Australia and New Zealand AI adoption outpaces governance

The gap is widening as cyber insurance rates soften and AI exposures evolve

Australia and New Zealand AI adoption outpaces governance

Transformation

By Roxanne Libatique

Businesses across Australia and New Zealand are deploying autonomous AI tools faster than they are governing them, according to research from security awareness firm KnowBe4 – a gap widening at the same moment the region’s cyber insurance market is softening and insurers are still working out how AI-driven losses will be priced and paid. The study, reported by Security Brief Australia, found that 64% of organisations in the two markets use agentic AI tools that act without direct human instruction, above the global figure of 58%. Half of the organisations surveyed, or 50%, said their AI use was unapproved or ungoverned, and 59% of employees said they source their own agentic AI tools when sanctioned options are unavailable or seen as too restrictive.

A softening market meets a new exposure

The finding lands in a buyer-friendly market. Australia’s cyber class posted a positive insurance service result in each of the three most recent quarters, at $17 million in September 2025, $10 million in December 2025, and $10 million in March 2026, according to Australian Prudential Regulation Authority (APRA) data released May 29, 2026. Cyber gross written premium was $32 million in the March 2026 quarter, less than 0.2% of total industry premium, with 6,000 risks written. Cyber premiums fell approximately 10% through 2025, according to EBM Insurance and Risk’s May 2026 market outlook. For underwriters, the KnowBe4 findings point to exposure accumulating inside a line currently priced for benign claims experience. Unmanaged software does not appear on any asset register or application form, and 59% of both employees and security leaders in the survey said unauthorised software and AI applications had become a problem.

The governance gap

Dr Kawin Boonyapredee, chief information security officer advisor at KnowBe4 APJ, tied the trend to pressure on security teams. “Cybersecurity has entered a volatile phase where organisations are trying to secure a hybrid human and AI workforce that's changing more quickly than security leaders can keep up,” he said, as reported by Security Brief Australia. He added that leaving corporate AI use ungoverned amounts to “a massive open invitation to threat actors.”

The deepfake coverage question

The research recorded a divide over impersonation risk. In Australia and New Zealand, 85% of workers said deepfake voice and video content has become so realistic that it is impossible to know what to trust, and 68% said they could be tricked by a deepfake scam at work. Among leaders, 93% believed employees could identify impersonation messages sent through internal tools, and 88% said staff could identify deepfake content.

That exposure has a loss precedent. Engineering firm Arup lost approximately US$25 million in 2024 after an employee joined a video call with AI-generated versions of company executives. Arup chief information officer Rob Greig later told the World Economic Forum: “It wasn’t even a cyberattack in the purest sense. None of our systems were compromised and there was no data affected. People were deceived into believing they were carrying out genuine transactions that resulted in money leaving the organization.”

Cases of that kind sit awkwardly across cyber, crime, and social engineering wordings. Analysis by law firm Jones Walker notes that the “voluntary parting” exclusion in standard crime and fidelity policies is the primary coverage barrier, because coverage typically does not apply when a deceived employee knowingly authorises a transfer, and that social engineering sublimits of $100,000 to $250,000 are increasingly viewed as inadequate for AI-scale losses. Reinsurer Swiss Re, in its SONAR 2025 report, warned that deepfakes may increasingly be used in sophisticated cyberattacks and drive cyber insurance losses.

Insurers begin to respond

Product wordings are starting to move. In December 2025, Coalition added a Deepfake Response Endorsement to its cyber policies, and the company confirmed the endorsement is available to customers in Australia, among other markets, covering forensic analysis, legal takedown work, and crisis communications. “Businesses can do everything right – lock down networks, ignore fraudulent funds transfer requests, comply with privacy laws – only to have their reputation damaged by a deepfake,” said Tiago Henriques, chief underwriting officer at Coalition.

Regulatory pressure building

Regulators in both markets are signalling closer scrutiny. In Australia, the Insurance Council of Australia (ICA) in September 2025 called for an expansion of business cybersecurity obligations as AI-driven automated cyberattacks and other emerging risks threaten the cyber resilience of Australian businesses, in a submission to the Department of Home Affairs Horizon 2 consultation on the 2023-2030 Australian Cyber Security Strategy that identified AI, quantum computing, and consumer-managed personal data stores as key weaknesses. In New Zealand, the Office of the Privacy Commissioner’s 2024-25 annual report noted a 43% increase in serious privacy breaches notified to the regulator, and the government published its Cyber Security Strategy 2026-2030 on Feb. 27, with officials weighing a civil penalty regime under the Privacy Act 2020, which already requires notification of serious breaches. For insurers, the combination of rapid agentic AI adoption, ungoverned tool use, a perception gap over deepfakes, and softening rates points to exposures that application questions may not capture. As AI systems move further into routine operations, governance, staff awareness, and incident reporting remain central to how cyber risk in the region is assessed.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!