The Australian Prudential Regulation Authority (APRA) has urged a lasting shift in how banks, insurers, and superannuation trustees manage AI-related risks as the technology continues to evolve.
The financial regulator made the call in a letter to industry, published on 30 April 2026. It warned that “governance, risk management, assurance and operational resilience practices are not keeping pace with the scale, speed, and complexity of AI adoption.”
The letter highlights the findings of a review APRA undertook last year examining how AI is being deployed and governed. The review found that AI has created new financial and operational vulnerabilities for entities, while information security practices are not keeping up with the changes AI is driving.
It also warns that frontier AI models, such as Anthropic’s Claude Mythos, which could help malicious actors identify vulnerabilities, are expected to further increase the likelihood, speed, and scale of cyberattacks.
APRA also listed the following observations from the study:
- AI use is accelerating across all APRA-regulated industries, with entities moving from experimentation towards more operationally embedded and customer-facing applications. However, governance arrangements have not matured at the same pace.
- Boards have a strong interest in AI’s potential benefits, but many lack the technical literacy required to effectively challenge management on AI-related risks and oversight.
- Heightened concentration risk was noted, with some entities heavily dependent on a single provider for multiple AI use cases, alongside gaps in contingency planning.
- AI functionality is often embedded within broader software platforms or developer tooling, reducing transparency over where and how models are trained, updated, or constrained, and limiting entities’ ability to fully assess and manage risks.
- AI risks can cut across multiple domains, including operational resilience, cyber and information security, privacy, and procurement. Existing change management and assurance approaches are often fragmented and may not provide sufficient assurance for AI.
APRA Member Therese McCarthy Hockey said entities should regularly adjust cyber practices to strengthen resilience and protect their assets.
She said, “While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it.”