AI Is Now a Financial Services Governance Issue: What ASIC and APRA Expect Boards to Evidence


ASIC and APRA have made the message clear: artificial intelligence is no longer just a technology implementation issue. For financial services firms, AI is now a governance, cyber resilience, privacy, outsourcing and accountability issue.


ASIC’s 8 May 2026 open letter to AFS licensees and market participants warned that frontier AI is changing the cyber threat environment by increasing the capability, speed and accessibility of sophisticated attacks. ASIC’s point was not that entirely new categories of risk have emerged. It was that existing controls will be tested more often, at greater speed and under greater pressure. ASIC expressly directed boards and risk governance committees to table and discuss the letter.


APRA’s 30 April 2026 AI letter took the same issue into prudential governance. APRA observed that AI adoption is accelerating across banks, insurers and superannuation trustees, while governance, risk management, assurance and operational resilience practices are not keeping pace. APRA also identified board technical literacy, overreliance on vendor summaries, third-party dependencies and weak assurance as areas of concern.

The privacy overlay is also moving. The OAIC is consulting on automated decision-making transparency. From 10 December 2026, APP entities using personal information in automated decision-making that may affect rights or interests will need to disclose relevant information in privacy policies about the kinds of personal information used and decisions made.


For AFSL holders, AI risk should be viewed through the existing licence obligation framework. Section 912A of the Corporations Act 2001 (Cth) already requires licensees to provide financial services efficiently, honestly and fairly, comply with financial services laws, maintain competence and resources, supervise representatives and have adequate risk management systems where applicable.


That means an AI failure may become more than a systems incident. Depending on the facts, it may raise issues around cyber resilience, representative supervision, outsourcing, breach reporting, misleading conduct, privacy compliance, client data handling, operational continuity and board oversight.


The issue affects AFSL holders, responsible managers, CAR networks, superannuation trustees, platform operators, fintechs, digital advice providers and firms relying on outsourced IT, cyber, regtech, compliance or data vendors.


The governance question is simple but demanding: can the firm explain where AI is used, what risk it creates, who owns it, how it is controlled, and what evidence supports management’s assurance?


Regulators are unlikely to be satisfied with an AI policy sitting on a shelf. A credible AI governance pack should include an AI use-case register, risk ratings for each use case, approval pathways for high-risk or customer-facing use, vendor due diligence, cyber control testing, privacy mapping, CAR and representative controls, board reporting, independent assurance and incident response testing.


The practical risk is not that every AI tool creates unacceptable legal exposure. The risk is that firms adopt AI faster than their governance framework can explain or control it.

AI governance should be embedded into existing AFSL, privacy, cyber, outsourcing, breach reporting and representative supervision frameworks. It should not sit in a separate innovation stream with weaker controls.

ASIC and APRA will ask for evidence, not aspirations. Firms that can produce a current AI register, tested cyber response, clear vendor controls, privacy mapping and board-level challenge will be in a stronger position than firms relying on broad statements that “management is comfortable”.
