What APRA-Regulated Boards Need to Have Documented on AI Governance in 2026
On 30 April 2026, APRA wrote to all regulated entities on artificial intelligence. The letter was not a discussion paper; it was a findings letter. APRA had already reviewed AI governance practices across large banks, insurers, and superannuation trustees, identified material failures, and issued a clear signal: governance that is not keeping pace with AI adoption will attract supervisory action and, where warranted, enforcement. For directors of APRA-regulated entities, this is now a board-level governance obligation, not a management technology decision.
What APRA Found
APRA's targeted review identified four specific governance failures:
Boards lack sufficient AI literacy to provide effective oversight
Many boards accepted vendor briefings and management narratives about AI's benefits without the capability to independently assess the risks. APRA found this created conditions where material issues, including model unpredictability and impacts on critical operations, were not understood at board level.
AI risk is being treated as "just another technology"
Most entities had not distinguished AI from other technology risks in their risk frameworks. This understates AI's distinct characteristics: adaptive and non-deterministic behaviour, probabilistic outputs, bias risk, and heightened data and privacy exposure.
Risk management and assurance practices have not kept pace with adoption
Traditional point-in-time, sample-based assurance methods are poorly suited to AI systems that learn, adapt, and degrade over time. APRA found entities were deploying AI faster than their assurance frameworks could assess it.
Third-party and supply chain AI risk is inadequately managed
AI capabilities embedded in vendor platforms create complex, often opaque supply chains. Contractual arrangements frequently do not address audit rights, model changes, or data handling.
The Regulatory Framework That Already Applies
APRA has not introduced new AI-specific prudential standards. It has confirmed that existing standards already apply to AI:
CPS 230, Operational Risk Management
Effective from 1 July 2025, CPS 230 requires entities to manage operational risks end-to-end and ensure robust governance over material service providers. The 1 July 2026 deadline for bringing pre-existing supplier arrangements into compliance is now imminent, and AI vendor contracts are not exempt.
CPS 234, Information Security
AI systems introduce new attack pathways: prompt injection, data leakage, insecure integrations, and misuse of autonomous agents. Controls must be updated to address AI-specific vulnerabilities.
CPG 235, Data Risk
The data governance obligations under CPG 235 apply to data feeding AI systems and the outputs they produce.
CPS 510, Board Accountability
APRA's letter makes explicit that a board that cannot demonstrate adequate AI oversight is not discharging its CPS 510 obligations.
What Boards Must Have Documented
APRA's supervisory scrutiny will focus on whether boards can produce evidence of governance, not just assert that it exists. The minimum documentation a board should be able to produce:
- An AI strategy reviewed and endorsed by the board, consistent with approved risk appetite and tolerance settings
- Board reporting on AI risk that demonstrates active challenge, not just commercially optimistic management updates
- A defined AI risk appetite within the enterprise risk framework, specific to AI's distinct characteristics
- An AI governance framework covering the full AI lifecycle with clear accountability across the three lines of defence
- Documented assurance over material AI suppliers including concentration risk, contractual protections, and model behaviour visibility
- Triggers and escalation criteria for when AI is not operating as expected, aligned to CPS 230 resilience objectives
The Enforcement Warning
"Where entities fail to adequately identify, manage or control AI risks in a manner proportionate to their size, scale and complexity, we will take stronger supervisory action and, where appropriate, pursue enforcement."
Therese McCarthy Hockey, APRA Member
For directors, APRA's framing matters. Supervisory scrutiny will assess whether the board itself discharged its oversight obligations, not just whether management had policies in place. The absence of board-level documentation, reporting, and evidence of challenge is itself a governance failure in APRA's framework.
Is Your Board's AI Governance Documentable?
The Andrew Roberts Advisory AI Governance Board Review assesses your board's position against APRA's April 2026 expectations, CPS 230, CPS 234, and CPS 510, and produces a documented findings report your board can rely on as evidence of oversight. Designed specifically for APRA-regulated entities.