[widget id="surstudio-translator-revolution-3"]
    Home > Legal insights > All > Information Technology and Procurement > AI governance in focus: APRA signals key risk areas

AI governance in focus: APRA signals key risk areas

19 May 2026
Dudley Kneller, Partner, Melbourne Raisa Blanco, Special Counsel, Melbourne

APRA’s 30 April 2026 Letter to Industry on Artificial Intelligence (Letter) is a clear signal that the era of informal AI governance is drawing to a close.

The Letter followed a targeted review of large banks, insurers and superannuation trustees, with APRA identifying that the pace of AI deployment is consistently outstripping the maturity of regulated entities’ risk management frameworks.  It comes as a timely reminder for boards, senior executives and compliance professionals, highlighting that their roles include building literacy and organisational capacity to address the risks posed by AI tools both prior to implementation and throughout operation.

Although addressed to APRA-regulated entities, the letter carries learnings that extend to other highly regulated and risk-sensitive sectors, such as the healthcare, energy, telecommunications, and infrastructure sectors. In this article, we step through what you need to know to ensure you stay on the front foot with AI deployment and are prepared to implement robust risk management practices.

Key Takeaways

There are four critical themes in the Letter: IT security, AI governance, supplier risk and operational resilience, and assurance and risk management.  Together, they offer a practical and actionable roadmap for organisations seeking to ensure robust AI governance, and to stay ahead of intensifying regulatory scrutiny.

APRA’s observations

APRA’s review found a consistent pattern of fragmentation across the industry in respect of the deployment and management of AI.  Rather than deploying AI through coordinated, enterprise-level programmes, regulated entities have often adopted AI tools on an ad-hoc basis, without adequate visibility over risks, or the centralised governance structures needed to manage them.  The results are concerning, reflecting:

  1. Information security practices that struggle to keep pace with these new technologies;

APRA notes that AI tools pose additional pathways for cyber attacks, including prompt injection and data leakage – in particular, where autonomous agents are implemented with limited oversight.

To manage this, APRA expects entities to manage these unique information security vulnerabilities and threats by assessing the implications of AI for operational resilience and business continuity, implementing robust security controls, rolling out a security testing program across AI-generated code (to address latent vulnerabilities), and implementing ongoing reviews of risks posed by third parties.

  1. Immature governance procedures;

APRA observed a particular trend towards customer-facing applications, extending use cases beyond internal ‘experimentation’ and ‘productivity’ use cases.  This creates particular risks due to the bias that can be inherent in these tools (especially when poorly configured), risks from automated decisions without humans in the loop (particularly for high-risk activities), and privacy concerns.

Existing frameworks can help manage these risks, but they must be updated to clearly address ownership and accountability for AI use.  At a minimum, APRA also expects entities to have an inventory of AI tools and use cases, and training for staff specifically on AI use, misuse, limitations, and secure practices. A human in the loop will also be critical in risk scenarios.

  1. Supplier concentration and opacity; and

APRA identified that entities are often reliant on single providers for multiple AI use cases, with few implementing contingency planning, exit strategies or responsive contractual arrangements.  AI capabilities in software, platforms and developer tools, create further upstream risks, particularly where the performance of AI models (and their impacts on those systems or development processes) cannot be easily ascertained.

Robust supplier management practices are required, extending beyond traditional contractual controls regarding data security.  In particular, APRA expects entities to consider broader AI governance matters regarding transparency, auditability and assurance, including to understand the impact and performance of AI models, and the ability to overcome supplier concentration through contingency and exit planning.

  1. Change management measures that are not responsive to the dynamism of emerging AI tools.

APRA found AI risks cut across operational, cyber, information security, data governance, and change management domains, just to name a few.  In this sense, they pose unique challenges not seen across other software categories, meaning that fragmented governance may be insufficient.  Additionally, risk assessments based on tools at a point in time may not be appropriate to manage the rapid development of these tools, and their underlying models.

Entities will therefore need to consider expanding specialist skills and tools to support AI assessments and audits, including leveraging globally recognised control frameworks, comprehensive assessments and continuous monitoring to ensure they remain responsive to these developing technologies.

Foreshadowed Regulatory Developments

The Letter stops short of introducing new prudential standards.  However, APRA appears to signal that it is evaluating whether further guidance or direct regulatory intervention is warranted given these emerging risks.  In particular, APRA notes it is currently finalising its ‘forward plan’ regarding supervision of AI risks, indicating it would seek a “proportional approach to entity prudential reviews, thematic activities and AI supplier engagement.”  This would be coupled with ongoing monitoring to assess prudential risks.

Exactly what this plan would involve remains to be seen.  However, the trajectory is clear – regulated entities need to appropriately manage the risks posed by AI tools, both at a business level in terms of daily operations, and at a board level in terms of oversight of an AI strategy.

Further, although targeted at regulated entities, APRA’s commentary is industry-agnostic.  Highly regulated and risk-sensitive sectors such as healthcare, energy, telecommunications, and infrastructure, should pay attention to these warnings, taking steps to enhance their own risk management processes and responsibly implement AI.

To help translate these themes into practical actions, the infographic below highlights key steps organisations can take to strengthen their AI governance and risk management frameworks in line with APRA’s expectations which you can view here.

Our Gadens team regularly advises on a range of AI governance matters across the development and implementation lifecycle.  Please do not hesitate to reach out if you have any queries, or would like any further information on how to help prepare your business.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:

Dudley Kneller, Partner
Raisa Blanco, Special Counsel
Chris Giardi, Associate
Precious Guma, Graduate

 

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch

In NSW, QLD, SA, VIC and WA: Liability limited by a scheme approved under Professional Standards Legislation.
Gadens acknowledges the Traditional Custodians of the land on which we work, and pay our respects to Elders past and present.

© Gadens 2026

  • workers compensation
  • risk management
  • joint venture
MENU