AI Governance for Financial Services in 2026: Inside APRA and ASIC’s New Expectations

Two letters. Just over a week apart. Both landing in the inboxes of every regulated entity in Australian financial services.

On 30 April, APRA wrote to banks, insurers and superannuation trustees. On 8 May, ASIC followed with its own letter on cyber resilience. Different regulators, different focuses, but the headline is the same. AI is now a material part of how financial services runs. The governance needs to match.

That’s a good problem to have. Eighteen months ago the question was whether AI would deliver enough to justify the investment. Now the question is how to scale it responsibly. The regulators have helpfully written down what that looks like in practice, with explicit expectations for boards, accountable executives and the wider control environment.

For most organisations, the gap between current practice and what’s now expected is closeable. The platform tooling exists, the frameworks are there, and the work is mostly about connecting governance to capability that’s already in your tenant. The organisations that move first will be in a stronger position with their boards, their customers, and the AI investments they’ve already made.

Here’s what both letters say, where they overlap, and what to do about it this quarter.

Key Takeaways

  • APRA’s 30 April letter is its first published AI-specific set of expectations. It’s a clear signal that AI is now material to the sector and worth governing properly.
  • ASIC’s 8 May letter on cyber resilience lands just over a week later, with twelve practical action points for boards and executives. Both letters must be tabled at board and risk committees.
  • Together they set out what good AI governance now looks like in Australian financial services. That’s a useful reference point for anyone building or scaling AI on the Microsoft stack.
  • Boards are expected to develop genuine AI literacy. Vendor briefings are no longer enough on their own, but the bar set is workable with the right reporting and partner support.
  • The four observation areas APRA covers (information security, AI governance, supplier risk and assurance) are a strong frame for a gap assessment. They work as well for organisations early in their AI journey as for the largest banks.
  • For organisations on Microsoft, much of the capability the regulators are now expecting (agent identity, lifecycle governance, model observability, AI-aware security) already sits in your tenant.
  • Supplier concentration and assurance for probabilistic models are the two areas where most organisations have the furthest to travel. Worth a closer look this quarter.
  • Active supervisory engagement is coming over the next twelve months. The organisations that move early will be in a stronger position with their boards, their customers, and the AI investments they’ve already made.


Two Letters, One Bigger Picture

Read separately, the two letters tell distinct stories. Read together, they describe a co-ordinated shift in how Australian regulators are approaching AI in financial services.

APRA’s letter focuses on prudential AI governance. The four observation areas, which we’ll get into below, cover information security, AI lifecycle governance, supplier risk and assurance. It’s a board and executive document, with explicit expectations for each accountable role.

ASIC’s letter is narrower in scope but direct in its framing. It focuses on cyber resilience and frontier AI threats, building on the recent court outcome against FIIG Securities, which established that cyber risk management must be demonstrably effective and proportionate. Commissioner Simone Constant described the moment as ‘a minute to midnight’ on cyber fundamentals.

Both letters share three things. They specifically name frontier models (Anthropic Mythos gets called out in both) as a step-change in the threat environment. They both demand board-level accountability and technical literacy. And both require formal tabling at board and risk committees.

That last point matters. These aren’t background guidance documents. Boards must engage with them on the record.


APRA’s Four Observation Areas

APRA conducted a deep-dive supervisory review of major banks, insurers and super trustees in late 2025. The findings, published in the 30 April letter, fall into four areas. Each comes with a set of explicit expectations.

1. Information security isn’t keeping pace with AI-driven threats

APRA observed that AI is materially changing the cyber threat landscape. New attack pathways include prompt injection, data leakage through AI tools, insecure integrations, and manipulation of autonomous agents. At the same time, AI is compressing attack timelines: vulnerability discovery, weaponisation and exploitation all happen faster, and at greater scale.

Specific concerns called out: identity and access management hasn’t adjusted to non-human actors like AI agents. The volume of AI-assisted software development is straining change and release controls. Patching timelines aren’t keeping up with the accelerated threat environment. And shadow AI (staff using AI tools outside approved controls) is widespread, with weak preventative controls in place.

2. AI adoption is moving fast, but governance maturity is lagging

This is APRA’s central observation, and it’s the one most worth dwelling on. Entities are moving from internal productivity use cases to customer-facing AI in claims triage, loan processing, fraud detection and customer service. But governance hasn’t matured at the same pace.

APRA observed a tendency to treat AI risk as ‘just another technology’. That misses what’s distinct about AI: predictive systems that behave probabilistically, models that adapt and drift, inherent bias, and data and privacy risks specific to how AI is trained and deployed.

Gaps include weak post-deployment and model behaviour monitoring, immature change management for models that evolve after release, and unclear decommissioning processes.

3. Supplier concentration and opacity are creating new risks

APRA found entities heavily dependent on a single AI provider across multiple use cases. Few had tested exit or substitution strategies. Contractual arrangements often lagged actual practice, with limited audit rights, no provisions for model updates, and unclear incident notification.

The opacity problem is bigger than most realise. AI capabilities are increasingly embedded in software and developer tools, which means foundation models, training data and fourth-party providers sit upstream and aren’t visible. That makes it genuinely hard to assess model performance, bias, and security with any independence.

4. Traditional assurance isn’t fit for probabilistic AI

Point-in-time and sample-based assurance methods, the bread and butter of internal audit, work for static systems. They don’t work for AI systems that learn, adapt and degrade. APRA found few entities had continuous validation or monitoring for model drift, bias or control breakdowns.

Internal audit and risk functions are also under-equipped. Most lack the specialist skills and tooling to assess agentic workflows or AI-generated code. Assurance, predictably, is lagging deployment.
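To make the point-in-time versus continuous distinction concrete, here is an added illustration (not code from the page, from APRA or from any vendor product) of the kind of control APRA is describing: a population stability index (PSI) drift monitor that compares each window of a model’s production scores against the distribution it was validated on. The data is constructed, the PSI thresholds (0.10 watch, 0.25 alert) are the conventional model-risk rules of thumb and are an assumption here, and the slow upward creep in the production stream is deliberately shaped so that a one-off sample taken at go-live passes while later windows fail.

```python
"""Continuous drift monitor for a probabilistic model's output scores.

Added example, not from the page or any product. PSI (population stability
index) compares the score distribution of each production window with the
validation-time baseline. All data below is constructed.
"""
import bisect
import math
import random
from typing import List, Sequence, Tuple

# Conventional PSI cut-offs used in model risk management (assumed here;
# a real model risk policy sets its own thresholds).
PSI_WATCH = 0.10
PSI_ALERT = 0.25


def quantile_edges(baseline: Sequence[float], n_bins: int = 10) -> List[float]:
    """Bin edges at baseline quantiles, so each bin holds ~1/n_bins of baseline."""
    s = sorted(baseline)
    return [s[len(s) * i // n_bins] for i in range(1, n_bins)]


def bin_fractions(values: Sequence[float], edges: Sequence[float],
                  floor: float = 1e-4) -> List[float]:
    """Fraction of values per bin; empty bins are floored so log() stays finite."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_right(edges, v)] += 1
    return [max(c / len(values), floor) for c in counts]


def psi(baseline: Sequence[float], current: Sequence[float],
        edges: Sequence[float]) -> float:
    """Population Stability Index: sum((cur - base) * ln(cur / base)) over bins."""
    b = bin_fractions(baseline, edges)
    c = bin_fractions(current, edges)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def classify(value: float) -> str:
    """Map a PSI value onto the assumed stable / watch / alert bands."""
    if value >= PSI_ALERT:
        return "alert"
    if value >= PSI_WATCH:
        return "watch"
    return "stable"


def monitor(baseline: Sequence[float], stream: Sequence[float],
            window: int) -> List[Tuple[int, float, str]]:
    """Score every consecutive window of production outputs against the baseline."""
    edges = quantile_edges(baseline)
    results = []
    for i in range(len(stream) // window):
        chunk = stream[i * window:(i + 1) * window]
        value = psi(baseline, chunk, edges)
        results.append((i, round(value, 3), classify(value)))
    return results


def constructed_scores(rng: random.Random, n: int, mean: float,
                       sd: float = 0.12) -> List[float]:
    """Constructed model scores clipped to [0, 1]; not real data."""
    return [min(1.0, max(0.0, rng.gauss(mean, sd))) for _ in range(n)]


def run_demo(seed: int = 7) -> List[Tuple[int, float, str]]:
    rng = random.Random(seed)
    baseline = constructed_scores(rng, 2000, 0.40)  # validation-time distribution
    # Production stream: 10 windows of 500 scores whose mean creeps up by 0.02
    # per window. A single sample check at go-live (window 0) passes; the
    # later windows are what continuous monitoring exists to catch.
    stream: List[float] = []
    for i in range(10):
        stream += constructed_scores(rng, 500, 0.40 + 0.02 * i)
    return monitor(baseline, stream, 500)


if __name__ == "__main__":
    for idx, value, status in run_demo():
        print(f"window {idx}: psi={value:.3f} {status}")
```

The design choice worth noting is that the bins are cut at baseline quantiles rather than fixed intervals, so the check is sensitive to shape changes anywhere in the distribution, not just shifts in the mean. In a real deployment the baseline is frozen at validation and versioned with the model, each window’s PSI is logged as evidence for the assurance function, and a breach of the alert band feeds the same change-management path as a code release.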


What ASIC Adds to the Picture

ASIC’s letter is more action-focused and lands on the cyber side of the picture. The core argument: frontier AI doesn’t create entirely new categories of risk, but it puts existing controls under more pressure, more often. That’s a useful frame for boards working out where to focus.

ASIC’s twelve action points cover the familiar ground of cyber hygiene (patching, privileged access, attack surface reduction, layered defences) but with new urgency. A few are worth pulling out:

  • Patch management processes need a hard look. AI is accelerating vulnerability discovery and exploitation, and daily patching cycles bring their own governance challenges.
  • Insider threats are explicitly called out as increasing. User access reviews and privilege management need more attention.
  • Third-party risk, particularly where services create concentration or systemic exposure, is flagged. This is the same territory as APRA’s supplier concentration concern.
  • Use AI for defensive purposes. ASIC is explicit that AI itself should be part of the response, not just the threat.

ASIC’s frame for governance is direct. Boards must understand their organisation’s position, ask the right questions, and evidence the basis for their assurance. That language is going to be familiar to anyone who’s read CPS 230. The thread connecting all of this back to operational resilience is clearly intentional.


Where the Microsoft Stack Fits In

Most Australian financial services organisations are running their AI on Microsoft. That includes M365 Copilot, Copilot Studio agents, Dynamics 365 agents, Azure AI Foundry, and the broader Power Platform footprint. The good news is that much of what APRA and ASIC are asking for maps directly to capability that’s already in your tenant. The harder news is that capability isn’t governance, and you still have to do the work.

Here’s how the main pieces line up against the regulator expectations.

Agent 365 and identity for non-human actors

APRA specifically flagged that identity and access management hasn’t adjusted to non-human actors like AI agents. Microsoft’s Agent 365, announced in detail at Ignite and confirmed in Q3 earnings, is built exactly for this. It’s the control plane for managing agent identity, security, permissions and lifecycle at enterprise scale.

If you’re deploying agents from the Wave 1 release (the Sales Qualification Agent, Customer Service agents, the Business Central Payables Agent, and so on), Agent 365 is how you bring them under formal governance instead of leaving each agent’s identity scattered across products.

Microsoft Purview for data governance and AI lifecycle

Purview’s Data Security Posture Management for AI (the capability formerly branded AI Hub) addresses several APRA observations directly. Inventory of AI tooling and use cases. Visibility over data flowing into AI systems. Monitoring of prompts and responses. Controls on shadow AI use. None of this is automatic, but the platform’s there to be configured properly.

Azure AI Foundry for model governance and observability

Continuous validation, monitoring for drift, and assurance over probabilistic models all point to capability in Foundry. Built-in evaluators, content safety filters, and observability for model performance address what APRA called out as missing in traditional assurance approaches. The Foundry control plane also handles model versioning and change management, which APRA flagged as weak across the entities they reviewed.

Entra for identity, including AI agents

Entra’s expansion to cover workload and agent identities is the practical foundation for managing AI as a first-class identity. Combined with Conditional Access, this is how you address the privileged access management concerns both regulators raised.

Defender and Sentinel for AI-augmented cyber defence

ASIC explicitly encourages the use of AI for defensive purposes. Microsoft’s security stack, particularly Sentinel with Security Copilot, is positioned for exactly this. Threat hunting, vulnerability identification and incident response are all being augmented with AI on Microsoft’s side of the platform.

A practical caveat. Having these tools in your tenant isn’t the same as having them configured, monitored and integrated into your risk framework. APRA was clear that operationalising governance is where the work sits. The platform supports the outcome, but the framework, accountability and assurance still need to be built around it.


What This Looks Like in Practice

Consider a mid-tier Australian bank with Copilot deployed across the workforce, a handful of custom agents built in Copilot Studio surfacing through Dynamics 365 Customer Service and Teams, and Power Platform automations doing customer-facing work.

Under the old governance model, each of these probably sat under a different owner. Copilot under M365 ops. Copilot Studio agents under the Power Platform team. Power Platform automations under a centre of excellence. Cyber under the CISO. AI ethics, if it exists, somewhere in the second line of defence.

Under what APRA and ASIC are now expecting, that fragmentation is a problem. There needs to be a single AI inventory that captures every material AI use case. Each one needs an accountable executive, lifecycle controls, monitoring for drift and behaviour, and a tested fallback if it fails. The board needs to understand the portfolio at more than a conceptual level. The CISO needs visibility over AI-specific attack paths. Internal audit needs the tools and skills to evaluate what’s running.

None of this is impossible. But it’s a meaningful step up from where most organisations are today, and it’s the work that turns AI from a series of separate deployments into a properly governed portfolio.


So What Do You Actually Do With This?

If you’re an APRA-regulated entity

Both letters need to be on your next board agenda. APRA has been explicit that the 30 April letter is the start of an active supervisory program, with prudential reviews, thematic activities and supplier engagement coming over the next twelve months. The honest gap assessment, against APRA’s four observation areas, is where to start. ASIC’s twelve action points are a useful parallel checklist for the cyber-specific work.

If you supply services to APRA-regulated entities

Your largest regulated clients are going to start asking pointed questions about your AI controls. That includes how you’re managing AI inside your own organisation, what AI sits in the services you provide to them, and what your supplier risk position looks like. If you’re not ahead of that conversation, you’ll be having it on the back foot.

If you’re early in your AI journey

APRA’s letter notes that lessons from larger entities will help those earlier in adoption. That’s a reasonable signal. You don’t have to build for a Tier 1 bank’s scale, but you do need to build proportionately. The four observation areas (governance, security, supplier risk, assurance) are the right starting frame regardless of size.

If you’re on the Microsoft stack

Most of what you need is already in your tenant. Agent 365, Purview, Foundry, Entra and Sentinel cover the bulk of the regulator-named expectations. The work is mapping the platform capability to the governance framework, configuring it properly, and making sure the controls actually fire when they’re supposed to. This is where having a partner who knows both sides of the equation helps.


One Last Thing

APRA’s letter contains a line worth reading twice. The regulator expects entities to ensure AI is integrated ‘responsibly throughout the financial sector’. That’s a strong word, responsibly, doing a lot of work in a short sentence.

Read together with ASIC’s framing, the message is clear. The regulators aren’t asking financial services to slow down on AI. They’re setting out what mature AI governance looks like at the point where adoption has become material. That’s a useful reference for any organisation thinking about how to scale responsibly.

The organisations that close that gap first will be in a stronger position. Not just with regulators, but with customers, with their boards, and with the AI investments they’ve already made.

If you’d like to talk through how any of this applies to your environment, your AI roadmap, or how your Microsoft stack maps to what APRA and ASIC are now expecting, get in touch with our team.


FAQs

What is APRA’s 30 April 2026 letter on AI?

It’s APRA’s first published set of AI-specific expectations for regulated entities. Drawn from a targeted supervisory review of major banks, insurers and superannuation trustees in late 2025, it sets out observations and expectations across four areas: information security, AI governance, supplier risk, and assurance. Boards must table it formally.

What is ASIC’s 8 May 2026 letter about?

It’s a call to urgent cyber resilience uplift in light of frontier AI threats. Commissioner Simone Constant outlined twelve actions licensees and market participants should take now, with a particular focus on patching, access management, third-party risk and incident response.

Do these letters apply if we’re not a bank or insurer?

APRA’s letter applies directly to APRA-regulated entities, which includes banks, insurers, friendly societies, private health insurers and superannuation trustees. ASIC’s letter applies to AFS licensees and market participants. If you supply services to either, expect the obligations to flow through to your contracts and audit processes.

Why are both regulators naming frontier AI models specifically?

Frontier models like Anthropic’s Mythos are capable enough to materially change the cyber threat landscape. Both regulators referenced ASD advice on frontier models and flagged that these capabilities lower the barrier to sophisticated attacks while increasing their speed and scale. The naming is a signal that this is the threat environment to plan for, not a future hypothetical.

What’s the supplier concentration risk APRA is talking about?

APRA found entities heavily dependent on a single AI provider for multiple use cases, often without tested exit or substitution strategies. Combined with the opacity of foundation models and fourth-party dependencies, this creates concentration risk that traditional supplier governance isn’t well-equipped to manage. Expect more scrutiny of your AI supply chain.

Does Microsoft tooling make us compliant with these expectations?

No. The platform capability supports good governance outcomes, but compliance and prudential obligations sit with the regulated entity. Agent 365, Purview, Foundry, Entra and Sentinel provide much of the capability the regulators are expecting, but configuring those tools properly, mapping them to your control framework, and operationalising the governance is the work that still sits with you.

When does supervisory action start?

APRA has flagged a proportional approach over the next twelve months, including prudential reviews, thematic activities and AI supplier engagement. The expectation is that entities don’t wait. APRA strongly encourages early engagement with its Non-Financial Risk Team where existing risk approaches are being challenged.

How does 365 Mechanix help?

We work with organisations across Australian and New Zealand financial services to turn Microsoft capability into practical, governed AI deployments. That includes mapping the platform tooling to regulator expectations, configuring controls in Purview, Foundry, Entra and Agent 365, and working alongside risk and compliance teams to operationalise AI governance. If any of this is on your radar, get in touch.


This blog is intended as general guidance only and does not constitute legal or compliance advice. We recommend consulting your compliance team or legal advisors for advice specific to your organisation.