorities and provides guidance on implementation sequencing to move organisations from vulnerability to resilience ahead of the December 2026 Privacy Act deadline.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Bibliography
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Institute of Company Directors, Cyber Security Governance Principles (Version 2, November 2024) https://www.aicd.com.au/content/dam/aicd/pdf/tools-resources/director-tools/board/cyber-security-governance-principles-web3.pdf
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Institute of Company Directors, Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors (February 2024) https://www.aicd.com.au/risk-management/framework/cyber-security/governing-through-a-cyber-crisis-cyber-incident-response-and-recovery-for-australian-directors.html
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Institute of Company Directors, Governance Resource Highlights 2024 (December 2024) https://www.aicd.com.au/good-governance/organisational-strategy/long-term-strategic-plan/governance-resource-highlights-2024.html
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Institute of Company Directors, Regulatory Compliance in 2024 (December 2023) https://www.aicd.com.au/regulatory-compliance/regulations/regulatory-compliance-in-2024.html
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Institute of Company Directors, Summary of Insights from the Australian Governance Summit 2024 (2024) https://www.aicd.com.au/good-governance/summary-of-insights-from-the-australian-governance-summit-2024.html
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Institute of Company Directors and Australian Signals Directorate, Cyber Security Priorities for Boards of Directors 2025-26 (2025) https://www.aicd.com.au/risk-management/framework/cyber-security/cyber-security-priorities-for-boards-of-directors-2025-26.html
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <pubDate>Tue, 28 Apr 2026 12:50:15 GMT</pubDate>
      <guid>https://www.khanterin.com/the-insider-threat-boards-can-no-longer-ignore</guid>
      <g-custom:tags type="string" />
    </item>
    <item>
      <title>The AI Governance Convergence</title>
      <link>https://www.khanterin.com/the-ai-governance-convergence</link>
      <description>Shadow AI is your biggest compliance blind spot. With Australia's Privacy Act amendments due December 2026, govern AI before regulators do.</description>
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          How Regulatory Waves in AI Governance Are Reshaping Board and General Counsel Accountability
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          By 10 December 2026, organisations will be legally required to disclose what personal data they use in automated decision making. But that compliance deadline is just the surface. Three regulatory waves are converging simultaneously: privacy transparency requirements, competition and consumer fairness expectations, and emerging national security considerations around sovereign AI. Together they create a governance and risk landscape that boards and general counsels are largely unprepared to navigate.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Introduction
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The regulatory environment for artificial intelligence in Australia has shifted from experimental to prescriptive. The Privacy Act amendments commence in December 2026, the Australian Competition and Consumer Commission has sharpened its focus on AI transparency claims, and the federal government has signalled expectations around AI governance in high-risk settings and data security through frameworks like the National Framework for the Assurance of AI in Government. These are not separate initiatives; they are parallel movements that will converge on organisations simultaneously, each creating its own compliance obligations and governance demands.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          But here is the uncomfortable part: most organisations have no visibility into where AI is actually being used in their business. While boards are discussing generative AI strategies, employees are quietly deploying uncontrolled AI tools that feed proprietary data, customer records, and strategic information into third party systems. This gap between official AI governance and the reality of shadow AI deployment is where real risk sits. It is also where regulatory enforcement is likely to focus first.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Problem: Three Regulatory Tracks, One Compliance Deadline
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Australian regulatory convergence is happening across three distinct but overlapping domains.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          1. Privacy Transparency and Automated Decision-Making
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           The Privacy and Other Legislation Amendment Act 2024 introduces mandatory disclosure obligations effective 10 December 2026. Australian Privacy Principle 1 (APP 1) will require organisations to publish in their privacy policies the kinds of personal information used in automated decision making processes. The Office of the Australian Information Commissioner (OAIC) has been clear: this obligation applies to any decision made on or after that date, regardless of when the underlying algorithm or data collection infrastructure was deployed.
