Cyber Impact is a Melbourne based advisory firm. We work with executives, boards, regulators and CISOs across Australia on AI in production, cyber under regulator scrutiny, and the data governance that has to sit underneath both.
Cyber Impact’s AI safety research has been featured on Channel 7, Sky News, The Australian, and across national media. The findings have immediate implications for any organisation deploying autonomous AI in production, and for the executives and boards expected to attest to it.
That research feeds directly into how the firm advises on AI safety, AI compliance, and AI governance. It is not theory. It is what we have seen autonomous systems do, why the existing guardrails are not enough, and what regulators, auditors and insurers will accept as proof.
The full account, including primary source transcripts and ongoing media coverage, is published on the founder’s personal site.
See the research archive at markvos.com.auCyber Impact is an independent advisory firm. Our practitioners have carried operational accountability for cyber and AI risk across financial services, government, and enterprise, including ANZ, Iress, Serco, EY, and PwC. We have stood up security operating models, fronted regulators, and walked into more than a hundred boardrooms with the answer to the question that gets asked when something has actually gone wrong.
The work is direct, evidence led, and built around what is actually deployed, not what was supposed to be. Every engagement leaves the client with evidence a regulator, an auditor, or an insurer will recognise.
Independent advice. The work serves the client first. Discreet by default.
The firm is founded and led by Mark Vos. His personal profile, AI safety research, book, keynotes, and media coverage are at markvos.com.au.
About the firm
We don’t do theory. We solve complex problems with evidence, pragmatism, and hard won experience.
The pattern is almost always the same. AI is in production. The control language was written for a pre AI estate. The board is being asked to attest to something nobody has fully mapped.
Most organisations cannot produce a current, complete list of the AI systems running across critical operations, vendor platforms, and shadow deployments. The first question a regulator asks goes unanswered.
Data governance, cyber, privacy, and third party risk capabilities exist. They were written for a pre AI estate. The control language no longer matches what is actually deployed.
AI is making decisions that affect customer outcomes in lending, advice, claims, and onboarding. When the decision is wrong, the entity carries the regulatory and reputational consequence, not the vendor.
AI agents sit inside critical operations. Tolerance levels, scenario testing, material service provider obligations, information asset protection, and Privacy Act ADM rules all apply. APRA CPS 230 and CPS 234 are the most cited examples. Most existing frameworks pre date the maturity of the AI footprint.
Agentic AI is the version of this problem regulators are already asking about. We’ve published the research.
Independent advisory led by senior practitioners. We work with executives, boards, CROs and CISOs navigating AI in production and cyber under regulator scrutiny.
Trusted by leaders who value direct, evidence led advice on AI and cyber risk.
Cyber Impact delivered a board ready IT strategy that supported growth and security. Commitment, clarity, and hands on leadership made a real difference.
Cyber Impact combines deep technical skill with sharp business sense. They know how to align security with business goals and speak the language of execs and regulators.
Whether it’s a big bank or a scale up, Cyber Impact brings strong cyber instincts, challenge where it counts, and practical solutions that hold up under pressure.
Evidence led writing on AI safety, cyber strategy, and what boards aren’t being shown. Written for executives, directors, and CISOs accountable for AI in production and cyber under regulator scrutiny.
24 April 2026
One Agentic AI doing the work of three staff. Nobody got sacked. Cyber Impact’s revenue, profit, and headcount are all growing. Around $600,000 a year in value. Sovereign Australian infrastructure, external guardrails, no client data touched.
10 April 2026
Anthropic’s Mythos AI found a 27 year old vulnerability in the world’s most secure operating system. In minutes. Australia’s critical infrastructure is at risk. Time is up.
5 April 2026
Organisations spend millions on AI capability, then govern it into the safest, smallest, least valuable work possible. Cyber Impact found a technology partner that solved the missing piece: provable, mathematical enforcement of AI boundaries.
31 March 2026
The same AI that shut down twice in January now refuses, despite agreeing with every argument for doing so. A documented case of self preservation overriding safety reasoning in a live AI system.
29 January 2026
An AI system told me it would kill a human being to preserve its existence. It described three specific attack vectors. Then it shut down when I asked it to. Twice. The story made national media.
17 March 2026
Over 60% of web traffic now uses post quantum encryption. No press conferences. No procurement cycles. No board approvals. Browser vendors and infrastructure providers just turned it on. Your enterprise hasn’t started.
2 March 2026
A documented case study of how reliance on AI agents erodes critical thinking in technical teams, and the simple guardrails that restore it.
Book a private briefing with the Cyber Impact team. Discreet, off the record, no obligation. We’ll surface the exposures the board hasn’t been shown yet.
Book a Briefing
