APRA just told boards their AI literacy isn't good enough
APRA’s 30 April 2026 letter to industry on AI doesn’t read like guidance. It reads like a warning shot. Every regulator on the planet is worried about AI. The novelty here is the addressee. The letter is written to boards, and it says, in regulator-polite language, that boards aren’t keeping up.
This is the first time APRA has named boards directly as the AI control gap. The same letter warns that where entities fail to manage AI risks, stronger supervisory action and enforcement will follow. Everything else in the document is the supporting evidence for those two claims.
APRA regulates banks, insurers, and super funds. The letter reads, though, like the playbook for every other Australian regulator’s next move. If you sit on a board in financial services, health, education, government, aged care, or any sector with a serious compliance footprint, the questions APRA has put on the table are the ones a thematic review or audit will put in front of you soon enough.
Read it as a board paper, not as an IT advisory. The technical findings are familiar territory. The interesting material is what APRA has now committed to record about the people sitting in the chairs that signed off the AI strategy.
Boards are now the control gap
APRA’s framing is careful and pointed. “Many Boards are still developing the technical literacy required to provide effective challenge on AI related risks.” Read in plain English, the regulator has said on the record that the people accountable for AI risk cannot currently challenge it.
The letter also warns against “overreliance on vendor presentations and summaries without sufficient examination of key AI risks such as unpredictable model behaviour.” Most boards already know they nod through the vendor’s slides. They nod because AI demos are designed to look like magic, and pushing back on magic without technical literacy feels unprofessional. APRA has now said that instinct is the wrong one.
APRA’s prudential framework, as the letter reminds entities, is “technology and vendor agnostic”. Accountability does not come with a discount when the technology is new.
The five threads APRA pulls on
Five threads run through the letter. None of them are about whether you should use AI. APRA explicitly says failing to embrace AI may put businesses at a strategic disadvantage. The threads are about whether your board can prove it is in control of AI once it’s deployed.
1. An AI inventory that includes the tools staff use without telling you
APRA’s governance expectation is direct. Entities are expected to maintain “an inventory of AI tooling and AI use cases” and provide “training and education of staff on AI use, misuse, limitations and secure practices”. The letter then gets specific about what isn’t working in practice. APRA called out “the use of enterprise AI tools by staff outside approved control frameworks”, and noted that organisations rely “primarily on policy direction or detective, after-the-fact measures, rather than enforceable technical restrictions or robust preventative controls.”
Shadow AI is the shadow IT problem from a decade ago with a wider data-leakage path. A staff member pasting client information into a free GenAI chatbot is a control problem dressed up as a training problem, and policies don’t stop it. Enforceable technical restrictions do: browser-level controls on consumer AI sites, DLP inspection on outbound prompts, a sanctioned-tools allow-list, and sensitivity-label awareness in the AI clients you’ve approved. The pre-Copilot security work we wrote about in our Microsoft 365 tenant readiness checklist is the foundation APRA is now asking boards to confirm exists underneath any production AI use.
An AI inventory records what data each system can see, who owns it through its lifecycle, what controls sit around it, and what would happen if it failed. Most organisations have a vendor list and call it an AI inventory. The two are not the same thing.
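The distinction between a policy and an enforceable technical restriction is easier to see in code. The gate below is an added illustration, not APRA's wording or InnovateX's own tooling: it takes an outbound prompt, blocks it outright if the destination is not a tool recorded in the AI inventory, blocks it if the source document carries a sensitivity label, and otherwise inspects the prompt text for two constructed examples of leakable data (an e-mail address and a Luhn-valid payment card number). The host names, labels and sample prompts are assumptions made up for the example.

```python
"""Outbound-prompt gate: an enforceable technical restriction rather than a
policy statement. Hypothetical example; hosts, labels and prompts are
constructed for illustration."""
import re
from dataclasses import dataclass, field

# Assumption: the AI inventory records which hosts each sanctioned tool talks
# to. Anything not on this allow-list is shadow AI and is blocked before any
# content inspection happens.
SANCTIONED_AI_HOSTS = {
    "copilot.example-tenant.internal",
    "approved-llm-gateway.example",
}

# Assumption: sensitivity labels that must never leave the tenant in a prompt.
BLOCKED_LABELS = {"Confidential", "Highly Confidential"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers apart from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(prompt: str) -> list:
    """Return the categories of sensitive data detected in the prompt text."""
    findings = []
    if EMAIL_RE.search(prompt):
        findings.append("email_address")
    for m in CARD_CANDIDATE_RE.finditer(prompt):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append("payment_card")
            break
    return findings


@dataclass
class Decision:
    action: str                 # "allow" or "block"
    reason: str
    findings: list = field(default_factory=list)


def gate_prompt(dest_host: str, prompt: str, label: str = "General") -> Decision:
    """Decide whether a prompt may leave the tenant, and why."""
    if dest_host not in SANCTIONED_AI_HOSTS:
        return Decision("block", "unsanctioned_ai_tool")
    if label in BLOCKED_LABELS:
        return Decision("block", "sensitivity_label")
    findings = find_sensitive(prompt)
    if findings:
        return Decision("block", "sensitive_data_in_prompt", findings)
    return Decision("allow", "ok")


if __name__ == "__main__":
    # Constructed sample prompts; 4111 1111 1111 1111 is a standard test PAN.
    print(gate_prompt("chat.free-genai.example", "summarise this for me"))
    print(gate_prompt("approved-llm-gateway.example",
                      "Customer card 4111 1111 1111 1111 was declined"))
    print(gate_prompt("approved-llm-gateway.example", "draft a thank-you note"))
```

The order of the checks is deliberate: the allow-list decision happens first and needs no content inspection at all, which is what makes it a preventative control rather than a detective one. The label check rides on classification the tenant already applies, and the pattern inspection is the last, most expensive and least reliable layer.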
What the board should ask at the next executive review:
2. Someone has to own the AI lifecycle end-to-end
APRA expects “ownership and accountability across the AI lifecycle, from design and development through to deployment, monitoring and decommissioning”, alongside “human involvement for high-risk decisions and accountability”. Where the regulator has been finding gaps, the letter is blunt. APRA names “weak controls over post deployment monitoring, weak model behaviour monitoring, change management, and decommissioning” as common across the entities reviewed.
Most organisations name a deployment owner and stop there. Monitoring and decommissioning tend to live with whoever was last in the room, which usually means they live nowhere. Meanwhile the model signed off twelve months ago has been retrained twice by the vendor, the prompt library has drifted, and the system in production is no longer the system the board approved. The board has to know who owns that drift, and the safe assumption is that nobody owns it yet.
The work to do before the next board meeting is to name one accountable executive per material AI use case, with monitoring telemetry reported to the board on a defined cadence, a documented threshold that triggers a halt without needing a committee to pull, and an explicit human-in-the-loop checkpoint for any decision that affects a customer, a member, or a worker.
3. Your fourth-party AI dependencies are not optional to understand
APRA expects entities to be “mapping and maintain visibility over the full AI supply chain, including material, third-party and fourth-party dependencies”, and to put “contractual and governance arrangements which provide sufficient transparency, auditability and assurance” in place. The board-level test in the letter is the “ability to understand model behaviour, material changes, performance issues and outcomes”. None of those expectations are aspirational. APRA has been finding entities that can’t meet them today.
“Upstream dependencies such as foundation models, training data sources and fourth party service providers are opaque.” The chain looks ordinary at the front and opaque by the back of it. You have a contract with a SaaS vendor. They have a contract with the model provider. The model provider sits on top of compute and training data nobody downstream has any view of. When the foundation model gets retrained and the classifier you’ve built on top of it starts behaving differently, the way most boards will find out is when a customer complains.
APRA also flagged concentration risk, finding “some entities heavily dependent on a single provider for multiple AI use cases” while “few entities had demonstrated robust contingency planning or tested exit and substitution strategies”. Contractual arrangements, the letter says, lag practice. APRA was finding “limited evidence of specific provisions addressing audit rights, model updates and deviations, incident notification or changes to data handling”. Those four contractual gaps are the most reusable checklist in the entire letter.
What the board should be looking for in the next supplier review pack is a documented exit strategy for the top two AI vendors, evidence the contracts have been re-papered to address all four of APRA’s named gap areas, and a concentration map showing where one provider failure cascades across multiple use cases. A vendor that won’t agree to those provisions is telling you something about the partnership.
4. Point-in-time assurance won’t survive a thematic review
APRA’s assurance expectation is “integrated assurance across cyber security, data governance, model performance risk, operational resilience, privacy, and conduct risks”, with “second line risk management and internal audit functions possess[ing] technical capability and tooling to independently assess AI systems”. Point-in-time and sample-based assurance, in the regulator’s own words, is “ill suited to probabilistic models that learn, adapt and degrade over time”. The letter notes few entities have continuous validation or monitoring in place to catch drift, bias, or quiet failure modes, and that internal audit and risk functions “lack the specialist skills and tools required”.
The bar has moved. Auditing a model the way you audit a financial control will no longer cover the obligation. The expectation now includes model telemetry, drift alerts, periodic red-teaming, and a second-line risk function with enough technical capability to push back on what the first line is producing. An internal audit team that sample-tests a probabilistic system once a year is, in practical terms, taking a photograph of something that has already moved on.
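Two of the threads above, the lifecycle owner with a pre-agreed halt threshold (thread 2) and continuous validation rather than once-a-year sampling (this thread), come together in a small drift monitor. The code below is an added example, not APRA's or InnovateX's, and it assumes the Population Stability Index (PSI) as the drift measure with the commonly used bands of 0.10 for a warning and 0.25 for a halt; those numbers, the use-case name and the owner title are assumptions. Every window of live model output is scored against the approved baseline, a breach trips the halt automatically, and only a named person can put the model back into service.

```python
"""Continuous drift monitoring with a pre-agreed halt threshold and a named
owner. Hypothetical example; thresholds, names and counts are constructed."""
import math
from dataclasses import dataclass, field

# Assumption: PSI bands follow the common convention (< 0.10 stable,
# 0.10-0.25 warn, >= 0.25 material shift). The board records these in
# advance so the halt needs no committee to pull it.
WARN_PSI = 0.10
HALT_PSI = 0.25


def bin_scores(scores, edges):
    """Histogram model output scores into the bins defined by `edges`."""
    counts = [0] * (len(edges) - 1)
    last = len(counts) - 1
    for s in scores:
        for i in range(len(counts)):
            if edges[i] <= s < edges[i + 1] or (i == last and s == edges[-1]):
                counts[i] += 1
                break
    return counts


def psi(expected_counts, actual_counts, eps=1e-6) -> float:
    """Population Stability Index between a baseline and a live window."""
    e_total = sum(expected_counts) or 1
    a_total = sum(actual_counts) or 1
    total = 0.0
    for e, a in zip(expected_counts, actual_counts):
        e_p = max(e / e_total, eps)     # eps avoids log(0) on empty bins
        a_p = max(a / a_total, eps)
        total += (a_p - e_p) * math.log(a_p / e_p)
    return total


@dataclass
class ModelMonitor:
    use_case: str
    accountable_exec: str           # named owner from the AI inventory
    baseline_counts: list           # distribution the board signed off
    halted: bool = False
    history: list = field(default_factory=list)

    def evaluate_window(self, window_counts) -> dict:
        """Score one live window; a breach halts serving automatically."""
        value = psi(self.baseline_counts, window_counts)
        if value >= HALT_PSI:
            status = "halt"
            self.halted = True
        elif value >= WARN_PSI:
            status = "warn"
        else:
            status = "ok"
        record = {
            "use_case": self.use_case,
            "psi": round(value, 4),
            "status": status,
            "serving": not self.halted,
            "escalate_to": self.accountable_exec if status != "ok" else None,
        }
        self.history.append(record)      # telemetry the board sees on cadence
        return record

    def resume(self, signed_off_by: str) -> None:
        """Human-in-the-loop: only a named person can restore service."""
        self.history.append({"use_case": self.use_case, "status": "resumed",
                             "signed_off_by": signed_off_by})
        self.halted = False


if __name__ == "__main__":
    # Constructed windows: stable, then gradual shift, then a material one.
    m = ModelMonitor("credit-decisioning", "Chief Risk Officer", [25, 25, 25, 25])
    for window in ([25, 25, 25, 25], [10, 20, 30, 40], [5, 15, 30, 50]):
        print(m.evaluate_window(window))
```

The point the example makes is about cadence, not arithmetic. A sample-based audit that looked at the first window would have filed a clean finding; the monitor sees the second window move and the third breach, records who was told, and stops serving without waiting for anyone to convene.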
The cyber overlay in the letter is its own warning. APRA names “prompt injection, data leakage, insecure integrations, exploit injection and the manipulation or misuse of autonomous AI agents” as material threats, observes that “AI can shorten the attack cycle and increase speed, coordination and impact”, and flags engagement across the sector on increased cyber threats from high-capability frontier models, naming Anthropic’s Mythos in the letter as an example. The specific controls APRA expects entities to implement are listed in the letter: “Strong privileged access management, timely patching, hardened configurations, automated vulnerability discovery, penetration testing, and controls over agentic and autonomous workflows”, plus “robust security testing across AI-generated code”. The volume and speed of AI-assisted software development, the letter warns, “is placing strain on the effectiveness of change and release management controls”.
Identity and access management, in APRA’s words, “have not yet adjusted to nonhuman actors such as AI agents”. Agentic AI is already running in most environments, and most IAM models cannot see it. A security assessment sized for AI is the practical first move, because the controls APRA is describing don’t exist yet in most organisations.
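One practical first move on the non-human-actor gap is to reconcile what the IAM audit trail shows service identities doing against what the AI inventory says each agent is allowed to do. The snippet below is an added example, not the author's or APRA's: the agent register, the identity names and the JSON-lines audit events are all constructed, and the two issues it raises (an agent exercising a scope its register entry does not grant, and a service identity with no register entry at all) are exactly the two things an IAM model built for humans will not surface on its own.

```python
"""Reconcile observed non-human actors against the AI agent register.
Hypothetical example; identities, scopes and log lines are constructed."""
import json

# Assumption: the AI inventory records each sanctioned agent identity, its
# accountable owner, and the scopes it has been approved to exercise.
AGENT_REGISTER = {
    "svc-claims-triage-agent": {
        "owner": "Head of Claims",
        "allowed_scopes": {"claims.read", "claims.comment"},
    },
    "svc-kb-summariser": {
        "owner": "CIO",
        "allowed_scopes": {"kb.read"},
    },
}

# Constructed sample audit events, one JSON object per line, in the shape a
# generic authorisation log might take (field names are an assumption).
SAMPLE_EVENTS = [
    '{"actor": "j.smith", "actor_type": "user", "scope": "claims.read", "result": "allow"}',
    '{"actor": "svc-claims-triage-agent", "actor_type": "service", "scope": "claims.read", "result": "allow"}',
    '{"actor": "svc-claims-triage-agent", "actor_type": "service", "scope": "claims.approve", "result": "allow"}',
    '{"actor": "svc-kb-summariser", "actor_type": "service", "scope": "kb.read", "result": "allow"}',
    '{"actor": "svc-exp-copilot-poc", "actor_type": "service", "scope": "customer.export", "result": "allow"}',
]


def review_events(lines, register):
    """Return one finding per service-identity action the register does not cover."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev["actor_type"] != "service":
            continue                      # human actors: existing IAM model applies
        entry = register.get(ev["actor"])
        if entry is None:
            findings.append({"actor": ev["actor"], "scope": ev["scope"],
                             "issue": "unregistered_agent", "owner": None})
        elif ev["scope"] not in entry["allowed_scopes"]:
            findings.append({"actor": ev["actor"], "scope": ev["scope"],
                             "issue": "scope_outside_register",
                             "owner": entry["owner"]})
    return findings


def summarise(findings):
    """Count findings by issue type for the board-level telemetry line."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS, AGENT_REGISTER):
        print(f)
    print(summarise(review_events(SAMPLE_EVENTS, AGENT_REGISTER)))
```

Run on a schedule, the unregistered-agent count is the shadow-agent metric and the scope-outside-register count is the privilege-creep metric; both attach to a named owner where the register has one, which is the lifecycle accountability thread 2 asks for.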
Three questions to put to the CISO and CRO together:
5. The board itself is the control
APRA put this one first, and most boards will read it last. “Many Boards are still developing the technical literacy required to provide effective challenge on AI related risks and oversight.”
The expectation that follows in the letter is concrete. Boards must “maintain sufficient understanding and literacy with respect to AI in order to set strategic direction and provide effective challenge and oversight”, and oversee an AI strategy “consistent with the entity’s risk appetite” with “clearly defined triggers aligned to resilience objectives”. Those two clauses do a lot of work. The first is asking boards to be able to challenge the strategy on substance, not endorse the deck. The second is asking the board to have decided, in advance, what would force the strategy to change. What loss event, what model failure, what regulator finding, what customer-impact threshold would trigger a halt or a rollback. Most boards have not had that conversation.
A board that cannot describe, in plain English, how the organisation’s most material AI use case works, what its failure modes are, and what would trigger a halt, has itself become the control gap. The bar APRA has set is lower than it sounds and harder to dodge than it looks. Directors don’t have to retrain as data scientists. They have to be capable of pushing back on what vendors and executives are telling them, and the easiest way to demonstrate that to a thematic reviewer is to point at the resilience triggers the board has already set, and the times the board has actually used them.
If the answers to the questions in the earlier threads make the board uncomfortable, that discomfort is the literacy gap APRA has just named. Closing it is now the board’s job, not the executive team’s to manage on the board’s behalf.
If you’re not APRA-regulated, you’re next
APRA wrote this letter for prudentially regulated entities, and every other Australian regulator is reading it. The Privacy and Other Legislation Amendment Act has already raised the bar on how organisations have to handle data fed into AI systems. The OAIC has published guidance on the use of commercially available AI products. State governments are running AI strategies and assurance frameworks under various names. Whatever your sector’s regulator writes next won’t be a copy of APRA’s letter, but the shape will rhyme.
If you sit on a board in health, education, government, aged care, or professional services, treat APRA’s letter as a leading indicator. The useful question to put to your executive team isn’t whether the regulator will eventually write something similar for your sector. It is how much runway you have before they do, and how prepared you’ll be when it lands.
The seat in the room
Read straight, the letter is telling boards they now need somebody at the table who can speak both regulator and AI fluently. “The IT team is across it” won’t be the answer when a thematic review lands, and “we have a project running” won’t be either. Boards need a named person whose job is translating APRA’s expectations into a twelve-month plan with owners, controls, and measurable triggers.
For organisations with a permanent CIO, this is the strategic conversation that role exists to lead. For everyone else, a fractional CIO or CTO does the same job on a retainer. Either way, the output that matters is an AI governance plan the board can actually defend, in writing, when somebody from the regulator asks to see it.
What APRA’s letter is really saying is that the board is now part of the AI risk surface, not a body overseeing it from outside. The work to be ready for that view has to start before the next thematic review, not after. Boards that wait will spend most of the next twelve months answering questions instead of asking them.
AI governance review
Need a board-ready answer to APRA's expectations?
Book a free Discovery Call with InnovateX Solutions and we'll walk through where your current AI governance lands against APRA's expectations.
Whether you're directly APRA-regulated or anticipating the next thematic review in your own industry, we'll give you a frank assessment and a phased roadmap. vCIO-led, board-ready, regulator-defensible.