What Australian directors need to understand about AI
Directors of Australian companies don't need to understand how large language models work, what gradient descent is, or how transformer architectures process text. They do need to understand that AI represents a material governance risk in most organisations of any scale, and that their duties of care and diligence under the Corporations Act extend to that risk.
The governance question for directors is not technical; it is the same question directors ask about any material operational risk: does our organisation have appropriate structures, accountability, and oversight to manage this risk? For AI, in 2026, many Australian organisations cannot answer that question satisfactorily.
The legal framework for director AI obligations
Corporations Act duties: Directors' duties under sections 180–184 of the Corporations Act apply to AI risk. The duty of care and diligence (s180) requires directors to exercise the care and diligence that a reasonable person in that position would. A reasonable director in 2026 is aware that AI creates material governance risks, and takes appropriate steps to ensure those risks are managed. This doesn't require personal technical expertise; it requires ensuring that management has the expertise and the mandate to govern AI appropriately.
ASX Corporate Governance Principles: ASX Corporate Governance Principle 7 and its associated recommendations require listed companies to establish a sound risk management framework and periodically review whether it remains sound. Recommendation 7.4 specifically addresses material risk disclosure. For organisations where AI materially affects operations, financial results, or conduct obligations, AI risk may meet the materiality threshold that triggers disclosure and board oversight obligations.
ASIC enforcement history: ASIC has pursued director liability in technology risk contexts before: cybersecurity incidents where board oversight was found to be inadequate have attracted ASIC scrutiny. The extension of this enforcement focus to AI risk is a reasonable expectation as AI becomes more operationally significant.
What 'appropriate AI oversight' looks like at board level
Board-level AI governance is not about reviewing model outputs or approving algorithms. It is about ensuring the organisation has the structures, accountability, and information flows needed to manage AI risk. Specifically, a board demonstrating appropriate AI oversight should be able to evidence: a named executive accountable for AI risk; a framework that identifies and classifies the organisation's AI systems by risk; regular reporting to the board on significant AI risks and incidents; management's attestation that AI systems are operating within approved parameters; and a process for escalating significant AI concerns.
This is the same governance architecture that applies to any material operational risk. The content is AI-specific; the structure is not novel.
The Robodebt lesson for corporate directors
The Robodebt Royal Commission's findings are not directly applicable to private sector directors. But the Commission's analysis of how automated decision-making can cause systematic harm, and how governance failures allowed that harm to continue, has changed the regulatory and reputational context for Australian AI governance. 'We delegated to the algorithm' is not a governance defence. 'We didn't know the system was producing harmful outcomes because we didn't have monitoring in place' is a governance failure. Directors who treat AI as a technical matter for management to handle without board oversight are taking on avoidable governance risk.