§38 · Lane 7 — Australian Regulatory Primary Instruments
APRA Letter to Industry on AI: APRA's prudential expectations for AI governance
APRA (2026) · APRA Letter (30 Apr 2026)
Bibliographic data
- Title: APRA Letter to Industry on Artificial Intelligence (30 April 2026)
- Authors / Issuing body: Australian Prudential Regulation Authority (APRA)
- Venue / Publisher: Australian Prudential Regulation Authority
- Year: 2026
- Designation: Guidance
- Licence: Stable URL — refer to publisher for full licence terms.
How to cite
APRA (2026). APRA Letter to Industry on Artificial Intelligence (30 April 2026). Australian Prudential Regulation Authority. https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai.
This is APRA's first AI-specific Letter to Industry. It reports findings from a late-2025 targeted supervisory review across all APRA-regulated industries: AI adoption is accelerating across financial services, but governance, risk management, assurance and operational resilience practices are not keeping pace. It calls for a "step-change" in how regulated entities manage AI-related risks under existing CPS 230, CPS 234 and related prudential standards, and explicitly does not propose additional binding requirements at this stage. It is the prudential-side counterpart to ASIC REP 798, which documented the equivalent governance gap in AFS and credit licensees.
Why it matters for NETEVO
APRA's first AI-specific Letter to Industry reports findings from a late-2025 targeted supervisory review across authorised deposit-taking institutions, insurers and superannuation trustees: AI adoption is accelerating across financial services, but governance, risk management, assurance and operational resilience practices are not keeping pace. The Letter calls for a "step-change" under existing prudential standards rather than a new AI-specific regime.
Dual-regulator convergence. The APRA Letter is the prudential-side counterpart to ASIC REP 798. ASIC documented the AI governance gap in AFS and credit licensees; APRA has now documented the same gap in prudentially regulated entities. Australia's two financial-sector regulators (ASIC on conduct and disclosure, APRA on prudential resilience) have reached the same conclusion from independent supervisory reviews: governance, controls and assurance are not keeping pace with adoption.
CPS 230 and CPS 234 as the operational form. The Letter explicitly maps the AI gap against the existing CPS 230 and CPS 234 architecture rather than proposing a parallel AI prudential standard. AI governance for prudentially regulated entities will therefore be delivered through the existing operational-risk and information-security regimes; the supervisory expectations attach to prudential standards that are already in force.
Concentration risk and embedded-AI opacity named. Among its findings, the Letter names single-provider dependence with gaps in contingency planning, and the loss of transparency when AI is embedded in broader software platforms or developer tooling. Both are failure modes the Implicit Authority Cascade describes, now named at the prudential-supervision level.
Where NETEVO applies this
- AI Governance in ANZ Whitepaper — central financial-services regulator citation
- Listed Leaders ICP — APRA's stated expectation on AI governance