Earlier this year, the Federal Court of Australia handed down a judgment that every company director in the country should read. ASIC v Bekier [2026] FCA 196 confirmed a principle that lawyers had been anticipating but boards had not fully internalised: director duties of care and diligence, under section 180 of the Corporations Act, are personal and non-delegable. They do not diminish because an AI system was involved in the decision. They do not transfer to the vendor who supplied the model. And they cannot be satisfied by pointing to an AI-generated output that the board relied upon without adequate human review.
Federal Justice Lee was clear. The Court confirmed that AI tools cannot replace human judgement or accountability. What the Court assessed was what directors and officers actually knew, the quality of their decision-making and whether they engaged substantively with the material before them. Unverified AI summaries, AI-generated board papers relied upon without independent scrutiny and AI systems making recommendations that directors rubber-stamped without challenge all fail that test.
For Australian enterprise boards, this is not a hypothetical risk. It is an established legal position. And it arrives at precisely the moment when AI is moving from the technology function into the boardroom and into the governance of organisations that directors are personally responsible for.
What the Bekier Judgment Actually Established
The Institute of Directors New Zealand analysis of the Bekier judgment, published in April 2026, put the core holding plainly: the Court confirmed that AI tools cannot replace human judgement or accountability, and that statutory duties of care and diligence are personal and non-delegable. That finding has three practical implications for Australian boards.
First, director liability is assessed against what directors actually knew and the quality of their decision-making, not against whether the tools they used were sophisticated. A director who relied on an AI summary of board papers without reading the underlying material is not protected by the sophistication of the AI. The Court's inquiry is about whether the director engaged substantively with the decision.
Second, the standard of care is calibrated to the director's role and expertise. A CIO or CFO on a board who allows AI systems to operate in their domain without adequate governance controls is assessed against what a person with their expertise should have known and done.
Third, the duty extends to ensuring the organisation has adequate AI governance frameworks in place. Boards that have not established clear accountability structures, AI risk oversight mechanisms and regular reporting on AI performance are not discharging their oversight obligations under section 180. This is the point most boards are missing.
What the AI Governance Gap Looks Like at Board Level
MinterEllison published guidance on governing AI agents from the boardroom in April 2026, making an observation that applies well beyond agentic AI. Boards would not allow a human workforce to operate without clear reporting lines, defined authority limits, performance oversight and the ability to manage and terminate relationships. Most boards are currently allowing AI systems to do exactly that.
The practical gap has four dimensions.
AI inventory visibility. Most boards do not know what AI systems are operating within their organisations. A board that cannot answer what systems are running, what decisions they influence and what the failure modes are cannot discharge its oversight duty under section 180.
Accountability structures below board level. The Bekier judgment assesses what directors knew and should have known. A board that has established clear accountability at the executive level for AI risk, with defined escalation paths and regular reporting, is in a materially better position than one that has delegated AI governance to the technology function without visible board oversight.
Human oversight mechanisms. The Court's emphasis on substantive human engagement with AI outputs creates a specific governance requirement. Boards need to establish which categories of AI-influenced decisions require human review before action and ensure those mechanisms are documented and enforced, not just stated in policy.
Regular AI risk reporting. Boards in APRA and ASIC regulated sectors that do not receive regular AI risk reporting equivalent to what they receive on financial and operational risk are not satisfying regulatory expectations. The reporting cadence needs to match the speed at which AI systems can create governance problems.
ISO 42001 and the Board's Evidential Position
The most defensible position for an Australian board facing regulatory scrutiny of AI governance is documented, independently assessed governance practice. ISO 42001, as the world's first certifiable AI management system standard, provides exactly that: a defined, auditable framework that can be independently certified by an accredited third party.
The Bekier judgment aligns directly with what ISO 42001 requires: AI use case registration, documented risk assessment, clear accountability structures, human oversight mechanisms and ongoing monitoring. A board that has overseen implementation of an ISO 42001-aligned AI governance framework and received regular reporting against it is in a materially stronger evidential position than one relying on policy documents and vendor assurances.
In Australia and New Zealand, there are currently only 10 to 15 properly accredited auditors who can certify to ISO 42001. Boards that want the evidential protection of independent certification before the regulatory environment tightens further need to be directing management to scope this engagement now.
The ASIC and Privacy Act Dimension
The Bekier judgment was itself an ASIC action. ASIC's willingness to pursue director liability in the context of AI governance failures is not theoretical. ASIC's Report 798, reviewing AI governance at AFS and credit licensees, found that some organisations may be adopting AI faster than their risk and governance arrangements are evolving.
The Privacy Act automated decision-making obligations arriving on 10 December 2026 add a further personal dimension. Directors of organisations using AI to make or substantially contribute to decisions affecting individuals will be personally accountable for whether those organisations have complied with disclosure obligations. Discovering in November 2026 that AI systems have been making customer decisions without adequate governance documentation is a director liability problem, not only a compliance one.
What This Means for Your Board
At Trusenta, the Bekier judgment has changed the nature of board conversations about AI governance. Directors who previously framed AI governance as a management responsibility are increasingly recognising it as a board-level duty with personal legal consequences.
The practical implications are clear. Boards need to receive and engage substantively with AI risk reporting on the same cadence as financial and operational risk. They need to ensure management has established the accountability structures, risk classification frameworks and monitoring disciplines that constitute an operational AI governance programme. The governance infrastructure required to do this is the same infrastructure required to satisfy ISO 42001, the Privacy Act ADM obligations and APRA and ASIC governance expectations. Build it once. Use it for all.
Key Takeaways
- ASIC v Bekier [2026] FCA 196 confirmed that director duties of care and diligence are personal and non-delegable, and do not reduce when AI is involved in decisions
- The Court assesses what directors actually knew and the quality of their decision-making, not the sophistication of the tools used
- Four board-level governance gaps create specific exposure: AI inventory visibility, accountability structures, documented human oversight mechanisms and regular AI risk reporting
- ISO 42001 certification provides the most defensible evidential record of systematic AI governance for boards facing regulatory scrutiny
- ASIC Report 798 findings and Privacy Act ADM obligations from December 2026 compound the personal liability exposure for directors of regulated entities
- The governance infrastructure required to satisfy board legal duties overlaps directly with ISO 42001, APRA and ASIC obligations. It only needs to be built once.
How Trusenta Can Help
AI Governance: Trusenta's AI Governance platform provides the use-case register, risk classification, accountability tracking and portfolio reporting infrastructure boards need to discharge their oversight obligations. It creates the documented, auditable governance record that forms the evidential foundation of a defensible board position.
Compliance Management: Trusenta's Compliance Management platform maps controls across ISO 42001, the NIST AI RMF and the Australian Guidance for AI Adoption simultaneously, generating audit-ready evidence that satisfies independent certification requirements.
Fractional AI Officer: For boards that need a named executive accountable for AI risk at the management level, with the authority to build the governance infrastructure that the board's oversight obligations require, Trusenta's Fractional AI Officer provides that leadership without a full-time hire.
Conclusion
The legal position is now clear. Australian directors cannot satisfy their duties of care and diligence by pointing to AI systems, AI vendors or AI-generated outputs as the source of decisions they oversaw. The duty is personal. The boards that treat the Bekier judgment as a call to action rather than a legal curiosity will be in a materially different position when regulatory scrutiny intensifies and when the Privacy Act obligations arrive in December. The question is not whether your board has a position on AI governance. It is whether that position is evidenced, operational and sufficient to satisfy a court applying section 180 of the Corporations Act.
