ISM June 2026 Changes: The New AI Controls Explained

The ISM June 2026 changes add four controls aimed squarely at artificial intelligence, the first time the manual treats AI applications as their own attack surface. If your system holds OFFICIAL: Sensitive data or above and runs an AI feature, an IRAP assessor will now test against them. The control set moved. Your evidence has to move with it.

What changed in the ISM in June 2026?

The headline is AI. The Australian Signals Directorate added four new controls that name artificial intelligence directly, broadened a cryptography control to cover all data encrypted in transit, widened the software development guidance to include AI built code, and added a control on using cyber threat intelligence to detect incidents. None of it is cosmetic.

This release sits on top of a bigger structural shift from earlier in the year. In March 2026 ASD restructured the cyber security principles into six functions (govern, identify, protect, detect, respond and recover), aligning the ISM with the international NIST Cyber Security Framework. The Information Security Manual changes through the year, usually each quarter. June is one release of several, and the next one will move again.

What are the new AI controls?

Four new controls. They treat an AI application as something that can reach out to the open internet, take actions on its own, and drift from how it behaved last week. Each one closes a path an attacker or a misconfigured model could use.

Control | What it asks for
ISM-2112 | AI applications that process classified data have their ability to directly access external public data sources disabled
ISM-2113 | AI applications are configured to flag organisationally defined risky actions for human approval before they run
ISM-2114 | Baselines of expected behaviour and performance for AI applications are established and monitored for unexpected deviations
ISM-2116 | Suitable AI models are used to augment the detection of cyber security events and the identification of cyber security incidents

Read them together and the intent is clear. Keep a model that handles classified data off the open internet, put a human between the model and anything consequential, watch for the model behaving in a way it should not, and turn AI back on the defenders as a detection aid. The first three constrain the AI you deploy. The last one is permission to use AI in your own security operations.
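As an added illustration (not code from ASD or the ISM), here is one way an application could place a gate in front of a model's tool calls to enforce the first two constraints. The tool names, the risky-action list and the internal host allowlist are hypothetical, organisation-defined values.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical, organisation-defined values (assumptions, not from the ISM).
INTERNAL_HOSTS = {"kb.internal.example", "search.internal.example"}
RISKY_ACTIONS = {"send_email", "delete_record", "change_permissions"}


@dataclass(frozen=True)
class ToolCall:
    tool: str   # name of the tool the model wants to invoke
    args: dict  # arguments the model supplied


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow", "deny" or "needs_approval"
    reason: str


def is_external(url: str) -> bool:
    """Anything not on the internal allowlist counts as external (fail closed)."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return True
    return host not in INTERNAL_HOSTS


def evaluate(call: ToolCall, handles_classified: bool,
             approved_by: Optional[str] = None) -> Decision:
    """Decide whether a model-requested tool call may run."""
    # Egress check in the spirit of ISM-2112: a model handling classified
    # data gets no direct path to external public data sources.
    url = call.args.get("url")
    if handles_classified and url is not None and is_external(str(url)):
        return Decision("deny", "external data source blocked for classified workload")
    # Approval check in the spirit of ISM-2113: risky actions wait for a
    # named human approver before they run.
    if call.tool in RISKY_ACTIONS:
        if not approved_by:
            return Decision("needs_approval", f"{call.tool} requires human approval")
        return Decision("allow", f"{call.tool} approved by {approved_by}")
    return Decision("allow", "routine action")
```

An application-layer gate like this complements network egress controls rather than replacing them, and every decision it returns is worth logging as assessment evidence.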

Do the new AI controls apply to your assessment?

It depends on your classification and whether your system actually uses AI. Every ISM control carries an applicability marking (non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET or TOP SECRET), so the assessor selects and tailors the controls to the system in front of them. The control set is the same at OFFICIAL: Sensitive and PROTECTED; what changes higher up are the physical, personnel and network obligations.

If your system has no AI component, these controls are marked not applicable in your control matrix, with a justification, and the assessment moves on. Where teams come unstuck is the AI feature nobody scoped as AI. A support copilot, a document summariser, a model bolted onto a PROTECTED workload after the boundary was agreed. ISM-2112 names classified data systems directly, so an assessor will ask where the model can reach. If the honest answer is the open internet, that is a finding.

What else changed: cryptography, software development and threat intelligence?

Three changes that are easy to miss behind the AI headline. An existing cryptography control, the use of an ASD Approved Cryptographic Protocol or a high assurance cryptographic protocol over network infrastructure, was amended to capture all scenarios where data is encrypted in transit, not only traffic crossing network infrastructure. That is a wider net than it reads.

The introduction to the software development fundamentals section was rewritten to state plainly that it applies to human, AI assisted, AI powered and AI driven software development. If a coding assistant writes part of your product, the secure development guidance still binds it. ASD also added a control recommending cyber threat intelligence services support the detection of events and the identification of incidents, the defensive sibling of ISM-2116.

Does an ISM update reset your IRAP clock?

No. A new ISM version does not retroactively invalidate a current authorisation. An IRAP assessment is point in time, measured against the version of the ISM used on the day. The report you hold was assessed against the ISM as it stood then, and the authorising officer accepted that risk.

What the update changes is your next assessment. Under PSPF requirement 0109 a cloud service must have been IRAP assessed within the previous 24 months against the latest ISM at the time of assessment, so a reassessment from today is measured against the June 2026 manual, AI controls included. Material change forces a reassessment sooner, and here is the part teams underrate: adding an AI capability to an already assessed system is a material change. A copilot dropped into an authorised system is a change to the boundary, not a footnote.

Frequently asked questions

Which ISM controls cover AI?

The June 2026 release added ISM-2112, ISM-2113, ISM-2114 and ISM-2116. They cover disabling direct external data access for AI that processes classified data, human approval for risky AI actions, behavioural baselining of AI applications, and using AI to augment threat detection.

Do the AI controls apply if my system does not use AI?

No. If there is no AI component in scope, the assessor marks the AI controls not applicable in the control matrix, with a justification. They apply once an AI feature sits inside the assessment boundary.

Does a new ISM version invalidate my existing IRAP report?

No. The assessment is point in time against the ISM version used on the day, so a current authorisation stands. Your next assessment is measured against the latest ISM, and PSPF requirement 0109 expects reassessment within 24 months.

Where can I read the June 2026 changes?

ASD publishes a changes document alongside each ISM release on cyber.gov.au, listing every control added, amended or removed. The June 2026 changes document records the new AI controls and the cryptography amendment.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ISM June 2026 changes, ASD, June 2026
  2. Information Security Manual, ASD, June 2026
  3. The cyber security principles, ASD, March 2026
  4. Cloud assessment and authorisation, ASD, 2026
  5. Protective Security Policy Framework (Table 21, requirement 0109), 2024 release

Last updated: 21 June, 2026