On 30 April 2026, the Australian Prudential Regulation Authority (“APRA”), Australia’s prudential supervisor responsible for ensuring that the Australian financial system is stable, competitive and efficient, issued a document titled “APRA Letter to Industry on Artificial Intelligence (AI)”, addressed to all APRA-regulated entities, including banks, insurers and superannuation trustees in Australia. The communication follows APRA’s targeted supervisory engagement, conducted in late 2025 with selected large financial institutions, to assess the extent of Artificial Intelligence (“AI”) adoption and the prudential risks associated with it. The letter outlines APRA’s observations concerning governance, cyber security, operational resilience, supplier concentration and assurance practices, and sets out supervisory expectations relevant to Boards and accountable executives in relation to AI deployment and oversight.
Rising AI Adoption Across Australia’s Financial Sector
The letter notes that AI adoption is accelerating across APRA-regulated industries as entities increasingly integrate AI into functions such as software engineering, claims triage, fraud detection, customer interaction, loan processing and productivity enhancement. APRA acknowledged that “AI presents great opportunity for productivity and efficiency” and observed that failure to adopt AI “may put businesses at a strategic disadvantage.” At the same time, APRA stated that AI “has the potential to create new risks and escalate existing challenges.” The regulator observed differing levels of maturity in governance, risk management and operational resilience across entities and stated that assurance practices “are not keeping pace with the scale, speed and complexity of AI.”
APRA Observations on Board Oversight and AI Governance
APRA further observed that, while Boards demonstrated “strong interest and pursuit for AI’s potential benefits and strategic imperatives,” many Boards are “still developing the technical literacy required to provide effective challenge on AI related risks and oversight.” The regulator additionally noted “an overreliance on vendor presentations and summaries without sufficient examination of key AI risks such as unpredictable model behaviour and the impact on critical operations.”
In this regard, APRA stated that Boards are expected, at a minimum, to “maintain sufficient understanding and literacy with respect to AI in order to set strategic direction and provide effective challenge and oversight” and oversee “an AI strategy which is consistent with the entity’s risk appetite and tolerance settings.”
Cyber Security and AI-Driven Threat Landscape Identified by APRA
In relation to cyber security, APRA observed that AI adoption is “materially changing the cyber threat landscape for regulated entities,” identifying common attack pathways including “prompt injection, data leakage, insecure integrations, exploit injection and the manipulation or misuse of autonomous AI agents.”
The regulator noted that identity and access management capabilities “have not yet adjusted to nonhuman actors such as AI agents,” while AI-assisted software development is placing “strain on the effectiveness of change and release management controls.” APRA also identified gaps in “security testing programmes,” delays in remediation activities such as patching and configuration management, and increasing use of enterprise AI tools outside approved control frameworks.
The letter states that entities may consider strengthening measures relating to “privileged access management, timely patching, hardened configurations, automated vulnerability discovery, penetration testing, and controls over agentic and autonomous workflows.”
AI Lifecycle Management and Operational Governance Concerns
On governance and lifecycle management, APRA observed that some entities continue to approach AI risk as “just another technology,” which, according to the regulator, may not fully account for “distinct characteristics of predictive systems, adaptive behaviour in models, ethical considerations such as inherent bias, and privacy and data risks.”
The regulator identified weaknesses relating to “post deployment monitoring, weak model behaviour monitoring, change management, and decommissioning of AI capabilities.” APRA indicated that entities may consider governance arrangements addressing “ownership and accountability across the AI lifecycle,” maintenance of “an inventory of AI tooling and AI use cases,” and “human involvement for high-risk decisions and accountability.” The regulator also highlighted the relevance of staff training concerning “AI use, misuse, limitations and secure practices.”
Supplier Concentration and Third-Party AI Dependency Risks
The letter also addressed supplier concentration and third-party dependency considerations. APRA observed that some entities are “heavily dependent on a single provider for multiple AI use cases,” with limited evidence of “tested exit and substitution strategies for critical AI providers.”
The regulator further noted that contractual arrangements often lacked “specific provisions addressing audit rights, model updates and deviations, incident notification or changes to data handling.” APRA additionally observed that upstream AI dependencies, including foundation models and fourth-party service providers, are frequently opaque, thereby limiting an entity’s ability to independently assess “model performance, bias, resilience and security.”
In this context, APRA stated that entities may consider maintaining visibility over “the full AI supply chain” and monitoring “concentration risk,” including “plausible and systemic failure scenarios.”
APRA Highlights Gaps in AI Assurance and Internal Audit Functions
With respect to assurance and audit practices, APRA stated that existing approaches remain “fragmented” and continue to rely on “point in time and sample based assurance methods,” despite such methods being “ill suited to probabilistic models that learn, adapt and degrade over time.”
The regulator observed that few entities had implemented “continuous validation or monitoring” capable of identifying “model drift, bias, failure modes, or control breakdowns.” APRA further noted that internal audit and risk management functions may face challenges due to limited “specialist skills and tools required to engage in AI assessment or audit.”
The regulator indicated that entities may consider adopting “integrated assurance across cyber security, data governance, model performance risk, operational resilience, privacy, and conduct risks,” together with enhanced technical capability within second-line risk management and internal audit functions.
Timeline of APRA’s AI Supervisory Engagement and Regulatory Focus
The chronology of the engagement reflects APRA’s continuing supervisory focus on AI-related prudential risks. In late 2025, APRA conducted targeted engagements with major banks, insurers and superannuation trustees to evaluate AI adoption and associated risk management practices. Following these supervisory reviews, APRA issued the present industry-wide letter on 30 April 2026 to communicate its observations and expectations across the regulated sector.
APRA also noted that it is engaging with the Council of Financial Regulators (“CFR”), government agencies and regulated entities concerning “the potential for increased cyber threats from high capability AI frontier models such as Anthropic Mythos.” In addition, APRA stated that it is “currently finalising its forward plan with regards to supervision of AI risks,” including “entity prudential reviews, thematic activities and AI supplier engagement.”
From a regulatory perspective, the letter may be viewed as reinforcing APRA’s principle-based prudential framework by clarifying that existing expectations relating to governance, operational resilience, risk management and information security remain applicable in the context of AI-enabled systems and processes.
Potential Regulatory Implications for APRA-Regulated Entities
APRA concluded by stating that it “will apply its supervisory focus to entities’ AI adoption and manage the resulting risks” and observed that where entities “fail to adequately identify, manage or control AI risks in a manner proportionate to their size, scale and complexity,” APRA may consider “stronger supervisory action and, where appropriate, pursue enforcement.”
The regulator also encouraged entities to engage with APRA’s Non-Financial Risk Team regarding “unexpected or heightened AI-related risk concerns, including where existing risk management approaches may be challenged.”
(Source: https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai)