
90% of Australian security teams are cutting AI corners, and most think they're ready

7 February 2026 | Brett Alegre-Wood | 7 min read

TL;DR

A Delinea study found 90% of Australian security teams have been pressured to cut corners on AI security, while 80% cannot explain what their AI systems are actually doing. At the same time, 83% of those same organisations believe their security posture is ready for AI, a confidence paradox that is either deeply delusional or wilfully blind. The EU AI Act arrives in August 2026 with fines up to €15 million, Goldman Sachs estimates 300 million jobs will be exposed to automation, and Australian businesses are still leaving the digital doors unlocked.

What does the Delinea study actually reveal about Australian AI security?

The numbers are stark. 90% of Australian security teams report being pressured to loosen identity controls for AI. 80% cannot explain what their AI systems are doing. And 83% simultaneously believe their security posture is ready for AI adoption.

That last figure is the most alarming, not because organisations are unprepared, but because they know they are cutting corners and still rate themselves as ready. That is not confidence. That is complacency dressed up as confidence.

90% of the people hired to protect your business are being told to look the other way.

The directive comes from the top: move fast, make it happen, we cannot be left behind. That pressure rolls downhill onto IT and security teams who are then asked to integrate complex AI systems into existing infrastructure, and to do it yesterday. The result is unlocked doors, over-privileged AI agents, and a shadow world of unmanaged risk.

Why is an over-privileged AI agent such a serious threat?

When security teams are told to loosen identity controls, what does that look like in practice? It means AI agents, non-human workers, are being handed the keys to the kingdom without proper vetting. You would not give a new employee master access to every file, every database, and every system on their first day. Yet that is precisely what is happening with AI.

The real-world consequences are not hypothetical:

  • A marketing AI with access to your entire customer database, including sensitive personal information
  • A logistics AI that can not only track shipments but alter delivery addresses or reroute entire fleets
  • An entry point for a malicious actor: a hacker who compromises one over-privileged AI gains access to everything that AI can touch

If 80% of your team cannot explain what the AI is doing, they will not spot a breach before it is too late. This is not a failure of technology. It is a governance failure driven from the top down.
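The over-privilege described above can be checked mechanically once each agent's declared needs are written down next to what it has actually been granted. The following is an added example, not code from the article or from Delinea; the agent names, resources and actions are hypothetical and modelled on the marketing and logistics cases in the list.

```python
from fnmatch import fnmatchcase

# Constructed inventory for illustration: agent names, resources and actions
# are hypothetical, modelled on the marketing and logistics examples above.
AGENTS = {
    "marketing-ai": {
        "needs":   {("crm.contacts.email", "read"), ("campaigns", "write")},
        "granted": {("crm.*", "read"), ("campaigns", "write")},
    },
    "logistics-ai": {
        "needs":   {("shipments.status", "read")},
        "granted": {("shipments.status", "read"),
                    ("shipments.address", "write"),
                    ("fleet.routes", "write")},
    },
    "helpdesk-ai": {
        "needs":   {("kb.articles", "read")},
        "granted": {("kb.articles", "read")},
    },
}

MUTATING = {"write", "delete", "admin"}

def covers(grant, need):
    """True if a grant (resource pattern, action) satisfies a declared need."""
    return grant[1] == need[1] and fnmatchcase(need[0], grant[0])

def audit_agent(spec):
    """Return findings: grants beyond declared needs, and needs left unmet."""
    findings = []
    for grant in sorted(spec["granted"] - spec["needs"]):
        wildcard = "*" in grant[0]
        severity = "high" if wildcard or grant[1] in MUTATING else "medium"
        reason = "wildcard scope" if wildcard else "not in declared needs"
        findings.append((severity, grant, reason))
    for need in sorted(spec["needs"]):
        if not any(covers(g, need) for g in spec["granted"]):
            findings.append(("info", need, "declared need has no grant"))
    return findings

def audit(agents):
    """Map each agent to its findings; an empty list means least privilege holds."""
    return {name: audit_agent(spec) for name, spec in agents.items()}

if __name__ == "__main__":
    for name, findings in audit(AGENTS).items():
        for severity, (resource, action), reason in findings:
            print(f"{severity:6} {name:13} {action:6} {resource:20} {reason}")
```

An agent with an empty findings list holds exactly what it declared; anything else is a grant someone should be able to justify or remove.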

What is the confidence paradox, and why does it matter?

83% of organisations feel their security posture is ready for AI. That same group is admitting their governance is deficient and they are actively weakening security controls. It is like saying you are ready to climb Everest in a pair of flip-flops. The enthusiasm is there. The preparation is not.

The driver is fear: fear of looking slow or uninnovative in front of the board. Projecting an image of being "AI-ready" overrides the quiet voice of caution from the security team. Speed is assumed to matter more than safety. The assumption is that it is better to ask for forgiveness than permission.

This mindset creates a culture of complacency where difficult questions are avoided, red flags are dismissed as friction, and the security team is further disempowered. Their concerns get labelled as roadblocks to innovation. But true innovation is not reckless speed. It is building something that is powerful, resilient, and trustworthy. Ignoring the foundations of good governance is not a shortcut to success; it is a direct path to disaster.

How widespread is shadow AI in Australian workplaces?

The risk is not only coming from the top down. It is bubbling up from the bottom too. The Delinea study found that 67% of Australian workers are using non-approved AI tools. This is the shadow AI epidemic: ungoverned, unsecured AI entering your network every day, often without the organisation's knowledge.

Shadow AI in practice:

  • A marketing assistant pasting confidential customer data into ChatGPT to write an email campaign
  • A sales rep using a free AI transcription service for client calls, with no idea where that data is stored or who has access to it
  • A developer connecting an open-source AI plugin to the company codebase without IT approval

Each of these actions, taken with the best of intentions, creates a new risk vector. The problem is compounded by the fact that 55% of organisations are already struggling with data quality issues. Poor data quality plus ungoverned AI tools means critical business decisions are being made on flawed information, while your most valuable asset is exposed to a host of unknown risks.

This is not a failure of your employees. They are trying to do their jobs more effectively. This is a failure of policy and education. If you do not provide clear guidelines and sanctioned, secure tools, people will find their own solutions, and those solutions will almost certainly not be secure. The shadow AI epidemic is a direct consequence of the governance gap that starts at the very top.

What are Singapore and the UAE doing that Australia is not?

The contrast is instructive. While Australia appears to be fumbling, other countries are providing a clear blueprint for responsible AI adoption.

Singapore's Monetary Authority of Singapore (MAS) collaborated with 24 financial institutions to build a comprehensive AI Risk Management Toolkit, a practical, actionable framework that helps businesses navigate the complexities of AI governance. They are not just talking about the risks; they are building the tools to manage them.

The UAE's National AI Strategy 2031 has seen 30% of organisations establish dedicated AI ethics boards, embedding governance into the fabric of their AI initiatives. Even the Australian Defence Force, an organisation that understands risk better than most, has released a comprehensive AI policy that emphasises human oversight and accountability. The military gets it. Why doesn't the boardroom?

Good governance is not a barrier to innovation. It is the enabler of it. A clear governance framework gives you the confidence to move forward, knowing the guardrails are in place. The "move fast and break things" mantra might work for a Silicon Valley start-up. It is a deeply irresponsible way to run an established business.

What does the regulatory and financial risk actually look like?

The stakes have never been higher. Goldman Sachs estimates that 300 million jobs will be exposed to automation in the coming years. The EU AI Act is set to come into force in August 2026, with fines of up to €15 million for non-compliance. The regulatory landscape is changing fast, and businesses that fail to adapt will not just be left behind; they will be penalised.

But the cost of getting it wrong goes well beyond financial penalties:

  • Customer trust: a single high-profile AI failure can destroy a reputation that has taken years to build
  • Reputational damage from being seen as reckless with customer data
  • Internal chaos from a workforce running a patchwork of unmanaged, unsecured AI tools
  • Ethical failures: if your AI is a black box that no one understands, how can you be sure it is aligned with your company's values, or that it is not perpetuating biases?

Trust is your most valuable currency in a digital economy. The cost of getting AI governance wrong is not just a line item on a balance sheet. It is a fundamental threat to the integrity and sustainability of your business.

What to do this week

Four actions. Start here.

  1. Conduct an AI audit. Map every AI tool and system in use across your organisation, sanctioned and unsanctioned. You cannot govern what you cannot see, and with 67% of workers already running shadow AI, you almost certainly have blind spots.

  2. Create an acceptable use policy. A clear, readable document outlining the do's and don'ts of AI use for all employees. Not a legal document that sits in a drawer, but a practical guide people will actually follow.

  3. Invest in governance training. Your leadership team and board need to understand the risks and their responsibilities. The governance gap starts at the top. Close it there.

  4. Talk to your security team. Ask them directly whether they are being pressured to cut corners. Create a culture where they are empowered to raise red flags and be a partner in innovation, not a roadblock.
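
For the audit in step 1, egress proxy logs are usually the fastest way to see which AI services are already in use. The following is an added example, not code from the article; the log format, the hostname catalogue and the `.example` hosts are assumptions made for illustration, and every log line is constructed.

```python
from collections import defaultdict

# Assumed catalogue of AI service hostnames and the subset the organisation
# has sanctioned. chatgpt.com is real; the .example hosts are placeholders.
AI_HOSTS = {"chatgpt.com", "transcribe.example", "assistant.corp.example"}
SANCTIONED = {"assistant.corp.example"}

# Constructed proxy log lines: timestamp user method host bytes_uploaded
LOG = """\
2026-02-02T09:14:03Z mktg-01 POST chatgpt.com 48211
2026-02-02T09:20:47Z sales-07 POST transcribe.example 9120442
2026-02-02T09:31:10Z dev-03 POST assistant.corp.example 2048
2026-02-02T10:02:55Z mktg-01 POST chatgpt.com 1310
2026-02-02T10:05:12Z dev-03 GET www.example.org 0
malformed line
2026-02-03T08:45:00Z sales-02 POST api.transcribe.example 734003
"""

def ai_service(host):
    """Return the catalogue entry matching host or a parent domain, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in AI_HOSTS:
            return candidate
    return None

def inventory(log_text):
    """Summarise AI usage per service: sanctioned flag, users, bytes uploaded."""
    seen = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip lines that do not match the assumed format
        _, user, _, host, size = fields
        service = ai_service(host)
        if service:
            seen[service]["users"].add(user)
            seen[service]["bytes_up"] += int(size)
    return {s: {"sanctioned": s in SANCTIONED, "users": sorted(d["users"]),
                "bytes_up": d["bytes_up"]} for s, d in seen.items()}

def shadow_ai(log_text):
    """Only the unsanctioned services, largest upload volume first."""
    rows = [(s, d) for s, d in inventory(log_text).items() if not d["sanctioned"]]
    return sorted(rows, key=lambda r: r[1]["bytes_up"], reverse=True)
```

The output is an inventory to feed the acceptable use policy in step 2: which services need a sanctioned alternative, and how much data has already left through each.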

If you cannot answer yes to these questions (Do you have an audit trail for what your AI agents are doing? Can you explain in plain terms how your AI is making decisions? Do you have a written policy on external AI tools?), then you are in the 83% with a false sense of security.

The EU AI Act does not care how fast you moved. The regulator does not give credit for enthusiasm. The time to build the governance foundation is now, before the tide comes in.

Where to from here

Book a free 60-minute AI audit and we'll explore exactly which workflows are worth augmenting with AI.

Live with passion & AI,

Brett

Frequently asked questions

What did the Delinea study find about Australian AI security?

The Delinea study found that 90% of Australian security teams have been pressured to cut corners on AI security, 80% cannot explain what their AI systems are doing, and 83% simultaneously believe their organisation's security posture is ready for AI adoption.

What is shadow AI and why is it a risk for Australian businesses?

Shadow AI refers to non-approved AI tools that employees use without IT or security sign-off. The Delinea study found 67% of Australian workers are already doing this. Activities like pasting confidential data into ChatGPT or using free AI transcription services for client calls create data breach risks the organisation has no visibility over.

What is the EU AI Act and when does it come into force?

The EU AI Act is a regulatory framework governing the use of artificial intelligence. It is set to come into force in August 2026 and carries fines of up to €15 million for non-compliance, making AI governance a financial risk as well as a reputational one.

How are Singapore and the UAE approaching AI governance differently from Australia?

Singapore's Monetary Authority of Singapore (MAS) collaborated with 24 financial institutions to build a comprehensive AI Risk Management Toolkit. The UAE's National AI Strategy 2031 has seen 30% of organisations establish dedicated AI ethics boards. Both countries treat governance as an enabler of AI adoption, not a barrier to it.

What is an AI audit and does my business need one?

An AI audit maps every AI tool and system in use across your organisation, both approved and unapproved. Given that 67% of workers are using non-sanctioned AI tools, most businesses need one urgently. You cannot govern what you cannot see.

Why do so many businesses have a false sense of AI security readiness?

The Delinea study points to a confidence paradox: pressure to project an 'AI-ready' image to boards and competitors overrides the internal voice of caution from security teams. Fear of looking slow or uninnovative leads organisations to prioritise speed over sound governance.

What does Goldman Sachs say about AI and jobs?

Goldman Sachs estimates that 300 million jobs will be exposed to automation in the coming years, underscoring the scale of the AI transition and the importance of having robust governance in place as organisations accelerate adoption.

About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.