What regulators say versus what they examine

Regulatory guidance documents on AI governance tend to be principle-based and comprehensive: they cover the full landscape of AI governance considerations and create the impression that demonstrating compliance requires a correspondingly comprehensive governance programme. The reality of regulatory examination is more specific and more operational than the guidance suggests. Regulators are not reading your AI governance policy document and checking it against a framework. They are asking specific questions and looking for specific evidence.

The most consistent examination question across all major financial services regulators is some version of: walk me through how your organisation decided to deploy [specific AI system] and how you governed that deployment. The answer they are looking for is not a description of your governance framework; it is a specific account of the specific decisions made about the specific system, who made them, what they were based on, and how the system has been monitored since deployment.

APRA: model risk as the primary lens

APRA's approach to AI governance in financial institutions is primarily through the model risk management lens, applied through CPG 234 (Information Security) and the operational risk prudential standards. APRA examiners ask for the model inventory, select individual models for deep review, and examine the model development, validation, and monitoring documentation for those models. The specific examination points: Is the model within the approved model risk appetite? Was it validated by someone independent of the development team? Is performance being monitored against defined thresholds? Is there a model owner with documented accountability? What is the process for model updates and when does a material update require revalidation?

The common APRA finding is not that organisations have no model governance; it is that model governance exists for traditional statistical models but has not been extended to ML and AI systems on the same terms. The ML model used for fraud detection was built by the data science team, is monitored by the data science team, and does not have a model owner in the risk management sense. APRA's view is that the risk management requirements apply equally regardless of model complexity.