Boards are being asked to govern AI without a rulebook. This guide explains what AI governance actually means, the real risks, the standards emerging globally, and what Australian directors should be doing right now — without the hype.
AI governance is the system of policies, controls, accountabilities and oversight mechanisms an organisation uses to manage how artificial intelligence is built, bought, deployed and monitored. It sits alongside data governance, cyber, privacy and risk — but it is not the same as any of them.

At its simplest, AI governance answers four questions: Who decides which AI systems we use? Who is accountable when they go wrong? How do we know they are doing what we think they are doing? And how do we prove all of that to a regulator, auditor or customer?

For most Australian mid-market organisations, AI governance today is informal at best. ChatGPT, Copilot, Gemini and dozens of embedded vendor AI features are already in use — usually without a register, without a risk assessment, and without any board visibility. That is the gap this guide is written for.
Australian directors already owe duties of care, diligence and good faith under sections 180–183 of the Corporations Act. ASIC has been explicit that these duties extend to AI: in its October 2024 report (REP 798) and subsequent statements, the regulator has warned that boards cannot delegate AI risk to IT and that existing governance frameworks are often not keeping pace with deployment. The Australian Government's Voluntary AI Safety Standard (published September 2024 by the Department of Industry, Science and Resources) sets out ten guardrails covering accountability, risk management, data governance, testing, transparency, human oversight, contestability, supply chain, records and stakeholder engagement. It is voluntary today — but it is widely understood to be the template for forthcoming mandatory guardrails for "high-risk" AI use. In parallel, the Privacy and Other Legislation Amendment Act 2024 introduced new transparency obligations for automated decisions affecting individuals, taking effect from December 2026. APRA-regulated entities should also read CPS 230 and CPS 234 as effectively applying to AI-driven operational and information security risks.
Most AI risk is not a Terminator scenario. It is mundane and operational:

• Confidentiality leakage — staff pasting client data, contracts or board papers into public LLMs that may use it for training.
• Hallucination in regulated outputs — AI-drafted advice, disclosures or compliance documents that sound authoritative but are wrong.
• Bias in decisions — credit, hiring, pricing or eligibility decisions that systematically disadvantage protected groups, breaching anti-discrimination and consumer law.
• Shadow AI — tools adopted by individual teams without procurement, security or legal review.
• Vendor lock-in and opacity — AI features bundled into core SaaS where the model, training data and update cadence are invisible to the customer.
• Intellectual property contamination — generated content that infringes third-party copyright, or organisational IP being absorbed into vendor models.
• Audit trail gaps — decisions influenced by AI with no record of which model, prompt, version or human reviewer was involved.

These are the risks regulators, insurers and customers will ask about first.
Three frameworks dominate the global conversation, and any credible AI governance program will reference at least one:

• ISO/IEC 42001:2023 — the first international management system standard for AI. Certifiable, modelled on ISO 27001, and increasingly being requested in enterprise procurement.
• NIST AI Risk Management Framework (AI RMF 1.0) — a US government voluntary framework structured around Govern, Map, Measure and Manage. Practical, free, and widely adopted as a maturity model.
• EU AI Act — the world's first horizontal AI law. In force from August 2024, with a tiered risk model (unacceptable, high, limited, minimal). It applies extraterritorially to any organisation placing AI systems on the EU market, including Australian SaaS vendors with EU customers.

For Australian organisations, the practical layer is the Voluntary AI Safety Standard's ten guardrails, which map cleanly onto both ISO 42001 and NIST AI RMF.
A workable AI governance program for a mid-market group typically includes:

1. An AI policy approved by the board, distinguishing permitted, restricted and prohibited use cases.
2. An AI inventory or register — every AI system in use, who owns it, what data it touches, what decisions it influences, and its risk tier.
3. A risk assessment process triggered before any new AI tool is procured or deployed, proportionate to risk tier.
4. Clear human-in-the-loop requirements for any AI output that affects customers, employees, regulatory filings or financial reporting.
5. Contractual controls with vendors covering training data use, model updates, incident notification, IP indemnities and exit.
6. Logging and audit trails capturing model, version, prompt, output and human review for high-risk use cases.
7. Training so staff know what they can and cannot put into AI tools.
8. Board reporting — at minimum quarterly — covering inventory changes, incidents, near-misses and regulatory developments.

None of this requires new technology. Most of it requires a register, a policy, and someone accountable.
• Mandatory guardrails — the Australian Government has signalled that the voluntary standard will be made mandatory for high-risk AI use. A proposals paper closed for consultation in late 2024; legislation is expected to follow.
• Automated decision transparency — from December 2026, organisations using automated decisions that significantly affect individuals must disclose this in their privacy policies and explain the decision on request.
• ASIC enforcement posture — REP 798 was a warning shot. Expect ASIC to test director duties in the AI context through targeted reviews, not just guidance.
• Sector-specific guidance — APRA, ACCC, OAIC and the Fair Work Commission are each developing AI-specific positions. Financial services, healthcare and recruitment will see the most movement.
• Procurement-driven adoption of ISO 42001 — large enterprises and government buyers are already starting to require it from vendors.
• Copyright litigation — global cases against major AI developers will shape the IP landscape for organisations using generative tools.
EntityFlo is corporate governance software, not an AI compliance tool — but the discipline is the same. We help boards and company secretaries maintain the registers, decisions, audit trails and accountability mappings that AI governance frameworks require. Rebecca AI, our governance assistant, operates inside the authenticated platform: she only sees the data the user is authorised to see, every action she takes is logged, and her outputs are drafts for human approval, not autonomous decisions. That is the model regulators are asking for: AI used as a productivity layer, with humans accountable for the decisions, and a defensible record of who decided what, when, and on what basis.
Not as a standalone regime. The Voluntary AI Safety Standard published in September 2024 is voluntary, but existing director duties, privacy law, anti-discrimination law and sector regulation already apply to AI use. Mandatory guardrails for high-risk AI are expected to follow.
Data governance covers how data is collected, stored, used and protected. AI governance covers how models built on that data are designed, deployed, monitored and held accountable. You need both — AI governance assumes data governance exists.
Not for most organisations today. But if you sell to enterprise or government, expect it to appear in procurement questionnaires within 12–24 months. Using ISO 42001 as a maturity model — without certifying — is a sensible starting point.
Accountability sits with the board. Day-to-day ownership usually sits with a cross-functional group — typically the company secretary or general counsel chairing, with risk, IT, privacy and a business sponsor. Pure IT ownership is a red flag.
It applies extraterritorially. If you provide an AI system or AI-enabled service to users in the EU, or your AI output is used in the EU, you are likely in scope regardless of where you are headquartered.
This is the most common AI risk in Australian organisations today. The minimum controls are a written acceptable use policy, a list of approved tools, mandatory training, and explicit prohibitions on entering confidential or personal information into public models.