
A personal site · Sydney · Written by Dr Zhitao Xiong

Notes on building, governing and auditing AI in Australian regulated industries

On 30 April 2026 APRA wrote to every regulated entity in Australia and New Zealand and named four failures in board oversight of AI. This site reads the regulator file slowly, from Sydney, and writes from the seat of someone who runs and audits a regulated AI estate: what the guidance demands, where the Consumer Data Right intersects it, and what production AI does to the shape of the teams that have to comply.

On my desk · Updated as the reading moves

What is on the desk this week.

  1. APRA · 01 Reading

    Letter to industry on AI

    30 April 2026

    Four named failures across boards, AI inventory, post-deployment monitoring and decommissioning. The reading I am currently working through.

    No note yet

  2. EC · 02 Reference

    Digital Omnibus on AI

    Provisional agreement 7 May 2026

    Lowers the AI Act bar: Annex III high-risk obligations deferred from August 2026 to December 2027, and a narrower "safety component" test. Upcoming, not yet adopted; watching as it moves.

    No note yet

  3. DISR · 03 Reference

    Voluntary AI Safety Standard

    September 2024

    Ten guardrails. Treated by APRA-regulated entities as the de-facto AU minimum pending a mandatory framework.

    No note yet

  4. Treasury · 04 Reference

    CDR rules for non-bank lenders

    Product data from 13 July 2026

    Open finance expands to non-bank lenders. Product data sharing from 13 July 2026; consumer data sharing from 9 November 2026 for initial providers. Deadlines on the calendar.

    No note yet

Latest report · A single topic, in depth

The AI-reshaped organisation

A field reading of how AI is rewriting the technology function. Maps the four compounding forces behind the change, sets out three forward scenarios for 2026 to 2029, and projects the move from the org chart to the work chart.


How I read the shift

  1. Evidence first. Every load-bearing claim is anchored to a survey, a financial filing or a piece of academic work, and cited. Where the evidence is thin, I say so rather than round up.
  2. Three scenarios, not one forecast. I pair an evidence-first base case with a conservative and a radical scenario, and deliberately assign no probabilities. The point is to make decisions robust across all three.
  3. From org chart to work chart. The through-line is structural: humans set intent, set guardrails, review work and own decisions, while agent fleets do the coordination and execution that managers used to do.
  4. Personal capacity. Written under named authorship in a personal capacity, as the first in a series of field notes on governing, auditing and building AI.

Notes · On building, governing and auditing AI

A note follows one thread to one inference.

Notes are the main body of the writing: a single thread followed to a single inference, whether that thread is a clause in an APRA letter, a turn in the Consumer Data Right, or what an agentic workflow does to a three-lines-of-defence model when half the first line is software. They run to whatever length the subject needs, from a short reading to a long-form piece, and are free to read in full on the site. Each note sits under one of the seven topics.


Recently published

  1. 2026-06-14 · AI third-party risk

    Three habits for the weekend when Fable 5 stopped working


Digests · A monthly reading of the regulator surface

A monthly, dated reading of what actually changed.

Digests are a monthly, dated reading of what changed across the Australian regulator and AI surface, anchored to APRA, ASIC, OAIC, ACCC-CDR and DISR activity. The intent is the right things read carefully rather than breadth: this is not a general AI news feed.


Reports · Long-form artefacts

Some readings warrant a longer artefact than a note.

Reports are written as substantial pieces of work on a single topic. The abridged version is free to read in full on the site. The full PDF, with the complete citation set, data appendix and machine-readable annexes, is sent by email to readers who request it.


The cadence is unhurried, not absent. Notes appear when the reading is ready, not on anyone's content calendar.

If you would like to read the notes as they appear, leave an email below. The list is a quiet one: one message per fortnight, sometimes less. You can unsubscribe with one click at any time.