Australian Compliance and Cyber Resilience

Comprehensive alignment with ACSC Essential Eight, APRA CPS 234/230, Privacy Act 1988, incident response, board reporting, and Solurius training integration.

13.1 ACSC Essential Eight — Maturity Model Mapping

The Australian Cyber Security Centre (ACSC) Essential Eight provides a prioritised set of mitigation strategies to protect organisations against a range of adversaries. This volume maps each Essential Eight control to AI-specific risks, implementation requirements, and evidence standards suitable for audit, board reporting, and regulatory examination.

Organisations implementing this framework must achieve a target maturity level of at least Maturity Level Two for all eight strategies, with Maturity Level Three required for organisations classified as high-value targets or those processing sensitive personal information at scale. AI systems introduce unique attack surfaces that must be explicitly addressed within each control.

Maturity Model Overview

Level | Description | AI-Specific Consideration
Level 0 | Not aligned with mitigation strategy | No AI-specific controls implemented
Level 1 | Partly aligned — basic controls in place | Basic application control and patching applied to AI infrastructure
Level 2 | Mostly aligned — comprehensive controls | AI model pipelines hardened, prompt injection defences active, MFA on all AI admin interfaces
Level 3 | Fully aligned — sophisticated controls | Continuous AI threat monitoring, adversarial testing, automated rollback, board-level AI risk dashboards

Regulatory Alignment

APRA CPS 234 expects regulated entities to maintain information security controls commensurate with the criticality and sensitivity of their assets. The Essential Eight provides the baseline control set that APRA-regulated entities should exceed. AI systems processing financial data, insurance claims, or superannuation information are classified as critical assets under CPS 234.

13.2 Application Control

Application control prevents the execution of unauthorised software on endpoints and servers. For AI environments, this control extends to AI model binaries, inference engines, container images, Python packages, and third-party AI libraries.

AI-Specific Implementation Requirements

  • Maintain an approved AI software register listing all permitted model frameworks (TensorFlow, PyTorch, ONNX Runtime, etc.), versions, and approved sources.
  • Block execution of unsigned or unverified AI model files. All models must carry cryptographic signatures from approved training pipelines.
  • Implement application control on AI development workstations to prevent execution of unapproved data science tools, notebook extensions, or package managers.
  • Restrict execution of AI inference binaries to designated production hosts only. Development and test models must not execute on production infrastructure.
  • Maintain allowlisting for AI container registries. Only images from approved registries with verified SBOMs may be deployed.
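
One way to enforce the container registry requirement above, as an added example that is not part of the framework: the registry names, the `admit` function and the set of SBOM-verified digests are assumptions, and the sample references are constructed. It resolves each image reference the way container runtimes do, so implicit Docker Hub references, lookalike hostnames and mutable tags are all refused.

```python
import re

# Assumption: hypothetical approved registries; the real list comes from the
# approved AI software register.
APPROVED_REGISTRIES = {"registry.ml.example.internal:5000", "mirror.example.org"}
DEFAULT_REGISTRY = "docker.io"  # applied by container runtimes when no host is given
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # The first path component is a registry host only if it looks like one
    # (contains '.' or ':' or is 'localhost'); otherwise the default applies.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first.lower(), rest
    else:
        registry, remainder = DEFAULT_REGISTRY, ref
    # A tag is whatever follows ':' in the final path component.
    repo, tag = remainder, None
    if ":" in remainder.rsplit("/", 1)[-1]:
        repo, tag = remainder.rsplit(":", 1)
    return registry, repo, tag, digest


def admit(ref, sbom_verified_digests):
    """Return (allowed, reason) for deploying the image reference `ref`."""
    registry, _repo, _tag, digest = parse_image_ref(ref)
    # Exact match only: prefix or substring matching lets lookalike hosts through.
    if registry not in APPROVED_REGISTRIES:
        return False, f"registry {registry} is not on the allowlist"
    if digest is None:
        return False, "tag-only reference; an SBOM cannot be tied to a mutable tag"
    if not DIGEST_RE.fullmatch(digest):
        return False, "malformed digest"
    # Assumption: the pipeline records the digests whose SBOM it has verified.
    if digest not in sbom_verified_digests:
        return False, "no verified SBOM recorded for this digest"
    return True, "approved registry, digest-pinned, SBOM verified"


# Constructed sample data (not real images or digests).
GOOD_DIGEST = "sha256:" + "a" * 64
UNSEEN_DIGEST = "sha256:" + "b" * 64
SBOM_VERIFIED = {GOOD_DIGEST}
SAMPLE_REFS = [
    "registry.ml.example.internal:5000/serving/triton@" + GOOD_DIGEST,
    "pytorch/pytorch:latest",                            # implicit docker.io
    "mirror.example.org.cdn.example.net/ml/serve@" + GOOD_DIGEST,  # lookalike host
    "mirror.example.org/ml/serve:2.1",                   # approved host, mutable tag
    "mirror.example.org/ml/serve@" + UNSEEN_DIGEST,      # no SBOM on record
]


def evaluate(refs=SAMPLE_REFS, verified=SBOM_VERIFIED):
    """Decide every reference; the result doubles as an audit log entry list."""
    return [(ref,) + admit(ref, verified) for ref in refs]


if __name__ == "__main__":
    for ref, allowed, reason in evaluate():
        print("ALLOW" if allowed else "BLOCK", ref[:50], "-", reason)
```
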

Evidence Required

  • Approved AI software register with version control and review dates.
  • Application control policy covering AI-specific executables.
  • Allowlist configuration files for endpoints, servers, and containers.
  • Audit logs demonstrating blocked unauthorised execution attempts.
  • Quarterly review and attestation by the CISO or delegated security officer.

13.3 Patch Applications

Applications, including AI frameworks, libraries, and middleware, must be patched within defined timeframes based on exploitability and criticality. AI systems often rely on complex dependency chains that expand the attack surface significantly.

AI-Specific Patching Requirements

Category | Maximum Patch Window | Examples
Critical AI framework vulnerabilities | 48 hours | PyTorch arbitrary code execution, TensorFlow privilege escalation
High-risk AI library CVEs | 7 days | Hugging Face Transformers, LangChain, OpenAI SDK
AI middleware and APIs | 14 days | FastAPI, Flask, model serving proxies
General data science packages | 30 days | NumPy, Pandas, SciPy, Jupyter
Container base images | 14 days | CUDA runtime, NVIDIA drivers, Python base images
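
The patch windows in the table above can be checked mechanically against scanner output. The following is an added example, not part of the framework: the category keys, the finding records and the rule that an unrecognised category falls back to the shortest window are assumptions, the findings are constructed, and the clock is assumed to start when the scanner first reports the finding.

```python
from datetime import datetime, timedelta, timezone

# Maximum patch windows from the table in section 13.3 (the category keys are
# names chosen for this example).
PATCH_WINDOWS = {
    "critical_ai_framework": timedelta(hours=48),
    "high_risk_ai_library": timedelta(days=7),
    "ai_middleware_api": timedelta(days=14),
    "general_data_science": timedelta(days=30),
    "container_base_image": timedelta(days=14),
}


def _utc(ts):
    """Parse an ISO 8601 timestamp with an offset and normalise it to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def sla_status(finding, now):
    """Classify one finding as met, breached, open or overdue."""
    window = PATCH_WINDOWS.get(finding["category"])
    uncategorised = window is None
    if uncategorised:
        # Fail closed: an unmapped category is held to the shortest window
        # and flagged so that the register can be corrected.
        window = min(PATCH_WINDOWS.values())
    deadline = _utc(finding["detected"]) + window
    patched = _utc(finding["patched"]) if finding.get("patched") else None
    if patched is not None:
        state = "met" if patched <= deadline else "breached"
    else:
        state = "open" if now <= deadline else "overdue"
    hours_over = ((patched or now) - deadline).total_seconds() / 3600
    return {
        "id": finding["id"],
        "state": state,
        "deadline": deadline,
        "hours_over": max(0.0, hours_over),
        "uncategorised": uncategorised,
    }


def sla_report(findings, now):
    """Return rows sorted worst first, plus the SLA rate over closed findings."""
    rows = [sla_status(f, now) for f in findings]
    rows.sort(key=lambda r: (-r["hours_over"], r["deadline"]))
    closed = [r for r in rows if r["state"] in ("met", "breached")]
    rate = sum(r["state"] == "met" for r in closed) / len(closed) if closed else None
    return rows, rate


# Constructed findings with placeholder identifiers (not real advisories).
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"id": "FINDING-001", "category": "critical_ai_framework",
     "detected": "2025-03-01T09:00:00+10:00", "patched": "2025-03-02T20:00:00+10:00"},
    {"id": "FINDING-002", "category": "high_risk_ai_library",
     "detected": "2025-02-20T00:00:00+00:00", "patched": "2025-03-01T00:00:00+00:00"},
    {"id": "FINDING-003", "category": "ai_middleware_api",
     "detected": "2025-03-01T00:00:00+00:00", "patched": None},
    {"id": "FINDING-004", "category": "gpu_driver",  # not in the table
     "detected": "2025-03-05T00:00:00+00:00", "patched": None},
]

if __name__ == "__main__":
    rows, rate = sla_report(SAMPLE_FINDINGS, NOW)
    for r in rows:
        print(r["id"], r["state"], f"{r['hours_over']:.0f}h over",
              "(uncategorised)" if r["uncategorised"] else "")
    print("SLA compliance over closed findings:", rate)
```
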

Evidence Required

  • Vulnerability scanning reports for AI environments (weekly).
  • Patch management register with SLA compliance tracking.
  • Evidence of emergency patching procedures for critical AI framework CVEs.
  • Dependency SBOMs for all AI applications updated per release.
  • Regression test results confirming patch safety for AI model behaviour.

13.4 Configure Microsoft Office Macro Settings

Microsoft Office macros remain a significant vector for malware delivery, including payloads targeting AI development environments. Organisations must restrict macro execution to prevent compromise of data science workstations and AI model training infrastructure.

AI Environment Protections

  • Block all macros in Office documents originating from the internet on any workstation with access to AI training data or model repositories.
  • Disable macros entirely on dedicated AI training servers and high-performance compute clusters.
  • Require digitally signed macros only on administrative workstations, with signer certificate verification against an approved list.
  • Implement email gateway scanning to quarantine Office attachments with macros sent to AI engineering teams.
  • Log all macro execution attempts on workstations with access to sensitive AI datasets for forensic analysis.

AI-Specific Risk

Data scientists frequently receive datasets in Excel or CSV format via email. Attackers may embed malicious macros in these files to establish persistence on workstations with access to AI training pipelines, enabling model poisoning or data exfiltration.

13.5 User Application Hardening

User application hardening reduces the attack surface of applications that interact with AI systems, including web browsers accessing AI platforms, IDEs, notebook environments, and collaboration tools.

Hardening Requirements for AI Users

  • Disable browser extensions on workstations used to access AI admin consoles, model deployment platforms, and cloud AI services.
  • Block web advertisements and untrusted JavaScript on AI engineering workstations to prevent drive-by downloads.
  • Harden IDE configurations (VS Code, PyCharm, Jupyter) to prevent execution of untrusted code snippets or extensions.
  • Restrict clipboard and file-sharing functionality within AI collaboration tools to prevent accidental data leakage.
  • Disable auto-run and auto-play features on all systems processing AI training data.

Evidence Required

  • Application hardening configuration baselines for AI engineering workstations.
  • Group Policy or MDM configuration exports demonstrating enforcement.
  • Monthly compliance scan results for workstation hardening posture.
  • Exception register with approved deviations and compensating controls.

13.6 Restrict Administrative Privileges

Administrative privileges must be restricted to the minimum necessary for role function. AI systems present elevated risk because administrative access to model training infrastructure, API gateways, or data pipelines can enable large-scale compromise.

AI-Specific Privilege Controls

Role | Permitted Access | Prohibited Access
AI Model Engineer | Development environments, training pipelines (non-prod) | Production inference endpoints, customer data stores
ML Ops Engineer | Deployment pipelines, model registries, monitoring | Raw training data, model weights (read-only in registry)
Data Scientist | Notebook environments, sandbox datasets, experiment tracking | Production APIs, production databases, admin consoles
AI Product Manager | Dashboards, experiment results, project documentation | Code repositories, infrastructure, data pipelines
CISO / Security Officer | Security tooling, audit logs, policy enforcement | Model development, training data (without business case)

Mandatory Controls

  • Implement Privileged Access Management (PAM) for all administrative access to AI infrastructure.
  • Require just-in-time (JIT) elevation for AI production environment access with automatic session termination.
  • Segregate AI development, test, and production environments with separate administrative domains.
  • Log all privileged actions in AI environments with immutable audit trails retained for 7 years.
  • Review administrative access quarterly and remove dormant or excessive privileges within 48 hours of identification.

13.7 Patch Operating Systems

Operating systems hosting AI workloads — including training clusters, inference servers, and data science workstations — must be patched within defined timeframes. AI infrastructure often runs on specialised hardware (GPUs, TPUs) with proprietary drivers that require careful patch coordination.

AI Infrastructure Patching

  • Maintain separate patch cycles for AI training clusters with scheduled maintenance windows that do not conflict with active model training runs.
  • Test OS patches against GPU drivers, CUDA toolkits, and container runtimes before production deployment.
  • Automate OS patching for non-production AI environments to validate compatibility.
  • Maintain emergency patch procedures for OS vulnerabilities affecting AI container orchestration platforms (Kubernetes, OpenShift).
  • Document and test rollback procedures for all AI infrastructure patches.

Evidence Required

  • OS patch register for all AI infrastructure with compliance tracking.
  • Vulnerability scan results for AI servers and workstations.
  • Patch testing evidence for GPU driver and AI framework compatibility.
  • Change records for all AI infrastructure patching activities.
  • Post-patch validation confirming model inference accuracy and performance.

13.8 Multi-factor Authentication

Multi-factor authentication (MFA) must be enforced for all access to AI systems, platforms, and data stores. AI systems are high-value targets for adversaries seeking to steal models, poison training data, or extract sensitive information through prompt injection.

MFA Requirements for AI Environments

System Category | MFA Method | Frequency
AI model training platforms | Hardware token or phishing-resistant authenticator | Every session
Model registries and artifact stores | Hardware token or phishing-resistant authenticator | Every session
Production inference APIs (admin) | Hardware token or phishing-resistant authenticator | Every session
AI development environments | TOTP or hardware token minimum | Every session
AI data lakes and warehouses | Hardware token or phishing-resistant authenticator | Every session
Cloud AI services (AWS SageMaker, Azure ML, GCP Vertex) | Hardware token or phishing-resistant authenticator | Every session

AI-Specific MFA Considerations

  • Service account access to AI APIs must use certificate-based or workload identity authentication, not static credentials.
  • Break-glass access to AI production systems requires dual-authorisation with real-time notification to the CISO and AI Steering Committee.
  • MFA for AI platform admin consoles must be phishing-resistant (FIDO2/WebAuthn) where technically feasible.
  • Monitor for anomalous MFA events on AI systems as an early indicator of targeted attack.

13.9 Regular Backups

Regular, tested backups are essential for AI systems to ensure business continuity, protect against ransomware, and enable rapid recovery from model corruption, data poisoning incidents, or infrastructure failure.

AI Asset Backup Requirements

  • Maintain versioned backups of all trained model artifacts, including weights, configurations, and training hyperparameters.
  • Back up AI training datasets with immutable snapshots at point of training commencement to enable forensic reconstruction.
  • Back up AI pipeline configurations, infrastructure-as-code templates, and deployment manifests.
  • Maintain offline or air-gapped backups of critical AI models and datasets to protect against ransomware.
  • Test restoration of AI models to alternate infrastructure quarterly to validate recovery procedures.

Backup Schedule

Asset Type | Frequency | Retention | Storage
Production model weights | Daily incremental, weekly full | 90 days | Encrypted, geo-redundant
Training datasets | Per-training run | 7 years | Immutable, air-gapped for sensitive data
Model configurations | Per-deployment | 7 years | Version control + encrypted backup
Inference logs | Continuous | 7 years | Immutable, tamper-evident
AI pipeline code | Per-commit | Permanent | Git + encrypted backup

13.10 Essential Eight Implementation Checklist

The following checklist provides a practical implementation guide for organisations seeking to align their AI governance programme with the ACSC Essential Eight. Each item must be completed, evidenced, and reviewed annually.

Implementation Phases

  1. Establish Essential Eight governance: Assign accountable owner, define target maturity, allocate budget, and establish reporting to the AI Steering Committee.
  2. Conduct baseline assessment: Evaluate current maturity for all eight strategies as applied to AI environments, documenting gaps and prioritisation.
  3. Develop implementation plan: Create project plans with timelines, resources, and dependencies for each control, aligned with AI system deployment schedules.
  4. Implement application control: Deploy allowlisting, maintain software registers, and establish exception management processes.
  5. Implement patching regime: Deploy vulnerability scanning, define SLAs, and establish emergency patching procedures for AI frameworks.
  6. Configure Office macro settings: Deploy Group Policy, enforce blocking, and train staff on macro-related risks in data science workflows.
  7. Harden user applications: Deploy configuration baselines, restrict browser extensions, and harden IDEs and notebook environments.
  8. Restrict admin privileges: Deploy PAM, implement JIT elevation, and segregate AI environment administrative domains.
  9. Implement OS patching: Define patch cycles for AI infrastructure, test GPU driver compatibility, and establish rollback procedures.
  10. Enforce MFA: Deploy phishing-resistant authentication for all AI systems, implement service account certificate auth, and configure break-glass dual-authorisation.
  11. Implement backups: Deploy versioned model backups, immutable dataset snapshots, air-gapped storage, and quarterly restoration testing.
  12. Conduct internal audit: Verify control effectiveness, review evidence completeness, and report findings to the AI Steering Committee and Board.

AI-Specific Mapping Summary

Essential Eight Strategy | AI Risk Addressed | Control Implementation | Evidence
Application Control | Malicious AI model execution, poisoned libraries | Allowlist AI frameworks, sign models | Software register, execution logs
Patch Applications | Exploitable AI framework vulnerabilities | Scan and patch ML libraries within 48 hours | Vulnerability reports, patch register
Office Macros | Macro-based compromise of data science workstations | Block macros on AI workstations | GPO exports, training records
User Hardening | Browser-based attacks on AI platforms | Harden browsers, IDEs, notebooks | Config baselines, scan results
Admin Privileges | Lateral movement in AI infrastructure | PAM, JIT, domain segregation | Access reviews, PAM logs
Patch OS | OS-level compromise of AI servers | Patch GPU hosts, test compatibility | Patch register, test results
MFA | Credential compromise of AI admin accounts | Phishing-resistant MFA everywhere | MFA configuration, audit logs
Backups | Ransomware, model corruption, data poisoning | Versioned models, immutable data | Backup logs, restoration test results

Solurius Training Module Requirements by Control

Essential Eight Strategy | Solurius Module | Target Audience | Completion Evidence
Application Control | Essential Eight Awareness — Application Control | IT, Security, AI Engineers | Certificate ID, quiz score ≥80%
Patch Applications | Essential Eight Awareness — Patch Management | IT, Security, ML Ops | Certificate ID, quiz score ≥80%
Office Macros | Essential Eight Awareness — Macro Security | All staff with Office access | Certificate ID, quiz score ≥80%
User Hardening | Essential Eight Awareness — Application Hardening | IT, Security, Engineering | Certificate ID, quiz score ≥80%
Admin Privileges | Essential Eight Awareness — Privileged Access | IT, Security, Infrastructure | Certificate ID, quiz score ≥90%
Patch OS | Essential Eight Awareness — OS Patching | IT, Infrastructure, ML Ops | Certificate ID, quiz score ≥80%
MFA | Essential Eight Awareness — Multi-Factor Authentication | All staff | Certificate ID, quiz score ≥80%
Backups | Essential Eight Awareness — Backup and Recovery | IT, Security, Operations | Certificate ID, quiz score ≥80%

Training Integration

All Essential Eight training modules are delivered through Solurius with automatic enrolment, progress tracking, and completion certificate generation. Module completion is recorded in the Staff Training Completion Register and feeds into the Executive Compliance Dashboard.

13.11 APRA CPS 234 — Information Security

APRA Prudential Standard CPS 234 Information Security requires APRA-regulated entities to maintain information security capabilities commensurate with the criticality and sensitivity of their assets. AI systems processing financial data, making credit decisions, or supporting insurance operations are classified as critical assets under CPS 234.

Information Security Capability

  • Maintain an AI-specific information security capability with dedicated personnel, budget, and authority to enforce security controls across AI systems.
  • Define and maintain an AI asset inventory with classification (critical, important, standard) based on data sensitivity, regulatory exposure, and business impact.
  • Ensure AI security personnel possess relevant qualifications (CISSP, CISM, GSEC) and AI-specific security training (adversarial ML, prompt injection defence).
  • Document AI security roles and responsibilities in RACI matrices with clear accountability for each control domain.

Control Environment

Control Domain | AI-Specific Requirement | Testing Frequency
Access Control | Role-based access to models, data, pipelines with least privilege | Quarterly
Cryptography | Encryption of model weights at rest, TLS 1.3 for inference APIs | Per-deployment
Threat Management | Adversarial testing, model poisoning detection, prompt injection monitoring | Monthly
Monitoring | Continuous monitoring of AI model behaviour, drift, and anomalous inputs | Continuous
Change Management | Security review of all AI model updates, retraining, and deployments | Per-change
Asset Management | Accurate inventory of all AI assets with ownership and classification | Monthly

Testing Program

  • Conduct annual penetration testing of AI systems, including model extraction attempts, prompt injection attacks, and API abuse scenarios.
  • Perform vulnerability assessments of AI infrastructure quarterly, including container images, model serving platforms, and training environments.
  • Execute adversarial robustness testing for all production AI models annually, with documented remediation of identified weaknesses.
  • Validate backup and recovery procedures for AI systems through tabletop exercises and live restoration tests.

Incident Management and Notification

  • Establish AI-specific incident response playbooks covering model poisoning, adversarial attacks, data leakage via prompt injection, and unauthorised model access.
  • Define materiality thresholds for AI security incidents requiring APRA notification within 72 hours.
  • Maintain an incident register with root cause analysis, remediation actions, and lessons learned for all AI security events.
  • Test incident response procedures through quarterly simulations involving AI Steering Committee members and relevant executives.

APRA Notification Process

  1. Incident discovery and initial assessment: Within 1 hour of detection, the Incident Response Lead determines whether the incident involves an AI system and assesses preliminary materiality.
  2. Internal escalation: Critical and high-severity incidents are escalated to the CISO, CIO, and General Counsel within 15 minutes. The AI Steering Committee Chair is notified within 1 hour.
  3. APRA eligibility assessment: The Compliance Officer assesses whether the incident triggers APRA notification requirements under CPS 234 paragraph 36 (material information security incidents) within 4 hours.
  4. APRA notification: If eligible, APRA is notified within 72 hours of discovery using the approved APRA incident notification template, including incident summary, systems affected, containment status, and estimated impact.
  5. Privacy Act assessment: Concurrently, the Privacy Officer assesses whether the incident constitutes an eligible data breach under the Notifiable Data Breaches scheme within 24 hours.
  6. Board notification: The Board Risk Committee is notified at the next scheduled meeting, or earlier if the incident is critical or has attracted regulatory or media attention.
  7. Remediation and closure: The incident is tracked through to closure with documented remediation actions, control improvements, and lessons learned. Evidence is retained for 7 years.

Third-Party and Service Provider Risk

  • Assess all third-party AI vendors (model providers, cloud AI platforms, data providers) against CPS 234 requirements before onboarding.
  • Include CPS 234-aligned security clauses in all AI vendor contracts, with right-to-audit provisions.
  • Monitor third-party AI vendor security posture through annual assessments, SOC 2 reports, and vulnerability disclosures.
  • Maintain a register of all AI service providers with risk ratings, contract review dates, and escalation contacts.

Board and Senior Management Accountability

  • The Board must receive quarterly reports on AI information security posture, including control effectiveness, incident summary, and testing outcomes.
  • Senior management must attest annually to the adequacy of AI information security controls and the accuracy of the AI asset inventory.
  • The CISO must present AI security risk assessments to the Risk Committee with recommended treatment actions and residual risk acceptance decisions.
  • Board members must receive AI security awareness briefings annually to maintain sufficient understanding for effective oversight.

CPS 234 Evidence Register

Evidence Item | Owner | Frequency | Format
AI asset inventory | CISO / Data Office | Monthly | Spreadsheet / CMDB export
Control test results | Security Testing Team | Quarterly | Test report with findings
Penetration test report | External Tester | Annual | Formal report with remediation plan
Incident register | Incident Response Lead | Continuous | Ticketing system export
Third-party risk assessments | Vendor Management | Annual | Assessment questionnaire + report
Board security reports | CISO | Quarterly | Executive presentation + minutes
Policy attestations | HR / Compliance | Annual | Signed attestations

CPS 234 Audit Checklist

  • AI asset inventory is complete, accurate, and classified by criticality.
  • Information security policy explicitly covers AI systems and risks.
  • Security controls are implemented and tested for all critical AI assets.
  • Incident response plan includes AI-specific scenarios and APRA notification triggers.
  • Third-party AI vendor assessments are current and cover CPS 234 requirements.
  • Board has received and reviewed AI security reports in the last quarter.
  • Staff with AI security responsibilities have relevant qualifications and training records.
  • Testing program includes adversarial and penetration testing of AI systems.

13.12 APRA CPS 230 — Operational Risk Management

APRA Prudential Standard CPS 230 Operational Risk Management requires regulated entities to manage operational risks comprehensively, including those arising from AI systems. AI failures, model drift, data quality issues, and third-party AI dependencies are all operational risks subject to CPS 230.

Operational Risk Management Framework

  • Integrate AI operational risks into the enterprise operational risk management framework with clear risk taxonomy, assessment methodology, and appetite statements.
  • Define AI-specific operational risk categories: model failure, data quality degradation, vendor dependency, skill concentration, regulatory change, and ethical breach.
  • Require operational risk assessment for all AI projects prior to deployment, with sign-off from Risk, Legal, and Operations functions.
  • Maintain an AI operational risk register with risk owners, controls, key risk indicators (KRIs), and trigger thresholds.

Critical Operations

AI Operation | Criticality | RTO | RPO
Real-time credit scoring model | Critical | 1 hour | Zero
Insurance claims triage AI | Critical | 4 hours | 1 hour
Anti-money laundering detection | Critical | 2 hours | Zero
Customer service chatbot | Important | 8 hours | 4 hours
Internal document summarisation | Standard | 24 hours | 24 hours
Marketing personalisation | Standard | 48 hours | 24 hours

Service Provider Management

  • Identify all AI service providers critical to operations and map dependencies, including nested dependencies (e.g., cloud provider → model API → data provider).
  • Assess service provider operational resilience through due diligence, contractual SLAs, and annual resilience testing.
  • Require AI service providers to disclose their own operational risk management practices, business continuity plans, and incident history.
  • Maintain exit strategies for all critical AI service providers, including transition plans, data portability arrangements, and alternative vendor identification.

Business Continuity and Tolerance Levels

  • Define tolerance levels for AI service disruption by criticality, with explicit board-approved thresholds for maximum acceptable outage duration and data loss.
  • Develop business continuity plans for AI operations with documented recovery procedures, alternative processing arrangements, and communication protocols.
  • Test business continuity plans for critical AI operations annually through simulation exercises.
  • Review and update tolerance levels following material changes to AI operations, vendor landscape, or regulatory requirements.

Disruption Response and Scenario Testing

  • Establish disruption response procedures for AI system failures, including automatic failover, manual override protocols, and customer communication templates.
  • Conduct scenario testing for AI operational risks: major cloud provider outage, model vendor API failure, mass data quality degradation, adversarial attack causing model misbehaviour.
  • Document scenario testing outcomes, identify gaps, and assign remediation actions with deadlines and accountable owners.
  • Report scenario testing results to the Board Risk Committee annually.

Incident Escalation and Recovery Procedures

Severity | Criteria | Escalation | Response Time
Critical | AI system failure affecting customer safety, financial loss >$1M, or regulatory breach | CEO, Board Chair, APRA | 15 minutes
High | AI system failure affecting critical operations, financial loss $100K-$1M | CIO, CRO, General Counsel | 1 hour
Medium | AI degradation affecting non-critical operations, financial loss <$100K | AI Steering Committee Chair | 4 hours
Low | AI performance issue with minimal business impact | AI Operations Manager | 24 hours

Integration with Volume 6

CPS 230 incident escalation procedures must align with the AI Incident Response Plan documented in Volume 6. Organisations should maintain a single incident taxonomy with CPS 230 severity mapping to avoid confusion during crisis response.

13.13 Privacy Act 1988 and Australian Privacy Principles

The Privacy Act 1988 and the Australian Privacy Principles (APPs) govern the handling of personal information by Australian organisations. AI systems that process personal information — whether for training, inference, or decision-making — must comply with all 13 APPs.

AI-Specific Privacy Obligations

APP | AI Relevance | Control Requirement
APP 1: Open and transparent | AI decision-making must be documented and explainable to individuals | Publish AI privacy notice, maintain model documentation
APP 2: Anonymity and pseudonymity | Where feasible, AI systems should operate on de-identified data | De-identification protocols, data minimisation
APP 3: Collection | AI training data collection must be lawful, fair, and necessary | Collection notices, purpose specification, consent where required
APP 4: Unsolicited personal information | AI systems must not ingest unsolicited personal data without assessment | Data ingestion review process
APP 5: Notification | Individuals must be informed when AI processes their personal information | Collection notices, privacy policy updates
APP 6: Use and disclosure | AI use of personal information must be within collection purpose or permitted by law | Purpose limitation, use register, secondary use assessment
APP 7: Direct marketing | AI-driven personalisation for marketing requires opt-out and consent compliance | Marketing consent register, opt-out mechanisms
APP 8: Cross-border disclosure | AI models trained on Australian data and hosted overseas require disclosure and safeguards | Cross-border assessment, contractual safeguards
APP 9: Government identifiers | AI systems must not use government identifiers as primary keys or training features | Identifier restriction policy
APP 10: Quality | AI training data and outputs must be accurate, complete, and up-to-date | Data quality framework, model accuracy monitoring
APP 11: Security | AI systems must protect personal information from misuse, loss, and unauthorised access | Encryption, access control, adversarial defences
APP 12: Access | Individuals may request access to personal information held or processed by AI systems | Access request procedure, model output extraction
APP 13: Correction | Individuals may request correction of personal information used by AI systems | Correction procedure, model retraining trigger

Privacy by Design for AI

  • Conduct Privacy Impact Assessments (PIAs) for all AI systems processing personal information before development commencement.
  • Implement data minimisation in AI training: collect only the personal information necessary for the specific AI purpose, and delete when no longer required.
  • Deploy differential privacy, federated learning, or synthetic data generation where feasible to reduce privacy risk.
  • Maintain data lineage for all personal information used in AI training to support access, correction, and deletion requests.
  • Document AI model decisions affecting individuals to support APP 12 access requests and APP 1 transparency obligations.

Notifiable Data Breaches

AI-related data breaches — including model inversion attacks extracting training data, prompt injection causing leakage of personal information, or unauthorised access to AI systems containing personal data — may trigger the Notifiable Data Breaches scheme. Organisations must assess AI incidents for NDB eligibility within 30 days of discovery.

13.14 Cyber Incident Response and Board Reporting

Cyber incidents involving AI systems demand specialised response capabilities. The board expects timely, accurate, and actionable reporting on AI-related cyber incidents with clear materiality assessments and remediation progress.

AI Cyber Incident Categories

Category | Description | Board Notification
Model extraction | Adversary successfully extracts model weights or architecture | Within 24 hours
Data poisoning | Training data compromised causing model misbehaviour | Within 24 hours
Prompt injection | Successful prompt injection causing data leakage or harmful outputs | Within 48 hours if material
Adversarial evasion | Attack bypasses AI security controls (e.g., malware detection) | Within 48 hours
Credential compromise | AI admin or service account credentials compromised | Within 24 hours
Supply chain compromise | AI vendor or open-source component compromised | Within 24 hours
Insider threat | Employee misuses AI access for unauthorised purposes | Within 72 hours if material

Board Reporting Template

  • Incident summary: What happened, when, systems affected, data involved.
  • Materiality assessment: Financial impact, regulatory exposure, customer impact, reputational risk.
  • Root cause: Technical and procedural failures that enabled the incident.
  • Containment status: Current state of containment, eradication, and recovery.
  • Regulatory implications: APRA notification status, Privacy Act breach assessment, other regulator engagement.
  • Remediation plan: Actions taken, actions planned, accountable owners, deadlines.
  • Lessons learned: Process improvements, control enhancements, training needs.
  • Steering Committee recommendation: Risk acceptance, additional investment, policy change, or other action.

Executive and Board Expectations

  • The Board expects to be notified of all critical and high-severity AI cyber incidents within the timeframes specified above.
  • The Board expects quarterly cyber resilience briefings covering AI threat landscape, control effectiveness, and emerging risks.
  • The Board expects annual attestations from the CISO and CTO confirming AI security control adequacy and incident response readiness.
  • The Board expects to review and approve AI cyber incident response plans and business continuity arrangements annually.

13.15 Solurius Training Integration

Solurius is the designated learning, awareness, policy acknowledgement, and evidence platform for the Corporate AI Governance Framework. Solurius delivers mandatory training modules, captures staff attestations, maintains completion records, and generates compliance evidence suitable for internal audit and regulatory examination.

Mandatory Training Modules

Module | Audience | Frequency | Duration
AI Awareness Foundation | All staff | Annual | 45 minutes
Essential Eight Awareness | IT, Security, Engineering, AI teams | Annual | 60 minutes
APRA CPS 234 for AI | Risk, Compliance, Security, Executives | Annual | 90 minutes
APRA CPS 230 Operational Resilience | Operations, Risk, Business Continuity | Annual | 75 minutes
Privacy and Data Handling | All staff with data access | Annual | 60 minutes
Incident Response Simulation | Incident Response Team, AI Operations | Semi-annual | 120 minutes
Phishing and Social Engineering | All staff | Quarterly | 30 minutes
AI Acceptable Use | All staff using AI tools | Annual | 45 minutes
Prompt Security | AI engineers, data scientists, prompt engineers | Annual | 60 minutes
Executive Board Reporting | Board members, C-suite, senior executives | Annual | 90 minutes

Policy Acknowledgement Workflow

  1. Policy upload: The Governance Office uploads the current Corporate AI Policy and subordinate policies into Solurius.
  2. Role assignment: Policies are assigned to staff based on role, department, and risk exposure. Board members receive executive summaries; engineers receive technical controls.
  3. Acknowledgement request: Solurius pushes notifications to assigned staff with a defined completion deadline (typically 14 days).
  4. Staff review: Staff review the policy in Solurius, with progress tracking and time-on-page monitoring.
  5. Electronic attestation: Staff electronically sign the policy acknowledgement, confirming understanding and compliance commitment.
  6. Exception management: Staff who raise questions or objections trigger an exception workflow to their manager and the Governance Office.
  7. Completion tracking: Solurius maintains real-time completion dashboards with drill-down by team, role, and seniority.
  8. Escalation: Non-completion after the deadline triggers automatic escalation to line managers and HR.

Staff Attestation Records

  • Solurius retains permanent records of all policy acknowledgements with timestamp, IP address, device fingerprint, and digital signature.
  • Attestation records are linked to employee profiles and retained for the duration of employment plus 7 years.
  • Attestation records are exportable in CSV and PDF formats for audit evidence packs.
  • Version control ensures staff acknowledgements are tied to specific policy versions, with re-attestation triggered by material policy changes.

Completion Certificates

  • Solurius issues verifiable completion certificates for each training module, including module name, completion date, expiry date, and unique certificate ID.
  • Certificates are stored in the employee's Solurius profile and available for download at any time.
  • Automatic re-enrolment notifications are sent 30 days before certificate expiry.
  • Aggregated certificate data supports compliance reporting and regulatory examination.

Training Register

Field | Description
Employee ID | Unique identifier linked to HR system
Name and Role | Current role at time of training
Module Name | Training module completed
Completion Date | Date of successful completion
Expiry Date | Certificate expiry or retraining due date
Score | Assessment score where applicable
Attempts | Number of attempts to pass
Certificate ID | Unique verifiable certificate identifier
Policy Version | Version of policy acknowledged (for policy modules)
Manager | Line manager at time of completion

Audit Evidence Export

  • Solurius provides one-click export of training and attestation evidence for internal audit, external audit, and regulatory examination.
  • Export packages include completion registers, certificate copies, policy version history, and exception registers.
  • Evidence is time-stamped, tamper-evident, and cryptographically signed where required.
  • Export formats include PDF, CSV, and structured JSON for integration with GRC platforms.

13.16 Implementation Using Solurius — Ten Steps

This section provides a practical, step-by-step guide for implementing the Corporate AI Governance Framework using Solurius. These steps are designed for Australian, UK, USA, and New Zealand organisations seeking to achieve rapid, evidence-based compliance.

Step 1: Upload Corporate AI Policies into Solurius

The Governance Office uploads the Corporate AI Policy, subordinate policies, and volume-specific guidance into Solurius. Each policy is tagged by applicability (all staff, IT only, executives, board) and linked to relevant training modules. Document version control ensures staff always acknowledge the current version.

Step 2: Assign Policies to Staff by Role

Using Solurius role-based assignment, policies are distributed to staff based on their organisational role, department, and risk exposure. Board members receive executive summaries; AI engineers receive detailed technical controls; all staff receive the AI Acceptable Use Policy.

Step 3: Deliver Mandatory AI and Cyber Awareness Modules

Solurius delivers the full training curriculum: AI Awareness Foundation, Essential Eight Awareness, APRA CPS 234, CPS 230, Privacy and Data Handling, Incident Response Simulation, Phishing and Social Engineering, AI Acceptable Use, Prompt Security, and Executive Board Reporting. Staff progress through modules at their own pace with manager visibility.

Step 4: Require Staff Acknowledgement

After policy review, staff electronically acknowledge each assigned policy through Solurius. Acknowledgements are recorded with timestamp, device fingerprint, and digital signature. Non-completion triggers automatic escalation to line managers and HR.

Step 5: Run Assessments and Quizzes

Each training module concludes with an assessment to verify comprehension. Pass thresholds are set at 80% for general staff and 90% for security, risk, and engineering roles. Failed attempts trigger remedial content and manager notification.

Step 6: Issue Completion Certificates

Upon successful completion, Solurius issues verifiable certificates with unique IDs, completion dates, and expiry dates. Certificates are stored in employee profiles and available for audit evidence export.

Step 7: Maintain Training Evidence for Audit

Solurius maintains comprehensive training evidence including completion registers, assessment scores, certificate copies, and policy acknowledgement records. Evidence is retained for the duration of employment plus 7 years and exportable in multiple formats.

Step 8: Generate Monthly Compliance Dashboard

Solurius generates real-time compliance dashboards showing completion rates by team, role, and geography; overdue acknowledgements; upcoming certificate expiries; and training effectiveness metrics. Dashboards are configurable for executive, manager, and audit audiences.

Step 9: Report to Executives and Board

Monthly compliance reports are automatically distributed to the AI Steering Committee, CISO, and Board Risk Committee. Reports include completion status, incident trends, control effectiveness, and recommendations for improvement.

Step 10: Repeat Annually or After Policy Changes

The training and acknowledgement cycle repeats annually for all staff. Material policy changes trigger targeted re-attestation for affected staff. Annual training refreshes ensure awareness of evolving threats, regulatory changes, and framework updates.

13.17 Templates and Registers

The following templates are included in the Corporate AI Governance Framework + Solurius Implementation Pack. Each template is provided in editable Microsoft Word and Excel formats with instructions for completion.

Essential Eight Implementation Register

Tracks implementation status, maturity level, evidence location, and next review date for each of the eight strategies. Includes AI-specific columns for model pipeline coverage, training environment status, and inference platform alignment.

APRA CPS 234 Evidence Register

Central repository for all CPS 234 evidence items: asset inventory, control tests, penetration reports, incident registers, third-party assessments, board reports, policy attestations, and audit findings. Linked to Solurius training records where applicable.

APRA CPS 230 Operational Resilience Register

Documents operational risk assessments, critical operation definitions, tolerance levels, business continuity plans, scenario testing results, and service provider resilience assessments for AI operations.

AI Policy Acknowledgement Form

Individual staff acknowledgement form capturing name, employee ID, role, policy version, acknowledgement date, electronic signature, and manager verification. Integrated with Solurius workflow but available as standalone for non-Solurius implementations.

Staff Training Completion Register

Aggregated view of all training completions across the organisation. Filterable by team, role, module, date range, and completion status. Supports compliance reporting and audit evidence preparation.

Board Cyber and AI Governance Report

Executive-ready report template for quarterly Board presentations. Sections cover security posture, incident summary, control effectiveness, testing outcomes, regulatory updates, and Steering Committee recommendations.

Incident Response Training Attendance Sheet

Tracks attendance at incident response simulation exercises. Captures participant names, roles, scenario description, date, facilitator, and lessons learned. Linked to the AI Incident Response Plan (Volume 6).

Executive Compliance Dashboard

Visual dashboard template showing training completion rates, policy acknowledgement status, certificate expiry timeline, overdue items by team, and trend analysis. Designed for C-suite and Board Risk Committee consumption.

Third-Party AI Vendor Assessment

Structured assessment questionnaire for AI vendors covering security, privacy, operational resilience, compliance, data handling, model governance, and exit arrangements. Scored with risk rating and recommendation.

Field | Description | Response Type
Vendor Name | Legal entity name and trading name | Text
ABN / ACN | Australian Business Number or Company Number | Text
Service Description | Description of AI service provided | Text
Data Processing Location | Geographic location of data processing and storage | Text
Security Certification | ISO 27001, SOC 2 Type II, or equivalent certifications | Attachment
AI Model Provenance | Documentation of model training data sources and lineage | Attachment
Subprocessors | List of all third-party subprocessors with services provided | Table
Incident History | Details of any security or privacy incidents in past 24 months | Text
Exit Arrangements | Data portability, deletion certification, and transition support | Text
Risk Rating | Low / Medium / High / Critical based on assessment score | Dropdown
Recommendation | Approve / Approve with Conditions / Reject | Dropdown
Assessor | Name and role of person completing assessment | Text
Assessment Date | Date of assessment completion | Date
Review Date | Date for next reassessment | Date

AI and Cyber Control Testing Schedule

Annual testing calendar for all AI and cyber controls. Includes test type, frequency, accountable party, expected evidence, and last/next test dates. Aligns with Essential Eight, CPS 234, and CPS 230 testing requirements.

Field | Description | Response Type
Control ID | Unique identifier for the control | Text
Control Name | Descriptive name of the control | Text
Framework Reference | Essential Eight / CPS 234 / CPS 230 / Privacy Act | Dropdown
Test Type | Automated / Manual / Penetration Test / Tabletop / Audit | Dropdown
Frequency | Monthly / Quarterly / Semi-annual / Annual / Per-change | Dropdown
Accountable Party | Role responsible for executing the test | Text
Last Test Date | Date the control was last tested | Date
Next Test Date | Scheduled date for next test | Date
Test Result | Pass / Fail / Partial / Not Tested | Dropdown
Evidence Location | File path, URL, or document reference for test evidence | Text
Findings | Summary of any findings or deficiencies identified | Text
Remediation Status | Open / In Progress / Closed / Accepted | Dropdown
Remediation Target Date | Target date for closing findings | Date

Commercial Packaging

The Corporate AI Governance Framework + Solurius Implementation Pack is commercially licensable by CSA Digital Asset Developers for Australian, UK, USA, and New Zealand organisations. The pack includes all thirteen volumes, the complete template library, Solurius integration guides, and implementation support. Contact CSA Digital Asset Developers for licensing terms, customisation options, and enterprise deployment support.