An Australian regulator says “governance, risk management, assurance and operational resilience practices” are falling behind in the A.I. revolution.
Securities operations teams are moving fast to keep up with the progress that systems and services are making thanks to artificial intelligence (A.I.)-based technologies.

Grygo is the chief content officer for FTF & FTF News.
At the same time, those working in “governance, risk management, assurance and operational resilience practices” are falling behind “the scale, speed, and complexity of A.I. adoption,” say officials at the Australian Prudential Regulation Authority (APRA), which is a regulator overseeing the financial services industry in Australia.
In fact, APRA, in a letter, is calling for “a step-change in how banks, insurers and superannuation trustees manage A.I.-related risks as the technology continues to rapidly evolve,” officials say.
“To understand and assess the current state of A.I. adoption and associated prudential risks, APRA conducted a targeted engagement on a group of selected large banks, insurers, and superannuation trustees in late 2025,” according to APRA. “The purpose of this letter is to outline these observations and APRA’s expectations in managing AI-related risk. Lessons drawn from APRA’s observations of these larger entities will assist other entities who may be earlier in their AI adoption journey.”
But these lessons learned will need governing boards that are up to speed.
“APRA observed many boards are still developing the technical literacy required to provide effective challenge on A.I. related risks and oversight. APRA also noted an overreliance on vendor presentations and summaries without sufficient examination of key A.I. risks such as unpredictable model behavior and the impact on critical operations,” according to the letter.
APRA officials say that at a minimum, boards should:
- “Maintain sufficient understanding and literacy with respect to A.I. in order to set strategic direction and provide effective challenge and oversight;”
- “Oversee an AI strategy which is consistent with the entity’s risk appetite and tolerance settings, supported by effective monitoring and reporting (including for third-party dependencies), with clearly defined triggers aligned to resilience objectives to enable timely action when not operating as expected.”
APRA officials also want firms to manage information security vulnerabilities and threats by actively:
- “Assessing the implications of AI reliance for operational resilience and business continuity. Where AI supports critical operations, credible fallback processes are required;”
- “Security controls and capabilities that effectively address AI‑specific threats and attack paths. This would include strong privileged access management, timely patching, hardened configurations, automated vulnerability discovery, penetration testing, and controls over agentic and autonomous workflows;”
- “Robust security testing across A.I.‑generated code, software components, and libraries;” and
- “Ongoing consideration of third-party and concentration implications in relation to common platforms, services, and providers.”
APRA officials also focused on supplier risks, and they are recommending that firms:
- Map and maintain visibility over the full A.I. supply chain, including material, third‑party, and fourth‑party dependencies;
- Have contractual and governance arrangements that provide sufficient transparency, auditability, and assurance over AI services;
- Have the ability to understand model behavior, material changes, performance issues, outcomes, and risk management practices across the service lifecycle; and
- Engage in the active management of concentration risk, including “plausible and systemic failure scenarios, the credibility and feasibility of substitution, portability or exit arrangements for critical AI providers.”

“The A.I. revolution presents tremendous opportunities for banks, insurers, and superannuation trustees to deliver improved efficiency and enhanced customer services. We are already beginning to see these benefits materialize. But we cannot be blind to the risks of such powerful technology — whether in our own hands or the hands of those with malign intent,” says Therese McCarthy Hockey, an APRA executive board member, in a prepared statement.
APRA oversees “banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry,” officials note.
The letter in full can be found here: https://shorturl.at/6DWjX