On 30 April 2026 APRA told every bank, insurer and super fund it regulates that AI governance is lagging adoption, and put the board's own AI literacy on the supervisory agenda. A board can delegate the build, but not the understanding.
- On 30 April 2026 APRA (the Australian Prudential Regulation Authority, which supervises the country's banks, insurers and superannuation funds) told every entity it regulates that AI adoption is racing ahead of the governance meant to control it, and signalled it will pursue enforcement where that gap stays open.
- Its sharpest finding lands in the boardroom: many directors are, in APRA's words, "still developing the technical literacy required to provide effective challenge" on AI, and lean too heavily on vendor presentations.
- "Effective challenge" is a real supervisory expectation, not a figure of speech. United States model-risk guidance has demanded it of boards since 2011; APRA now expects the same standard applied to AI.
- Under the Financial Accountability Regime, this became personal. Named accountable executives and directors can face civil penalties and lose deferred pay, so a board can delegate the build but never the understanding.
"We approved the AI programme after a slick vendor presentation, and only afterwards did it dawn on me that not one of us in the room could have challenged a single claim in that deck." A director said almost exactly that to me earlier this year, quietly, the way these admissions tend to arrive. The paper had been thorough. The vendor was credible. The board had done what boards do, which was to ask a few sensible questions and move to a resolution. The unease came later.
On 30 April 2026, APRA turned that private unease into a supervisory expectation. In a letter to every bank, insurer and superannuation trustee it regulates, the regulator said plainly that the systems and processes needed to govern AI safely are not keeping pace with how fast the technology is being deployed, and that boards are where the gap shows first. If you have signed off on an AI initiative you could not fully interrogate, this letter is, in effect, addressed to you.
What did APRA actually say about boards and AI?
It said the maturity gap is real and that the board sits at the centre of it. Drawing on a supervisory review of selected large banks, insurers and super funds conducted in late 2025, APRA found that many boards are "still developing the technical literacy required to provide effective challenge on AI related risks", and flagged "an overreliance on vendor presentations and summaries without sufficient examination of key AI risks". APRA Member Therese McCarthy Hockey put the headline bluntly: while AI adoption is continuing apace, the systems and processes required to govern its use safely are not keeping up.
This is not a regulator hostile to the technology. The same letter calls AI a genuine opportunity for better efficiency and customer service. The concern is narrower and sharper: that the people accountable for these institutions are approving things they cannot yet examine. APRA expects boards to hold enough understanding to set the AI strategy, align it to the entity's risk appetite, and monitor it against clearly defined triggers. Australia's own conduct regulator reached the same conclusion eighteen months earlier. In its October 2024 report on AI use by licensees (REP 798, which reviewed 23 financial services and credit licensees and 624 AI use cases), ASIC warned that governance was at risk of falling behind deployment, with its chair naming "the potential for a governance gap".
What does "effective challenge" actually require of a board?
It requires the capacity to push back with substance, not just to receive a briefing. "Effective challenge" is a term of art borrowed from model-risk supervision (the discipline of governing the statistical models banks use to make decisions). The benchmark United States guidance on the subject, known as SR 11-7 and in force since 2011, defines it as critical analysis by objective, informed parties who can identify a model's limitations and assumptions and press on them. The key word is informed. A challenge from a board that cannot read the risks is not a challenge; it is a nod with extra steps.
For AI, the bar is higher than for a traditional model, because the system itself behaves differently. APRA noted that entities tend to treat AI risk as "just another technology", which misses what makes it distinctive: these are probabilistic systems (they produce likely answers rather than fixed, repeatable ones) that learn, adapt and degrade over time. A board does not need to code. It does need to understand enough to ask where a model could be wrong, how anyone would know, who owns the consequence, and what happens when the answer drifts.
| What APRA expects of the board | The gap it found in practice |
|---|---|
| Enough AI literacy to set strategy and challenge risk | Boards still building the literacy to challenge effectively |
| Independent examination of key AI risks | Overreliance on vendor presentations and summaries |
| An AI strategy aligned to risk appetite, with monitoring and defined triggers | AI treated as "just another technology" |
| Clear accountability for high-risk, AI-influenced decisions | Ownership of AI outcomes left unassigned |
Build the board's ability to challenge, before the supervisor tests it
The fastest way to close the literacy gap APRA named is a focused session that gives directors the questions, the risk map and the language to interrogate AI properly. That is the work we do with boards and executive teams.
Book your Strategy SessionWhy has this suddenly become personal for directors?
Because accountability in Australian financial services now has names attached to it. The Financial Accountability Regime (FAR), jointly administered by APRA and ASIC, took effect for banking on 15 March 2024 and for insurance and superannuation on 15 March 2025. It requires entities to map senior responsibilities to specific accountable people, who must meet personal obligations, can have a slice of their pay deferred against good conduct, and can face civil penalties or disqualification when things go wrong on their watch.
Read APRA's AI letter through that lens and it changes character. An AI system that approves credit, prices a policy or flags a claim is making decisions that already sit inside someone's accountability statement. "The vendor assured us" is not a defence a named accountable person can comfortably rest on. This is the quiet force of the letter: it connects a probabilistic system nobody fully examined to a human being who is personally answerable for it.
A board can delegate the building of an AI system. Under the accountability regime, it cannot delegate the understanding of one.
What should a board do with this letter?
Treat it as a dated expectation, because that is what it is. The practical moves are concrete and within reach of any board this quarter.
- Run an AI literacy session that is built for challenge, not comfort. The aim is a board that can ask where a model fails and how the entity would detect it, not a board that can recite vendor benefits.
- Ask for the inventory. Request a single list of where AI is already in use across the organisation and what each use case actually decides. Most boards have never seen one.
- Name the owner of every high-risk AI decision. Tie each material AI use case to an accountable person, in the language of your FAR accountability map.
- Set the triggers. Agree the handful of signals (model drift, customer harm, complaint spikes) that bring an AI matter back to the board, and the threshold at which they fire.
- Make independent challenge a standing item. Invite a voice into the room that does not sell you the system, so the examination is genuinely objective.
APRA has told the industry it expects a step-change, and that it will supervise and, where needed, enforce against the gap. A board cannot outsource its understanding to the company selling it the system. Under the regime now in force, it owns that understanding by name, and the time to build it is before the supervisor comes asking how the last decision was made.
This letter reaches well past the boardroom. I have written two companion pieces on the rest of it: one on how your existing risk framework already covers AI, and one on what APRA expects when your AI runs through a single vendor.
Frequently asked questions
Does APRA's AI letter apply to my organisation?
What does APRA mean by a board providing "effective challenge" on AI?
How does the Financial Accountability Regime change a director's exposure on AI?
- APRA, Letter to industry on AI and accompanying media release, 30 April 2026
- APRA, Financial Accountability Regime (banking 2024; insurance and superannuation 2025)
- US Federal Reserve and OCC, SR 11-7 Supervisory Guidance on Model Risk Management, 2011
- ASIC, REP 798 Beware the gap: Governance arrangements in the face of AI innovation, 2024

About the author
British technology futurist, AI keynote speaker and advisor. Thirty years across enterprise technology and AI strategy, helping leaders navigate the future of work. The futurist who died.