When sections 182 and 183 were drafted, "information" meant client files, deal memos, and boardroom discussions. In 2026, it also means:
Sections 182 and 183 prohibit directors, officers, and employees from improperly using their position or information for personal gain — or to cause detriment to the corporation. In 2026, as AI systems create new ways to access, leverage, and misuse proprietary data at scale, these provisions have taken on new operational urgency for every AFSL holder.
A director, secretary, other officer, or employee must not improperly use their position to gain an advantage for themselves or someone else, or to cause detriment to the corporation. Involvement in a breach also contravenes the section. Both are civil penalty provisions.
A person who obtains information because of their role as director, officer, or employee must not improperly use it to gain an advantage or cause detriment. Critically, this obligation survives the end of employment — it follows the individual. Those involved in a breach are equally liable.
When sections 182 and 183 were drafted, "information" meant client files, deal memos, and boardroom discussions. In 2026, it also means:
Proprietary AI model weights and training data built or curated by the firm
Client behavioural data used to train or fine-tune automated advice engines
Algorithmic outputs and scoring logic that represent significant competitive and commercial value
System architecture and prompt engineering that underpin a firm's ADM capabilities
Data access logs and system credentials that enable access to sensitive client information at scale
The practical exposure has changed in both scale and speed. A departing employee who takes a copy of a client database engages s183 in exactly the same way as one who takes a firm's AI training dataset or proprietary prompt library — but the latter may represent far greater commercial harm and be far harder to detect after the fact.
An employee with access to AI systems, client data pipelines, or proprietary model logic leaves to join a competitor or establish their own practice. If they take system credentials, model outputs, client datasets, or even detailed knowledge of how your AI is configured, s183 is directly engaged — regardless of what their employment contract says or doesn't say.
A director or senior manager uses their position to influence how an automated system routes opportunities, recommendations, or client referrals in a way that benefits themselves, a related party, or an associated business. This is a s182 exposure — and it is harder to detect when the decision-making layer is obscured by automation.
An employee uses their position to access client data — legitimately, in the course of their role — and then uses that data to train a personal AI tool, develop a competing service, or enhance their own capabilities outside the firm. No explicit "taking" of files occurs. But s183 is still engaged: the information was obtained because of their role, and its use for personal advantage is improper regardless of the mechanism.
Unlike many employment-related duties, s183 explicitly survives the end of employment. A former employee who uses client information or proprietary system knowledge obtained during their tenure — even months or years later — remains liable under the Act. The obligation has no sunset clause.
Sections 182 and 183 do not operate in isolation. They sit alongside — and reinforce — other obligations that AFSL holders are managing in 2026:
| Obligation | Connection to s182 / s183 |
|---|---|
|
s912A(1)(a) — Efficient, Honest & Fair View provision ↗ |
An AI system configured by an officer to advantage the firm over the client is simultaneously a s912A breach and a s182 breach. |
|
s912A(1)(d) — Adequate Resources View provision ↗ |
You must have the systems and processes to detect misuse of position or information by those with AI access. |
|
Directors' Duties (s180–s181) View provision ↗ |
A director who fails to implement controls over AI access and data use may breach their duty of care as well as s182. |
|
CPS 230 — Operational Risk View resource ↗ |
Data misuse by an insider is an operational risk event; your CPS 230 framework should address it explicitly. |
| Privacy Act 1988 | Misuse of client information obtained through an AI system also engages Privacy Act obligations — the exposure is rarely contained to a single framework. |
The Act does not define "improper use" exhaustively — this is deliberate. Courts and regulators assess it contextually, looking at whether the use was contrary to the interests of the corporation, inconsistent with the person's role, or undertaken with knowledge that it was unauthorised or beyond their remit.
In the AI context, this creates a practical challenge: if your firm does not have clear policies about who can access AI systems, what they can do with AI outputs, and what firm or client data can be used in AI tools, it becomes very difficult to establish that a particular use was "improper." Unclear governance creates ambiguity — and ambiguity favours the individual, not the firm.
Sections 182 and 183 were written for a pre-AI world, but they apply directly to every employee who has access to your AI systems, client data pipelines, or model infrastructure. The question your firm needs to answer is not "do we have employment contracts?" — it's "do we have the governance and audit capability to detect and evidence a breach if one occurs?" If the answer is no, you have a live exposure that your employment law advisors alone cannot close.
— Lead Strategist, Liberate Consulting
The s182/183 risk in an AI-enabled firm is a governance and systems problem, not just a legal one. Liberate Consulting works with AFSL holders to:
Identify what constitutes proprietary information in your AI systems and ensure it is formally documented as such — a prerequisite for evidencing any future breach.
Assess whether your current HR and IT protocols are adequate to detect and prevent improper use — including in the critical window before a departure is formalised.
Develop governance policies that address the specific scenarios where s182 and s183 exposure arises, including shadow training, post-employment obligations, and ADM configuration controls.
Ensure these provisions are treated as live operational risks — not just legal background — with clear owners, monitoring triggers, and escalation paths.
Liberate Consulting can undertake a Gap Analysis that maps your current AI access controls, data governance, and offboarding practices against the specific risk scenarios these provisions create.