What happened on 30 April 2026
On 30 April 2026, the Australian Prudential Regulation Authority issued a formal letter to all regulated entities, every Australian bank (ADI), general and life insurer, private health insurer, and superannuation trustee, setting out its observations and expectations on artificial intelligence.
This was not a discussion paper. It was not a consultation. As one legal analysis described it, it was a statement of observed failure and a formal declaration of supervisory intent.
The letter, signed by APRA Member Therese McCarthy Hockey, followed a targeted deep-dive engagement conducted in late 2025 with a sample of the largest banks, insurers, and superannuation trustees. While the direct observations came from large entities, APRA was explicit that all regulated entities, including smaller and earlier-stage AI adopters, are expected to apply the same lessons proportionately.
The letter was accompanied by a detailed observations attachment addressed specifically to CROs, CTOs, and CISOs.
Why this letter is different
APRA has long maintained that AI risk is covered by existing prudential standards, CPS 220 (risk management), CPS 230 (operational risk), and CPS 234 (information security). That position remains unchanged. The existing framework applies to AI.
What changed with the April 2026 letter is specificity. As Clayton Utz's analysis put it, this letter "goes materially beyond what CPS 220, CPS 230 or CPS 234 say in their own terms." For the first time, APRA published structured, AI-specific expectations, observation area by observation area.
The MinterEllison team described it as marking a transition: "from principle-based guidance to active supervision of AI risk." The published expectations are now testable. Each of the four observation areas sets out, in plain language, what APRA expects, which means each expectation is a direct supervisory yardstick.
The letter also signals what comes next. APRA is "currently finalising its forward plan for AI-related supervisory activities" including proportionate prudential reviews, thematic activities, AI supplier engagement, and potential further policy action.
The four areas of observed failure
APRA identified four areas where current practice is not keeping pace with AI adoption:
1. Information security practices are not keeping pace with AI threats
APRA observed new attack pathways specific to AI: prompt injection, data leakage, insecure integrations, and the manipulation of autonomous AI agents. Security testing coverage is inconsistent; entities are not applying the same testing rigour to AI implementations that they apply to traditional technology.
The expectation: entities must extend their information security frameworks, including penetration testing, vulnerability management, and incident response, explicitly to AI systems and agents.
2. Governance maturity is lagging adoption
This is the finding with the most direct board implications. APRA found, across the entities it reviewed, that AI is being actively adopted, but governance, risk management, and assurance are not keeping pace with the scale, speed, and complexity of that adoption.
Specifically, APRA observed:
- Many boards are still developing the technical literacy required to provide effective challenge on AI-related risks and oversight. This is direct, specific, and board-addressable.
- An overreliance on vendor presentations and summaries without sufficient examination of key AI risks such as unpredictable model behaviour and the impact on critical operations.
APRA expects entities to establish consistent governance arrangements that include, at a minimum:
- Frameworks, policies, standards, guidance, and reporting lines to promote safe, responsible, and sustainable AI adoption
- Ownership and accountability across the AI lifecycle, from design and development through deployment, monitoring, and decommissioning
- An inventory of AI tooling and AI use cases
- Adequate resourcing, skills, and training for those managing AI systems
- Clear integration with existing risk management frameworks
The inventory requirement is significant. It has appeared in ISO 42001 and the Australian Voluntary AI Safety Standard for some time. APRA has now made it an explicit minimum expectation.
3. Supplier risk management has not adapted to AI opacity
Regulated entities are sourcing AI capabilities from a small number of large technology providers, creating concentration risk. The letter notes that supply chain opacity (the difficulty of understanding what data is being used to train third-party models, how outputs are generated, and what the failure modes are) creates risks that traditional vendor due diligence processes are not designed to assess.
The expectation: supplier risk management must extend specifically to AI vendor relationships, including sub-suppliers and foundation model providers. Material service provider frameworks under CPS 230 must be applied with AI-specific rigour.
4. Traditional assurance is not sufficient for dynamic AI
AI systems change over time in ways that static assurance approaches were not designed to detect. Model drift, changes in output quality or behaviour as real-world data distributions shift, can occur without any code change. APRA observed that traditional change management and assurance processes are not capturing this dynamic behaviour.
The expectation: assurance frameworks must be adapted to include ongoing monitoring of AI system behaviour, not just point-in-time review at deployment.
The AI agent finding that boards need to act on now
Perhaps the most forward-looking observation in the letter concerns AI agents specifically. APRA noted that identity and access management capabilities have not yet adjusted to nonhuman actors such as AI agents.
This is a precise description of a widespread gap. When AI agents are deployed in enterprise environments, they operate with credentials, access rights, and system permissions, but the identity and access governance processes designed for human employees have not been extended to cover them.
What this means in practice:
- AI agents may have broader access to systems and data than their specific tasks require
- There is often no named human owner accountable for each agent's access scope
- Access reviews do not include AI agent credentials
- Agents connect to multiple systems, databases, APIs, communication tools, document repositories, without the same governance applied to human access
The least-privilege principle, giving any actor, human or nonhuman, only the access required for their specific task, is fundamental to information security. It is routinely absent from AI agent deployments.
For boards and executives, this creates a concrete question: for every AI agent operating in your organisation, can you answer what it has access to, whether that access is appropriate, and who is accountable for it?
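As an added illustration of the agent access-scope question just posed and of the inventory minimum in section 2 (this is not code from APRA or from the cited firms; the inventory fields, the 90-day review cadence and the sample agents are assumptions), a small check that flags agents with no named owner, privileges beyond their documented task, or a stale access review:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

REVIEW_MAX_AGE_DAYS = 90  # assumed review cadence; set to your own policy


@dataclass(frozen=True)
class Agent:
    name: str
    owner: str | None          # named accountable human, or None if nobody
    granted: frozenset[str]    # permissions the agent's credential actually holds
    required: frozenset[str]   # permissions the documented task needs
    last_review: date | None   # last time a human reviewed this access scope


def review_agent(agent: Agent, today: date) -> list[str]:
    """Return findings for one agent; an empty list means it passes."""
    findings = []
    if not agent.owner:
        findings.append("no named human owner")
    excess = agent.granted - agent.required  # least-privilege gap
    if excess:
        findings.append("excess privilege: " + ", ".join(sorted(excess)))
    if agent.last_review is None:
        findings.append("never included in an access review")
    elif (today - agent.last_review).days > REVIEW_MAX_AGE_DAYS:
        findings.append("access review overdue")
    return findings


def review_inventory(agents: list[Agent], today: date) -> dict[str, list[str]]:
    """Map agent name -> findings, keeping only agents that have findings."""
    return {a.name: f for a in agents if (f := review_agent(a, today))}


# Constructed sample inventory (hypothetical agents, systems and owners).
SAMPLE_INVENTORY = [
    Agent("claims-triage-agent", "Head of Claims",
          frozenset({"claims_db:read", "claims_db:write", "email:send"}),
          frozenset({"claims_db:read", "claims_db:write"}), date(2026, 4, 1)),
    Agent("kb-summariser", None,
          frozenset({"wiki:read", "wiki:write", "crm:read"}),
          frozenset({"wiki:read"}), None),
    Agent("ops-chatbot", "Service Desk Lead",
          frozenset({"ticketing:read"}), frozenset({"ticketing:read"}),
          date(2026, 3, 15)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, date(2026, 5, 15)).items():
        print(name, "->", "; ".join(findings))
```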
What APRA will actually look for
Based on the letter and the accompanying observations document, regulated entities should expect supervisory attention on:
At the board level:
- Evidence that the board has discussed AI risk as a distinct agenda item, not just as part of general technology risk
- Board reporting that goes beyond vendor summaries, including direct engagement with AI risk metrics, incident data, and governance gaps
- A documented process for the board to exercise effective challenge on AI-related decisions
At the executive level:
- A completed inventory of AI tools and use cases, with named owners
- Clear accountability mapping: who is responsible for each AI system, at each stage of its lifecycle
- Supplier due diligence documentation that addresses AI-specific risks (not just standard IT vendor assessments)
- Evidence of AI-adapted assurance: monitoring of deployed system behaviour, not just pre-deployment testing
At the operational level:
- Penetration testing and security assessment coverage explicitly extended to AI implementations
- Incident response procedures that address AI-specific failure modes (hallucination, model drift, agent misbehaviour)
- Change management processes that capture the ongoing nature of AI system change
The enforcement context
The April 2026 letter is explicitly not the end of APRA's engagement with AI governance; it is the beginning of a structured supervisory program.
APRA has stated that it will "take stronger supervisory action and, where appropriate, pursue enforcement" where entities fall short of the expectations in the letter. The combination of published expectations, a structured supervisory program, and explicit enforcement intent means that the letter has direct accountability implications.
It is worth noting that the expectations in the letter sit within existing standards: entities that have CPS 230 operational risk obligations, CPS 234 information security obligations, and board accountability obligations under CPS 510 are already required to address the risks APRA has identified. The letter does not create new legal obligations. What it does is narrow the room for regulated entities to argue that their existing AI governance approach is adequate.
What boards and executives should do now
Immediate (within 30 days):
- Table the APRA letter at the next board meeting as a stand-alone agenda item, not as part of a technology update. The board needs to discuss it directly.
- Commission an AI inventory. If your organisation cannot produce a complete list of AI tools and use cases currently in operation, with named owners, that gap needs to be closed. This is explicitly the minimum APRA expects.
- Review your board AI reporting. Are board papers on AI based on vendor summaries, or do they reflect independent risk assessment? APRA has specifically named over-reliance on vendor presentations as a failure.
- Extend your IAM review to AI agents. For every AI agent or automated AI process operating in your environment, document what systems and data it has access to, whether that access is appropriate, and who is accountable for it.
Short term (within 90 days):
- Assess your supplier risk management against AI-specific criteria. Standard vendor due diligence questions are not designed to assess AI model opacity, training data provenance, or the behaviour of AI-powered services under unusual conditions.
- Test your assurance framework against APRA's dynamic AI observation. Traditional point-in-time assurance does not detect model drift or behavioural change in deployed AI systems. Map the gaps and address them.
- Engage with your CRO and CISO on AI-specific threat modelling. The letter specifically mentions prompt injection, data leakage, and agent manipulation. These are technical risks that require technical assessment, and board understanding.
A note on scale and proportionality
APRA's letter addressed to "all regulated entities" includes institutions of very different scales. A tier-1 bank with dedicated AI risk teams and a regional credit union implementing its first AI-powered product face different implementation challenges.
APRA acknowledged this: smaller and earlier-stage adopters are expected to apply the lessons in proportion to their size, scale, and complexity. That does not mean the obligations do not apply; it means the form they take should be proportionate.
For smaller regulated entities, the starting point is the same as for large ones: a complete inventory of what AI you are using, who owns it, and what it has access to. The minimum is the minimum regardless of size.
Primary source: APRA Letter to Industry on Artificial Intelligence (AI), 30 April 2026. Legal analysis: Clayton Utz, MinterEllison, Gadens. This article is general information and does not constitute legal or compliance advice.