# 40° South — The evidence layer for Australian AI

> Guard is the evidence layer for Australian AI. Every call checked against Australian regulation, signed as tamper-evident evidence, and logged for seven years. Proof, every call.

THE EVIDENCE LAYER FOR AUSTRALIAN AI 

# Your business already runs on AI.  
When the board asks you to prove it,  
what will you show? 

Australia has assigned accountability for AI faster than anyone can prove it's being met. Guard sees every AI call it's given, checks it against the Australian rules that apply, and proves it with an independent, tamper-evident record. 

[Start with the guarantee → ](/#get-started) [See how Guard works ](/how-it-works) 

If Guard hasn't delivered in 60 days, every dollar back. 

Data stays under Australian law · Built for APRA-regulated business · Live in a day 

* The provider's logs  
They prove a connection happened. Not what was in it, or whether it was allowed.
* A screenshot  
Anyone can make one. Nobody can verify one.
* Your AI policy  
It says what should happen. It can't show what did.

There's a fourth answer. [ ](#certificate) 

THE GAP 

## Your policy says you control AI.  
Can you prove it? 

Your business has deployed AI through claims triage, support assistants, credit decisioning, document review, or features inside your own products. Ask for the compliance record of any one of those calls and today, there isn't one. 

### Nobody can see it

Staff and systems call AI providers directly. The network records that a connection happened. It can't say what crossed it, or whether it was allowed. 

### The clock is short

A material incident gives you 72 hours to notify APRA. A data breach gives you 30 days under the Privacy Act. Without records, both windows are guesswork. 

### Silence accumulates

Every week without evidence is a week you can't retroactively prove. Auditors mark what was evidenced, not what was intended. 

40° South is the evidence layer. 

A DIFFERENT WAY TO THINK ABOUT IT 

## You can't stop every incident.  
You can stop being the one who can't explain it. 

Think of it the way you think about insurance. You can't prevent every storm. What you can do is make sure that whatever happens, you can show your controls were working. That is the difference between a managed risk and a front-page problem. 

Guard is the premium you pay for that proof. 

## Evidence is permission. 

The brake on AI in a regulated business isn't the technology. It's that the risk function can't say yes defensibly, because there's nothing to review. Guard changes the answer from "no, we can't see it" to "yes, and here's the proof." More AI in production, sooner, because each use ships with its own evidence. 

[See how Guard produces the proof → ](/how-it-works) 

THE AI ASSURANCE CERTIFICATE 

## This is what the board sees. 

Every quarter, Guard produces an AI Assurance Certificate. One page. It states what your AI touched, what was checked, what was found, and that the record is intact. It arrives the way an audit opinion does, and it reads like one. 

40° South Guard 

AI Assurance Certificate

Period

1 Apr – 30 Jun 2026

Entity

Demo Financial Services Pty Ltd

AI calls evidenced

2,841,062

Checks performed

personal information ·hidden instructions ·offshore disclosure 

Findings

312 flagged · 12 blocked · record intact 

Every number on it traces back to a signed record of a real AI call. Change one character in the record and the signature breaks. 

[Verify a signed record yourself → ](/how-it-works#verify) 

WHAT GUARD DOES 

## Sees it. Checks it. Proves it. 

### Sees it.

Every AI call your business makes. The systems you build, and the platforms you buy. 

### Checks it.

Against the rules that apply in Australia. Personal information, hidden instructions, data leaving the country. 

### Proves it.

Signs every record so nobody can quietly change it. Not even us. 

[See exactly how, step by step → ](/how-it-works) 

THE PATTERN 

## You already carry this kind of cover. 

01 SOC 2 02 Penetration testing 03 Cyber insurance 04 AI assurance 

 No law says "get a SOC 2." Your enterprise customers require it anyway. 

 No statute names it. Your insurer and your auditor expect it. 

 Nobody was ever fined for not carrying it. Every serious firm does. 

 The same three forces are forming around AI right now: insurers, auditors, courts. 

SOC 2

No law says "get a SOC 2." Your enterprise customers require it anyway.

Penetration testing

No statute names it. Your insurer and your auditor expect it.

Cyber insurance

Nobody was ever fined for not carrying it. Every serious firm does.

AI assurance

The same three forces are forming around AI right now: insurers, auditors, courts.

AI assurance is where cyber security was a decade ago. Nobody mandated it by name. It became non-negotiable anyway. 

WHY NOW 

## The regulator has stopped asking nicely. 

 ASIC 

 ASIC commissioned the DFCRC to survey the ground. Its May 2026 review found the deployment of AI decision systems has outpaced the governance around it, and named accountability for automated decisions a national priority. An independent diagnosis, on the record. 

