This article is currently available in English only.
What APRA Actually Expects on AI Governance: A Practical Guide for Australian Financial Institutions
APRA has not published a dedicated AI regulation, but its expectations are clear through CPG 234, CPS 230, and examination findings. Here is what APRA examiners look for — and what institutions consistently get wrong.
Key Takeaways
APRA applies model risk management expectations through CPG 234 and CPS 230 — there is no separate AI prudential standard, but APRA examiners are explicitly asking about AI and ML in technology risk examinations.
The most common APRA finding on AI in 2025-2026: model governance that exists for traditional statistical models but has not been extended to ML/AI systems on the same terms.
APRA expects a named model owner for every model used in regulated decisions — including ML models — with documented accountability for performance, validation, and change management.
CPS 230 operational resilience requirements now apply to AI systems that are material to critical operations — institutions need to assess AI system criticality and ensure recovery capabilities.
APRA has flagged third-party AI as a specific concern — institutions using cloud-based AI services from major technology vendors need vendor due diligence that addresses AI-specific risks, not just standard technology outsourcing requirements.
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For guidance on a specific situation, consult a qualified professional."
APRA's April 2026 letter — AI governance is a current obligation, not an emerging expectation
On 30 April 2026, the Australian Prudential Regulation Authority (APRA) released a landmark industry-wide letter that fundamentally changed the regulatory conversation about AI in Australian financial services. APRA's findings were direct: current AI governance, risk management, assurance, and operational resilience practices across the sector are not sufficient. APRA named four specific gaps that every regulated entity now needs to address.
The most important reframing in APRA's letter is this: CPS 230 (Operational Risk Management) and CPS 234 (Information Security) apply to AI. They have always applied. APRA was not announcing new rules — it was telling the sector that existing prudential standards are operative for AI and that current practice falls short of compliance. For board directors, this is the critical takeaway: AI governance is not a future commitment, it is a current obligation that regulators expect to be operating now.
The four AI governance gaps APRA named
Gap 1: AI inventory and lifecycle management. APRA found that AI systems are being deployed without proper inventory, lifecycle ownership is unclear, post-deployment monitoring is weak, model behaviour monitoring is weaker, and decommissioning processes are largely absent. Governance documentation exists at policy level but very little at operational level. This is fundamentally a CPS 234 information security issue — you cannot secure or monitor what you have not catalogued.
Gap 2: Identity and access management for non-human actors. APRA explicitly observed that identity and access management has not yet adapted to non-human actors like AI agents. This is a major finding for the era of agentic AI. Traditional IAM frameworks were built for human users accessing systems through known interfaces. Autonomous AI agents that act with their own credentials, escalate privileges, and chain actions across systems do not fit those frameworks. APRA found gaps in the scope and coverage of security testing for AI implementations.
Gap 3: Supplier risk management. "Supplier risk management is in place, but supplier concentration and opacity present challenges." Most AI capability is delivered through third-party vendors (OpenAI, Anthropic, Google, Microsoft, smaller specialists). This creates concentration risk that traditional supplier risk management was not designed to address. CPS 230's material service provider regime applies to material AI vendors — and APRA expects entities to manage that risk substantively, not nominally.
Gap 4: Change management and assurance for dynamic AI. Traditional change management and assurance are in place but are not sufficient for dynamic AI. Conventional change management was built for static software releases with defined version control. AI models that learn, adapt, and degrade over time require continuous monitoring and assurance, not point-in-time testing. A penetration test from six months ago tells you what the attack surface looked like that day — it tells you nothing about model drift, emerging bias, or control breakdowns that develop in use.
The board-level minimum expectation — live from 30 April 2026
APRA stated explicitly in its 30 April 2026 letter that, at a minimum, boards must: have enough AI literacy to set strategic direction and provide meaningful challenge and oversight; and oversee an AI strategy aligned with the entity's risk appetite, with monitoring of third-party dependencies and pre-defined triggers for intervention.
The practical implications are immediate. Board members of APRA-regulated entities cannot defer AI literacy as something to develop over time. The expectation is live. Boards must be able to demonstrate they have received structured AI risk briefings, that they understand the entity's AI footprint and risks, and that they have set explicit AI risk appetite. The "black box" defence — "we use the vendor's AI, we don't know exactly how it works" — is not consistent with CPS 230's requirements for operational risk management.
CPS 230 — what changed and what remains
On 30 April 2026, APRA also released final targeted amendments to CPS 230 and CPG 230, with the amended standard coming into effect on 1 July 2026. The amendments introduce limited exemptions from specific contractual requirements for material arrangements with certain categories of non-traditional service providers (NTSPs) — central banks, clearing and settlement facilities, government agencies, regulators, financial market exchanges, payment system operators, and financial messaging infrastructures — where contractual compliance is not practicable.
Crucially for AI vendors: the exemption is narrow. AI vendors are not in the exempt categories. The full CPS 230 contractual requirements apply to material AI vendor arrangements. Norton Rose Fulbright's analysis confirms that regulated businesses need to ensure their contracts with AI vendors are updated to be CPS 230-compliant by the next renewal and at the latest by 1 July 2026. The full operational risk framework — risk identification, due diligence, business continuity, monitoring — continues to apply to all material arrangements including those with exempt providers.
What APRA-regulated entities should have in place
Drawing together CPS 230, CPS 234, the 30 April 2026 letter, and APRA's supervisory direction, a defensible AI governance framework includes:
AI inventory. Every AI system in use is catalogued: purpose, vendor, data processed, decisions made or supported, materiality assessment under CPS 230, accountability owner, and lifecycle status. The inventory is updated when systems are added, materially changed, or retired.
Material service provider assessment under CPS 230 for material AI vendors. Due diligence documented, contracts updated with CPS 230-compliant provisions (audit rights, incident notification, sub-processor restrictions, business continuity), monitoring in place, exit/transition planning documented.
AI-specific adversarial testing. Conventional penetration testing is insufficient. AI systems require testing for prompt injection, jailbreak chaining, data exfiltration scenarios, and assessment of agentic workflows. This testing must be ongoing, not point-in-time.
Explainability documentation for customer-impacting AI. AI used in credit decisions, financial advice, insurance underwriting, or claims requires explainability documentation sufficient for both internal review and regulatory examination. ASIC has been clear that an AI system producing systematically biased financial advice creates conduct risk for the AFS licensee — not just for the vendor.
Continuous monitoring for model drift and emerging bias. AI systems' behaviour changes over time. Monitoring must detect drift in inputs, outputs, and outcomes against expected performance. Triggers must escalate anomalies for human review.
Board accountability and oversight. AI risk is named in the accountability map. Boards receive structured briefings on AI risk. AI strategy is approved by the board and consistent with risk appetite. Reporting cadence is defined.
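The "continuous monitoring for model drift" item above, and Gap 4's point that point-in-time testing cannot see drift, both come down to comparing a live window of inputs, outputs and outcomes against a baseline and escalating when the shift crosses a pre-defined trigger. The following is an added illustration of one such monitor (Population Stability Index per series, with ok/watch/escalate bands); it is not APRA's, ISO's or any vendor's code, and the series names, PSI thresholds and sample windows are constructed for the example.

```python
# Drift monitor with escalation triggers: an added illustration of the continuous-monitoring item
# above, not APRA's, ISO's or any vendor's code; series names, PSI bands and data are constructed.
import bisect, math

SEVERITY = ["ok", "watch", "escalate"]
# Rule-of-thumb Population Stability Index bands: <0.10 stable, 0.10-0.25 watch, >=0.25 material.
THRESHOLDS = {"watch": 0.10, "escalate": 0.25}

def psi(baseline, current, bins=10, eps=1e-4):
    """PSI of `current` against `baseline` on the baseline's quantile bins; eps floors empty bins."""
    ordered = sorted(baseline)
    edges = [ordered[i * len(ordered) // bins] for i in range(1, bins)]
    counts_b, counts_c = [0] * bins, [0] * bins
    for v in baseline:
        counts_b[bisect.bisect_right(edges, v)] += 1
    for v in current:
        counts_c[bisect.bisect_right(edges, v)] += 1
    total = 0.0
    for b, c in zip(counts_b, counts_c):
        pb, pc = max(b / len(baseline), eps), max(c / len(current), eps)
        total += (pc - pb) * math.log(pc / pb)
    return total

def classify(value):
    """Map a PSI value to its escalation band."""
    if value >= THRESHOLDS["escalate"]:
        return "escalate"
    return "watch" if value >= THRESHOLDS["watch"] else "ok"

def drift_report(baseline, current):
    """Score each series (inputs, outputs, outcomes) in both windows; 'overall' is the worst band."""
    report = {}
    for name, ref in baseline.items():
        if name in current:
            value = psi(ref, current[name])
            report[name] = {"psi": round(value, 4), "status": classify(value)}
    report["overall"] = max((r["status"] for r in report.values()), key=SEVERITY.index, default="ok")
    return report

# Constructed sample windows: a scaled input feature, the model's score, and a binary outcome.
BASELINE = {
    "input:income_scaled": [i / 100 for i in range(100)],
    "output:score": [i / 100 for i in range(100)],
    "outcome:approved": [1 if i < 60 else 0 for i in range(100)],
}
DRIFTED = {
    "input:income_scaled": [i / 100 for i in range(100)],          # unchanged
    "output:score": [(i + 50) / 100 for i in range(100)],          # scores pushed upward
    "outcome:approved": [1 if i < 30 else 0 for i in range(100)],  # approval rate halved
}
```

Run `drift_report(BASELINE, DRIFTED)` on each monitoring cycle; an "escalate" in `overall` is the trigger that routes the window to human review, while the per-series entries show whether the shift is in inputs, model outputs or decision outcomes.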
ISO 42001 as the implementation vehicle
For APRA-regulated entities, ISO/IEC 42001:2023 (the international AI Management System standard) maps directly to CPS 234 and CPS 230 obligations. Implementing an AIMS aligned with ISO 42001 provides the structured governance framework that APRA expects to see in supervisory reviews. The same evidence base satisfies multiple framework requirements simultaneously. For entities that have invested in ISO 27001 information security management, ISO 42001 follows the same Plan-Do-Check-Act methodology and integrates with existing governance documentation. APRA has not mandated ISO 42001, but the standard is increasingly the practical answer to the question "how do we demonstrate structured AI governance to regulators?"