AIRiskAware

Australia 11 min read 2026

What APRA Actually Expects on AI Governance: A Practical Guide for Australian Financial Institutions

APRA has not published a dedicated AI regulation, but its expectations are clear through CPG 234, CPS 230, and examination findings. Here is what APRA examiners look for — and what institutions consistently get wrong.

Key Takeaways

  • APRA applies model risk management expectations through CPG 234 and CPS 230 — there is no separate AI prudential standard, but APRA examiners are explicitly asking about AI and ML in technology risk examinations.

  • The most common APRA finding on AI in 2025-2026: model governance that exists for traditional statistical models but has not been extended to ML/AI systems on the same terms.

  • APRA expects a named model owner for every model used in regulated decisions — including ML models — with documented accountability for performance, validation, and change management.

  • CPS 230 operational resilience requirements now apply to AI systems that are material to critical operations — institutions need to assess AI system criticality and ensure recovery capabilities.

  • APRA has flagged third-party AI as a specific concern — institutions using cloud-based AI services from major technology vendors need vendor due diligence that addresses AI-specific risks, not just standard technology outsourcing requirements.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for advice on your specific situation."

APRA's AI governance framework: the existing standards applied to AI

APRA has taken a consistent approach to AI governance: apply existing prudential standards to AI rather than create AI-specific standards. This means CPG 234 (Information Security), CPS 230 (Operational Resilience), and the model risk management expectations embedded in various prudential standards apply to AI systems. APRA's position is that AI does not require special treatment — it requires the same rigorous governance that high-risk technology and high-impact models have always required under existing frameworks.

The practical implication is that institutions cannot wait for an APRA AI standard before implementing AI governance. The obligations exist now. What has changed is APRA's examination focus: technology risk examinations in 2025-2026 explicitly include questions about AI and ML systems that were not in examination programmes two years ago.

The model governance gap APRA consistently finds

The most consistent APRA finding on AI across examination themes and supervisory discussions is the extension gap: institutions have mature model governance for traditional statistical models (credit scorecards, economic capital models, ALM models) but have not extended that governance to ML and AI systems on equivalent terms. The ML model developed by the data science team for fraud detection, the NLP model used for customer service triage, the pricing algorithm used for deposit products — these may not be in the model inventory, may not have been independently validated, may not have a named model owner in the risk management sense, and may not be within an approved model risk appetite.

APRA's view is straightforward: if a model is used in a regulated decision or operation, it is subject to model risk management requirements regardless of its technical complexity. A gradient boosted ensemble is still a model. An LLM used in a customer-facing decision is still a model. The validation methodology may need to adapt to the model type, but the governance requirement does not go away because the model is complex.