Australian Compliance and Cyber Resilience
Comprehensive alignment with ACSC Essential Eight, APRA CPS 234/230, Privacy Act 1988, incident response, board reporting, and Solurius training integration.
13.1 ACSC Essential Eight — Maturity Model Mapping
The Australian Cyber Security Centre (ACSC) Essential Eight provides a prioritised set of mitigation strategies to protect organisations against a range of adversaries. This volume maps each Essential Eight control to AI-specific risks, implementation requirements, and evidence standards suitable for audit, board reporting, and regulatory examination.
Organisations implementing this framework must achieve a target maturity level of at least Maturity Level Two for all eight strategies, with Maturity Level Three required for organisations classified as high-value targets or those processing sensitive personal information at scale. AI systems introduce unique attack surfaces that must be explicitly addressed within each control.
Maturity Model Overview
| Level | Description | AI-Specific Consideration |
|---|---|---|
| Level 0 | Not aligned with mitigation strategy | No AI-specific controls implemented |
| Level 1 | Partly aligned — basic controls in place | Basic application control and patching applied to AI infrastructure |
| Level 2 | Mostly aligned — comprehensive controls | AI model pipelines hardened, prompt injection defences active, MFA on all AI admin interfaces |
| Level 3 | Fully aligned — sophisticated controls | Continuous AI threat monitoring, adversarial testing, automated rollback, board-level AI risk dashboards |
Regulatory Alignment
APRA CPS 234 expects regulated entities to maintain information security controls commensurate with the criticality and sensitivity of their assets. The Essential Eight provides the baseline control set that APRA-regulated entities should exceed. AI systems processing financial data, insurance claims, or superannuation information are classified as critical assets under CPS 234.
13.2 Application Control
Application control prevents the execution of unauthorised software on endpoints and servers. For AI environments, this control extends to AI model binaries, inference engines, container images, Python packages, and third-party AI libraries.
AI-Specific Implementation Requirements
- Maintain an approved AI software register listing all permitted model frameworks (TensorFlow, PyTorch, ONNX Runtime, etc.), versions, and approved sources.
- Block execution of unsigned or unverified AI model files. All models must carry cryptographic signatures from approved training pipelines.
- Implement application control on AI development workstations to prevent execution of unapproved data science tools, notebook extensions, or package managers.
- Restrict execution of AI inference binaries to designated production hosts only. Development and test models must not execute on production infrastructure.
- Maintain allowlisting for AI container registries. Only images from approved registries with verified SBOMs may be deployed.
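One way to enforce the signed-model requirement above at load time, shown as an added example that is not part of the original framework. HMAC-SHA256 stands in for the training pipeline's asymmetric signature so the code runs on the standard library alone; the pipeline ID, key, manifest layout and file name are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: register of approved training pipelines and their signing keys.
# A production register would hold asymmetric public keys; the key here is constructed.
APPROVED_PIPELINES = {"train-prod-01": b"constructed-demo-key-not-a-real-secret"}


class ModelRejected(Exception):
    """Raised when a model artifact fails the application control gate."""


def file_sha256(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte weight files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def canonical(body):
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body, pipeline_id):
    """Pipeline side: sign the manifest body that lists artifact digests."""
    tag = hmac.new(APPROVED_PIPELINES[pipeline_id], canonical(body), hashlib.sha256)
    return {"body": body, "pipeline": pipeline_id, "signature": tag.hexdigest()}


def verify_model(path, manifest):
    """Host side: refuse to load unless pipeline, signature and digest all check out."""
    pipeline = manifest.get("pipeline")
    key = APPROVED_PIPELINES.get(pipeline)
    if key is None:
        raise ModelRejected(f"unapproved pipeline: {pipeline!r}")
    body = manifest.get("body")
    if not isinstance(body, dict):
        raise ModelRejected("manifest body missing")
    # Check the signature before trusting anything inside the body.
    expected_tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    supplied_tag = str(manifest.get("signature", ""))
    if not hmac.compare_digest(expected_tag.encode(), supplied_tag.encode()):
        raise ModelRejected("manifest signature invalid")
    name = os.path.basename(path)
    expected_digest = body.get("artifacts", {}).get(name)
    if expected_digest is None:
        raise ModelRejected(f"{name} not listed in manifest")
    if not hmac.compare_digest(str(expected_digest).encode(), file_sha256(path).encode()):
        raise ModelRejected(f"{name} digest mismatch")
    return name


def check(path, manifest):
    try:
        verify_model(path, manifest)
        return "allowed"
    except ModelRejected as exc:
        return f"rejected: {exc}"


def demo():
    """Run the gate over a constructed model file and three failure cases."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model = os.path.join(tmp, "example-model.onnx")  # constructed file name
        with open(model, "wb") as fh:
            fh.write(b"constructed model bytes")
        body = {"framework": "onnxruntime",
                "artifacts": {"example-model.onnx": file_sha256(model)}}
        manifest = sign_manifest(body, "train-prod-01")
        results["clean"] = check(model, manifest)
        # Manifest signed by something outside the approved register.
        results["unapproved"] = check(model, dict(manifest, pipeline="notebook-laptop"))
        # Artifact modified after signing.
        with open(model, "ab") as fh:
            fh.write(b"\x00")
        results["tampered_file"] = check(model, manifest)
        # Manifest edited to match the modified file, without a valid re-signature.
        edited = json.loads(json.dumps(manifest))
        edited["body"]["artifacts"]["example-model.onnx"] = file_sha256(model)
        results["edited_manifest"] = check(model, edited)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Each rejection message is a candidate log line for the execution-attempt evidence this control calls for.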
Evidence Required
13.3 Patch Applications
Applications, including AI frameworks, libraries, and middleware, must be patched within defined timeframes based on exploitability and criticality. AI systems often rely on complex dependency chains that expand the attack surface significantly.
AI-Specific Patching Requirements
| Category | Maximum Patch Window | Examples |
|---|---|---|
| Critical AI framework vulnerabilities | 48 hours | PyTorch arbitrary code execution, TensorFlow privilege escalation |
| High-risk AI library CVEs | 7 days | Hugging Face Transformers, LangChain, OpenAI SDK |
| AI middleware and APIs | 14 days | FastAPI, Flask, model serving proxies |
| General data science packages | 30 days | NumPy, Pandas, SciPy, Jupyter |
| Container base images | 14 days | CUDA runtime, NVIDIA drivers, Python base images |
Evidence Required
13.4 Configure Microsoft Office Macro Settings
Microsoft Office macros remain a significant vector for malware delivery, including payloads targeting AI development environments. Organisations must restrict macro execution to prevent compromise of data science workstations and AI model training infrastructure.
AI Environment Protections
- Block all macros in Office documents originating from the internet on any workstation with access to AI training data or model repositories.
- Disable macros entirely on dedicated AI training servers and high-performance compute clusters.
- Require digitally signed macros only on administrative workstations, with signer certificate verification against an approved list.
- Implement email gateway scanning to quarantine Office attachments with macros sent to AI engineering teams.
- Log all macro execution attempts on workstations with access to sensitive AI datasets for forensic analysis.
AI-Specific Risk
Data scientists frequently receive datasets in Excel or CSV format via email. Attackers may embed malicious macros in these files to establish persistence on workstations with access to AI training pipelines, enabling model poisoning or data exfiltration.
13.5 User Application Hardening
User application hardening reduces the attack surface of applications that interact with AI systems, including web browsers accessing AI platforms, IDEs, notebook environments, and collaboration tools.
Hardening Requirements for AI Users
- Disable browser extensions on workstations used to access AI admin consoles, model deployment platforms, and cloud AI services.
- Block web advertisements and untrusted JavaScript on AI engineering workstations to prevent drive-by downloads.
- Harden IDE configurations (VS Code, PyCharm, Jupyter) to prevent execution of untrusted code snippets or extensions.
- Restrict clipboard and file-sharing functionality within AI collaboration tools to prevent accidental data leakage.
- Disable auto-run and auto-play features on all systems processing AI training data.
Evidence Required
13.6 Restrict Administrative Privileges
Administrative privileges must be restricted to the minimum necessary for role function. AI systems present elevated risk because administrative access to model training infrastructure, API gateways, or data pipelines can enable large-scale compromise.
AI-Specific Privilege Controls
| Role | Permitted Access | Prohibited Access |
|---|---|---|
| AI Model Engineer | Development environments, training pipelines (non-prod) | Production inference endpoints, customer data stores |
| ML Ops Engineer | Deployment pipelines, model registries, monitoring | Raw training data, model weights (read-only in registry) |
| Data Scientist | Notebook environments, sandbox datasets, experiment tracking | Production APIs, production databases, admin consoles |
| AI Product Manager | Dashboards, experiment results, project documentation | Code repositories, infrastructure, data pipelines |
| CISO / Security Officer | Security tooling, audit logs, policy enforcement | Model development, training data (without business case) |
Mandatory Controls
- Implement Privileged Access Management (PAM) for all administrative access to AI infrastructure.
- Require just-in-time (JIT) elevation for AI production environment access with automatic session termination.
- Segregate AI development, test, and production environments with separate administrative domains.
- Log all privileged actions in AI environments with immutable audit trails retained for 7 years.
- Review administrative access quarterly and remove dormant or excessive privileges within 48 hours of identification.
13.7 Patch Operating Systems
Operating systems hosting AI workloads — including training clusters, inference servers, and data science workstations — must be patched within defined timeframes. AI infrastructure often runs on specialised hardware (GPUs, TPUs) with proprietary drivers that require careful patch coordination.
AI Infrastructure Patching
- Maintain separate patch cycles for AI training clusters with scheduled maintenance windows that do not conflict with active model training runs.
- Test OS patches against GPU drivers, CUDA toolkits, and container runtimes before production deployment.
- Automate OS patching for non-production AI environments to validate compatibility.
- Maintain emergency patch procedures for OS vulnerabilities affecting AI container orchestration platforms (Kubernetes, OpenShift).
- Document and test rollback procedures for all AI infrastructure patches.
Evidence Required
13.8 Multi-factor Authentication
Multi-factor authentication (MFA) must be enforced for all access to AI systems, platforms, and data stores. AI systems are high-value targets for adversaries seeking to steal models, poison training data, or extract sensitive information through prompt injection.
MFA Requirements for AI Environments
| System Category | MFA Method | Frequency |
|---|---|---|
| AI model training platforms | Hardware token or phishing-resistant authenticator | Every session |
| Model registries and artifact stores | Hardware token or phishing-resistant authenticator | Every session |
| Production inference APIs (admin) | Hardware token or phishing-resistant authenticator | Every session |
| AI development environments | TOTP or hardware token minimum | Every session |
| AI data lakes and warehouses | Hardware token or phishing-resistant authenticator | Every session |
| Cloud AI services (AWS SageMaker, Azure ML, GCP Vertex) | Hardware token or phishing-resistant authenticator | Every session |
AI-Specific MFA Considerations
- Service account access to AI APIs must use certificate-based or workload identity authentication, not static credentials.
- Break-glass access to AI production systems requires dual-authorisation with real-time notification to the CISO and AI Steering Committee.
- MFA for AI platform admin consoles must be phishing-resistant (FIDO2/WebAuthn) where technically feasible.
- Monitor for anomalous MFA events on AI systems as an early indicator of targeted attack.
13.9 Regular Backups
Regular, tested backups are essential for AI systems to ensure business continuity, protect against ransomware, and enable rapid recovery from model corruption, data poisoning incidents, or infrastructure failure.
AI Asset Backup Requirements
- Maintain versioned backups of all trained model artifacts, including weights, configurations, and training hyperparameters.
- Back up AI training datasets with immutable snapshots at the point of training commencement to enable forensic reconstruction.
- Back up AI pipeline configurations, infrastructure-as-code templates, and deployment manifests.
- Maintain offline or air-gapped backups of critical AI models and datasets to protect against ransomware.
- Test restoration of AI models to alternate infrastructure quarterly to validate recovery procedures.
Backup Schedule
| Asset Type | Frequency | Retention | Storage |
|---|---|---|---|
| Production model weights | Daily incremental, weekly full | 90 days | Encrypted, geo-redundant |
| Training datasets | Per-training run | 7 years | Immutable, air-gapped for sensitive data |
| Model configurations | Per-deployment | 7 years | Version control + encrypted backup |
| Inference logs | Continuous | 7 years | Immutable, tamper-evident |
| AI pipeline code | Per-commit | Permanent | Git + encrypted backup |
13.10 Essential Eight Implementation Checklist
The following checklist provides a practical implementation guide for organisations seeking to align their AI governance programme with the ACSC Essential Eight. Each item must be completed, evidenced, and reviewed annually.
Implementation Phases
- Establish Essential Eight governance: Assign accountable owner, define target maturity, allocate budget, and establish reporting to the AI Steering Committee.
- Conduct baseline assessment: Evaluate current maturity for all eight strategies as applied to AI environments, documenting gaps and prioritisation.
- Develop implementation plan: Create project plans with timelines, resources, and dependencies for each control, aligned with AI system deployment schedules.
- Implement application control: Deploy allowlisting, maintain software registers, and establish exception management processes.
- Implement patching regime: Deploy vulnerability scanning, define SLAs, and establish emergency patching procedures for AI frameworks.
- Configure Office macro settings: Deploy Group Policy, enforce blocking, and train staff on macro-related risks in data science workflows.
- Harden user applications: Deploy configuration baselines, restrict browser extensions, and harden IDEs and notebook environments.
- Restrict admin privileges: Deploy PAM, implement JIT elevation, and segregate AI environment administrative domains.
- Implement OS patching: Define patch cycles for AI infrastructure, test GPU driver compatibility, and establish rollback procedures.
- Enforce MFA: Deploy phishing-resistant authentication for all AI systems, implement service account certificate auth, and configure break-glass dual-authorisation.
- Implement backups: Deploy versioned model backups, immutable dataset snapshots, air-gapped storage, and quarterly restoration testing.
- Conduct internal audit: Verify control effectiveness, review evidence completeness, and report findings to the AI Steering Committee and Board.
AI-Specific Mapping Summary
| Essential Eight Strategy | AI Risk Addressed | Control Implementation | Evidence |
|---|---|---|---|
| Application Control | Malicious AI model execution, poisoned libraries | Allowlist AI frameworks, sign models | Software register, execution logs |
| Patch Applications | Exploitable AI framework vulnerabilities | Scan and patch ML libraries within 48 hours | Vulnerability reports, patch register |
| Office Macros | Macro-based compromise of data science workstations | Block macros on AI workstations | GPO exports, training records |
| User Hardening | Browser-based attacks on AI platforms | Harden browsers, IDEs, notebooks | Config baselines, scan results |
| Admin Privileges | Lateral movement in AI infrastructure | PAM, JIT, domain segregation | Access reviews, PAM logs |
| Patch OS | OS-level compromise of AI servers | Patch GPU hosts, test compatibility | Patch register, test results |
| MFA | Credential compromise of AI admin accounts | Phishing-resistant MFA everywhere | MFA configuration, audit logs |
| Backups | Ransomware, model corruption, data poisoning | Versioned models, immutable data | Backup logs, restoration test results |
Solurius Training Module Requirements by Control
| Essential Eight Strategy | Solurius Module | Target Audience | Completion Evidence |
|---|---|---|---|
| Application Control | Essential Eight Awareness — Application Control | IT, Security, AI Engineers | Certificate ID, quiz score ≥80% |
| Patch Applications | Essential Eight Awareness — Patch Management | IT, Security, ML Ops | Certificate ID, quiz score ≥80% |
| Office Macros | Essential Eight Awareness — Macro Security | All staff with Office access | Certificate ID, quiz score ≥80% |
| User Hardening | Essential Eight Awareness — Application Hardening | IT, Security, Engineering | Certificate ID, quiz score ≥80% |
| Admin Privileges | Essential Eight Awareness — Privileged Access | IT, Security, Infrastructure | Certificate ID, quiz score ≥90% |
| Patch OS | Essential Eight Awareness — OS Patching | IT, Infrastructure, ML Ops | Certificate ID, quiz score ≥80% |
| MFA | Essential Eight Awareness — Multi-Factor Authentication | All staff | Certificate ID, quiz score ≥80% |
| Backups | Essential Eight Awareness — Backup and Recovery | IT, Security, Operations | Certificate ID, quiz score ≥80% |
Training Integration
All Essential Eight training modules are delivered through Solurius with automatic enrolment, progress tracking, and completion certificate generation. Module completion is recorded in the Staff Training Completion Register and feeds into the Executive Compliance Dashboard.
13.11 APRA CPS 234 — Information Security
APRA Prudential Standard CPS 234 Information Security requires APRA-regulated entities to maintain information security capabilities commensurate with the criticality and sensitivity of their assets. AI systems processing financial data, making credit decisions, or supporting insurance operations are classified as critical assets under CPS 234.
Information Security Capability
- Maintain an AI-specific information security capability with dedicated personnel, budget, and authority to enforce security controls across AI systems.
- Define and maintain an AI asset inventory with classification (critical, important, standard) based on data sensitivity, regulatory exposure, and business impact.
- Ensure AI security personnel possess relevant qualifications (CISSP, CISM, GSEC) and AI-specific security training (adversarial ML, prompt injection defence).
- Document AI security roles and responsibilities in RACI matrices with clear accountability for each control domain.
Control Environment
| Control Domain | AI-Specific Requirement | Testing Frequency |
|---|---|---|
| Access Control | Role-based access to models, data, pipelines with least privilege | Quarterly |
| Cryptography | Encryption of model weights at rest, TLS 1.3 for inference APIs | Per-deployment |
| Threat Management | Adversarial testing, model poisoning detection, prompt injection monitoring | Monthly |
| Monitoring | Continuous monitoring of AI model behaviour, drift, and anomalous inputs | Continuous |
| Change Management | Security review of all AI model updates, retraining, and deployments | Per-change |
| Asset Management | Accurate inventory of all AI assets with ownership and classification | Monthly |
Testing Program
- Conduct annual penetration testing of AI systems, including model extraction attempts, prompt injection attacks, and API abuse scenarios.
- Perform vulnerability assessments of AI infrastructure quarterly, including container images, model serving platforms, and training environments.
- Execute adversarial robustness testing for all production AI models annually, with documented remediation of identified weaknesses.
- Validate backup and recovery procedures for AI systems through tabletop exercises and live restoration tests.
Incident Management and Notification
- Establish AI-specific incident response playbooks covering model poisoning, adversarial attacks, data leakage via prompt injection, and unauthorised model access.
- Define materiality thresholds for AI security incidents requiring APRA notification within 72 hours.
- Maintain an incident register with root cause analysis, remediation actions, and lessons learned for all AI security events.
- Test incident response procedures through quarterly simulations involving AI Steering Committee members and relevant executives.
APRA Notification Process
- Incident discovery and initial assessment: Within 1 hour of detection, the Incident Response Lead determines whether the incident involves an AI system and assesses preliminary materiality.
- Internal escalation: Critical and high-severity incidents are escalated to the CISO, CIO, and General Counsel within 15 minutes. The AI Steering Committee Chair is notified within 1 hour.
- APRA eligibility assessment: The Compliance Officer assesses whether the incident triggers APRA notification requirements under CPS 234 paragraph 36 (material information security incidents) within 4 hours.
- APRA notification: If eligible, APRA is notified within 72 hours of discovery using the approved APRA incident notification template, including incident summary, systems affected, containment status, and estimated impact.
- Privacy Act assessment: Concurrently, the Privacy Officer assesses whether the incident constitutes an eligible data breach under the Notifiable Data Breaches scheme within 24 hours.
- Board notification: The Board Risk Committee is notified at the next scheduled meeting, or earlier if the incident is critical or has attracted regulatory or media attention.
- Remediation and closure: The incident is tracked through to closure with documented remediation actions, control improvements, and lessons learned. Evidence is retained for 7 years.
Third-Party and Service Provider Risk
- Assess all third-party AI vendors (model providers, cloud AI platforms, data providers) against CPS 234 requirements before onboarding.
- Include CPS 234-aligned security clauses in all AI vendor contracts, with right-to-audit provisions.
- Monitor third-party AI vendor security posture through annual assessments, SOC 2 reports, and vulnerability disclosures.
- Maintain a register of all AI service providers with risk ratings, contract review dates, and escalation contacts.
Board and Senior Management Accountability
- The Board must receive quarterly reports on AI information security posture, including control effectiveness, incident summary, and testing outcomes.
- Senior management must attest annually to the adequacy of AI information security controls and the accuracy of the AI asset inventory.
- The CISO must present AI security risk assessments to the Risk Committee with recommended treatment actions and residual risk acceptance decisions.
- Board members must receive AI security awareness briefings annually to maintain sufficient understanding for effective oversight.
CPS 234 Evidence Register
| Evidence Item | Owner | Frequency | Format |
|---|---|---|---|
| AI asset inventory | CISO / Data Office | Monthly | Spreadsheet / CMDB export |
| Control test results | Security Testing Team | Quarterly | Test report with findings |
| Penetration test report | External Tester | Annual | Formal report with remediation plan |
| Incident register | Incident Response Lead | Continuous | Ticketing system export |
| Third-party risk assessments | Vendor Management | Annual | Assessment questionnaire + report |
| Board security reports | CISO | Quarterly | Executive presentation + minutes |
| Policy attestations | HR / Compliance | Annual | Signed attestations |
CPS 234 Audit Checklist
13.12 APRA CPS 230 — Operational Risk Management
APRA Prudential Standard CPS 230 Operational Risk Management requires regulated entities to manage operational risks comprehensively, including those arising from AI systems. AI failures, model drift, data quality issues, and third-party AI dependencies are all operational risks subject to CPS 230.
Operational Risk Management Framework
- Integrate AI operational risks into the enterprise operational risk management framework with clear risk taxonomy, assessment methodology, and appetite statements.
- Define AI-specific operational risk categories: model failure, data quality degradation, vendor dependency, skill concentration, regulatory change, and ethical breach.
- Require operational risk assessment for all AI projects prior to deployment, with sign-off from Risk, Legal, and Operations functions.
- Maintain an AI operational risk register with risk owners, controls, key risk indicators (KRIs), and trigger thresholds.
Critical Operations
| AI Operation | Criticality | RTO | RPO |
|---|---|---|---|
| Real-time credit scoring model | Critical | 1 hour | Zero |
| Insurance claims triage AI | Critical | 4 hours | 1 hour |
| Anti-money laundering detection | Critical | 2 hours | Zero |
| Customer service chatbot | Important | 8 hours | 4 hours |
| Internal document summarisation | Standard | 24 hours | 24 hours |
| Marketing personalisation | Standard | 48 hours | 24 hours |
Service Provider Management
- Identify all AI service providers critical to operations and map dependencies, including nested dependencies (e.g., cloud provider → model API → data provider).
- Assess service provider operational resilience through due diligence, contractual SLAs, and annual resilience testing.
- Require AI service providers to disclose their own operational risk management practices, business continuity plans, and incident history.
- Maintain exit strategies for all critical AI service providers, including transition plans, data portability arrangements, and alternative vendor identification.
Business Continuity and Tolerance Levels
- Define tolerance levels for AI service disruption by criticality, with explicit board-approved thresholds for maximum acceptable outage duration and data loss.
- Develop business continuity plans for AI operations with documented recovery procedures, alternative processing arrangements, and communication protocols.
- Test business continuity plans for critical AI operations annually through simulation exercises.
- Review and update tolerance levels following material changes to AI operations, vendor landscape, or regulatory requirements.
Disruption Response and Scenario Testing
- Establish disruption response procedures for AI system failures, including automatic failover, manual override protocols, and customer communication templates.
- Conduct scenario testing for AI operational risks: major cloud provider outage, model vendor API failure, mass data quality degradation, adversarial attack causing model misbehaviour.
- Document scenario testing outcomes, identify gaps, and assign remediation actions with deadlines and accountable owners.
- Report scenario testing results to the Board Risk Committee annually.
Incident Escalation and Recovery Procedures
| Severity | Criteria | Escalation | Response Time |
|---|---|---|---|
| Critical | AI system failure affecting customer safety, financial loss >$1M, or regulatory breach | CEO, Board Chair, APRA | 15 minutes |
| High | AI system failure affecting critical operations, financial loss $100K-$1M | CIO, CRO, General Counsel | 1 hour |
| Medium | AI degradation affecting non-critical operations, financial loss <$100K | AI Steering Committee Chair | 4 hours |
| Low | AI performance issue with minimal business impact | AI Operations Manager | 24 hours |
Integration with Volume 6
CPS 230 incident escalation procedures must align with the AI Incident Response Plan documented in Volume 6. Organisations should maintain a single incident taxonomy with CPS 230 severity mapping to avoid confusion during crisis response.
13.13 Privacy Act 1988 and Australian Privacy Principles
The Privacy Act 1988 and the Australian Privacy Principles (APPs) govern the handling of personal information by Australian organisations. AI systems that process personal information — whether for training, inference, or decision-making — must comply with all 13 APPs.
AI-Specific Privacy Obligations
| APP | AI Relevance | Control Requirement |
|---|---|---|
| APP 1: Open and transparent | AI decision-making must be documented and explainable to individuals | Publish AI privacy notice, maintain model documentation |
| APP 2: Anonymity and pseudonymity | Where feasible, AI systems should operate on de-identified data | De-identification protocols, data minimisation |
| APP 3: Collection | AI training data collection must be lawful, fair, and necessary | Collection notices, purpose specification, consent where required |
| APP 4: Unsolicited personal information | AI systems must not ingest unsolicited personal data without assessment | Data ingestion review process |
| APP 5: Notification | Individuals must be informed when AI processes their personal information | Collection notices, privacy policy updates |
| APP 6: Use and disclosure | AI use of personal information must be within collection purpose or permitted by law | Purpose limitation, use register, secondary use assessment |
| APP 7: Direct marketing | AI-driven personalisation for marketing requires opt-out and consent compliance | Marketing consent register, opt-out mechanisms |
| APP 8: Cross-border disclosure | AI models trained on Australian data and hosted overseas require disclosure and safeguards | Cross-border assessment, contractual safeguards |
| APP 9: Government identifiers | AI systems must not use government identifiers as primary keys or training features | Identifier restriction policy |
| APP 10: Quality | AI training data and outputs must be accurate, complete, and up-to-date | Data quality framework, model accuracy monitoring |
| APP 11: Security | AI systems must protect personal information from misuse, loss, and unauthorised access | Encryption, access control, adversarial defences |
| APP 12: Access | Individuals may request access to personal information held or processed by AI systems | Access request procedure, model output extraction |
| APP 13: Correction | Individuals may request correction of personal information used by AI systems | Correction procedure, model retraining trigger |
Privacy by Design for AI
- Conduct Privacy Impact Assessments (PIAs) for all AI systems processing personal information before development commencement.
- Implement data minimisation in AI training: collect only the personal information necessary for the specific AI purpose, and delete when no longer required.
- Deploy differential privacy, federated learning, or synthetic data generation where feasible to reduce privacy risk.
- Maintain data lineage for all personal information used in AI training to support access, correction, and deletion requests.
- Document AI model decisions affecting individuals to support APP 12 access requests and APP 1 transparency obligations.
Notifiable Data Breaches
AI-related data breaches — including model inversion attacks extracting training data, prompt injection causing leakage of personal information, or unauthorised access to AI systems containing personal data — may trigger the Notifiable Data Breaches scheme. Organisations must assess AI incidents for NDB eligibility within 30 days of discovery.
13.14 Cyber Incident Response and Board Reporting
Cyber incidents involving AI systems demand specialised response capabilities. The board expects timely, accurate, and actionable reporting on AI-related cyber incidents with clear materiality assessments and remediation progress.
AI Cyber Incident Categories
| Category | Description | Board Notification |
|---|---|---|
| Model extraction | Adversary successfully extracts model weights or architecture | Within 24 hours |
| Data poisoning | Training data compromised causing model misbehaviour | Within 24 hours |
| Prompt injection | Successful prompt injection causing data leakage or harmful outputs | Within 48 hours if material |
| Adversarial evasion | Attack bypasses AI security controls (e.g., malware detection) | Within 48 hours |
| Credential compromise | AI admin or service account credentials compromised | Within 24 hours |
| Supply chain compromise | AI vendor or open-source component compromised | Within 24 hours |
| Insider threat | Employee misuses AI access for unauthorised purposes | Within 72 hours if material |
Board Reporting Template
- Incident summary: What happened, when, systems affected, data involved.
- Materiality assessment: Financial impact, regulatory exposure, customer impact, reputational risk.
- Root cause: Technical and procedural failures that enabled the incident.
- Containment status: Current state of containment, eradication, and recovery.
- Regulatory implications: APRA notification status, Privacy Act breach assessment, other regulator engagement.
- Remediation plan: Actions taken, actions planned, accountable owners, deadlines.
- Lessons learned: Process improvements, control enhancements, training needs.
- Steering Committee recommendation: Risk acceptance, additional investment, policy change, or other action.
Executive and Board Expectations
- The Board expects to be notified of all critical and high-severity AI cyber incidents within the timeframes specified above.
- The Board expects quarterly cyber resilience briefings covering AI threat landscape, control effectiveness, and emerging risks.
- The Board expects annual attestations from the CISO and CTO confirming AI security control adequacy and incident response readiness.
- The Board expects to review and approve AI cyber incident response plans and business continuity arrangements annually.
13.15 Solurius Training Integration
Solurius is the designated learning, awareness, policy acknowledgement, and evidence platform for the Corporate AI Governance Framework. Solurius delivers mandatory training modules, captures staff attestations, maintains completion records, and generates compliance evidence suitable for internal audit and regulatory examination.
Mandatory Training Modules
| Module | Audience | Frequency | Duration |
|---|---|---|---|
| AI Awareness Foundation | All staff | Annual | 45 minutes |
| Essential Eight Awareness | IT, Security, Engineering, AI teams | Annual | 60 minutes |
| APRA CPS 234 for AI | Risk, Compliance, Security, Executives | Annual | 90 minutes |
| APRA CPS 230 Operational Resilience | Operations, Risk, Business Continuity | Annual | 75 minutes |
| Privacy and Data Handling | All staff with data access | Annual | 60 minutes |
| Incident Response Simulation | Incident Response Team, AI Operations | Semi-annual | 120 minutes |
| Phishing and Social Engineering | All staff | Quarterly | 30 minutes |
| AI Acceptable Use | All staff using AI tools | Annual | 45 minutes |
| Prompt Security | AI engineers, data scientists, prompt engineers | Annual | 60 minutes |
| Executive Board Reporting | Board members, C-suite, senior executives | Annual | 90 minutes |
Policy Acknowledgement Workflow
- Policy upload: The Governance Office uploads the current Corporate AI Policy and subordinate policies into Solurius.
- Role assignment: Policies are assigned to staff based on role, department, and risk exposure. Board members receive executive summaries; engineers receive technical controls.
- Acknowledgement request: Solurius pushes notifications to assigned staff with a defined completion deadline (typically 14 days).
- Staff review: Staff review the policy in Solurius, with progress tracking and time-on-page monitoring.
- Electronic attestation: Staff electronically sign the policy acknowledgement, confirming understanding and compliance commitment.
- Exception management: Staff who raise questions or objections trigger an exception workflow to their manager and the Governance Office.
- Completion tracking: Solurius maintains real-time completion dashboards with drill-down by team, role, and seniority.
- Escalation: Non-completion after deadline triggers automatic escalation to line managers and HR.
Staff Attestation Records
- Solurius retains permanent records of all policy acknowledgements with timestamp, IP address, device fingerprint, and digital signature.
- Attestation records are linked to employee profiles and retained for the duration of employment plus 7 years.
- Attestation records are exportable in CSV and PDF formats for audit evidence packs.
- Version control ensures staff acknowledgements are tied to specific policy versions, with re-attestation triggered by material policy changes.
Completion Certificates
- Solurius issues verifiable completion certificates for each training module, including module name, completion date, expiry date, and unique certificate ID.
- Certificates are stored in the employee's Solurius profile and available for download at any time.
- Certificate expiry triggers automatic re-enrolment notifications 30 days before expiry.
- Aggregated certificate data supports compliance reporting and regulatory examination.
Training Register
| Field | Description |
|---|---|
| Employee ID | Unique identifier linked to HR system |
| Name and Role | Current role at time of training |
| Module Name | Training module completed |
| Completion Date | Date of successful completion |
| Expiry Date | Certificate expiry or retraining due date |
| Score | Assessment score where applicable |
| Attempts | Number of attempts to pass |
| Certificate ID | Unique verifiable certificate identifier |
| Policy Version | Version of policy acknowledged (for policy modules) |
| Manager | Line manager at time of completion |
Audit Evidence Export
- Solurius provides one-click export of training and attestation evidence for internal audit, external audit, and regulatory examination.
- Export packages include completion registers, certificate copies, policy version history, and exception registers.
- Evidence is time-stamped, tamper-evident, and cryptographically signed where required.
- Export formats include PDF, CSV, and structured JSON for integration with GRC platforms.
13.16 Implementation Using Solurius — Ten Steps
This section provides a practical, step-by-step guide for implementing the Corporate AI Governance Framework using Solurius. These steps are designed for Australian, UK, US, and New Zealand organisations seeking to achieve rapid, evidence-based compliance.
Step 1: Upload Corporate AI Policies into Solurius
The Governance Office uploads the Corporate AI Policy, subordinate policies, and volume-specific guidance into Solurius. Each policy is tagged by applicability (all staff, IT only, executives, board) and linked to relevant training modules. Document version control ensures staff always acknowledge the current version.
Step 2: Assign Policies to Staff by Role
Using Solurius role-based assignment, policies are distributed to staff based on their organisational role, department, and risk exposure. Board members receive executive summaries; AI engineers receive detailed technical controls; all staff receive the AI Acceptable Use Policy.
Step 3: Deliver Mandatory AI and Cyber Awareness Modules
Solurius delivers the full training curriculum: AI Awareness Foundation, Essential Eight Awareness, APRA CPS 234, CPS 230, Privacy and Data Handling, Incident Response Simulation, Phishing and Social Engineering, AI Acceptable Use, Prompt Security, and Executive Board Reporting. Staff progress through modules at their own pace with manager visibility.
Step 4: Require Staff Acknowledgement
After policy review, staff electronically acknowledge each assigned policy through Solurius. Acknowledgements are recorded with timestamp, device fingerprint, and digital signature. Non-completion triggers automatic escalation to line managers and HR.
Step 5: Run Assessments and Quizzes
Each training module concludes with an assessment to verify comprehension. Pass thresholds are set at 80% for general staff and 90% for security, risk, and engineering roles. Failed attempts trigger remedial content and manager notification.
Step 6: Issue Completion Certificates
Upon successful completion, Solurius issues verifiable certificates with unique IDs, completion dates, and expiry dates. Certificates are stored in employee profiles and available for audit evidence export.
Step 7: Maintain Training Evidence for Audit
Solurius maintains comprehensive training evidence including completion registers, assessment scores, certificate copies, and policy acknowledgement records. Evidence is retained for the duration of employment plus 7 years and exportable in multiple formats.
Step 8: Generate Monthly Compliance Dashboard
Solurius generates real-time compliance dashboards showing completion rates by team, role, and geography; overdue acknowledgements; upcoming certificate expiries; and training effectiveness metrics. Dashboards are configurable for executive, manager, and audit audiences.
Step 9: Report to Executives and Board
Monthly compliance reports are automatically distributed to the AI Steering Committee, CISO, and Board Risk Committee. Reports include completion status, incident trends, control effectiveness, and recommendations for improvement.
Step 10: Repeat Annually or After Policy Changes
The training and acknowledgement cycle repeats annually for all staff. Material policy changes trigger targeted re-attestation for affected staff. Annual training refreshes ensure awareness of evolving threats, regulatory changes, and framework updates.
13.17 Templates and Registers
The following templates are included in the Corporate AI Governance Framework + Solurius Implementation Pack. Each template is provided in editable Microsoft Word and Excel formats with instructions for completion.
Essential Eight Implementation Register
Tracks implementation status, maturity level, evidence location, and next review date for each of the eight strategies. Includes AI-specific columns for model pipeline coverage, training environment status, and inference platform alignment.
APRA CPS 234 Evidence Register
Central repository for all CPS 234 evidence items: asset inventory, control tests, penetration reports, incident registers, third-party assessments, board reports, policy attestations, and audit findings. Linked to Solurius training records where applicable.
APRA CPS 230 Operational Resilience Register
Documents operational risk assessments, critical operation definitions, tolerance levels, business continuity plans, scenario testing results, and service provider resilience assessments for AI operations.
AI Policy Acknowledgement Form
Individual staff acknowledgement form capturing name, employee ID, role, policy version, acknowledgement date, electronic signature, and manager verification. Integrated with Solurius workflow but available as standalone for non-Solurius implementations.
Staff Training Completion Register
Aggregated view of all training completions across the organisation. Filterable by team, role, module, date range, and completion status. Supports compliance reporting and audit evidence preparation.
Board Cyber and AI Governance Report
Executive-ready report template for quarterly Board presentations. Sections cover security posture, incident summary, control effectiveness, testing outcomes, regulatory updates, and Steering Committee recommendations.
Incident Response Training Attendance Sheet
Tracks attendance at incident response simulation exercises. Captures participant names, roles, scenario description, date, facilitator, and lessons learned. Linked to the AI Incident Response Plan (Volume 6).
Executive Compliance Dashboard
Visual dashboard template showing training completion rates, policy acknowledgement status, certificate expiry timeline, overdue items by team, and trend analysis. Designed for C-suite and Board Risk Committee consumption.
Third-Party AI Vendor Assessment
Structured assessment questionnaire for AI vendors covering security, privacy, operational resilience, compliance, data handling, model governance, and exit arrangements. Scored with risk rating and recommendation.
| Field | Description | Response Type |
|---|---|---|
| Vendor Name | Legal entity name and trading name | Text |
| ABN / ACN | Australian Business Number or Company Number | Text |
| Service Description | Description of AI service provided | Text |
| Data Processing Location | Geographic location of data processing and storage | Text |
| Security Certification | ISO 27001, SOC 2 Type II, or equivalent certifications | Attachment |
| AI Model Provenance | Documentation of model training data sources and lineage | Attachment |
| Subprocessors | List of all third-party subprocessors with services provided | Table |
| Incident History | Details of any security or privacy incidents in past 24 months | Text |
| Exit Arrangements | Data portability, deletion certification, and transition support | Text |
| Risk Rating | Low / Medium / High / Critical based on assessment score | Dropdown |
| Recommendation | Approve / Approve with Conditions / Reject | Dropdown |
| Assessor | Name and role of person completing assessment | Text |
| Assessment Date | Date of assessment completion | Date |
| Review Date | Date for next reassessment | Date |
AI and Cyber Control Testing Schedule
Annual testing calendar for all AI and cyber controls. Includes test type, frequency, accountable party, expected evidence, and last/next test dates. Aligns with Essential Eight, CPS 234, and CPS 230 testing requirements.
| Field | Description | Response Type |
|---|---|---|
| Control ID | Unique identifier for the control | Text |
| Control Name | Descriptive name of the control | Text |
| Framework Reference | Essential Eight / CPS 234 / CPS 230 / Privacy Act | Dropdown |
| Test Type | Automated / Manual / Penetration Test / Tabletop / Audit | Dropdown |
| Frequency | Monthly / Quarterly / Semi-annual / Annual / Per-change | Dropdown |
| Accountable Party | Role responsible for executing the test | Text |
| Last Test Date | Date the control was last tested | Date |
| Next Test Date | Scheduled date for next test | Date |
| Test Result | Pass / Fail / Partial / Not Tested | Dropdown |
| Evidence Location | File path, URL, or document reference for test evidence | Text |
| Findings | Summary of any findings or deficiencies identified | Text |
| Remediation Status | Open / In Progress / Closed / Accepted | Dropdown |
| Remediation Target Date | Target date for closing findings | Date |
Commercial Packaging
The Corporate AI Governance Framework + Solurius Implementation Pack is commercially licensable by CSA Digital Asset Developers for Australian, UK, US, and New Zealand organisations. The pack includes all thirteen volumes, the complete template library, Solurius integration guides, and implementation support. Contact CSA Digital Asset Developers for licensing terms, customisation options, and enterprise deployment support.