The Australian Prudential Regulation Authority (APRA) published an open letter dated 30 April 2026 to all APRA-regulated entities. The letter sets out observations and supervisory expectations for managing AI-related risk, including the use of AI agents in production. The Australian Securities and Investments Commission (ASIC) followed with an open letter dated 8 May 2026 to all Australian Financial Services licensees, credit licensees, and market participants. The ASIC letter calls for urgent action to strengthen cyber resilience against AI-enabled threats. Both letters are final supervisory communications. Both regulators announced that stronger supervisory and enforcement action will follow where boards and management fail to close identified gaps.
APRA's letter draws on its prudential standards CPS 230 on Operational Risk Management, CPS 234 on Information Security, CPS 220 on Risk Management, and CPS 510 on Governance. APRA states that those standards provide a sufficient legal basis to govern AI deployment and AI agent use, without new instruments. The letter names four control gaps: missing model inventories, weak third-party model assurance, inadequate accountability mapping under CPS 510, and gaps in incident response for AI-related events. ASIC's letter draws on the Corporations Act 2001 obligations under section 912A on efficient, honest, and fair conduct, section 912A(1)(d) on adequate resources, and section 912A(1)(h) on adequate risk management. ASIC names eight control priorities: critical asset identification, access reviews, prompt patching, reduced attack surfaces, incident response plans, third-party risk management, defensive AI use, and ongoing supervision.
The letters reach Australian banks, insurers, superannuation trustees, AFSL holders, ACL holders, market operators, clearing and settlement participants, and registered managed investment scheme operators. Boards must approve AI use policies and confirm accountability under the Financial Accountability Regime (FAR). Operators must maintain a model inventory, evidence of pre-deployment testing, and run-time monitoring records. Third-party AI vendor contracts require new diligence on training data, model lineage, and incident notification. Cyber incident response plans must cover prompt injection, model theft, and deepfake-enabled social engineering.
Neither letter is a legislative instrument and neither imposes new obligations beyond the existing prudential and corporations rules. APRA flagged that CPS 230 applies in full to non-significant financial institutions from 1 July 2026 and that AI controls will be tested at that point. The Financial Accountability Regime extends to APRA-regulated insurers and superannuation trustees from 15 March 2025 and to authorised deposit-taking institutions from 14 March 2024. ASIC has flagged further guidance on AI in financial advice. Civil penalty exposure under section 1317G of the Corporations Act applies to identified breaches.
Licentium advises Australian financial services and crypto firms on AI governance, CPS 230 readiness, and ASIC cyber resilience programmes through a partner network. Contact us to discuss AI inventory builds, board policy drafting, or third-party vendor due diligence. Work we undertake includes APRA prudential reviews, FAR accountability mapping, AI risk policy drafting, AFSL compliance audits, cyber incident response planning, and model risk management.
Source: Australian Prudential Regulation Authority, "APRA Letter to Industry on Artificial Intelligence (AI)," 30 April 2026, https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.