Board Governance
How boards should understand privacy, data, cyber, AI, and regulatory exposure before the issue becomes an incident, penalty, or public failure.
It is about the decisions boards, executives, and governance leaders face when regulation, technology, incidents, and accountability collide.
PII is an IT security concept; personal data and personal information are legal concepts. Confusing them weakens privacy, data and AI governance.
AI governance tests whether privacy, data, vendor and risk controls can reach weak AI pathways before the business starts depending on them.
Boards can mistake framework adoption for changed behaviour. The harder test is whether the business now makes different risk decisions.
AI governance cannot be solved by hiring one specialist role. It needs existing privacy, data, risk and technology capability to work together.
Boards miss privacy risk when reporting preserves internal boundaries. Stronger governance gives directors one usable picture while the response can still be shaped.
The 2026 automated decision-making rules will test whether organisations know where consequential decisions are made and who controls them.
Privacy Act reform, AI regulation, Consumer Data Right, APRA expectations, and the operational choices regulated businesses need to make.
How privacy, data, and AI governance actually work inside businesses: ownership, controls, capability, tooling, reporting, and escalation.
The writing carries most of my thinking on these issues; the contact form is there for anything you want to take further.