In late 2025, APRA conducted market research on a targeted group of large banks, insurers and superannuation trustees (the Market) to better understand the current adoption of Artificial Intelligence (AI) and the associated risks for those regulated entities.
Some of APRA's key findings include (but are not limited to)
1. That while AI has been adopted by the Market, there are varying levels of maturity across key areas such as governance, risk and operations.
2. That the scale, complexity and speed of the AI being used has overtaken the Market's assurance practices.
3. That while governance processes, in particular Boards, were seeing efficiencies in the use of AI, overall Board AI literacy still required development.
4. The Market reported an overreliance on vendor presentations and summaries, without appropriate interrogation of the use of AI in that process.
5. Increased reliance on one AI service provider with insufficient contingency planning or substitution strategies and/or increased reliance on upstream third and fourth party service providers.
6. Use of AI tools outside of the approved controls, creating increased exposures.
7. A focus on managing the risk 'after the fact' as opposed to proactive and targeted action with a focus on preventative measures.
APRA's minimum standards and watch areas include (but are not limited to)
While APRA reported that some key efficiencies were being achieved, APRA also noted that there were some minimum standards which needed to be maintained, including:
1. Boards maintaining sufficient AI literacy.
2. Ensuring that AI processes have appropriate oversight and monitoring, in line with the individual risk appetite and tolerance levels of the regulated entity.
3. Regulated entities establishing governance arrangements that include frameworks and policies, accountability and ownership, human involvement in high-risk decisions and ongoing training and development for staff using AI.
4. In line with the CPS requirements, APRA again reiterated the ongoing importance of entities having robust Business Continuity Plans to promote operational resilience.
APRA also issued a general warning to entities about the risk of increased cyber threats, from increasingly sophisticated models, including the use of non-human actors.
APRA not ruling out further policy action
APRA has made it clear that their focus will remain on supervising regulated entities to ensure that where they have adopted the use of AI, they have implemented appropriate controls to identify and manage AI risks, in a manner proportionate to their size, scale and complexity. APRA again reinforced that a failure to satisfy this may result in criticism and, in some instances, enforcement action.
APRA is currently reviewing their position and has not ruled out implementing further policy action.
How can MM Legal+ assist
At MM Legal+, we are constantly reviewing APRA policy action and establishing products which assist entities in efficiently implementing changes to ensure ongoing compliance. We also develop detailed process maps that translate each policy obligation into clear operational workflows with defined ownership, timeframes and checkpoints. Our approach is focused on being proactive, not reactive.
Please refer to our process mapping guide, which can assist your organisation in drafting, implementing and embedding governance processes into the business.

