---
title: "ASIC Has Drawn the Line on Frontier AI. Australian and New Zealand Boards Now Have a Reading List."
description: "ASIC's May 2026 letter on frontier AI raises the bar for cyber resilience across Australia and New Zealand. What boards must do, and where to start."
type: blog
version: 2
version_id: "7528b113-f6ed-409f-8ff1-705054443198"
generated_at: "2026-05-11T00:18:10.799Z"
author: "Insicon Cyber"
date_published: "2026-05-11T00:16:25.000Z"
date_modified: "2026-05-11T00:16:51.245Z"
language: en
reading_time: "11 min"
word_count: 2008
keywords: ["What ASIC actually said", "From baseline to practice"]
url: "https://insiconcyber.com/blog/asic-frontier-ai-letter"
---

# ASIC Has Drawn the Line on Frontier AI. Australian and New Zealand Boards Now Have a Reading List.

> ASIC's May 2026 letter on frontier AI raises the bar for cyber resilience across Australia and New Zealand. What boards must do, and where to start.

## Contents

- [What ASIC actually said](#what-asic-actually-said)
- [The line ASIC has drawn](#the-line-asic-has-drawn)
- [Where most organisations actually are](#where-most-organisations-actually-are)
- [Two ways to use a Cyber Gap Analysis](#two-ways-to-use-a-cyber-gap-analysis)
- [From baseline to practice](#from-baseline-to-practice)
- [The trans-Tasman view](#the-trans-tasman-view)
- [The next board meeting](#the-next-board-meeting)
- [Take the next step](#take-the-next-step)

[Insicon Cyber](https://insiconcyber.com/blog/author/insicon-cyber): Updated on May 11, 2026

[Cyber Security](https://insiconcyber.com/blog/tag/cyber-security) [ISO 27001](https://insiconcyber.com/blog/tag/iso-27001) [Governance](https://insiconcyber.com/blog/tag/governance) [Essential Eight](https://insiconcyber.com/blog/tag/essential-eight) [APRA](https://insiconcyber.com/blog/tag/apra) [AI](https://insiconcyber.com/blog/tag/ai) [Managed Security Services](https://insiconcyber.com/blog/tag/managed-security-services) [Insicon Cyber](https://insiconcyber.com/blog/tag/insicon-cyber) [ISO 42001](https://insiconcyber.com/blog/tag/iso-42001)

On 8 May 2026, ASIC Commissioner Simone Constant issued an open letter to AFS licensees and market participants. It runs to four pages. It is not a discussion paper. It is not a consultation. It is a statement of expectation, and it should be read by every board across Australia and New Zealand whose business relies on regulated trust.

The subject is frontier artificial intelligence. The message is straightforward: do not wait for perfect clarity to address the threat posed by new AI models. Act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.

This is the second formal regulatory signal from a major Australian regulator in less than ten days. APRA wrote to its regulated population on 30 April 2026. ASIC has now followed. Read together, the two letters describe a regulatory environment in which frontier AI is no longer a future agenda item. It is a present supervisory concern.

> ### What is frontier AI?
> 
> The leading edge. Frontier AI refers to highly capable, general-purpose AI models at or near the limits of current capability. They are typically foundation models trained at significant scale, with broad capabilities across language, reasoning, code generation, and agentic action. Think of the most advanced systems publicly available, plus the next generation already in development.
> 
> The term entered formal usage around the UK AI Safety Summit at Bletchley Park in November 2023. It is now standard language for the Australian Signals Directorate, ASIC, APRA, and the OECD. ASD's advisory, *Frontier models and their impact on cyber security,* is the reference point ASIC directs entities to.
> 
> What makes them a cyber concern is dual-use. The same capability that accelerates productivity accelerates reconnaissance, social engineering, vulnerability discovery, and multi-stage attack orchestration. Speed and scale increase. Control cycles built for slower, human-led threats are tested under conditions they were never designed for. That is the shift ASIC is responding to.

## What ASIC actually said

ASIC's framing is precise. Frontier AI models are accelerating both the capability and the accessibility of malicious cyber activity, lowering the barrier to sophisticated attacks, and increasing the speed and scale at which existing weaknesses are tested. This does not create entirely new categories of risk. It places existing controls under greater pressure, more often, and under conditions that traditional point-in-time assurance was never built to handle.

