Identity is the answer to Australia's new cyber resilience regulations

Visibility, accountability, and identity governance: what boards need for regulatory compliance.

About the Author

Mike Reddie

Vice President and Country Manager, Okta ANZ

Mike Reddie is the Vice President and Country Manager for ANZ at Okta. A 30-year tech veteran specializing in cloud, security, and AI, his leadership background includes key roles at ServiceNow, VMware, and Singtel Optus.

24 June 2026

Regulators in Australia are delivering a clear message: Organisations can no longer leave cyber resilience solely to security and technology teams.

The Australian Prudential Regulation Authority (APRA) has sharpened the focus on operational resilience, third-party risk, and critical business services through CPS 230 and CPS 234. At the same time, the Australian Securities & Investments Commission (ASIC) has reinforced that cyber risk is a governance issue requiring active oversight from boards and executive leadership teams.

These regulations raise expectations around accountability. Boards must better understand the risks facing the organisation, challenge management on resilience, and be confident the right controls are in place. To do this, they need visibility. 

Understanding access in complex environments

Organisations today operate in far more complex environments than they did even a few years ago. They must grant access to a range of users and systems: employees, contractors, partners, suppliers, applications, and cloud services. Many are also adopting AI tools, AI agents, and other non-human identities. As AI systems gain access to more applications, workflows, and business data, organisations need the same visibility and governance over these non-human identities as they have over human users.

That starts with understanding who—and what—has access to critical systems and information, what they can access, and how that access is managed. Without that visibility, identifying risk and responding when something goes wrong becomes much harder. 

The right questions to ask

Boards and executives don’t need to become cybersecurity experts to address these gaps and satisfy regulators. They just need to ask the right questions:

  • Do we understand our critical business services?
  • Do we know who has access to the systems that support them?
  • Can we quickly identify and respond to inappropriate access or unexpected activity?
  • Can we demonstrate that our controls are working as intended?

In the age of AI, this foundation requires an expanded view of what needs governing. With AI agents entering critical systems, boards must apply these same checks to non-human identities.

Okta’s blueprint for the secure agentic enterprise provides a framework to do just that, helping organisations map where agents are running, what they can connect to, and what they can do. Securing both human and machine identities helps enterprises better manage AI risks, stay in step with regulations, and build operational resilience.

Identity: The foundation for resilience

Whether an organisation is securing an employee, a contractor, or an AI agent, identity is at the core. Identity helps organisations understand who—and what—has access to critical systems and data, and whether that access remains appropriate over time.

Data confirms that organisations increasingly recognise identity as a critical part of building resilience. Okta's latest Secure Sign-In Trends Report found workforce multifactor authentication (MFA) adoption has reached 70% globally, while adoption of phishing-resistant authentication increased 63% year-on-year. 

As organisations continue to modernise their operations, maintaining visibility across people, systems, and digital identities will only become more important.

Moving from compliance to confidence

Boards and executives are accountable for resilience outcomes. The organisations best positioned for that reality are those with a clear understanding of their environment, strong governance around access, and the ability to respond quickly when risks emerge.

For leaders, the objective isn't to become cybersecurity specialists. It's to help ensure the organisation has the visibility, governance and controls needed to make informed decisions about risk. That's what operational resilience is about.

Next steps

For organisations looking to better understand how Okta supports CPS 230 and CPS 234 requirements, we have developed resources to support due diligence, audit readiness and ongoing compliance efforts through the Okta Security Trust Centre.

 
