APRA warns super trustees over AI adoption

The Australian Prudential Regulation Authority (APRA) has called on superannuation trustees, insurers and to significantly lift their approach to managing artificial intelligence (AI) risks, warning current practices are not keeping pace with rapid adoption.

In a letter to regulated entities, the prudential regulator said while AI is increasingly embedded across financial assurance, frameworks remain uneven and, in some cases, underdeveloped.

The findings follow a targeted review of large, regulated entities conducted in late 2025, which found widespread use of AI, but varying levels of maturity in oversight and operational resilience.

APRA noted boards are actively pursuing AI driven productivity and customer gains but often lack the technical expertise required to effectively challenge management and oversee associated risks. It also flagged an overreliance on third-party vendors, with limited scrutiny of issues such as model unpredictability and potential impacts on critical systems.

APRA member Therese McCarthy Hockey said regulated entities need to constantly adjust cyber practices to lift resilience and protect assets in a fast-moving threat environment.

"The AI revolution presents tremendous opportunities for banks, insurers and superannuation trustees to deliver improved efficiency and enhanced customer services," McCarthy Hockey said.

"We are already beginning to see these benefits materialise. But we cannot be blind to the risks of such powerful technology, whether in our own hands or the hands of those with malign intent."

APRA said cyber risks remain a key concern, particularly as more advanced models emerge. The regulator warned frontier systems including those developed by Anthropic, could increase the scale and sophistication of cyber threats, requiring a corresponding uplift in security capabilities.

It also identified concentration risk where firms depend on a single provider across multiple use cases, alongside limited transparency in AI tools embedded in broader software platforms.

APRA said its supervisory focus will intensify with potential enforcement action where entities fail to adequately manage AI related risks in line with their size and complexity.

While no new potential standards have been introduced, APRA signalled expectations for more robust governance, stronger cyber hygiene and faster identification of vulnerabilities as AI adoption accelerates.