 APRA 

 On 30 April 2026, APRA published its first AI-specific expectations for boards. Its finding: AI governance isn't keeping pace with adoption. Its position: enforcement is in reserve for entities that don't manage the risk. 

 $5.8M 

 Australia's first Privacy Act civil penalty, against Australian Clinical Labs in October 2025\. Most of it for one thing: failing to take reasonable steps to protect the data. 

 December 2026 

 From 10 December 2026, automated decisions that significantly affect people must be disclosed. The record you'll need starts accumulating now, not the week before. 

WHO IT'S FOR 

## Built for regulated Australia. 

Super funds. Banks and non-bank lenders. Insurers. Health and aged care. Government. Whether nobody owns this problem yet or a whole team does, the obligation is the same, and so is the evidence that answers it. 

[ Superannuation ](/who-its-for#superannuation)[ Financial services ](/who-its-for#financial-services)[ Insurance ](/who-its-for#insurance)[ Health and aged care ](/who-its-for#health-aged-care)[ Government ](/who-its-for#government)[ Legal and professional services ](/who-its-for#legal) 

Already have an AI governance team? Guard doesn't replace them. It hands them the per-call evidence they're currently reconstructing by hand. 

[See what Guard covers in your sector → ](/who-its-for) 

SOVEREIGNTY 

## The data stays on the ground. 

Guard runs on Google Cloud in Sydney, with failover in Melbourne. Processing, storage, evidence: all of it in Australia, under Australian law. Built for Australia, on Australian infrastructure. The proof stays with you. 

[Architecture and security detail → ](/trust) 

PRICING 

## One price. Everything included. 

Most common 

 Assurance 

For most regulated mid-market businesses.

An annual premium, banded by your monthly AI call volume. Everything included.

 Board Assurance 

Enterprise scale, custom terms.

Custom commercial terms, dedicated onboarding, and support through your security review.

Sixty days on your own traffic. If Guard hasn't delivered, every dollar back. The risk is ours, not yours. 

Less than one compliance hire. About a third of one external CPS 234 engagement. 

[Talk to us for the band that fits your volume → ](/#get-started) [Full pricing detail and what's included → ](/pricing) 

Advise regulated clients on AI risk? We partner with advisers, MSPs and integrators. 

[Partner with us → ](mailto:hello@40south.au) 

COMMON QUESTIONS 

## Answers to the questions we hear most. 

Does Guard stop bad things from happening, or just record them? 

Guard is an evidentiary control. Its job is a complete, verifiable record of every AI call: what went in, what was found, what came back. You can configure it to flag, redact, or block when it detects a problem, per data type, per team. What we promise is the proof. That's the part nobody else can hand your board.

Do we have to change how we use AI? 

No. For the AI you build, your developers change one URL and one API key. For the platforms you buy, Guard ingests their compliance feeds. Nobody's workflow changes and nobody has to remember to capture the proof.

Does Guard cover Microsoft 365 Copilot, ChatGPT Enterprise, and Claude Enterprise? 

Yes, through ingest. These platforms publish compliance and audit feeds, and Guard captures them into the same signed evidence trail as your direct AI calls. An ingested record is only as complete as the platform's own export, so for the AI you build the live proxy path is stronger: Guard sees the call itself.

Who can see our data? 

By default Guard stores scan results, compliance status, and signatures, not your prompts and responses. Full content logging is optional and off by default. Everything is processed and stored in Australia.

Is our data used to train anything? 

No. Guard is not an AI model and nothing is trained on your traffic. Guard checks your calls and signs the record. That's the whole job.

Is 40 South itself IRAP assessed or SOC 2 certified? 

The infrastructure Guard runs on (Google Cloud Sydney) is IRAP PROTECTED assessed and SOC 2 Type II certified. 40 South's own independent assessments are on the roadmap, not yet complete.

What happens if we leave? 

You get a complete portable export: every record, every signature, your configuration. The signatures verify independently of Guard, so your archive stands as evidence on its own. The vault copies stay immutable for the 7-year retention period, which is the point: not even we can edit history.

GET STARTED 

## The next time the board asks,  
the answer is a certificate. 

Book a 30-minute conversation, or start with the guarantee. We'll show you exactly what Guard covers for your sector and what the first 60 days look like. 

If Guard hasn't delivered in 60 days, every dollar back. 

We'll respond within one business day. No sales pressure. 

Australian company · Your data stays under Australian law · No spam

---
Markdown version of https://40south.au/ for AI readers. Site index for LLMs: https://40south.au/llms.txt
