AI That Works for Heavy Industry logo
← Back to the map

Mandatory Tools & Artefacts · SOCI Act stream

Critical Infrastructure Risk Management Program

Updated 15 Oct 2025

The CIRMP is the central artefact under SOCI for high-risk asset classes. Adoption of AI in OT counts as a material change and must be integrated across the four hazard vectors with board-level sign-off.

Key obligations

  • Document AI use in OT and treat it as a material risk in the CIRMP.
  • Address cyber & information security (including model integrity), personnel, supply chain, and physical/natural hazards.
  • Adopt an approved cyber framework (e.g. ISM, Essential Eight ML2, NIST CSF, ISO 27001, AESCSF, IEC 62443).
  • Test, review and update the CIRMP at least annually.
  • Submit the annual board-approved report to the CISC.

Key dates

  • 17 Aug 2024Full compliance with CIRMP Rules required.
  • AnnualBoard-approved report due each financial year.

Who is affected

  • Responsible entities for the high-risk SOCI asset classes captured by the CIRMP Rules.
  • Operational technology vendors and integrators — expect contractual flow-down.

Source documents

Information is general in nature and not legal advice. Always confirm with the source documents and your own legal counsel.