Australian boards and audit committees in 2026 face an AI risk question they did not have in 2023. AI is now embedded enough in operations that an absence of board-level oversight is itself a finding for the next external audit. A working AI risk register gives the board the line of sight it needs without becoming a paper exercise that nobody reads after the meeting.
For a tier-1 AU listed company, AI-related risk events that could trigger an ASX continuous disclosure obligation, a privacy regulator notification, or a class action exposure can run into the tens of millions. A risk register that surfaces the right risks early is cheap by comparison: Sydney-based listed companies that have shipped this discipline in 2026 typically spend $45,000 to $120,000 building their first register, and far less on ongoing maintenance.
What the risk register actually covers
Most early AI risk registers fail because they list every possible AI risk and rank none of them. The right register is short, ranked, and tied to action. The categories worth tracking, each with a likelihood, impact, owner, and mitigation status:
Privacy and data risks (Privacy Act, data residency, third-party processing).
Model behaviour risks (hallucination, bias, drift, eval coverage).
Cybersecurity risks (prompt injection, model supply chain, exfiltration).
Regulatory and compliance risks (sector-specific obligations, evolving guidance).
Vendor and concentration risks (single-vendor dependence, financial health).
Workforce and ethics risks (job displacement, dignity at work, transparency).
Risk descriptions that survive review
A risk register entry that the board can act on includes a specific risk (not a generic category), the trigger conditions, the current control state and any gaps, the named owner accountable for the control, and the next review date. A register full of "AI hallucination is a risk" entries is not actionable. A register entry that says "the customer support agent could provide incorrect refund information; current control is human review on any refund over $500; gap is no control on refunds under $500" is actionable and gets traction at the audit committee.
Reporting cadence
A working cadence for AU boards has four layers, each with a different audience and different signal-to-noise ratio. The board sees the rolled-up view. The platform team owns the detail.
Quarterly risk register update to the audit committee.
Monthly operational review at the executive committee.
Weekly review by the AI governance group at the platform team level.
Real-time alerting on incident-level events to a defined response group.
Common mistakes Sydney boards make on first registers
Listed company boards in Sydney that have shipped a second-generation AI risk register can usually point to the mistakes they made on the first one. The pattern is consistent enough that any board starting now can skip these mistakes by naming them explicitly during scoping.
Treating AI risk as a separate workstream from the existing risk framework, then duplicating effort.
Letting the register be owned by technology rather than risk, which makes it invisible to the audit committee.
Listing every possible AI risk with equal weighting rather than ranking by likelihood and impact.
Setting controls without naming a specific owner with cross-functional authority.
Failing to revisit the register quarterly, so it becomes a one-off compliance artefact.
Each of these is a fixable error if surfaced in the first review cycle. Each compounds if not surfaced.
Connection to existing risk frameworks
The AI risk register should integrate with the organisation's existing enterprise risk framework, not exist as a parallel artefact. AU boards in regulated sectors (financial services under APRA CPS 230, healthcare under safety and quality standards, energy under AEMC obligations) need to see AI risks alongside their existing risk view. Two practical patterns work: AI risks tagged within the enterprise risk register with a clear AI-related flag, or a separate AI risk register that feeds into the enterprise register at the high-impact level. Either can work if the board sees a coherent picture and the same risk officer owns both. Running them as fully separate processes produces parallel reporting that nobody trusts.
What to ship in the first 90 days
A practical 90-day starting plan keeps the register from becoming a 12-month theoretical exercise. Sydney listed companies that have shipped this work in 2026 follow this rhythm and have a defensible artefact in front of the audit committee at the end of the first quarter.
Inventory AI use across the business, with the current sponsor for each.
Identify the top 12 to 20 risks across the categories above.
Assign owners and current control status.
Surface the top 5 risks to the board with proposed mitigations.
If your board is sizing an AI risk register, book a governance review at cal.com/automataai/brainstorm-ai-solutions.