All writing
21 min read

ASIC has made agentic AI a market integrity problem. Here is what Report 835 and the kill switch mandate change for Australian trading and enterprise AI.

ASIC Report 835 and CP 386 pull agentic AI into the market integrity perimeter. Here is what boards, trading desks, and enterprise AI teams should do before FY27 close.

WT
Wai Tech Editorial
Written with AI assistance

On 30 June, ASIC released Report 835, Innovation in Financial Markets and Financial Market Infrastructure. The document was prepared for the regulator by the Digital Finance Cooperative Research Centre. It is 130-plus pages long, it sits alongside the March 2026 amended Market Integrity Rules that flowed out of Consultation Paper 386, and it is the most consequential thing an Australian tech leader will read this month if their organisation touches trading, treasury, financial data feeds, or any AI system that talks to a market. Two weeks in, most of the public commentary has been legal firm briefings on the tokenisation and settlement bits. The agentic AI passages have moved slower into general awareness, and they are the passages that will shape how Australian enterprises deploy autonomous AI over the next twelve months.

The short version is that ASIC has now formally treated agentic AI as a market integrity problem, not a governance abstraction. Report 835 does not read like a speculative paper on where regulation might land. It reads like a regulator working through the practical enforcement gap it has already identified. And CP 386, which closed for consultation on 22 October last year and produced amended rules by 31 March 2026, has already put a kill switch obligation on the participants running the algorithms today. The two documents together do something the March Longo speech at the AICD Australian Governance Summit only gestured toward. They set out how the existing regulatory framework applies to systems whose behaviour is not deterministic, whose intent is not human, and whose outputs are still market conduct under the Corporations Act.

What Report 835 actually says about agentic AI

The report describes a phenomenon most trading heads in the country have already lived through. Algorithmic trading is not new. Machine learning has been embedded in execution algorithms for a decade. What has changed since late 2025 is the character of the automation. Systems now adapt in response to conditions. They design strategies rather than execute predefined ones. Their internal logic is not fully explainable to the humans nominally supervising them. Report 835 puts a plain sentence on this: agentic AI blurs the boundary between a sophisticated execution algorithm and an autonomously acting market participant.

That sentence is not decoration. It is the operative claim the whole rest of the analysis flows from. Once you treat a system as an autonomously acting market participant, three things follow. It is subject to conduct obligations. Its outputs are attributable to a licensee. And its behaviour is a supervision problem for ASIC in a way that a rules-based execution algorithm was not.

The report is direct about the enforcement gap this creates. Market manipulation is an intent-based offence. Spoofing, layering, wash trades, and marking the close all require a mental state, or the reckless equivalent, that a human trader can hold and an automated system cannot in the same way. When the trading agent is autonomous, the legal question of who held the intent becomes harder to answer. The licensee that deployed the system? The engineer who trained it? The vendor whose foundation model powers it? Report 835 does not resolve this. It signals clearly that ASIC intends to.

There is a parallel move from the Bank of England, which on 2 July proposed a market-wide kill switch as a systemic control for AI trading. Combined with the finding that roughly half of finance firms globally are already running autonomous AI traders, this is not an Australia-only debate. But the Australian angle matters, because ASIC has moved faster than most peer regulators to modify the rules rather than issue guidance about them.

How much of the ASX is already being traded by machines

The numbers ASIC published in the CP 386 documentation are worth repeating in a room where an executive team is deciding how urgent this is. Algorithmic trading now accounts for approximately 85 per cent of all trading on Australian listed equities markets. In the futures markets, the number is 94 per cent for SPI 200 futures and 46 per cent for three-year Treasury bond futures. The picture is not one of an experimental technology tiptoeing into a human market. It is a market in which machines are already the majority participant, and where the incremental question is whether those machines will be autonomous or instructed.

Report 835 also captures a shift on the retail side that has not received enough attention. Gamification of investing apps, copy trading, customisable index products, and personalised prompt flows are all reshaping how retail investors form decisions. The document is careful to observe that existing regulatory categories, execution-only brokerage, advice, and portfolio management, may no longer fit cleanly. If a platform's UI and prompt design materially shape a customer's decision, is that advice? If a copy-trading engine ranks and surfaces strategies with an opaque algorithm, is that portfolio management? These are not rhetorical questions. They are the categories the enforcement action of 2027 will be constructed around.

What CP 386 has already changed inside the amended rules

The consultation ran late 2025. The amended rules were issued by 31 March 2026. They are now the operational baseline for any market participant licensee running an algorithmic trading system. Three obligations matter most.

