The Australian Prudential Regulation Authority (APRA), the financial regulator overseeing banks, insurers and superannuation trustees, has urged the sector to significantly strengthen how it governs and manages risks tied to artificial intelligence.
The regulator published a letter to industry warning that governance frameworks, risk management practices, assurance processes and operational resilience measures are falling behind the pace at which AI is being adopted across its regulated industries. The letter follows a targeted supervisory review APRA conducted late last year, spanning all regulated sectors, to examine how AI was being deployed and overseen.
Among the key findings, APRA highlighted accelerating AI adoption across all regulated industries, with entities moving beyond experimentation into operationally embedded and customer-facing applications. Despite this, governance arrangements have not developed at the same rate. Boards were found to have a strong appetite for AI’s potential but often lack the technical knowledge needed to effectively challenge management on AI-related risks.
The review also identified heightened concentration risk, with some entities heavily reliant on a single provider for multiple AI use cases, alongside gaps in contingency planning. Additionally, AI functionality embedded within broader software platforms was found to be reducing transparency over how models are trained, updated or constrained, limiting entities’ capacity to fully assess associated risks. APRA further noted that AI risks span multiple domains — including operational resilience, cyber and information security, privacy and procurement — and that existing assurance approaches are often too fragmented to address them adequately.
The regulator also cautioned that frontier AI models, such as Anthropic’s Claude Mythos, could assist malicious actors in identifying vulnerabilities and are expected to raise the probability, speed and scale of cyber attacks.
APRA is the Australian body responsible for prudential supervision of the banking, insurance and superannuation sectors, setting and enforcing standards designed to ensure the financial safety and resilience of regulated entities.
While the regulator stated it is not proposing to introduce new requirements at this stage, it said it expects to see meaningful progress in how entities are closing the gap between the capabilities of the AI they deploy and their ability to monitor and control it. APRA added it will continue engaging with government agencies, regulated entities and peer regulators both domestically and internationally to assess the implications of technological developments for the financial system.
APRA member Therese McCarthy Hockey said regulated entities needed to constantly adjust cyber practices to lift resilience and protect assets in a fast-moving threat environment.
“The AI revolution presents tremendous opportunities for banks, insurers and superannuation trustees to deliver improved efficiency and enhanced customer services. We are already beginning to see these benefits materialise. But we cannot be blind to the risks of such powerful technology – whether in our own hands or the hands of those with malign intent.
“What we’ve observed from our supervisory engagement is that while AI adoption is continuing apace, the systems and processes required to safely govern its use aren’t keeping up. Likewise, the speed at which entities can identify and patch vulnerabilities needs to operate much faster, commensurate with the AI-accelerated threat.
“The findings outlined in today’s letter emphasise our expectations for how entities should be managing these risks in alignment with our prudential standards in areas such as information security, operational risk management, governance and data risk.
“While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it.
“In the meantime, APRA will continue engaging with government agencies, entities and peer regulators, domestically and overseas, to assess the implications of these technological advancements to ensure the ongoing safety and resilience of the financial system.”
Copyright © 2026 RegTech Analyst





