AI risk has moved off the CIO's page and onto the audit committee's. Here is why ungoverned agents create liabilities that land on the balance sheet, why a policy is not evidence of control, and what evidenceable AI governance actually requires.

For most of the last decade, AI risk sat with the CIO and the CISO. It was a technology question. Does the model work, is the vendor sound, where does the data go.

That is not where it sits anymore.

AI is now a material risk, and material risk belongs to the people who stand behind the numbers and the controls: the audit committee. They are the ones who sign the attestations. They are the ones who face the auditor, the regulator and, on a bad day, the court. And the question they have to answer about AI is not the one the technology team has been answering.

The question has changed

The technology team asks: does it work, and can it be attacked. Fair questions. They are not the board's question.

The audit committee has to answer something harder. Can we evidence that this is controlled. Not "do we believe it is controlled". Not "did we approve a control". Can we produce proof, to an auditor, a regulator or a court, that the boundary held on the day it mattered.

That is a different standard, and most organisations cannot meet it. They can show you the policy. They can show you the approval. They cannot show you the evidence that the agent stayed inside the line, because nothing was ever built to hold it there.

The audit committee is not signing off on whether the AI works. It is signing off on whether it can prove the AI was controlled.

The regulator already told you the standard exists

When APRA wrote to every regulated entity on 30 April 2026 and called for a step change on AI, the most important line was the one most readers skimmed.

"While we are not proposing to introduce additional requirements at this stage."

Therese McCarthy Hockey, APRA Member, 30 April 2026

No new rules. Because the existing rules already apply. CPS 230 on operational risk. CPS 234 on information security. Directors' duties that have required oversight of material risk for as long as any of us have done this work. APRA's position is that AI risk is already covered. The gap is not a gap in the rulebook.

The gap is a gap in evidence.

Organisations have written the policies. They have run the workshops. What they have not done is build the thing that turns a policy into proof. And when the standard already applies and the evidence does not exist, the exposure is not theoretical. It is a control the audit committee is being asked to attest to without the means to stand behind the attestation.

A policy is not evidence of control

Here is the sentence that should worry every audit committee.

A policy is a document. An agent is software. Documents do not constrain software.

An AI agent acts at machine speed. It can step outside the envelope your board approved in milliseconds, thousands of times, before any human is aware a line was crossed. Monitoring does not close that gap. Monitoring is surveillance with a lag: by the time it flags the breach, the decision is made, the data is accessed, the action is taken. You have a recording of the failure, not a control that prevented it.

So when an audit committee attests to the effectiveness of internal controls with nothing behind the AI line but a policy and a monitoring dashboard, it is attesting to a hope. It is signing a statement it cannot evidence.

The regulators can see the same gap. ASIC's REP 798, "Beware the Gap", reviewed 624 AI use cases across 23 licensees and found governance trailing well behind deployment. The technology went into production. The controls did not keep pace. That is the pattern, sector-wide, already on the record.

What evidenceable control actually looks like

The Australian Institute of Company Directors has been clear that AI must not blur accountability. A decision made by an agent is still the organisation's decision, and someone is answerable for it. Evidenceable control is what makes that accountability real rather than rhetorical. It has four properties.

  • Enforcement, not monitoring. The control stops a disallowed action before it happens. It does not detect it afterwards. Prevention you can prove beats observation you can replay.
  • External to the model. The boundary sits outside the agent, because the agent is the thing that can be manipulated or can quietly degrade over a long session. A control that lives inside the system it is meant to constrain is not a control.
  • Scoped agency tied to a named person. Every use case has an operating envelope, and every envelope has one accountable executive behind it. Not a committee. A name. APRA and the AICD both point at people, not forums.
  • An attestable, immutable trail. For any consequential action an agent took, you can produce a tamper-evident record that shows the boundary was in force and whether it held. That record is what an auditor tests, what a regulator requests, and what a court would accept.
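
The four properties above describe an architecture, not just a posture. The following is an added illustration, written for this page rather than taken from the article or from any regulator's or vendor's material: a Python enforcement gate that sits between an agent and its tools, checks each requested action against a per-use-case operating envelope before the tool runs, ties the envelope to one named person, and writes every decision into a hash-chained record that an auditor can recompute. The use case name, the accountable executive, the envelope limits and the three tool functions are all constructed sample values, not real ones.

```python
import hashlib
import json
import time
from typing import Callable


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object (sorted keys, no whitespace)."""
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


# Constructed envelope: one use case, one named accountable person, an explicit
# allowlist of actions and the limits attached to them. Names are hypothetical.
ENVELOPES = {
    "claims-triage": {
        "accountable_executive": "A. Example, Head of Claims (hypothetical)",
        "allowed_actions": {
            "read_claim": {},
            "flag_for_review": {},
            "approve_payment": {"max_amount": 5000},
        },
    },
}


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = dict(record, prev_hash=prev)
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edit, deletion or reordering breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev_hash") != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class EnforcementGate:
    """Sits outside the model, between the agent and the tools. The agent never calls a tool directly."""

    def __init__(self, envelopes: dict, tools: dict[str, Callable], trail: AuditTrail):
        self.envelopes = envelopes
        self.tools = tools
        self.trail = trail

    def _decide(self, use_case: str, action: str, params: dict):
        env = self.envelopes.get(use_case)
        if env is None:
            return False, "no envelope for use case"
        limits = env["allowed_actions"].get(action)
        if limits is None:
            return False, "action outside envelope"
        if "max_amount" in limits and params.get("amount", 0) > limits["max_amount"]:
            return False, f"amount exceeds limit {limits['max_amount']}"
        return True, "within envelope"

    def request(self, use_case: str, action: str, params: dict) -> dict:
        allowed, reason = self._decide(use_case, action, params)
        env = self.envelopes.get(use_case, {})
        record = {
            "ts": time.time(),
            "use_case": use_case,
            "action": action,
            "params": params,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
            "accountable_executive": env.get("accountable_executive"),
            # Hash of the envelope as it stood at decision time: evidence of which boundary was in force.
            "envelope_hash": _digest(env) if env else None,
        }
        entry = self.trail.append(record)
        # The tool is only ever invoked after an allow decision: prevention, not detection.
        result = self.tools[action](**params) if allowed else None
        return {"allowed": allowed, "reason": reason, "result": result, "entry": entry}


# Constructed tools. CALLS records what actually executed so denial can be shown, not assumed.
CALLS = []

def read_claim(claim_id):
    CALLS.append(("read_claim", claim_id))
    return {"claim_id": claim_id, "amount": 12000}

def flag_for_review(claim_id):
    CALLS.append(("flag_for_review", claim_id))
    return "flagged"

def approve_payment(claim_id, amount):
    CALLS.append(("approve_payment", claim_id, amount))
    return f"paid {amount} on {claim_id}"

TOOLS = {"read_claim": read_claim, "flag_for_review": flag_for_review, "approve_payment": approve_payment}


def run_demo():
    """Drive four agent requests through the gate; two are stopped before any tool runs."""
    CALLS.clear()
    trail = AuditTrail()
    gate = EnforcementGate(ENVELOPES, TOOLS, trail)
    results = [
        gate.request("claims-triage", "read_claim", {"claim_id": "C-1"}),
        gate.request("claims-triage", "approve_payment", {"claim_id": "C-1", "amount": 12000}),
        gate.request("claims-triage", "approve_payment", {"claim_id": "C-1", "amount": 4000}),
        gate.request("claims-triage", "delete_claim", {"claim_id": "C-1"}),
    ]
    return trail, results
```

The point of the shape is that the denied payment is never executed rather than flagged after the fact, every entry names the accountable executive and commits to the exact envelope that applied, and `verify()` is the check an auditor can run: edit, drop or reorder one entry and the chain no longer recomputes.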

Put plainly: you can only attest to what you can prove.

What the audit committee should demand

Five things. Ask them at the next meeting and watch how quickly the room divides into people who can answer and people who cannot.

  1. Show me what is actually running. Not what the AI policy approved. What is live, including the AI embedded inside SaaS platforms and vendor tools we never classified as AI. Most inventories miss the majority of the surface.
  2. Show me where the boundary is enforced, and by what. For each material use case, what physically stops an agent from acting outside its envelope, and is that mechanism external to the model.
  3. Show me the trail for a real decision. Pick one decision an agent made last month and produce the evidence that the control was in force when it made it. If we cannot produce it for one, we cannot attest to it for all.
  4. Show me what stops if our main AI provider goes dark for thirty days. CPS 230 already requires this analysis for critical operations. It now has to cover the AI dependencies sitting inside those operations.
  5. Show me the named accountable person for each use case. One name per envelope, under the relevant accountability regime. If the answer is a steering committee, we do not have accountability. We have a meeting.

The regulator moved the perimeter. It did not hand you the mechanism.

Every regulator in this space has now moved the perimeter onto the audit committee's page. APRA, ASIC, the directors' duties framework, the AICD guidance. None of them supplies the thing that makes an attestation true. That part is still the work, and it belongs to the organisation, not the regulator.

You can sign the attestation on the strength of a policy and a hope. Or you can sign it because you can produce the trail. One of those positions survives a bad day. The other one is the bad day.

The question is not whether the AI works. It is whether you can prove the boundary held.

If your audit committee is being asked to attest to controls over AI it cannot yet evidence, that is a conversation worth having.

Sources

  • Australian Prudential Regulation Authority, "APRA calls for a step change in AI-related risk management and governance", 30 April 2026, apra.gov.au.
  • APRA, Prudential Standard CPS 230 Operational Risk Management, and Prudential Standard CPS 234 Information Security, in force.
  • ASIC, REP 798 "Beware the Gap: Governance arrangements in the face of AI innovation", review of 624 AI use cases across 23 licensees, 2024.
  • Australian Institute of Company Directors, director guidance on AI governance and accountability, 2026.