Published on the 05/11/2025 | Written by Heather Wright
AI threats, compliance and coffee…
AI doesn’t sleep and apparently tech teams aren’t getting such restful sleep these days either, thanks to AI.
In Australia and New Zealand, where the coffee is (thankfully) strong, but the budgets are not, AI – and managing generative AI risks – remain top-of-mind – and top-of-night – for tech leaders according to ISACA’s 2026 Tech Trends and Priorities Pulse Poll. But while some are losing sleep, they’re also getting more strategic in their response and leaning into the challenge with a mix of pragmatism and optimism.
“It’s encouraging to see many organisations start building long-term resilience through better governance, smarter investment and workforce development.”
The report, drawn from a survey of nearly 3,000 digital trust tech professionals globally, suggests organisations are both excited and anxious for 2026: While AI and generative technologies are promising transformation, they’re also introducing new risks and demanding robust governance. Alongside the struggle to keep pace with change, secure digital trust and keep an eye on, and comply with, evolving regulations, is the ongoing issue of resource and skills.
Generative AI and large language models (64 percent) are the top tech trends expected to shape local organisations next year, closely followed by AI and machine learning. The results mirror global trends but reveal a stronger local focus on AI adoption as the technology moves from pilot to core operations.
But with great power comes great potential for AI to impersonate the CEO or cause other mischief. Two-thirds of Oceania respondents say AI-driven cyber threats and deep fakes will keep them up at night next year, with AI-driven social engineering (60 percent) topping the list of cybersecurity concerns, followed by ransomware and extortion attacks (46 percent) and supply chain attacks (36 percent).
Supply chain is a big area of concern for local organisations according to the report, with 41 percent saying they fear supply chain vulnerabilities – second only to the 45 percent worrying most about the irreparable harm caused by failing to detect or respond to a major breach.
High-profile supply chain hits, including Qantas and Latitude Financial have no doubt heightened those concerns, with a recent report from professional services company Aon noting the emergence of AI-powered social engineering attacks in Australia. It cites the case of a UK engineering firm involved in a deepfake-enabled scam last year, resulting in the theft of US$25 million, and says the attack was later replicated in Australia at a smaller financial scale.
ISACA’s report shows just eight percent of Australian and New Zealand organisations (and 13 percent globally) feel ‘very prepared’ to manage generative AI risks with strong governance and training in place.
Technical issues including cloud misconfigurations and shadow IT (38 percent), and regulatory complexity (36 percent) are also featuring among the top issues expected to test tech professionals in the year ahead.
But in an interesting twist, Australian and New Zealand tech leaders are increasingly seeing regulation as a growth opportunity. Half of Oceania respondents believe regulation will drive business growth and 73 percent say it will advance digital trust. With frameworks like the EU’s AI Act and updated cybersecurity law, the NIS2, influencing global standards, A/NZ organisations appear to be preparing to align. And while 25 percent still have no plans to explore governance, risk and compliance tools in 2026, many others are taking steps toward more structured governance and embedding compliance into broader operational strategies.
Regulatory compliance was ranked as a top focus area for 58 percent of Oceania respondents, followed by business continuity and resilience (52 percent) and cloud migration and security (48 percent). The first two echo the global results which saw 66 percent rating regulatory compliance as ‘very important’ for the year ahead, with 62 percent saying the same about business continuity and resilience. The point of differentiation? Number three. While locally cloud migration and security is a key focus, globally, it’s back to AI, and more specifically managing AI-related risk.
Talent: The real MVP
None of this works, however, without people and resource and skills shortages continue to be a pressing issue.
A separate September report from ISACA on the state of cybersecurity noted 54 percent of Australian cyber teams said they didn’t have enough staff and 58 percent said they had unfilled roles. Even when hiring is approved, it’s a slow process, taking up to six months to fill many roles. (That report also saw 49 percent of Australian cyber teams saying their budgets were underfunded, and just 24 percent expecting an increase in the next 12 months – well below the global figure of 41 percent expecting increases.)
The latest survey shows one in three organisations plan to hire for digital trust roles in 2026, but, as before, many expect difficulty finding qualified candidates. Meanwhile, 40 percent have no hiring plans at all, either due to budget constraints or the hope that existing teams can stretch just a little further.
Jamie Norton, ISACA board vice chair, is blunt: “Security and risk teams are stretched. They’re dealing with constant AI-driven threats, together regulation and growing expectations from executives, all while struggling to find and keep the right people.”
He says it’s a perfect storm demanding stronger leadership focus on capability, wellbeing and risk management.
“At the same time, it’s encouraging to see many organisations recognise these gaps and start building long-term resilience through better governance, smarter investment and workforce development.”
There is some good news, with 37 percent of those who plan to hire in 2026 expanding their hiring compared to 2025. Forty-four percent are unsure if they’ll hire more or fewer.
Globally, 39 percent say workforce upskilling in data security and emerging technology risk management is ‘very important’ and a top improvement area, with organisations seeking more training, awareness and role-specific certifications.
Among the five key actions ISACA says organisations need to take to strengthen digital trust in the coming year is accelerating workforce upskilling and talent pipeline development and investing in continuous learning, certifications and internal mobility.
Modernising legacy systems and infrastructure to reduce vulnerabilities; strengthening cyber resilience and business continuity planning with cross-functional crisis management protocols and regular testing; and preparing for regulatory complexity and international compliance requirements are also included along with establishing AI governance and risk frameworks.