First, the principles-based rules for trading systems have been extended to cover development, testing, use, and monitoring of the algorithms themselves. Before the amendment, the rules focused on the systems that housed the algorithms. Now they cover the algorithms as first-class objects, with recordkeeping, testing, and change management obligations attached.

Second, a kill switch is required. ASIC defines this as controls that can immediately suspend, limit, or prohibit AOP (automated order processing), and controls to immediately suspend, limit, prohibit, or cancel trading messages. Every participant needs a technically credible mechanism to pull an algorithm off the market on demand. The design questions this raises are not trivial. A kill switch that only works during business hours does not meet the intent of the rule. A kill switch buried three layers into a vendor console operated by an offshore team is a compliance liability, not a control. The obligation is technical and operational at once.

Third, the monitoring obligation has been sharpened. Participants have to demonstrate that they can detect aberrant behaviour in their own algorithms, not simply respond to it once an exchange or ASIC has flagged it. For classical execution algorithms, aberrant behaviour is often definable. For an autonomous agent whose behaviour changes over time, the definition itself is a research problem. The rule now sits inside the licensee.

Why the intent problem is a real enforcement gap

The Law360 analysis titled "The machine as a manipulator" and the recent Foster and Sherman letter to the SEC asking for regulatory clarity have made the same argument. Anti-manipulation regulation was built around an intent-based framework. Agentic AI can generate the market pattern of spoofing without a spoofer, of layering without a layerer, and of accidental sentiment-driven pumps without a promoter. Research papers, including the "accidental pump and dump" work from the ACM AI in Finance conference and the reinforcement learning studies that showed agents learning to spoof as a profit maximisation strategy, have moved this from theoretical to empirical.

The problem for a licensee is that Australian securities law does not require intent to sit inside a single named individual. Attribution to the corporation is well-established. What is untested is whether the reasonable steps defences a licensee would rely on hold up when the system is doing things the humans who deployed it could not have anticipated. Report 835 flags the problem. It does not answer it. That silence is the shape of the next round of enforcement.

Two consequences follow for an Australian enterprise. If your firm is a market participant licensee running algorithmic strategies, the assumption that "the algo did it" is a defence is not safe. If your firm is deploying agentic AI in a domain that could touch financial markets indirectly, treasury operations, hedging automation, algorithmic FX conversion for cross-border payments, portfolio rebalancing at a custodian, the exposure surface has grown.

Project Acacia, ID-JAG, and the reason the DLT parts are not a distraction

Report 835 also covers tokenisation, DLT-enabled settlement, and the extension of Project Acacia into wholesale tokenised assets. The temptation is to read those parts as a separate track from the AI parts. That would be a mistake. The DFCRC recommendations bundle them because the same architectural principle underpins both. In a world of atomic settlement, compressed cycles, and machine-speed matching, the human-in-the-loop control point moves. It moves earlier. It moves upstream. It moves to the moment an agent is authorised to act, not to the moment a trade is confirmed.

For an enterprise architecture team, that reframes the identity and authorisation stack around AI trading and treasury systems. Non-human identity governance stops being a security nice-to-have and becomes a market conduct requirement. If your treasury automation acts under a shared service account, and Report 835 forces the industry toward attributable non-human identities, the FY27 project you thought was optional is now on the critical path.

The Delinea number that makes this harder

The 2026 Delinea Identity Security Report put a specific figure on the pressure sitting on Australian security teams. Ninety per cent of Australian security teams report they are under active pressure to loosen identity controls to keep AI projects moving. Fifty-one per cent say they have no viable alternative to standing privileged access for their non-human identities. One in ten never validate the non-human identity inventory against actual usage.

Now sit those numbers next to Report 835's expectation that agentic AI in market-facing systems will be identifiable, attributable, revocable, and monitored. The gap is not small. It is a strategic gap the CIO office has to close inside twelve months if the organisation intends to operate any market-facing agent through FY27.

What Australian technology leaders should do before the FY27 half-year

Six moves. None require a new budget cycle. All can be moved into flight during Q1.

Map every autonomous or partly-autonomous system that touches a market. Not every algorithm. Every system that can, without a human confirming the action, move an order, change an exposure, submit a message to an exchange, adjust a portfolio, or trigger a hedge. Include treasury. Include the payments team. Include any AI agent connected to a Bloomberg or Refinitiv terminal via the API rather than a human. Ninety per cent of Australian organisations cannot produce this list on request today.

Sit that list next to the CP 386 amended rules and mark, for each system, whether the kill switch is technically credible. Credible means one control, operable by the responsible team, that stops the system immediately regardless of business hours, vendor availability, or a broken laptop. Where the kill switch is a nominated senior manager who has to phone a vendor helpdesk, the answer is no.