A "simple" phishing email can now provide access to critical platforms or sensitive data. A weakness that in isolation would be an unlikely conduit for an incident can now be chained with other weaknesses to become one. Small things compound. Cumulative impact is the new operating reality.

The letter then lists twelve actions ASIC expects entities to take:

1. Reassess cyber plans.
2. Confirm governance frameworks consider cumulative vulnerabilities.
3. Identify and protect critical assets.
4. Strengthen the fundamentals.
5. Minimise attack surfaces.
6. Review user access.
7. Patch promptly.
8. Strengthen patch management.
9. Implement layered, defence-in-depth architectures that assume breach.
10. Prepare for incident response.
11. Manage third-party risks.
12. Use AI for defensive purposes.

None of these are new expectations. The environment in which they must operate has changed.

## The line ASIC has drawn

The letter cites the court's judgment in [ASIC v FIIG Securities Limited](/blog/fiig-25m-cyber-penalty-board-lessons) as the standard. Cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of the business. Built on consistent execution of well-established controls. Supported by clear governance and adequate resourcing.

That single sentence is the line. Demonstrably effective. Proportionate. Consistent. Governed. Resourced.

ASIC then makes the board-level test explicit.

> Boards and senior executives are expected to understand their organisation's position, ask the right questions, and be able to evidence the basis for their assurance. Governance should not rely on assurances. It should be supported by evidence. Test results. Audit findings. Lessons from incidents. Independent validation.

For directors, this is the harder sentence. It is one thing to receive a green dashboard from the CISO. It is another to evidence that the dashboard reflects end-to-end control effectiveness, not just activity.

## Where most organisations actually are

In our work across Australia and New Zealand, the same pattern appears. A board paper that summarises cyber posture in a single colour-coded slide. A risk register that lists "AI" as an emerging risk without controls. A penetration test from eighteen months ago. A managed service contract with a quarterly report. Policies written for a threat environment that no longer exists.

None of that is negligent. It is the legacy of how cyber risk used to be managed. ASIC is saying it is no longer sufficient.

This is where the gap between what the board has been told and what the regulator now expects becomes uncomfortable. Closing it requires a structured, evidence-based view of where the organisation actually stands against the obligations that matter. Not an opinion. Not a vendor assessment. A defensible baseline.

## Two ways to use a Cyber Gap Analysis

This is what our [Cyber Gap Analysis](https://insiconcyber.com/cyber-gap-analysis) is built for, and ASIC's letter sharpens the case for it in two distinct ways.

### As a starting point.

For organisations that have not recently tested their position against the current threat environment, the Cyber Gap Analysis is the structured first step. It maps the entity's posture against the obligations that apply, including APRA CPS 230 and CPS 234, the Privacy Act 1988, the Essential Eight, ISO 27001, ISO 42001, and, for New Zealand entities, NZISM. It identifies where controls are absent, where they are present but undocumented, and where they exist on paper but cannot be evidenced in practice. The output is a prioritised view of risk, ranked by what matters most to the business and to the regulator, with a remediation pathway the board can defend.

### As an independent third-party review.

For organisations that believe they already have a robust posture, the Cyber Gap Analysis serves a different purpose. ASIC is explicit that governance should be supported by independent validation. A CISO's view of their own program is necessary but not sufficient. An external, structured review by an experienced cybersecurity professional who has built and audited security programs across regulated Australian and New Zealand entities provides the second pair of eyes the regulator is looking for. It tests assumptions. It challenges the dashboard. It produces evidence that the position has been examined by someone who is not paid to defend it.

In either case, the deliverable is the same: a clear, prioritised, evidence-based view of where the organisation stands and what it needs to do next. That is the document a director can carry into a board risk committee meeting with confidence.

## From baseline to practice

For most regulated entities, the Cyber Gap Analysis is the first piece of work. What follows depends on what it finds.

Where the gaps relate specifically to AI, our [AI Security and Governance](https://insiconcyber.com/ai-security-governance) practice is built around three connected services that map directly to ASIC's expectations.

