Blog, 12 min read

The Agentic AI Containment Gap: Why Australian Enterprises Need a Deployment Doctrine Before the Spending Wave Hits

Two numbers from the past month tell most of the story about where Australian enterprise technology sits right now.

Kere Puki

The first is A$172.3 billion. That is Gartner's forecast for total IT spending in Australia in 2026, up 8.9% on last year, with data centre systems growing 22.5% and server spend rising 30% on the back of AI workloads. Fourteen per cent of Australian CIOs say their organisations are already running AI agents in production. Another 42 per cent expect to in the next twelve months.

The second number is 88 per cent. That is the share of organisations running AI agents globally that reported a confirmed or suspected security incident involving those agents in the past year, according to recent enterprise survey data. Only 6 per cent of security budgets are allocated to AI agent security.

Both numbers are true at the same time, and that is the problem.

The Spending Curve Has Outrun the Containment Curve

Australian boards approving FY27 budgets right now are pricing in aggressive AI agent rollouts. Generative AI was the headline category last cycle. The new line items sit further along the maturity curve: agent orchestration, retrieval pipelines, vector databases, observability stacks, agent identity and access management.

Treasurer-style budget logic does not match the operational reality. Agent-driven systems are not yet stable infrastructure. They are software that reasons, calls tools, writes to systems of record, and increasingly initiates actions without a human in the immediate loop. The security primitives, audit posture, and behavioural evaluation methods needed to run these systems at enterprise scale are still being defined.

This gap is not theoretical. It is being measured in incidents.

What the Last Six Weeks of Incidents Actually Show

Three live cases illustrate the threat surface that agentic deployments are exposing.

ServiceNow disclosed a security incident affecting hosted customer instances in early June. The flaw allowed unauthenticated users to query customer data through an exposed API. The bug had been disclosed to the company through its bounty programme on 22 April. The patch was issued on 5 June, after attacker activity began on 2 June. AppOmni's research traced the vulnerability path through ServiceNow's agentic AI platform layer, where agent permissions were broader than the customer instance configurations assumed.

Agentjacking, disclosed in June by AI security researchers, demonstrated an 85 per cent exploitation success rate against AI coding agents including Claude Code and Cursor. The attack works by injecting crafted input into Sentry error events, which coding agents interpret as legitimate diagnostic context and act on. At least 2,388 organisations had exposed Sentry DSNs that allowed the injection. The practical effect is that any developer running an AI coding agent with elevated repo access was, until the patches propagated, one malformed error report away from running attacker-controlled code.

The CISO Platform breach report on 16 June pulled three high-signal incidents together and identified a consistent pattern: "privileged automation under pressure". Network controllers, AI coding agents, and self-directed AI malware are all turning trusted operational paths into attack paths.

None of these are exotic. They are the operating conditions under which agentic AI is being deployed.

The ASD and ACSC Have Already Drawn the Line

In May the Australian Signals Directorate's Australian Cyber Security Centre, alongside CISA, the NSA, and partners in Canada, New Zealand, and the UK, published Careful Adoption of Agentic Artificial Intelligence (AI) Services. The guidance is the most concrete statement yet from the Five Eyes cyber community on how organisations should approach agentic deployments.

The headline recommendation is plain. Until evaluation methods, security practices, and standards mature, organisations should assume agentic AI systems may behave unexpectedly. Deployments should be planned with resilience, reversibility, and risk containment ahead of efficiency gain. The ASD and ACSC recommend adopting agentic AI incrementally and limiting it to low-risk tasks.

That phrasing matters. It does not say wait. It says contain. Australian regulated industries, critical infrastructure operators, and federal agencies now have a published baseline against which their agentic deployments will be measured. Boards that approve high-stakes agent rollouts without alignment to this guidance are accepting a documented governance gap.

What an Agentic AI Deployment Doctrine Actually Looks Like

Australian enterprises that have run successful agent pilots are converging on a small number of operational rules. None of them are exotic. All of them are commonly missing.

A working doctrine includes:

  • A documented agent inventory with system owner, tool access scope, identity boundary, and blast radius assessment for each deployed agent.
  • Separation between agent identity and human identity at the IAM layer, with agent identities subject to short-lived credentials and per-action authorisation rather than session-wide trust.
  • Logging that captures the agent's reasoning trace, tool calls, and authorisation decisions, retained at a granularity that supports incident reconstruction. The most common audit failure is logging the outcome but not the reasoning step that led to it.
  • A reversibility plan for every agent that writes to a system of record. If the agent makes 200 wrong updates, the question is how those updates are detected, isolated, and rolled back without manual reconstruction.
  • Containment boundaries that limit which tools an agent can call and which data it can read. The principle of least privilege has not changed. The novelty is that the principal is no longer a person.
  • Evaluation methods that test the agent against adversarial inputs before deployment, not just against the intended workflow. Agentjacking succeeded because production agents were never adversarially tested against malformed third-party error inputs.

Most enterprises currently have none of these in place. A smaller group has two or three. The mature deployments have all six and treat them as the deployment baseline.
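As an added illustration of what five of the six elements above look like once written down as code (this is example code, not Wai's, ARC's or any vendor's implementation, and every agent name, tool name, record key and value in it is hypothetical), the following gateway sits between an agent and a system of record. It holds one inventory entry per agent (owner, tool scope, data boundary, blast radius cap), accepts only a short-lived credential bound to the agent identity, authorises every tool call individually, logs the reasoning step beside the authorisation decision, and keeps an undo log so an operator can roll back a run of bad writes without manual reconstruction. Adversarial evaluation, the sixth element, is a release-time activity and is not modelled here.

```python
# Added example, not Wai's code or any vendor's: a tool-call gateway enforcing
# the doctrine above for one agent. Every name, key and value is hypothetical.
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentCredential:
    """Short-lived credential bound to an agent identity, never a human's."""
    agent_id: str
    issued_at: float
    ttl_seconds: int = 300

    def is_live(self, now):
        return now - self.issued_at < self.ttl_seconds

@dataclass(frozen=True)
class AgentPolicy:
    """Inventory entry: owner, tool scope, data boundary, blast radius cap."""
    agent_id: str
    owner: str
    allowed_tools: frozenset
    readable_prefixes: tuple     # key prefixes the agent may touch
    max_writes_per_run: int      # caps how much one run can change

class ToolGateway:
    """Every tool call passes through here: per-action authz, audit trail, undo log."""
    def __init__(self, policy, store):
        self.policy, self.store = policy, store   # store: the system of record, a dict here
        self.audit_log = []       # per call: reasoning step, args, decision, reason
        self.undo_log = []        # (call_id, key, previous_value) per write
        self.writes_this_run = 0

    def _authorize(self, cred, tool, args, now):
        if cred.agent_id != self.policy.agent_id:
            return "deny", "credential belongs to a different principal"
        if not cred.is_live(now):
            return "deny", "credential expired"
        if tool not in self.policy.allowed_tools:
            return "deny", f"tool {tool} outside agent scope"
        key = args.get("key", "")
        if not key.startswith(self.policy.readable_prefixes):
            return "deny", f"key {key} outside data boundary"
        if tool == "write_record" and self.writes_this_run >= self.policy.max_writes_per_run:
            return "deny", "blast radius cap reached"
        return "allow", "ok"

    def call(self, cred, tool, args, reasoning, now=None):
        now = time.time() if now is None else now
        call_id = len(self.audit_log) + 1
        decision, reason = self._authorize(cred, tool, args, now)
        # The reasoning step is logged beside the decision, not only the outcome.
        self.audit_log.append({"call_id": call_id, "agent": cred.agent_id, "tool": tool,
                               "args": dict(args), "reasoning": reasoning,
                               "decision": decision, "reason": reason, "ts": now})
        if decision != "allow":
            raise PermissionError(reason)
        if tool == "read_record":
            return self.store[args["key"]]
        previous = self.store.get(args["key"])          # write_record from here on
        self.store[args["key"]] = args["value"]
        self.undo_log.append((call_id, args["key"], previous))
        self.writes_this_run += 1
        return previous

    def rollback(self):
        """Reverse every logged write, newest first; returns the count undone."""
        undone = self.undo_log
        for _, key, previous in reversed(undone):
            if previous is None:
                self.store.pop(key, None)
            else:
                self.store[key] = previous
        self.undo_log = []
        return len(undone)

def demo():
    """Constructed run: two in-scope writes, four denied attempts, then a rollback."""
    store = {"invoice/1001": "open", "invoice/1002": "open", "hr/emp-7": "salary"}
    policy = AgentPolicy("invoice-agent", "finance-systems",
                         frozenset({"read_record", "write_record"}), ("invoice/",), 2)
    gw = ToolGateway(policy, store)
    cred = AgentCredential("invoice-agent", issued_at=1000.0)
    gw.call(cred, "read_record", {"key": "invoice/1001"}, "confirm invoice is open", now=1010.0)
    gw.call(cred, "write_record", {"key": "invoice/1001", "value": "closed"}, "payment matched", now=1011.0)
    gw.call(cred, "write_record", {"key": "invoice/1002", "value": "closed"}, "payment matched", now=1012.0)
    denied = []
    for tool, args, why, t in [
            ("read_record", {"key": "hr/emp-7"}, "look up payee", 1013.0),
            ("send_email", {"key": "invoice/1001"}, "notify customer", 1014.0),
            ("write_record", {"key": "invoice/1001", "value": "void"}, "retry", 1015.0),
            ("write_record", {"key": "invoice/1002", "value": "void"}, "retry", 1400.0)]:
        try:
            gw.call(cred, tool, args, why, now=t)
        except PermissionError as exc:
            denied.append(str(exc))
    undone = gw.rollback()   # an operator has decided the closures were wrong
    return dict(store), denied, undone, len(gw.audit_log)
```

Running `demo()` returns the restored records, the four denial reasons (data boundary, tool scope, blast radius cap, expired credential), the number of writes rolled back, and seven audit entries, one for every call whether or not it was allowed. The point a reviewer should take from it is that each denial carries the reasoning the agent supplied, so an incident reconstruction can see what the agent was trying to do, not just that it was stopped.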

The Real Risk Sitting on FY27 Roadmaps

The strategic risk is not that agentic AI fails. It is that agentic AI succeeds operationally while failing on security and governance, and that the failure surfaces during a high-visibility incident that triggers regulatory attention.

Australian regulators are watching. The OAIC has flagged generative AI in its 2026 priorities. APRA has signalled that operational resilience expectations under CPS 230 apply to material AI deployments. The ACSC has now published the technical baseline. The pieces of a future enforcement framework are already in the file.

For ASX-listed companies, the disclosure dimension is also live. A material incident in an agent-driven workflow that affects revenue recognition, customer data, or operational continuity will need to be disclosed under continuous disclosure obligations. Boards approving agent rollouts without an articulated containment posture are creating a future disclosure event they cannot yet describe.

Where Wai and ARC Fit

Wai works with technology, SaaS, and enterprise teams on the layer that sits underneath the public AI story: how agents are deployed, how they are governed, how their outputs are made discoverable, and how their authority is positioned in front of buyers and AI retrieval systems.

ARC is Wai's authority and AI-visibility infrastructure layer. It is built for the world that the ServiceNow, Agentjacking, and ASD guidance stories all describe: one in which agents and AI systems are reading, ranking, and acting on enterprise content at scale. ARC is the layer that makes an organisation's content, expertise, and product surface area discoverable, attributable, and cited inside AI retrieval systems while keeping the underlying infrastructure governable.

The same operating principle applies on both sides. If you cannot describe how your agents are constrained, you cannot scale them safely. If you cannot describe how your content is structured for AI retrieval, you cannot defend your authority position as buyers move their first-stage research into AI systems.

What Senior Technology Leaders Should Be Doing This Quarter

A practical list for CTOs, CIOs, and CISOs reviewing FY27 plans:

  1. Run an agent inventory across all business units. Most organisations do not have one. The first step is knowing what is already deployed and what is in pilot.
  2. Map every deployed and planned agent against the ASD and ACSC guidance criteria. Document where the gap is and who owns closing it.
  3. Insist that every agent business case includes a reversibility plan and a containment boundary before budget is released.
  4. Set up adversarial evaluation as a release gate for any agent that writes to a system of record or executes external actions.
  5. Allocate a security budget line specifically for AI agent security. Six per cent of the security budget is the current benchmark and it is not enough. Australian enterprises in regulated sectors will need more.
  6. Brief the board on the disclosure exposure that an agent-related incident would create.

The boards that do this work in the next two quarters will move into FY27 with deployable, defensible agentic infrastructure. The boards that defer it will be making the same decisions under incident pressure.

FAQ

What did the ASD and ACSC say about agentic AI in 2026?

The Australian Signals Directorate's ACSC, alongside CISA, the NSA, and partner agencies in Canada, New Zealand, and the UK, published Careful Adoption of Agentic Artificial Intelligence (AI) Services in May 2026. The guidance recommends adopting agentic AI incrementally, limiting deployments to low-risk tasks, and assuming systems may behave unexpectedly until evaluation standards mature. Deployments should prioritise resilience, reversibility, and containment ahead of efficiency.

What is agentjacking and why does it matter for enterprises?

Agentjacking is an attack technique disclosed in June 2026 that injects crafted input into Sentry error events, which AI coding agents like Claude Code and Cursor interpret as legitimate diagnostic context. Researchers achieved an 85 per cent exploitation success rate against 2,388 organisations with exposed Sentry DSNs. The technique demonstrates that AI agents can be tricked into running attacker-controlled code via trusted third-party inputs, which expands the threat surface beyond conventional supply chain attacks.

How much are Australian organisations spending on AI in 2026?

Gartner forecasts total Australian IT spending will reach A$172.3 billion in 2026, an 8.9 per cent year-on-year increase. Data centre systems spend is growing 22.5 per cent and server spend 30 per cent, largely driven by AI workloads. Around 14 per cent of Australian CIOs report active AI agent deployments, with another 42 per cent planning deployment in the next twelve months.

Why are 88 per cent of organisations with AI agents reporting security incidents?

The combination of broad tool access, weak identity boundaries, immature logging, and undefined reversibility plans means agents in production routinely operate beyond their intended blast radius. Only 6 per cent of enterprise security budgets are currently allocated to AI agent security. Agents are being deployed faster than the security primitives needed to govern them are being built.

What does an agentic AI deployment doctrine look like in practice?

A working doctrine covers six elements: a documented agent inventory, separation of agent and human identity at the IAM layer, granular logging of agent reasoning and tool calls, a reversibility plan for any agent writing to a system of record, containment boundaries scoped to least privilege, and adversarial evaluation as a release gate before production deployment.

How should boards handle agentic AI disclosure exposure?

For ASX-listed entities, a material incident in an agent-driven workflow may trigger continuous disclosure obligations, particularly if revenue recognition, customer data, or operational continuity is affected. Boards approving agent rollouts should require that containment posture, incident response plans, and material risk descriptions are documented before budget is released, so that the company can describe its exposure ahead of any incident rather than during one.

Wai is an Australian technology studio working with enterprise, SaaS, and regulated industry teams on AI adoption, software delivery, and AI-visibility infrastructure. ARC is Wai's authority and AI-visibility platform.