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          2. Consumer and Competition Scrutiny
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The ACCC has explicitly positioned AI transparency as a consumer protection issue. Misleading or unexplained AI claims risk being treated as potentially deceptive conduct under the Competition and Consumer Act 2010 (Cth). The ACCC’s December 2024 Digital Platform Services Inquiry reiterated the regulator’s intent to monitor AI systems for unfair practices, undisclosed algorithmic decision making, and overstated capability claims. This creates parallel liability risk alongside privacy non-compliance.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          3. National Security and the Sovereign AI Horizon
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Australian Government’s 2024 proposals for mandatory guardrails in high-risk AI settings, combined with emerging expectations around data residency and foreign ownership scrutiny through FIRB, signal an evolving governance landscape. Today, these obligations land hardest on defence primes, critical infrastructure operators, and financial services entities. But governance precedents established for heavily regulated sectors reliably become expectations for the broader market. What is mandatory for a defence contractor today is best practice for a mid-market enterprise tomorrow. Boards that understand this trajectory are better positioned to build durable governance architecture now, rather than retrofit it under regulatory pressure later.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          These three tracks converge on the same underlying problem: a lack of visibility and control over AI use within the organisation, and that is before we examine shadow AI.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Shadow AI Blind Spot
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Shadow AI is the elephant in every boardroom that nobody is talking about. Ninety-eight per cent of organisations report unsanctioned AI use, according to 2025 research, but shadow AI takes two distinct forms, and the second is far harder to detect than the first.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Form One: In-Network Shadow AI
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Employees spin up ChatGPT, Claude, Microsoft Copilot, bespoke language models, and AI agents integrated into enterprise systems without IT approval, security assessment, or governance controls. Gartner forecasts that 40 per cent of enterprise applications will feature task-specific AI agents by the end of 2026, up from under 5 per cent in 2025. The majority of those deployments will be uncontrolled. These tools leave a digital footprint inside enterprise systems, which means they can, in principle, be detected and audited, but only if someone is looking.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Form Two: Personal Device AI and Data Exfiltration
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The second form is more insidious and almost entirely invisible to governance controls. Employees photograph sensitive data (customer records, financial spreadsheets, strategic plans, personal information) with personal devices and feed those images into AI systems on their own laptops or phones. A loan officer photographs a customer file and uploads it to an AI tool for summarisation. A developer snaps a screenshot of a database schema and feeds it into an AI coding assistant. A compliance officer photographs a regulatory report and asks an AI to extract key risks.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          None of this leaves a trace in enterprise systems. It is completely invisible to IT audits and shadow AI detection tools. Yet it constitutes direct data exfiltration, and a potential breach of privacy obligations, information security policies, and in sensitive contexts, national security obligations.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Three Governance Failures Shadow AI Creates
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Data leakage and intellectual property exposure
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          In-network shadow AI tools operate on an organisation's systems but outside the organisation's controls. Personal device AI use exfiltrates data entirely. Either way, sensitive customer data, financial records, strategic plans, and technical specifications end up in third-party systems. Once data enters those systems, it may be logged, cached, or used for model retraining. For a financial services firm handling customer information subject to privacy laws, or a technology company with commercially sensitive intellectual property, this is existential risk.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Compliance gaps and liability chains
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Shadow AI tools, whether in-network or on personal devices, operate outside governance frameworks. When an employee uses an unapproved AI system to make or inform a customer decision, that decision falls outside documented AI governance processes. If that decision causes harm, the organisation’s defence that it maintains AI governance controls collapses. The organisation becomes liable for decisions made by tools it did not know existed.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Regulatory exposure
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Shadow AI in both forms represents exactly the kind of uncontrolled automated decision making and data handling that privacy regulators, competition authorities, and national security agencies will scrutinise first. When the OAIC investigates AI use, organisations will be required to produce an inventory of all AI systems processing personal data. In-network shadow AI may not be disclosable because it was never tracked; personal device exfiltration cannot be disclosed because it was never visible.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Case: A Financial Services Scenario
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Consider a mid-tier financial services firm with 300 employees. The compliance team has documented AI use in credit decisioning and fraud detection. Their privacy policy is updated, their algorithms are tested, their governance committee meets quarterly. From the outside, it looks clean.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          But unbeknownst to the board, loan officers across the business have individually subscribed to advanced AI tools to summarise customer applications and flag credit risks. Customer data, such as names, account history, income and previous credit decisions, is being fed into these tools daily. Developers have built bespoke AI agents using open-source frameworks to automate routine compliance checks, feeding regulatory reports into systems that were never security assessed. The marketing team has deployed an AI-powered lead scoring tool integrated into their CRM without IT approval.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          None of this was malicious. It was productivity driven.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          It is now December 2026. The OAIC sends a compliance inquiry requesting a full inventory of all AI systems processing personal data. The organisation discovers it has 47 active AI deployments: it can document and govern 12; the other 35 exist in shadow.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Suddenly, the organisation faces a choice: disclose the inventory gap (admitting a lack of control to a regulator) or provide incomplete disclosure (misleading a regulator). Either path carries enforcement risk that was avoidable.
         &#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The Solution: From Audit to Architecture
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Three steps move an organisation from vulnerability to resilience.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Step One: Map and Categorise
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The first action is an honest AI inventory:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ul&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            What systems exist?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Where are they deployed?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            What data do they process?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Who owns them?