1.  [AI Assurance](/ai-assurance) tests AI systems and agents for prompt injection, exfiltration and agentic privilege escalation, which is the defensive use of AI that ASIC's letter explicitly endorses.

2.  [ISO 42001](/iso-42001-compliance) implementation establishes the AI Management System that integrates AI risk into the broader risk framework, with auditable evidence the board can present.

3.  [Managed Compliance](/managed-compliance) maintains the controls and produces the monthly evidence record that replaces annual point-in-time assurance.

We summarise the practice as a three-stage journey: Test it. Certify it. Maintain it. ASIC has now provided the supervisory rationale for each stage.

Where the gaps are broader, our [Board Cyber Advisory](/board-cyber-advisory), [CISO-as-a-Service](/ciso-as-a-service), and [Adaptive SOC](/security-operations-centre) services close them, with the same emphasis on evidence over assurance.

## The trans-Tasman view

ASIC's letter is addressed under Australian law. The threat environment is not. The NCSC New Zealand Cyber Threat Report 2025 documents the same acceleration of AI-enabled threats. The Reserve Bank of New Zealand and the Financial Markets Authority will read the ASIC letter as a signal of regulatory direction across the Tasman.

For New Zealand boards, the mapping is the same. ISO 42001 is jurisdiction-neutral. NZISM compliance sits inside the Managed Compliance scope. The Cyber Gap Analysis runs the same way for an FMA-regulated entity in Auckland as for an APRA-regulated entity in Sydney. The regulators may differ. The expectations are converging.

## The next board meeting

ASIC closed its letter with a directive. Boards and risk governance committees are expected to table and discuss the letter. That meeting is coming. The question every director should be asking before it is simple: can we evidence, with documents in the room, that our cyber resilience is demonstrably effective and proportionate to our size, nature and complexity?

If the honest answer is yes, an independent Cyber Gap Analysis confirms it and gives the board the third-party validation ASIC has asked for.

If the honest answer is no, the Cyber Gap Analysis is where the work begins.

Either way, the time to act is now. Not by reinventing the approach, as ASIC notes, but by ensuring the basics are robust, resourced, and working effectively.

* * *

## Take the next step

[Start with a Cyber Gap Analysis](https://insiconcyber.com/cyber-gap-analysis) or talk to Insicon Cyber about how our team can support your response to the ASIC letter.


* * *

**Background Reading**

-   ASIC Open Letter to AFS Licensees and Market Participants on Frontier AI (26-092MR), 8 May 2026: [https://download.asic.gov.au/media/xhrf1w0e/26-092mr-open-letter-to-afs-licensees-and-market-participants.pdf](https://download.asic.gov.au/media/xhrf1w0e/26-092mr-open-letter-to-afs-licensees-and-market-participants.pdf)
-   ASIC v FIIG Securities Limited (26-021MR): [https://asic.gov.au/about-asic/news-centre/find-a-media-release/2026-releases/26-021mr-asic-court-judgment-fiig-securities](https://asic.gov.au/about-asic/news-centre/find-a-media-release/2026-releases/26-021mr-asic-court-judgment-fiig-securities)
-   APRA Letter to Industry on Artificial Intelligence (AI), 30 April 2026: [https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai](https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai)
-   ASD: Frontier models and their impact on cyber security: [https://www.cyber.gov.au/about-us/view-all-content/news/frontier-models-and-their-impact-on-cyber-security](https://www.cyber.gov.au/about-us/view-all-content/news/frontier-models-and-their-impact-on-cyber-security)
-   ISO/IEC 42001:2023 Information Technology – Artificial Intelligence – Management System: [https://www.iso.org/standard/42001](https://www.iso.org/standard/42001)
-   NCSC New Zealand Cyber Threat Report 2025: [https://www.ncsc.govt.nz/publications/cyber-threat-report-2025/](https://www.ncsc.govt.nz/publications/cyber-threat-report-2025/)
-   Insicon Cyber Cyber Gap Analysis: [https://insiconcyber.com/cyber-gap-analysis](https://insiconcyber.com/cyber-gap-analysis)
-   Insicon Cyber AI Security and Governance: [https://insiconcyber.com/ai-security-governance](https://insiconcyber.com/ai-security-governance)
