Australian Regulators Issue Direct Warning on Insurers' AI Governance Failures
Australia's financial regulators have lost patience. The Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) have issued two sharply worded letters to the insurance industry, declaring that governance systems are dangerously out of step with AI adoption.
ASIC's letter, published early last month, abandoned the usual regulatory tone. "This is not a distant or hypothetical risk," the regulator wrote. "It is here now, evolving quickly and requires the attention of boards and executives."
The message was blunt enough that senior industry figures raised it unprompted in unrelated conversations. Andrew Stafford, FM's senior vice-president for Australia and New Zealand operations, noted that ASIC rarely sends letters of this directness. "They're basically saying lift your game if you haven't already," Stafford said.
Boards lack technical literacy on AI risks
APRA's follow-up letter, based on a targeted supervisory review of major banks, insurers and superannuation trustees, identified specific governance failures.
Many boards show strong appetite for AI's productivity gains but lack the technical literacy to challenge AI-related risks effectively. APRA found that boards often rely too heavily on vendor presentations rather than conducting rigorous independent scrutiny.
Most entities treat AI risk as just another technology problem, missing critical distinctions: the adaptive behaviour of AI models, inherent bias, data privacy risks, and novel cyber vulnerabilities. "While AI adoption is continuing apace, the systems and processes required to safely govern its use aren't keeping up," said APRA member Therese McCarthy Hockey.
Post-deployment model monitoring is particularly weak. Governance across the full AI lifecycle, from design through deployment, monitoring and decommissioning, remains fragmentary across the industry.
APRA signals enforcement action ahead
APRA warned that where entities fail to adequately identify, manage or control AI risks, it will "take stronger supervisory action and, where appropriate, pursue enforcement."
Stafford said the two letters compound each other. "They're not proposing to change prudential standards, but they're putting everyone on notice that you better get across how AI will impact your work, your security arrangements, your governance and your frameworks," he said. "For it to be that direct was atypical."
What boards must do now
ASIC makes clear that governance cannot rest on management assurances alone. Boards must evidence control through test results, audit findings, incident reviews and independent validation.
ASIC calls for immediate action across several fronts:
- Regularly review and validate core cyber controls
- Patch systems promptly: AI accelerates vulnerability discovery and exploitation
- Rigorously manage third-party and supplier concentration risks
- Implement layered, defence-in-depth architectures that assume breach
- Review user access privileges frequently to address rising insider threats
ASIC also encourages firms to deploy AI offensively in their own defence, using it to identify vulnerabilities and secure software before release.
APRA adds further requirements: maintain a comprehensive inventory of AI tools and use cases, ensure human accountability is embedded in high-risk decisions, and train staff on AI limitations, misuse risks and secure practices.
These expectations are not new. What has changed is the speed and likely severity of consequences for ignoring them.
For insurance professionals seeking to understand AI governance requirements in depth, AI for Insurance resources provide targeted guidance. Board members and executives should also consider AI for Executives & Strategy training to build the technical literacy regulators now demand.