
AI and directors’ duties: Navigating cyber risk and responsible governance

13 June 2026

7 min read

#Dispute Resolution & Litigation

Published by:

Rachele Troup, Julia Townley


Artificial intelligence (AI) is now creating two distinct governance challenges for directors. First, boards must respond to the rising cyber risks associated with increasingly sophisticated AI models. Secondly, directors and executives are beginning to use AI themselves to digest information and support decision-making, raising important questions about how that use can occur consistently with their duties.

In May 2026, the Australian Securities and Investments Commission (ASIC) issued an open letter to AFS licensees and market participants, warning that frontier AI models are accelerating the speed, scale and sophistication of cyber attacks and setting out its expectations for stronger cyber resilience.

The Federal Court considered the use of AI in the context of directors performing their duties in Australian Securities and Investments Commission v Bekier [2026] FCA 196 (Bekier). In that decision, Justice Lee addressed the practical challenge of directors being required to review large volumes of board material and indicated that emerging technology may assist, provided its use is principled and transparent.

ASIC’s open letter and the Bekier decision make clear that directors should be thinking about AI both as a source of enterprise risk and as a governance tool that must be used carefully, transparently and with independent judgment.

Cyber attacks, AI and duties of directors

ASIC’s open letter suggests its current focus is on companies strengthening their cyber resilience as AI accelerates the speed and sophistication of cyber attacks. It urges directors and executives not to wait for perfect clarity to address the threat posed by new AI models, but to act immediately and with discipline to strengthen cyber resilience. ASIC encourages companies to take a number of measures, which are set out in further detail here.

Boards are now on notice of ASIC’s expectation that they strengthen cyber resilience, proportionate to the size, nature and complexity of their business, in response to the cyber risks posed by increasingly sophisticated AI models. Directors and executives should carefully consider the cyber resilience of their businesses in the context of this rapidly emerging risk. Failures by businesses to implement proper policies and controls to increase cyber resilience may ultimately expose directors and officers to breaches of law, including their statutory duties to act with care and diligence under section 180(1) of the Corporations Act 2001 (Cth) (Act).

ASIC has already taken action against a financial services licensee for cybersecurity failures, securing a $2.5m pecuniary penalty against FIIG Securities Limited (FIIG) earlier this year. ASIC’s case was that FIIG failed to have in place adequate cybersecurity measures and thereby contravened its obligations under section 912A(1)(a) of the Act to do all things necessary to ensure that the financial services covered by its licence were provided efficiently, honestly and fairly.

ASIC’s open letter provides both an encouragement and warning to directors and executives to increase cybersecurity capabilities as AI capabilities advance. ASIC notes that small weaknesses can have serious consequences and outlines its clear expectations that regulated entities must actively prepare for cyber attacks, ensure they respond promptly and effectively when attacks occur and recover in a way which restores critical services, minimises harm and strengthens future resilience.

Use of AI by directors, executives, and their advisers and delegates

The prudent use of AI by directors and executives while performing their duties is also something which directors should be keenly aware of.

In Bekier, in relation to whether it is reasonable for directors to be expected to review and digest hundreds of pages of board papers prior to board meetings, his Honour Justice Lee observed that:

  • directors (both executive and non-executive) are “required to take reasonable steps to place themselves in a position to guide and monitor the management of the company, and [are] expected to take a diligent and intelligent interest in the information available to them, understand that information, and apply an enquiring mind to their responsibilities”. They cannot simply “rely on an inability to cope with the volume of information they received”; and
  • a way of addressing information overload “could be through the principled and transparent use of emergent technology” to assist with analysing and understanding information provided by management.

Critically, his Honour also observed that:

  • any use of such emergent technology by directors must be principled and transparent; and
  • it is the responsibility of directors to ensure that the way they receive and analyse this material occurs in a responsible way, including through the formal adoption of policies. Proper governance will require transparency about how the information is being reduced and relied on either in the preparation of the board packs themselves, or their digestion by directors.

Justice Lee suggests that directors might make proactive use of AI to summarise and digest information provided to them (and indeed, it may be incumbent upon them to do so if they cannot otherwise digest large volumes of material in a timely manner prior to Board meetings). At the same time, his Honour’s decision highlights that directors should be cautious when doing so. The use of AI by a director to summarise, analyse or otherwise process material must be principled, transparent and allow for independent thinking to occur.

ASIC has not yet released any guidance to industry on the use of AI by boards in this context. However, the Australian Institute of Company Directors has published a paper outlining its early insights and observations regarding the use of AI by boards and directors, which Justice Lee referred to in his decision. The AICD notes that while AI tools can potentially offer accelerated information gathering or enhanced insights, they may introduce ethical, governance and regulatory risks which must be appropriately managed.

Using AI to review voluminous board material

If relying on AI to summarise and digest information in board packs, or in relation to other decision-making or analysis conducted in their capacity as a director, we suggest that directors keep in mind the following:

  • In practice, directors often rely on others when carrying out their duties. If a director relies on information or expert advice given by specified persons, that advice is presumed, under section 189 of the Act, to be reasonable, and reliance on the information is presumed to be in good faith (provided the director has made an independent assessment of the information). That presumption is rebuttable by evidence, and the reasonableness of the director’s reliance on information or advice received can be the subject of proceedings brought to determine whether the director has properly exercised his duties. Information provided directly by AI is most unlikely to constitute the professional or expert advice contemplated by this provision. Further, directors should remain vigilant and cautious if they rely on information provided by employees, advisers or experts who themselves have used AI to generate such information. This might include papers or summaries included in board packs provided to directors by natural persons who have relied on AI for their preparation.
  • The Act allows directors to delegate duties to others under section 198D. Directors remain responsible for the exercise of their delegate’s power but have some protections if they meet the ‘safe harbour’ test set out in section 190(2) of the Act. To rely on this provision, the director must believe on reasonable grounds that (a) the delegate would exercise the powers delegated to them in conformity with the duties of the director; and (b) in good faith and after making proper inquiry, that the delegate was reliable and competent. When delegating to others, directors and officers should maintain awareness regarding the extent to which those delegates are using AI to assist in the performance of their duties, and to what extent that may or may not be appropriate in the circumstances. Inappropriate use of AI by a delegate may put directors at risk of not having the protections set out in section 190(2).
  • AI summaries or analysis of board material may not be covered by legal professional privilege, even if the material summarised may have been initially subject to LPP. Further, summaries and other materials generated by AI to assist directors are likely to form business records (and as such, cannot be deleted, and may ultimately be discoverable should the relevant matter subsequently become subject to legal proceedings).

Next steps

Prudent directors and executives must be aware of the various benefits and risks associated with the use of AI, both within and outside their businesses.

Directors should ensure that their companies have in place policies and guidance that not only set out protocols to manage AI risk, but also address the responsible use of AI.

Ensuring appropriate policies, procedures and controls are in place will assist directors and officers to limit their exposure to potential breaches of their statutory duties to exercise due care and diligence.

If you have any questions regarding this article, please contact us here.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
