APRA flags AI governance gap as insurers race ahead with deployment
The Australian Prudential Regulation Authority has told insurers, banks, and superannuation trustees that their risk controls are not keeping pace with AI adoption. In a letter published April 30, 2026, APRA said governance, risk management, and operational resilience practices lag behind the speed and complexity of AI rollouts across the financial system.
The warning comes from a targeted supervisory review conducted in late 2025. APRA examined how regulated entities use AI, govern models, and integrate AI-enabled processes into existing risk frameworks. The regulator found that advanced AI is creating new financial and operational vulnerabilities while many institutions' information security capabilities are not developing at the same rate.
Boards lack technical depth to challenge AI risks
APRA identified specific governance weaknesses. Boards show interest in AI's potential but many lack the technical literacy to robustly question management on model risk, data quality, and AI-specific controls.
Concentration risk emerged as another concern. Some institutions rely on a single AI or cloud provider across multiple use cases without detailed contingency plans. When AI components are embedded within broader software platforms, entities often have limited visibility over how models are trained, updated, or constrained.
Existing change and assurance processes, designed for traditional technology, are fragmented and may not capture the full scope of AI-enabled activities. The regulator noted that the speed at which entities can identify and patch vulnerabilities needs to accelerate, matching the pace of AI-driven threats.
Frontier models pose fresh security threats
APRA drew attention to "frontier" AI models, including Anthropic's Claude Mythos, which could help malicious actors identify and exploit system weaknesses. This increases both the likelihood and speed of cyberattacks.
Therese McCarthy Hockey, APRA member, said entities must adjust cyber and operational practices continuously as AI capabilities advance. "The AI revolution presents tremendous opportunities for banks, insurers, and superannuation trustees to deliver improved efficiency and enhanced customer services. But we cannot be blind to the risks of such powerful technology - whether in our own hands or the hands of those with malign intent," McCarthy Hockey said.
APRA will not introduce new AI-specific standards-yet
APRA is not proposing new prudential standards specifically for AI. Instead, the regulator expects entities to manage AI within existing requirements for information security, operational risk management, governance, and data risk.
McCarthy Hockey said: "While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it."
APRA will continue working with government agencies and peer regulators in Australia and overseas to assess technological implications for financial system safety.
Insurers globally accelerating AI spending
APRA's guidance arrives as insurers internationally increase AI investment across underwriting, pricing, claims, and distribution. One large UK insurer reduced complex liability claims resolution time by 23 days using AI-enabled workflows. A major German carrier built and deployed a multi-agent AI claims system in less than 100 days.
In the US, an insurtech has automated 55% of claims end-to-end, with some settled in seconds. Nationwide announced a US$1.5 billion technology program with approximately 20% allocated to AI.
Industry estimates value the AI in insurance market at US$8.63 billion in 2025, potentially reaching US$59.5 billion by 2033-a compound annual growth rate above 27%. Sector-wide AI spending is forecast to grow more than 25% in 2026, with 86% of insurers intending to increase AI budgets this year, particularly for generative AI and agent-based applications.
Survey data from Grant Thornton covering 950 insurance executives shows just over half report AI-related revenue growth, while around two-thirds say AI influences business decision-making. Early AI adopters are generating significantly higher total shareholder returns than slower-moving peers.
Australian finance and insurance SMEs lead adoption
Australian SMEs in finance and insurance report high AI adoption rates. National Australia Bank's Embracing AI SME Business Insights report found that 42% of SMEs across all sectors currently use AI tools, 44% report no use, and 14% plan to adopt.
Finance and insurance SMEs show 64% adoption-above the overall SME average. Property services leads at 69%, followed by business services at 61%. Among finance and insurance SMEs using AI, 65% apply it to operations and logistics.
Cost reduction and efficiency rank as the primary AI opportunity for 29% of finance and insurance SMEs-the largest proportion of any sector. Respondents link this to regulatory obligations, manual processes, and administrative workloads that can be partially automated.
What this means for Australian insurers
APRA's letter signals that AI for insurance will be evaluated through a prudential lens covering board capability, model risk governance, cyber resilience, and third-party risk management.
As AI becomes more central to underwriting, pricing, and claims, and as consumer expectations and global competition intensify, Australian insurers face parallel pressures. They must realise efficiency and service gains from AI while demonstrating to APRA that control frameworks, assurance activities, and incident-response arrangements keep pace with the technology's expanding role.
Your membership also unlocks:
