04/29/2026 | Press release | Distributed by Public on 04/29/2026 17:05
The Australian Prudential Regulation Authority (APRA) has called for a step-change in how banks, insurers and superannuation trustees manage AI-related risks as the technology continues to rapidly evolve.
In a letter to industry published today, APRA warned that governance, risk management, assurance and operational resilience practices are not keeping pace with the scale, speed, and complexity of AI adoption.
The letter outlines the findings of a targeted supervisory review that APRA undertook late last year across all its regulated industries, examining how AI was being deployed and governed. The review noted that the expanded use of advanced AI is introducing a range of new financial and operational vulnerabilities for entities, but that information security practices are struggling to keep up with the pace of change.
It also warns that frontier AI models such as Anthropic's Claude Mythos, which could enhance the discovery of vulnerabilities by bad actors, are expected to further increase the probability, speed and scale of cyber attacks.
Other key observations include:
APRA Member Therese McCarthy Hockey said regulated entities needed to constantly adjust cyber practices to lift resilience and protect assets in a fast-moving threat environment.
"The AI revolution presents tremendous opportunities for banks, insurers and superannuation trustees to deliver improved efficiency and enhanced customer services. We are already beginning to see these benefits materialise. But we cannot be blind to the risks of such powerful technology - whether in our own hands or the hands of those with malign intent.
"What we've observed from our supervisory engagement is that while AI adoption is continuing apace, the systems and processes required to safely govern its use aren't keeping up. Likewise, the speed at which entities can identify and patch vulnerabilities needs to operate much faster, commensurate with the AI-accelerated threat.
"The findings outlined in today's letter emphasise our expectations for how entities should be managing these risks in alignment with our prudential standards in areas such as information security, operational risk management, governance and data risk.
"While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it.
"In the meantime, APRA will continue engaging with government agencies, entities and peer regulators, domestically and overseas, to assess the implications of these technological advancements to ensure the ongoing safety and resilience of the financial system."
Today's letter to industry is available on the APRA website at: APRA Letter to Industry on Artificial Intelligence (AI).