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ul&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           This is not a technical audit; it is a governance census, conducted by general counsel and risk rather than IT, because the goal is to understand decision rights and data handling, not the technology stack. Systems should be categorised into three tiers:
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ol&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Official (documented and governed)
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Shadow (known but ungoverned), and
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            Unknown (yet to be discovered).
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ol&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The census will not eliminate all shadow AI, but it establishes the foundation: knowledge is the prerequisite for control.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Step Two: Establish Governance Gates
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Create a mandatory approval process for any AI deployment that processes personal data, customer information, or commercially sensitive material. This does not mean banning employee use of AI tools. It means any tool handling in-scope data passes a simple governance checklist:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ul&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Is data being transmitted outside the organisation?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Is the vendor based in Australia or a Five Eyes jurisdiction?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Is the tool trained on organisational data?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Can data be deleted from the system on request?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Is the use consistent with how customers understand their data is handled?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ul&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The checklist also needs to address personal device use: employees must understand that using a personal phone or laptop to photograph or copy organisational data into external AI systems is a policy breach, not a productivity shortcut.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
          Step Three: Align to Established Frameworks
         &#xD;
    &lt;/strong&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Organisations do not need to invent AI governance from scratch. The MindForge AI Risk Management and Governance Framework, developed by the Monetary Authority of Singapore in collaboration with a consortium of major financial institutions and released in January 2026, provides a proven and internationally credible architecture. MindForge establishes four governance pillars:
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ol&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Governance and oversight (clarity of roles and accountability for AI);
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           AI risk management (identification, materiality assessment, and inventorisation);
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        &lt;span&gt;&#xD;
          
            AI lifecycle management (controls covering the full lifecycle from deployment through retirement); and
           &#xD;
        &lt;/span&gt;&#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Organisational enablers (capability, infrastructure, and resources for ongoing responsible AI use).
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ol&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Mapping an organisation’s AI environment against these four pillars, and documenting where gaps exist, gives a structured basis for remediation and, critically, for demonstrating to regulators that reasonable and proportionate steps have been taken.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The key to this approach is that it is anticipatory. Organisations that move now are moving with the regulatory curve. Those that wait will face the December 2026 deadline under pressure, with an inadequate inventory, limited time for remediation, and difficult choices about disclosure.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Conclusion
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The convergence of privacy, competition, and national security expectations around AI governance is not a threat to innovation. It is a forcing function for discipline. Organisations that map their AI environment, establish governance gates, and align to proven frameworks will find the December 2026 Privacy Act amendments straightforward to implement. Those that do not will face a compliance crunch: a hard deadline, no inventory of what is in scope, and rapid decisions about disclosure made under regulatory scrutiny.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The board’s role is clear: demand that general counsel and risk owners report on three questions by mid-2026:
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ol&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           What AI systems is the organisation officially deploying, and are they governed?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           What shadow AI exists, in-network and on personal devices, and what is the remediation plan?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
           Is the organisation aligned with established governance frameworks, and what evidence can be demonstrated to a regulator?
          &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ol&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          The answers will reshape how organisations approach both innovation and risk. The time to act is now, moving with the regulatory curve rather than behind it.
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
          References
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Government, National Framework for the Assurance of AI in Government (Data and Digital Ministers’ Meeting, 21 June 2024).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Privacy and Other Legislation Amendment Act 2024 (Cth).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Office of the Australian Information Commissioner, ‘Chapter 1: APP 1 — Open and Transparent Management of Personal Information’ (OAIC, 2024) &amp;lt;https://www.oaic.gov.au&amp;gt;.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Competition and Consumer Commission, ‘Digital Platform Services Inquiry — Final Report’ (ACCC, March 2025).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Australian Government, ‘Introducing Mandatory Guardrails for AI in High-Risk Settings’ (Department of Industry, Science and Resources, September 2024).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Enterprise AI Governance Research (various), cited in ‘Shadow AI Explained: Risks, Costs, and Enterprise Governance’ (2025).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Gartner, ‘Top Strategic Technology Trends 2026’ (Gartner, 2025).
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          CIO, ‘Shadow AI: The Hidden Agents Beyond Traditional Governance’ (2025) &amp;lt;https://www.cio.com&amp;gt;.
         &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
          Monetary Authority of Singapore and MindForge Consortium, AI Risk Management and Governance Framework: Operationalisation Handbook (MAS, January 2026).
          &#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <pubDate>Thu, 26 Mar 2026 02:34:48 GMT</pubDate>
      <guid>https://www.khanterin.com/the-ai-governance-convergence</guid>
      <g-custom:tags type="string" />
    </item>
  </channel>
</rss>