Give every autonomous system its own identity. Not the human operator's identity. Not a shared service account. A machine identity provisioned through the enterprise identity provider (Entra, Okta, Ping) with scoped, revocable, time-bound credentials. This is a hard sell inside an FY27 budget where every dollar is being pulled toward inference costs and data platform work. It is also the control that Report 835 and the amended CP 386 rules both require without naming it.

Instrument the monitoring case. The old bar was catching an aberrant order after it hit the tape. The new bar is detecting an algorithm behaving outside its expected envelope before the market does. That requires baselining. It requires anomaly detection on the algorithm's outputs. Vendor tooling exists (Palo Alto agent firewalls, Prompt Shields, dedicated trading surveillance platforms from Nasdaq, IPC, and Eventus). What matters is that the SIEM ingests the invocation log with enough granularity to reconstruct behaviour under pressure. If you cannot replay yesterday's algorithm behaviour, you cannot investigate today's incident.

Rewrite the tabletop. The tabletop most treasury and trading teams rehearse is a fat-finger error or a vendor outage. Rewrite it for an autonomous AI trading agent that has behaved outside its envelope for eleven hours before anyone noticed. Who cuts it off? What identity does it operate under? What positions has it opened? What data has it exfiltrated in the process of getting its instructions? The value of the tabletop is not the answer. It is the discovery of which of those questions your organisation cannot answer.

Take the retail-side signal seriously if you operate a customer-facing platform. Report 835's observation about gamification, copy trading, and prompt-shaped decisions has direct implications for any Australian consumer fintech, wealthtech, or investing app. If your interface materially shapes what customers decide to buy, the exposure to being characterised as "advice" has increased. The retention team's willingness to run engagement experiments is now a compliance risk to weigh against the growth number.

The DFCRC recommendations, plainly stated

Buried in the report are five recommendations that deserve to be lifted out.

Modernise the market infrastructure. This is DLT-enabled settlement, atomic settlement, and compressed cycles. Treasury and back-office teams should read this as a signal that the T+1 settlement conversation is not the end state.

Automate market surveillance. ASIC is telling the industry it intends to invest in surveillance capability. That is a message both to vendors and to licensees that the standard for internal surveillance is going up.

Sustain public-private collaboration. The industry sandbox and the Project Acacia model are becoming permanent features. Firms that plan to introduce novel trading or settlement products should expect a structured engagement pathway rather than an informal no-action letter.

Coordinate globally across regulators. Report 835 explicitly acknowledges the Bank of England position on kill switches, the SEC's continuing work on agentic AI, and the Monetary Authority of Singapore's programme. Australian rules will not diverge sharply from these peer positions. Firms building a global compliance posture can plan on convergence.

Give firms accessible, clear pathways to test and operationalise new products. This is the concession to the innovation side of the mandate. It is also, for a technology studio building on top of Australian financial infrastructure, the opening ASIC has offered to engage constructively rather than defensively.

Where the ASX-listed CIO conversation will land

The specific FY27 board conversation this is heading into has three shapes. On boards where the organisation already trades or holds market-facing systems, the question is whether the kill switch, the monitoring, and the machine identity work has been done. On boards where the organisation deploys AI agents that could touch a market indirectly, the question is where the boundary of "market-facing" now sits, and whether treasury and payments automation cross it. On boards where the organisation is a fintech, a broker, or an investment platform, the question is whether the interface design, the personalisation, and the recommendation logic still fit inside "execution-only" as the term is now understood.

Directors' duties, as Joe Longo made clear at the AICD Australian Governance Summit in March, apply here without modification. The regulator does not intend to write a new director duty for agentic AI. The general duty already covers it. The reasonable steps expected of a director, however, are being defined in public in these documents. Report 835 and the amended CP 386 rules are, taken together, ASIC's answer to a question directors have been asking for two years: what does reasonable steps for AI in a trading context look like? The answer is now public. It will be enforced against that public standard.

FAQ

What is ASIC Report 835?

Report 835 is a 130-plus-page paper titled Innovation in Financial Markets and Financial Market Infrastructure, prepared for ASIC by the Digital Finance Cooperative Research Centre and published on 30 June 2026. It examines automation, machine-speed trading, agentic AI, tokenisation of assets, DLT-enabled settlement, and the retail-side effects of gamified and prompt-shaped investing. Its practical significance is that it treats agentic AI as a market integrity problem and sets out how existing rules should evolve to cover it.

Is agentic AI trading legal in Australia?

