What happened
Australia's Cyber and Infrastructure Security Centre (CISC) published the 'Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026' (Federal Register instrument F2026L00701), announced June 18, 2026. The Enhanced CIRMP Rules are legally binding rules made under the Security of Critical Infrastructure Act 2018 (SOCI Act) and require responsible entities for critical infrastructure assets across the energy, electricity, gas, liquid fuel, water, broadcasting, DNS, and freight asset classes to: (1) assess and mitigate risks from novel and emerging technology, including AI; (2) implement phishing-resistant MFA for critical systems; (3) segregate critical from non-critical systems; and (4) address legacy system, supply chain, offshoring, and insider threat risks. Compliance obligations begin in 2027, with extended grace periods.
Why it matters
This is the first legally enforceable Australian regulation to explicitly name AI as a mandatory risk assessment category for critical infrastructure operators. Because the rules are made under the SOCI Act rather than issued as guidance, they create a binding compliance obligation for every responsible entity holding a critical infrastructure asset in the covered classes. The rules set a precedent for sector-wide AI risk governance alongside traditional OT/IT controls, and they run in parallel with Australia's Horizon 2 Cyber Security Strategy, released the same week.
Action needed
Australian CI operators: immediately inventory AI deployments (including vendor-embedded and third-party AI features) and legacy systems, initiate CIRMP risk assessments for each AI use case, implement phishing-resistant MFA for critical systems, and plan for segregation of critical from non-critical systems. Note that phishing-resistant MFA means FIDO2/WebAuthn authenticators or certificate-based (PIV/smart card) authentication; SMS codes, TOTP apps, and push-approval prompts do not qualify, so existing MFA deployments on critical systems may need to be replaced rather than simply extended. Map current controls to each obligation in the Enhanced CIRMP Rules and record the gaps before the 2027 compliance deadlines. Legal/compliance teams should review Federal Register instrument F2026L00701 to confirm which asset classes and timelines apply to their entity.