The Australian Prudential Regulation Authority has published a letter to all regulated entities setting out findings from a late 2025 supervisory review of AI use at selected large banks, insurers and superannuation trustees, warning that governance, risk management, assurance and operational resilience are not keeping pace with the scale, speed and complexity of adoption. AI use is moving beyond experimentation into operationally embedded and customer-facing applications, and APRA expects entities to close control gaps under existing prudential standards rather than through new requirements at this stage. The review found boards are interested in AI’s strategic benefits but often lack the technical literacy to challenge management effectively, with overreliance on vendor material and weak oversight across the AI lifecycle. Information security controls were also found to be lagging, including identity and access management for nonhuman actors, security testing, patching and change controls, while frontier AI models such as Anthropic Mythos could increase the probability, speed and scale of cyber attacks. Other weaknesses included fragmented assurance, limited continuous monitoring of model drift and failures, heavy dependence on single AI providers, opaque upstream model and data dependencies, and weak contingency, exit and substitution planning. APRA expects boards and executives to align AI strategy with risk appetite, maintain inventories and accountability for AI use cases, retain human involvement in high-risk decisions, strengthen cyber hygiene and testing, and improve supplier transparency, concentration risk management and integrated assurance. APRA is finalising a forward supervisory plan covering proportionate prudential reviews, thematic work and engagement with AI suppliers, and will continue monitoring whether further policy action is needed. 
APRA said that where entities do not identify, manage or control AI risks in a manner proportionate to their size, scale and complexity, it will escalate supervisory action and, where appropriate, pursue enforcement.