APRA Warns Risk Management Trails Rapid A.I. Adoption

APRA's letter, cited in reporting by FTF News, states that "governance, risk management, assurance and operational resilience practices" are not keeping pace with the "scale, speed, and complexity of A.I. adoption." According to the letter, APRA conducted a targeted engagement with a group of selected large banks, insurers, and superannuation trustees in late 2025 to assess the current state of A.I. adoption and associated prudential risks. The FTF News coverage also notes that securities operations teams are moving fast to adopt A.I.-based systems and services.

APRA's letter highlights specific supervisory observations, including that many boards are still developing the technical literacy required to provide effective challenge on A.I.-related risks and that there is an overreliance on vendor presentations without sufficient examination of risks such as unpredictable model behavior and impacts on critical operations. The letter asks for a "step-change" in how regulated entities manage A.I.-related risk and lists minimum expectations for board oversight, including maintaining sufficient A.I. understanding and overseeing an AI strategy aligned with risk appetite.

Companies and financial-sector boards undergoing rapid A.I. adoption commonly face gaps in technical governance, vendor risk management, and operational resilience. Observed industry patterns include delegating model validation to vendors, delayed investment in monitoring and logging, and insufficient playbooks for model degradation or failure. These patterns increase the likelihood of operational incidents, model drift, and regulatory friction when supervisors demand evidence of governance and control.

Industry observers note that supervisory scrutiny of A.I. in financial services has been rising globally, and APRA's letter is consistent with that trend. For practitioners, the combination of faster adoption in operations and lagging governance elevates the importance of reproducible validation, explainability where feasible, robust monitoring, and clear vendor due-diligence processes. Firms that cannot demonstrate governance controls may face closer supervisory attention.

• •Public supervisory letters and guidance from other regulators (EU, UK, US) for convergence or divergence in expectations
• •Evidence of board-level technical upskilling programs or independent technical advisory appointments
• •Changes in vendor-contracting practices, including right-to-audit, model access, and reporting obligations
• •Adoption of standardized model-risk management and operational-resilience tests suitable for ML workloads