AI Governance for ASX Listed Companies: Board and Director Obligations

By Isaac Patturajan · AI Compliance, AI Governance, AI Strategy

If your company is listed on the ASX, your board is facing a governance question that didn’t exist three years ago: what are we actually responsible for regarding AI? The answer has become clearer—and the liability stakes are real.

ASX Principle 7 Now Explicitly Includes AI

The ASX Corporate Governance Council’s Principle 7 (risk management) requires the board to ensure the company has a sound risk management framework. Since late 2024, this explicitly includes oversight of artificial intelligence risks. The board must understand AI systems used in critical operations, assess the risks they create, and ensure appropriate controls are in place.

This isn’t optional. Listing Rule 4.10.3 requires ASX-listed entities to benchmark their practices against the ASX recommendations and either comply or explain why they haven’t. If your board hasn’t documented AI governance, you’ll need to disclose why—or implement it.

In practice, this means: your board should have a documented AI governance policy, understand which AI systems are material to operations, receive regular updates on AI-related risks, and be satisfied that management has appropriate oversight mechanisms in place.

Director Duties Under the Corporations Act

Beyond ASX recommendations, directors face statutory duties under the Corporations Act. These duties—to act with care, skill and diligence, to act in good faith in the company’s best interests, and to not misuse position or information—apply directly to AI governance.

Here’s what this means practically:

Due Diligence on AI Systems

If your company uses AI to make material decisions—credit approvals, recruitment screening, pricing, claims assessment—directors must ensure they understand what the system does, what risks it creates, and how it’s being monitored. The “black box” defence doesn’t hold. A director can’t say, “I don’t know how our AI credit model works.” That’s a breach of the director’s duty to act with proper care and diligence.

You need to know: What data does the system use? How is bias tested? Who approves decisions it flags? What’s the audit trail? Have we assessed for regulatory risk (Privacy Act, discrimination law, consumer protection)? This knowledge should inform board discussions and decisions.

Oversight of AI-Related Risks

AI systems create distinct risks: model drift (where accuracy degrades over time), data poisoning (corrupted training data), regulatory change (new AI laws), reputational risk (biased decisions revealed publicly), and operational risk (system failure). Your audit and risk committee should track these. Your board should satisfy itself that management has documented and mitigated these risks.

AI Incidents and Director Liability

If your company’s AI system produces biased lending decisions and the company is exposed to regulatory action, the question becomes: did the board and executives understand the risk beforehand? If the answer is no, directors can face personal liability for breach of their statutory duty of care. If the answer is yes, and appropriate controls were in place, the company is in a stronger position to argue the incident was a reasonable system failure rather than negligent oversight.

ASX Disclosure Obligations

The continuous disclosure regime (ASX Listing Rule 3.1 and Section 674A of the Corporations Act) requires prompt disclosure of material information. The question: is AI-related risk material?

Material is defined as information that a reasonable investor would regard as important in deciding whether to buy, hold, or sell shares. If your company relies on an AI system for core revenue (e.g., an algorithmic trading firm, a lending platform), and that system experiences failure or regulatory action, that’s material. If a significant portion of hiring decisions are made by AI and that AI is found to discriminate, that’s material.

Under the continuous disclosure regime, you’re required to disclose without delay. Delaying disclosure of an AI-related incident while you assess the situation can itself be a breach. The standard is: what would a reasonable investor want to know immediately?

What a Board-Level AI Governance Agenda Looks Like

If you’re building (or rebuilding) AI governance for an ASX-listed company, here’s the agenda:

Quarter 1: Board approval of AI governance policy. Document: AI systems in scope, risk categorization (high/medium/low), assigned accountability (which executive owns AI risk?), and the framework for oversight (quarterly reporting, incident escalation, audit frequency).

Quarter 2: Management presents AI risk register. For each material AI system, present: purpose, data sources, risk assessment (bias, drift, regulatory, operational), current controls, and assurance approach. Board questions it rigorously. This is where you separate governance from theatre.

Quarter 3: Audit committee reviews AI audit scope. Internal audit should be empowered to audit AI systems independently. External audit should understand your AI landscape and report on governance maturity to the board. Are auditors asking the right questions?

Quarter 4: Board receives management report on AI incidents, near-misses, and lessons learned. This reinforces that the board cares about AI governance actively, not as a compliance checkbox.

Ongoing: Regulatory horizon scanning. ASIC has signalled increasing scrutiny of algorithmic decision-making in financial services. APRA now expects banks to understand their AI vendors’ practices. Your company should track emerging regulatory expectations and update governance proactively.

ASIC’s Expectations for Algorithmic Decision-Making

ASIC has published guidance on algorithmic decision-making in financial services. Key expectations: clear accountability, bias testing and reporting, user consent where appropriate, audit trail for decisions, and rapid escalation of system anomalies. If your company uses AI in financial advice, lending, or claims assessment, ASIC expects governance aligned with this guidance—and breaches can result in enforcement action.

Director Liability: What’s at Stake

Here’s the reality check: if your company’s AI system fails in a way that materially harms the company—through regulatory enforcement, litigation, or reputational damage—and it emerges that the board didn’t understand or appropriately oversee that system, directors can face personal liability for breach of their statutory duty of care.

This doesn’t require gross negligence. It requires only that a reasonable person would have exercised greater care in the circumstances. Given the board’s responsibility under ASX Principle 7 and Corporations Act duties, the bar for “reasonable care” in AI governance is now clearly established. Ignorance isn’t a defence—it’s an aggravating factor.

FAQ

What does ASX Principle 7 mean for AI governance?

ASX Principle 7 requires the board to ensure a sound risk management framework that includes long-term risks like climate and environmental risks. AI is now explicitly recognised as a material risk requiring board oversight, governance, and documented risk management.

What are director duties under the Corporations Act regarding AI?

Directors must act with care, skill and diligence and in good faith in the company’s best interests. This extends to understanding AI systems used in decision-making (credit, hiring, pricing), AI-related risks (bias, data breach, regulatory), and ensuring appropriate oversight and controls.

When must ASX-listed companies disclose AI-related risks?

Under ASX Listing Rule 3.1 and the continuous disclosure regime, material information must be disclosed to the market without delay. If AI failure could materially affect business outcomes (revenue, cost, reputation, regulatory), disclosure is required.

The Board’s Moment

AI governance for ASX-listed companies is no longer aspirational—it’s a statutory and listing obligation. Directors who take this seriously today will avoid the liability exposure that inevitably comes to those who don’t. The board’s job is to ask the hard questions: What AI are we using? What could go wrong? How do we know we’re managing it well?

If your board is ready to establish or strengthen AI governance, reach out to discuss a tailored governance framework.