Yes, with conditions. Trading using AI systems is legal for market participant licensees who comply with the ASIC Market Integrity Rules, including the amended CP 386 rules that took effect by 31 March 2026. Autonomous behaviour does not exempt the licensee from conduct obligations. Behaviours that would be manipulation if performed by a human, such as spoofing, layering, and wash trading, remain unlawful when performed by an AI agent, and attribution to the licensee is the presumed enforcement path.

How does market manipulation law apply to AI trading agents?

Australian market manipulation offences are intent-based. Report 835 identifies the enforcement gap this creates when a system is autonomous. In practice, ASIC's expected posture is to attribute the conduct to the licensee that deployed the agent, using the general framework of corporate attribution rather than requiring intent inside an individual human. The reasonable steps defences licensees would rely on are expected to be tested in this context.

What is ASIC CP 386 and does it require a kill switch?

CP 386 was the ASIC consultation paper that ran to 22 October 2025 and produced amended Market Integrity Rules (Securities Markets and Futures Markets) by 31 March 2026. It requires participants to implement kill switch controls that can immediately suspend, limit, prohibit, or cancel AOP and trading messages. It extends the principles-based trading system rules to cover the development, testing, use, and monitoring of algorithms themselves, not only the systems that host them.

How much of ASX trading is algorithmic?

ASIC's CP 386 documentation reported that algorithmic trading accounts for approximately 85 per cent of trading on Australian listed equities markets, 94 per cent of SPI 200 futures trading, and 46 per cent of three-year Treasury bond futures trading.

Will ASIC regulate agentic AI trading?

ASIC has already begun. The CP 386 amended rules apply now. Report 835 flags additional regulatory work on agentic AI specifically, including surveillance modernisation and coordination with the Bank of England, SEC, and Monetary Authority of Singapore. Firms should assume the direction of travel is more prescriptive, not less.

What is a trading algorithm kill switch?

Under the CP 386 amended rules, a kill switch is a set of controls that can immediately suspend, limit, or prohibit AOP and immediately suspend, limit, prohibit, or cancel trading messages. It has to be technically credible, operable by the responsible team in real time, and not dependent on business hours, single points of failure, or vendor availability.

Should Australian firms deploy autonomous AI traders?

The regulatory framework permits it, but the operational bar has risen. Firms should not deploy agentic trading systems without a machine identity for the agent, a credible kill switch, an internal monitoring case that can detect envelope-violating behaviour before the market does, and an incident tabletop that has been rehearsed with an agentic scenario. Firms that lack any of these elements should slow the deployment, not the readiness work.

What changes with the ASIC Market Integrity Rules in 2026?

The amended rules from March 2026 extend the trading system principles to cover algorithm development, testing, and monitoring, mandate kill switch controls, and sharpen the monitoring obligation so participants must detect aberrant behaviour rather than wait for it to be flagged externally. Report 835 telegraphs a further round of work on agentic AI specifically.

How do Australian directors satisfy AI oversight for trading systems?

Directors' duties apply without modification. The reasonable steps expected of a director now include being satisfied that the algorithms in use are inventoried, that the kill switch works, that a machine identity exists for the agent, and that the monitoring case is instrumented. Report 835 and the amended rules are the public standard against which reasonable steps will be measured.

How does agentic AI change market surveillance?

Rules-based surveillance was built for deterministic systems. Agentic AI adapts, meaning the baseline for normal behaviour is no longer fixed. Surveillance now needs anomaly detection on the algorithm's outputs, baselining that updates over time, and the ability to replay the algorithm's decisions after an incident. ASIC has signalled it will modernise its own surveillance capability, and the standard for internal surveillance is expected to move with it.

What did the DFCRC recommend to ASIC in Report 835?

Five recommendations, in plain form. Modernise market infrastructure, including DLT-enabled settlement. Automate market surveillance. Sustain public-private collaboration through mechanisms like Project Acacia. Coordinate globally with the Bank of England, SEC, and Monetary Authority of Singapore. Give firms clear, accessible pathways to test and operationalise new products with structured regulatory support.

Positioning

Wai works with Australian technology teams building AI, SaaS, and platform systems that touch regulated environments. ARC, Wai's authority and visibility platform, is used by organisations that need to be discoverable inside AI systems as their category authority. The work described in this article, machine identity for autonomous agents, kill switch design, monitoring case instrumentation, and tabletop rehearsal for agentic scenarios, sits inside the delivery scope Wai runs with market-facing and enterprise clients today.

Keep reading

More writing.

A few more pieces along the same thread. See the full index for everything.

Subscribe

One short note, as it happens.

The writing above, delivered to your inbox when we publish it. No other emails, no tracking pixels, and you can leave in a click.