Australian organisations are investing heavily in AI governance, yet few are ready to deliver on it.

While 69% of CISOs identify governance as a top priority, only 1% believe their organisation is fully prepared to harness AI safely.

The paradox lies in how governance is being treated: as a compliance requirement rather than a performance system that drives business resilience.

At ADAPT’s Security Edge, technology and security leaders agreed that this growing gap between policy ambition and operational readiness is being driven by fragmented ownership, unreliable data, and behavioural blind spots.

These forces interact in ways that make governance look mature on paper but shallow in execution, producing what one leader described as “a perception of control without accountability.”

Governance without ownership is accelerating risk

Gabby Fredkin, Head of Analytics and Insights at ADAPT, revealed that although most organisations are allocating resources to strengthen AI governance, few have embedded it operationally.

Only 3% of enterprises have automated decision-making within governance frameworks, and 62% still operate at basic or minimal control maturity.

He noted that the pace of governance design is far ahead of its operational reality, leaving many leaders with detailed frameworks but no consistent oversight.

This structural weakness is compounded by fragmentation at the top.

Daryl Pereira, Head of the CISO Office for APJ at Google Cloud, and David Gee, former CIO and CISO, both observed that governance maturity depends less on technology and more on cultural alignment across the C-suite.

They emphasised that accountability must be shared between security, risk, and business functions, otherwise frameworks multiply without genuine ownership.

Tara Dharnikota, CISO at Victoria University, added that compliance fatigue is becoming a serious barrier.

Balancing CPS 230, the SOCI Act, and university-specific reporting demands has turned governance into a bureaucratic process.

In her experience, many leaders are spending more time maintaining documentation than embedding controls.

The cumulative effect is a widening gap between how mature frameworks appear and how little they influence real-world security outcomes.

AI risk is becoming indistinguishable from data risk

As AI becomes woven into business operations, the distinction between AI and data risk has almost disappeared.

ADAPT’s national survey shows that uncontrolled data access is now the most common risk cited by Australian CISOs, underscoring that governance gaps are often data gaps in disguise.

Andrew Dell, General Manager for Customer Security Management at Microsoft, explained that enterprise resilience cannot be engineered without unified ownership of data.

He observed that many boards still treat data governance as an operational matter for IT teams, even though it underpins every aspect of AI assurance.

The result is a disconnection between strategic intent and technical capability, a problem that multiplies as data volumes expand.

In the higher education and defence sectors, the challenge becomes even more complex.

Bruce Northcote, Chief Compliance and Chief Security Officer at the University of Adelaide, described the difficulty of applying uniform governance across decentralised research environments.

He explained that while defence-grade programs demand stringent controls, the academic environment resists uniformity due to its culture of autonomy and open collaboration.

This reality creates a dual-speed governance model, where maturity in one domain can mask risk in another.

Across industries, leaders are realising that the integrity of AI models depends on the trustworthiness of the data beneath them.

When that foundation is weak, governance becomes theoretical, a crucial layer of policy that signals control without ensuring it.

Human behaviour is the blind spot in AI governance

Despite advances in frameworks and controls, the behavioural dimension of governance remains the most underdeveloped.

Garrett O’Hara, Senior Director Sales Engineering APAC at Mimecast, highlighted that roughly 8% of employees account for 80% of security incidents, demonstrating that risk is concentrated in small pockets of behaviour rather than spread evenly across organisations.

Technology may reinforce compliance, but human inconsistency still undermines it.

Emily Mailes, Chief eHealth Strategy Officer at the Victorian Department of Health, illustrated how these dynamics play out in critical environments.

In healthcare, clinicians often bypass security controls when they interfere with patient care, not out of negligence but necessity.

Similarly, Samrat Seal, Head of Transformation and Governance at Kmart Group, described how retail teams struggle when security controls conflict with customer experience.

His organisation responded by adopting adaptive authentication and embedded support tools that reduce cognitive friction, ensuring that security becomes invisible rather than obstructive.

Darren Argyle, former Group Chief Information Security Officer at Standard Chartered Bank, reframed the issue as a leadership challenge rather than a technical one.

Having worked in multiple boardrooms across financial institutions, he argued that recurring cyber failures stem from weak communication between boards and security leaders.

When CISOs lack influence or struggle to translate technical risk into business language, governance collapses at the point of interpretation.

His view was echoed by many at Security Edge who believe that the future of cyber maturity depends as much on emotional intelligence and influence as on frameworks and compliance metrics.

These insights expose the behavioural blind spot in AI governance: a failure to connect trust, education, and leadership to the systems designed to enforce them.

Closing the governance–performance gap

Australia’s AI governance landscape is now at a turning point.

Investment and attention are surging, but operational maturity has barely moved.

Frameworks have been built, committees formed, and policies published, yet most organisations remain reactive rather than adaptive.

To evolve from compliance-driven governance to performance-led governance, leaders must focus on execution rather than expansion.

 

Recommended actions for security leaders

  • Operationalise accountability – Map ownership of AI and data risks across all executive functions. Align incentives so accountability is collective, measurable, and directly linked to performance outcomes.
  • Automate oversight – Use telemetry from AI models, SOCs, and cloud systems to replace static reporting with continuous assurance. Real-time feedback loops will turn governance from a retrospective audit into an active control system.
  • Humanise governance – Integrate behavioural analytics and executive education to close the cultural gap between board expectations and frontline behaviour. Make governance a living process that reinforces trust rather than compliance fatigue.

 

Governance should be treated as a dynamic capability: one that measures real impact, drives consistent behaviour, and adapts to the pace of innovation.

The next year will determine whether Australian organisations can bridge the gap between ambition and execution.

Those that do will transform governance from a record-keeping exercise into a performance discipline: one that embeds accountability, trust, and intelligence at the centre of enterprise resilience in the algorithmic era.

Contributors
Justina Uy, Content Marketing Manager

Justina Uy is a data-driven content marketer who thrives on democratising elite know-how to empower Australia’s underdogs.

Skilled at translating complex ideas into a compelling story across formats and channels, she shifts seamlessly between writing long-form articles, creating viral social media posts, and producing thumb-stopping videos.

Since 2015, Justina has executed her vision through a sophisticated understanding of the rapidly evolving digital and business landscape to serve entertaining and educational insights to the executive community.
