Level 40, 140 William St, Melbourne VIC 3000 +61 3 7064 5507 contact@cyberimpact.com.au

Services

Seven engagements. Built for executives, boards, CROs and CISOs.

Independent advisory led by senior practitioners. Every engagement is scoped to leave the client with evidence a regulator, an auditor, or an insurer will recognise. Five of the seven have an end point. The two ongoing services, AI Governance as a Service and Data Governance & Privacy, keep going at the cadence the regulator and the auditor expect.

1. AI Compliance for APRA Regulated Entities

Built for APRA-regulated banks and insurers, ASX-listed entities, AUSTRAC-regulated firms, and government departments. Designed around what the regulator actually asks for, not what reads well in a slide pack.

  • AI agent register tied to CPS 230 critical operations and CPS 234 information assets
  • AI Governance framework aligned to ISO/IEC 42001 and the entity’s risk appetite statement
  • Control review against APRA, ASIC, AUSTRAC, OAIC and SOCI obligations
  • Adversarial testing of priority systems: prompt injection, jailbreaks, data exfiltration, decision bypass
  • Documented decision authority and audit trails for customer-affecting AI (lending, advice, claims, onboarding)
  • Material service provider review covering AI vendors and downstream model providers
  • Board Risk Committee paper, evidenced and audit ready
  • Costed remediation roadmap aligned to the entity’s existing risk appetite statement

Typical duration: 8 to 12 weeks. Output: Audit-ready Board Risk Committee paper, AI agent register, remediation plan.

Speak to the firm

2. AI Safety Assessment

A targeted assessment of the AI now operating across critical operations, vendor platforms, and shadow deployments, ending with a written, board-defensible position.

  • Discovery of current state AI usage, tooling, models, agents, and policy gaps
  • AI Governance baseline and control framework anchored to ISO/IEC 42001 and existing cyber controls
  • Targeted threat modelling and risk assessment for generative, copilot, agentic, and application level AI
  • Technical guardrails for prompt injection, model abuse, data leakage, and decision authority
  • C-suite and board education sessions calibrated to the directors’ actual exposure
  • Written target state and a costed, sequenced roadmap

Typical duration: 4 to 8 weeks. Output: Board paper, control framework, prioritised remediation plan.


3. AI Enablement

For organisations that have not yet meaningfully started with AI, or have started in a way that is creating more risk than value. We sit with the leadership team and define the smallest moves to start without creating compliance exposure.

  • Where AI should be creating value, and an honest read on why you have not moved on it
  • AI Governance foundations sized to the maturity of the organisation
  • The first one or two initiatives worth doing, with a measurable business case
  • A named executive owner, a written action list, and a 90 day plan
  • Vendor and platform short list informed by the controls you already have

Typical duration: 2 to 4 weeks. Output: 90 day enablement plan, executive owner, costed first move.

Ongoing service

4. AI Governance as a Service

Continuous oversight of the AI estate, delivered as a managed service. The work doesn’t end with the engagement. It continues at the cadence the regulator, the auditor, and the insurer expect.

  • Live AI agent register, maintained as the estate changes
  • Monthly drift testing, decision integrity sampling, and adversarial probing of priority systems
  • Quarterly Board Risk Committee pack with findings, remediation, and exposure trajectory
  • Material service provider reattestation on the cadence the regulator expects
  • Direct contact with the Cyber Impact team for incidents, regulator queries, and AI-related crisis comms
  • Named partner accountable for the relationship, supported by the firm’s specialist team
  • Quarterly board education on emerging AI risk, regulatory change, and lessons from the firm’s research

Engagement model: Monthly retainer, scaled to the size and complexity of the AI estate. Output: Continuous, audit ready evidence rather than a snapshot.

Ongoing service

5. Data Governance & Privacy

Cyber Impact’s data governance and privacy practice: data classification and lineage, Privacy Act compliance (including the automated decision-making (ADM) obligations that commence in December 2026), OAIC engagement, and the data-side controls that AI now depends on. Delivered on an ongoing basis because data and privacy obligations don’t pause.

  • Data classification, ownership, and lineage across critical operations
  • Privacy Act compliance, including the automated decision-making (ADM) obligations that apply from December 2026
  • Privacy Impact Assessments and OAIC engagement
  • Cross-border data flow assessment and standard contractual clauses
  • Data minimisation, retention, and lawful basis review for AI training and inference
  • Subject Access Request response, breach notification, and incident remediation
  • Ongoing assessment of new data elements as systems land in the data governance estate

Engagement model: Monthly retainer or fixed scope assessment. Output: Living data and privacy posture, evidenced for OAIC, the regulator, and the audit committee.


6. Fractional CISO & GRC

Embedded executive level cyber leadership for organisations that need senior CISO capability without the full time hire. Scaled to the size of the problem.

  • Strategy, target operating model, and security architecture aligned to business priorities
  • Board reporting, regulator engagement, and incident communications
  • End-to-end GRC oversight: ISO 27001, Essential Eight, NIST CSF, APRA CPS 230 / 234
  • Third party risk programme and material service provider obligations
  • Incident response, crisis management, and tabletop exercises
  • Recruitment and uplift of the in-house security function when the time comes

Typical engagement: 1 to 3 days a week, 6 to 18 months. Output: A working security function the board, regulators, and insurers will recognise.


7. Third Party Security Reviews

Independent security review of vendors, partners, and material service providers. Scoped to the contractual rights, the data exposure path, and the regulatory obligations the entity retains even when the operational risk sits with the provider.

  • Pre-contract due diligence on cyber, AI, data residency, and sub-processor exposure
  • Periodic review of in-flight material service providers, scoped to the regulatory regime that applies (APRA CPS 230 where relevant)
  • Evidence the regulator, auditor, or insurer will recognise
  • Findings written for boards, not for vendors
  • Remediation prioritised by exposure, not by procurement convenience
  • Walk-away criteria documented before the next contract cycle

Typical duration: 2 to 6 weeks per review. Output: Independent, board-grade assurance on each material provider.


Want a private briefing on which engagement fits?

Discreet, off the record, no obligation. We’ll surface the AI and cyber exposures the board hasn’t been shown yet, and tell you which of the seven fits the gap.

Book a Briefing