What boards should know about AI, automation and cyber security

By Kapil Kukreja, HLB Mann Judd Melbourne

Artificial intelligence (AI), automation and cyber security are now firmly at the forefront of business strategy. And while some companies have made significant progress in embracing these technologies, many are still navigating a complex and rapidly evolving environment.

For boards, the challenge is no longer simply understanding these trends but governing them effectively.

The adoption of AI and automating processes to improve operational performance has become a central topic in boardrooms across Australia. Recent research highlights that 78 per cent of respondents identified AI and machine learning as the defining technology trend for 2026, up from 67 per cent a year earlier. However, alongside this rapid uptake, governance remains a critical concern.

Further research also flagged a growing gap between the pace of technology deployment and the strength of governance oversight. Many businesses are accelerating implementation without fully addressing the associated risks, regulatory implications and ethical considerations.

In the current operating environment, both risk and technology are evolving faster than existing governance frameworks. Generative AI tools such as ChatGPT and Microsoft Copilot have changed the way employees work, automation is reshaping workflows, and cyber threats are becoming more sophisticated and more frequent.

Against this backdrop, it is essential that governance strategies also evolve. Boards can’t simply take the approach of passive oversight but must provide active stewardship and integrate AI, automation and cyber security into strategic, legal and fiduciary responsibilities. This includes:

• Boards must ensure they have the right mix of skills and experience, including members who understand technology, risk management and ethical implications. While not every director needs to be a technical expert, the board as a whole must be capable of asking the right questions and challenging management.
• AI and automation shouldn’t be pursued just because they are ‘on trend’. Using such technologies must be the result of a clear business case and demonstrate how they contribute to strategic goals, operational efficiency or customer outcomes.
• Legal and compliance implications must be carefully considered. The use of AI can create risks around privacy, data protection, intellectual property and discrimination. Boards should ensure there are policies in place to identify and manage potential breaches. Enterprise risk management frameworks should define risk appetite, identify key risk indicators and ensure regular reporting to the board on AI, automation and cyber security risks. IF AI and automation are to be successfully incorporated into a business, then workforce training and change management are essential.
• AI is not only a tool for improving productivity – it is also being used to conduct more advanced cyberattacks. Businesses must ensure that cyber security and data protection frameworks can respond to this.

Effectively managing AI risks requires oversight, governance and critical thinking. Boards that recognise both the opportunities and the risks of AI, and govern accordingly, will be best positioned to take advantage of the new technologies while at the same time meet their legal responsibilities.