The Australian Prudential Regulation Authority (APRA), the prudential regulator overseeing banks, insurers and superannuation trustees, has urged the financial sector to significantly raise its standards for managing the risks posed by artificial intelligence.
The warning follows a targeted supervisory review conducted by APRA late last year, examining how AI was being deployed and governed across its regulated industries. The regulator found that governance, risk management, assurance and operational resilience practices are all failing to keep pace with the scale, speed and complexity with which AI is being adopted across the sector.
Among the review’s most significant findings was that concentration risk has become a pressing concern, with some entities leaning heavily on a single provider for multiple AI use cases and showing gaps in contingency planning. The review also flagged that AI functionality is frequently embedded within broader software platforms or developer tooling, making it harder for entities to assess where and how models are trained, updated or constrained. Separately, the regulator noted that frontier AI models are expected to increase both the likelihood and severity of cyber attacks by making it easier for malicious actors to identify vulnerabilities.
The review found that AI adoption is accelerating across all APRA-regulated industries, with entities moving beyond experimentation into operationally embedded and customer-facing deployments. However, governance has not kept pace. Boards were found to show strong enthusiasm for AI’s potential, but many lack the technical literacy necessary to effectively challenge management on AI-related risks. Information security practices were also found to be struggling to match the pace of change, with AI risks spanning multiple domains — including operational resilience, cyber security, privacy and procurement — while existing assurance frameworks remain fragmented.
APRA is Australia’s prudential regulator, responsible for supervising institutions across the banking, insurance and superannuation industries to promote financial system stability.
Although the regulator indicated it is not proposing new requirements at this stage, it made clear it expects entities to make meaningful progress in closing the gap between the capabilities of the technology they deploy and their ability to monitor and control it. APRA added it will continue engaging with government agencies, regulated entities and peer regulators both domestically and internationally as it assesses the implications of these technological developments.
APRA member Therese McCarthy Hockey said regulated entities needed to constantly adjust cyber practices to lift resilience and protect assets in a fast-moving threat environment.
“The AI revolution presents tremendous opportunities for banks, insurers and superannuation trustees to deliver improved efficiency and enhanced customer services. We are already beginning to see these benefits materialise. But we cannot be blind to the risks of such powerful technology – whether in our own hands or the hands of those with malign intent.
“What we’ve observed from our supervisory engagement is that while AI adoption is continuing apace, the systems and processes required to safely govern its use aren’t keeping up. Likewise, the speed at which entities can identify and patch vulnerabilities needs to operate much faster, commensurate with the AI-accelerated threat.
“The findings outlined in today’s letter emphasise our expectations for how entities should be managing these risks in alignment with our prudential standards in areas such as information security, operational risk management, governance and data risk.
“While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it.
“In the meantime, APRA will continue engaging with government agencies, entities and peer regulators, domestically and overseas, to assess the implications of these technological advancements to ensure the ongoing safety and resilience of the financial system.”
Copyright © 2026 FinTech Global









