
About · In a personal capacity

Dr Zhitao Xiong.

A short list of true things

  • builds and audits AI systems inside a CDR eco-system
  • writes on AI governance, audit, and how AI reshapes the teams that run it
  • years spent building and running production AI estates

In a personal capacity

I write here in a personal capacity about regulating, governing, auditing and building AI in Australian regulated industries. It began with APRA's 30 April 2026 letter to industry. The failures it named, no inventory of AI in use, monitoring without thresholds, no plan to decommission, assurance that has not kept pace, are not failures of banks in particular. They are where almost every organisation putting AI into production already is. So whatever business you are in, treat yourself as a regulated one: it is the cheapest way to see where you are and where you are going, and it starts with an honest inventory of every system in use and who owns it. The site is a record of my reading and thinking on the subject, and a place to share it.

What I work on

By day I have been leading data, analytics and AI engineering and governance at CDR-licensed firms in Sydney, occasionally with a transitional CTO scope covering security and system access. Along the way I have built and audited CDR-compliant AI estates against ISO 27001 controls and data-release risk assessments. I hold a PhD in Transport Studies from the University of Leeds, and a Bachelor and a Master of Engineering from the Beijing Institute of Technology.

What this site is

The site is a reading record. I publish in three shapes: notes, occasional reports for readers who want the complete artefact, and a monthly newsletter on what changed across the Australian regulatory and AI surface. The throughline is the operator-auditor-builder's view: what the documents actually demand of the people building and running AI estates, and what those estates demand back of the teams that run them. A recurring argument here is that an engagement with a model, building it, governing it, auditing it, is also the cheapest senior training a team will ever get, so long as you keep the judgement and not only the control conclusion. Reader correspondence is welcome and read.

What this site is not

Not legal, financial or regulatory advice. Not academic research, though I try to hold the quality close to that bar. The subject may drift occasionally with my own interest, but the seat does not: everything here is read as an operator who builds and audits AI, even when the subject is the workforce rather than a regulator file. The seat is narrow on purpose; the subjects it can see are not. Where the writing draws on any job, it draws on the thinking, the lessons learnt and the practice of running and auditing AI estates, never on confidential material. Please read these as field notes, not an audit opinion.

Reader correspondence is welcome at me@xiongzhitao.me.