What happened
The Australian Signals Directorate published the June 2026 edition of its Information Security Manual (261 pages), adding new and revised controls with explicit AI security content. New controls include: ISM-2121 requiring that software developers without sufficient cybersecurity knowledge are not used on projects; a control recommending AI models be used to augment vulnerability assessments and penetration tests; a recommendation for threat intelligence services with AI models for event detection; and three new OPSEC controls (including ISM-2107) restricting personnel from posting work-related skills, duties, and security clearances on unauthorised platforms. All Australian government agencies and organisations processing government data must follow the ISM.
Why it matters
The ASD ISM is the mandatory baseline for all Australian government agencies and a de facto standard for government contractors. The June 2026 update is the first to embed AI-specific development vetting and AI-augmented security testing as normative controls, signalling that AI tooling in security operations is now a compliance expectation rather than an option in Australia.
Action needed
Australian government agencies: review the ISM June 2026 changes document; ensure developer vetting processes satisfy ISM-2121; and update penetration testing and vulnerability assessment procedures to reflect the AI-augmentation controls.