Clyde & Co finds AI adoption outpacing governance frameworks

Technology risk recorded the sharpest rise of any category in 2026


By Roxanne Libatique

A global survey showing technology risk has nearly doubled in perceived impact among business leaders is finding direct corroboration in Australia, where the prudential regulator has independently identified the same governance deficit – and put the country’s banks, insurers, and superannuation trustees on formal notice. Two separate exercises, conducted through different methodologies and released weeks apart, have arrived at the same conclusion: AI adoption is outpacing the governance frameworks meant to contain it.

Clyde & Co’s Corporate Risk Radar 2026, published June 25, 2026, surveyed 700 senior decision-makers across eight regions and 10 sectors, including CEOs, CFOs, COOs, general counsel, and board members from organisations with an average annual turnover of $14.7 billion. Every major risk category tracked posted year-on-year increases, but the technology finding is the most striking: the proportion of leaders rating it high impact rose to 86% from 46% in 2025 – a 40-percentage-point shift in 12 months.

APRA reaches the same conclusion independently

On April 30, 2026 – less than two months before the Clyde & Co report – the Australian Prudential Regulation Authority (APRA) issued a letter to regulated entities saying current approaches to governance, risk management, assurance, and operational resilience are not keeping pace with the “scale, speed, and complexity” of AI adoption across the financial system, based on a targeted supervisory review undertaken in late 2025 across insurance, banking, and superannuation.

APRA member Therese McCarthy Hockey said: “What we’ve observed from our supervisory engagement is that while AI adoption is continuing apace, the systems and processes required to safely govern its use aren’t keeping up. Likewise, the speed at which entities can identify and patch vulnerabilities needs to operate much faster, commensurate with the AI-accelerated threat.”

APRA observed that AI adoption is materially changing the cyber threat landscape, with common attack pathways including prompt injection, data leakage, insecure integrations, and the manipulation or misuse of autonomous AI agents. The Australian Securities & Investments Commission (ASIC) has also issued an open letter to all AFS licensees and market participants calling for urgent action to strengthen cyber resilience, reinforcing by reference to its enforcement action against FIIG Securities Limited that cyber risk management must be “demonstrably effective and proportionate to the size, nature, and complexity of a business.” For insurance professionals, the regulatory signal is unambiguous: AI governance has moved from a future concern to a present supervisory expectation.

The Clyde & Co data reflects the same internal tension. Three in four organisations surveyed – 76% – acknowledged that AI, data privacy, and cybersecurity requirements are shifting faster than their teams can absorb, while only 68% reported having a mature AI governance framework in place. Rebecca Kelly, managing partner at Clyde & Co Australia, described the shift as one of governance rather than adoption. “The challenge for clients has shifted from implementation to control. They are asking what to deploy to keep pace, but equally how to govern its use. If you look back ten years, there were no whistleblower regimes, no governance overhauls, no ESG frameworks. Those are now embedded in a sound corporate governance structure. AI governance is moving in the same direction,” Kelly said.

Cyber insurance: profitable, underpenetrated, and directly relevant to brokers

For brokers advising commercial clients whose AI governance posture is immature, the combination of a healthy cyber market, falling premiums, and rising underlying exposure creates a direct distribution conversation. APRA quarterly data released on May 29, 2026, shows the cyber class posted a positive insurance service result in each of the three most recent quarters: $17 million in September 2025, $10 million in December 2025, and $10 million in March 2026.

Yet the market’s scale remains disproportionately small relative to the risk landscape. Cyber gross written premium has never exceeded $73 million in a single quarter in the APRA dataset. In the March 2026 quarter, it was $32 million – less than 0.2% of total industry GWP – with just 6,000 risks written, compared with 4.78 million domestic motor risks. Premiums fell approximately 10% through 2025, according to EBM Insurance and Risk’s May 2026 market outlook. The underlying threat is moving in the opposite direction: the Australian Cyber Security Centre’s Annual Cyber Threat Report 2024-25 recorded 84,700 cybercrime reports – one every six minutes – with average costs of $56,600 for small businesses, up 14% year on year, and $202,691 for large organisations.

D&O market braces for claims shift as regulatory burden rises

The compliance burden findings in the Clyde & Co research – 85% of leaders rating it high impact, up from 54% in 2025 – are already producing measurable effects in D&O. The Australian D&O market experienced premium reductions of 15% to 40% in 2025, but a shift away from shareholder class action filings toward shareholder derivative action claims is anticipated for 2026, driven by governance and compliance issues, with higher claims frequency and severity, rising defence costs, and reduced underwriting appetite for certain sectors expected to follow. Insurers may reduce derivative action cover and apply smaller sub-limits for D&Os of companies that have faced prosecution by ASIC, ACCC, APRA, and AUSTRAC.

The regulatory pipeline is compounding that exposure. Australia’s Financial Accountability Regime extended to insurance entities and superannuation trustees from March 15, 2025, meaning directors and executives now face tougher rules, greater scrutiny, larger penalties, and higher legal costs. KPMG’s General Insurance Insights 2026 described CPS 230: Operational Risk Management – which also took effect in 2025 – as “a foundational positive regulatory shift in how general insurers must now manage their risk, resilience, and compliance programs.”

Kelly pointed to disclosure obligations as the fault line where regulatory and reputational risk converge. “Most serious regulatory breaches arise from failures to disclose. Companies face very short timeframes to disclose and act in the company’s best interests. The reputational risk is equally significant, as consequences can be immediate and played out publicly,” Kelly said.

Geopolitical volatility draws formal response from APRA and RBA

The Clyde & Co finding that 72% of organisations are experiencing direct commercial impact from geopolitical volatility – up from 49% in 2025 – is being taken up at the regulatory level. In its November 2025 System Risk Outlook, APRA stated that risks to the Australian financial system from overseas are heightened and the geopolitical environment is expected to remain volatile, with APRA and the Council of Financial Regulators launching a dedicated geopolitical risk work programme. Kelly noted that geopolitical pressures resist the frameworks organisations typically apply to compliance-driven risk. “Process-driven compliance is manageable – you establish the framework and follow it. The challenge for clients is preparing for geopolitical risk, which arises without warning and affects parts of the business you would not anticipate,” Kelly said.

Overlapping risks challenge existing coverage frameworks

Close to six in 10 respondents identified the complexity of overlapping risks – rather than any single threat – as the primary barrier to effective risk management. Operational challenges rated high impact among 86% of leaders, up from 61% in 2025, with technology implementation and systems integration the leading pressure point at 72%.

That structural finding carries direct implications for insurance product design. Coverage frameworks built around discrete, bounded perils become less fit for purpose when the actual claims environment is driven by cascading, cross-category events – a technology failure that produces a regulatory breach that generates a D&O claim, for example. The survey data, read alongside the APRA and RBA materials, suggests that pressure on those frameworks is not easing.
