Most boards cannot see where AI risk actually sits.

Shadow AI is the fastest-growing category of unmanaged enterprise risk. Most incident response plans were written before generative AI existed. Most privacy policies don't yet disclose AI use. Most organisations have no formal AI Acceptable Use Policy at all.

The new accountability landscape is regulatory and structural. APRA CPS 230 and CPS 234 place AI-related operational risk and information security obligations directly on boards. AS ISO/IEC 42001 has been adopted as an Australian standard. AICD director-duty guidance has explicitly extended director accountability to AI literacy, AI oversight, and the board's own use of AI tools.

The first step is not more tools. It is a defensible picture of where the organisation currently sits across every control area regulators, auditors, and boards will ask about.

You cannot govern what you cannot see. The Health Check makes the exposure visible.

Without a Health Check  →  With a Health Check

  • Board cannot quantify AI risk or compliance posture  →  RAG-rated scorecard across 14 dimensions, board-ready
  • Shadow AI usage is unknown and ungoverned  →  Shadow AI scoped, quantified, and remediation prioritised
  • Privacy Act 2026 obligations approached without an inventory  →  Documented AI inventory and disclosure roadmap before the deadline
  • Microsoft Copilot deployed without scope review or access controls  →  Copilot access scoped, reviewed, and tied to data classification
  • No AI Acceptable Use Policy or board-level AI governance  →  Policy gaps named, owners assigned, executive sign-off path defined

14 dimensions. Four pillars. Every layer assessed.

The Mycelium AI Security Health Check assesses your AI security and governance posture across 14 structured dimensions, grouped into four strategic pillars: Govern, Protect, Operate, Enable.

Each dimension is independently scored Red / Amber / Green, with the aggregate producing an overall AI Security Posture Score — defensible to a board, an auditor, or a regulator.

01 Govern

Accountability, policy, compliance & use-case governance

  • 01 AI Tool Governance & Inventory
  • 02 AI Policy & Acceptable Use
  • 03 Regulatory, Compliance & AI Risk Framework
  • 04 AI Governance & Board Accountability
  • 05 AI Use-Case Triage & Impact Assessment

02 Protect

Access controls, data handling, technical security & threat defence

  • 06 Identity, Access & Human Oversight Controls
  • 07 Data Classification & Handling
  • 08 Technical Controls & Security Architecture
  • 09 Threat Detection & Adversarial AI Risk

03 Operate

Incident response, vendor risk & model lifecycle management

  • 10 AI Incident Response & Continuous Monitoring
  • 11 AI Procurement & Third-Party Risk
  • 12 Model Lifecycle, Testing & Integrity

04 Enable

Transparency, disclosure & AI literacy

  • 13 Transparency, Disclosure & Stakeholder Communication
  • 14 AI Literacy & Responsible Use Training

RAG Scorecard  →  Governance  →  Enablement  →  Agents

Aligned to the Australian Government's six Essential AI Practices — plus eight additional control areas regulators are likely to formalise next.

Deliverable One

Executive Scorecard

One page. Board presentation ready.

  • 14 RAG ratings at a glance
  • Overall AI Security Posture Score
  • 3 headline risks and immediate priorities
  • Ready to table at your next board meeting

Deliverable Two

Detailed Findings Report

10–15 pages. Full forensic detail.

  • Full findings and evidence base
  • Root cause analysis per dimension
  • Prioritised remediation roadmap
  • Next steps and immediate quick wins

A complete, bounded diagnostic.

The AI Security Health Check is a self-contained engagement. It stands alone — with defined deliverables, a written report, and a board-level debrief, regardless of whether further work follows.

Where findings reveal material gaps, follow-on work is offered only where it makes sense: AI Governance Framework, AI Enablement & Literacy, or Intelligent Agent Deployment. If we are not the right firm for your situation, we will say so in the first conversation.

The first conversation is diagnostic. No pitch. No proposal until it makes sense.

Four entry points.

Organisations engage with AI Security from different starting points. The diagnostic conversation is the same regardless of entry point — it determines where you sit, what the priority is, and the right path forward.

Compliance Deadline

The 10 December 2026 Privacy Act deadline is approaching.

APP entities must publicly disclose AI-driven decisions that materially affect individuals. The Health Check produces the AI inventory, disclosure mapping, and remediation roadmap required to meet the obligation defensibly.

Recommended entry: Health Check

Board or Audit Pressure

The board is asking where your AI risk actually sits.

Boards, risk committees, and internal audit increasingly require a defensible answer on AI exposure. The Executive Scorecard is designed precisely for that conversation — a single page, ready to table.

Recommended entry: Health Check

Post-Incident

An AI-related incident has revealed gaps you cannot fully see.

A confirmed incident is the strongest possible mandate to assess the rest of the surface area. The Health Check identifies the dimensions that allowed the incident and the dimensions still exposed.

Recommended entry: Health Check

Before Investment

Significant AI investment is being considered. Diagnose first.

Before committing further AI tooling, licences, or vendor contracts, the Health Check confirms whether the governance and security posture can absorb the spend — or whether remediation is required first.

Recommended entry: Health Check

Aligned to the regulator

Mycelium's 14-dimension framework is the operational extension of the National AI Centre's guidance. It is designed to be defensible in front of the regulator, the auditor, and the board — today and after 10 December 2026.

The Mycelium Journey

Diagnose. Govern. Enable. Operate.

Every Mycelium engagement begins with a diagnostic. Where the findings support further work, governance, enablement, and operation follow — in that order.

  • Diagnose: AI Security Health Check. 4 weeks · Fixed price. Board-ready output. Start here.
  • Govern: AI Governance Framework. Following Health Check; scoped to findings.
  • Enable: AI Enablement & Literacy. Role-specific; board literacy support.
  • Operate: Intelligent Agent Deployment. Departmental AI agents; begins with Discovery.

Ready to know where you stand?

Sixty minutes. We assess the presenting problem, determine whether the Health Check is the right move for your situation, and tell you if it is not.

No pitch. No proposal until it makes sense.

Request a Diagnostic Conversation

admin@themyceliumgroup.com.au  ·  +61 401 844 836  ·  Melbourne, Australia