Financial Services · APRA AI Governance
APRA AI governance, made practical.
APRA's expectations are now clear. Governance frameworks. Named accountability. An inventory of AI tools. Human review for high-risk decisions. Staff trained on safe use. We help banks, insurers, super funds, and health funds put a practical baseline in place.
For mid-sized regulated organisations that need practical governance, training, policy, and visibility into how AI is actually being used.
AI Governance
Board pack ready
Tools inventoried: 47
Staff trained: 83%
The Challenge
AI is moving faster than governance. For most organisations, that gap is already a risk.
Your staff are using AI tools today. Some of those tools your IT and compliance teams have never seen: public GenAI platforms, browser extensions, productivity add-ons, vendor-embedded AI. The question is not whether your people are using AI. It is whether you know which tools they are using, who is accountable, and whether your governance has kept up.
Shadow AI
Most organisations have staff using AI tools outside formal procurement. That is real risk around data, privacy, and third-party exposure.
Unclear accountability
When something goes wrong with an AI-assisted decision, who owns it? Without a clear accountability map, the answer ends up being everyone and no one.
Board and audit evidence gap
APRA expects boards to demonstrate AI oversight. Without an inventory, a policy baseline, and a training record, there's nothing to show.
APRA's Five Requirements
What APRA expects. What it means in practice.
APRA has set a clear baseline for regulated entities. Writing a policy is not enough. You need evidence of how AI is being used, who owns it, how high-risk decisions are controlled, and how staff are being trained.
01
Governance frameworks
Move from ad hoc AI use to a documented governance framework, with clear policies, reporting lines, and board-ready oversight.
Risk if unmanaged
No clear accountability to the board, risk committee, or regulator.
02
Ownership and accountability
Clarify who owns each AI use case, from discovery and approval through to monitoring, change, and retirement.
Risk if unmanaged
Tools adopted without clear owners for sourcing, approval, monitoring, or retirement create gaps regulators will find.
03
AI inventory
Build an evidence-based inventory of AI tools and use cases, including the tools your staff are actually using.
Risk if unmanaged
You can't govern what you can't see. Shadow AI is often the biggest gap.
04
Human review
Define where human involvement is required, especially in decisions that affect customers, members, claims, underwriting, credit, or advice.
Risk if unmanaged
Automated decisions affecting customers, claims, credit, or advice can expose you to regulatory action when oversight is absent.
05
Staff training
Train staff on AI use, misuse, limitations, secure practices, and the difference between approved and risky use.
Risk if unmanaged
Staff experimenting without guidance form habits around data handling and tool choice that are hard to reverse.
Why Now
APRA has made AI governance a supervisory priority. These are live expectations, not future ones.
APRA's 2026 letter says AI use is accelerating across regulated industries, and governance, risk, and resilience practices are not keeping pace. The letter flags specific risks: shadow AI, board literacy, supplier assurance, AI supply chains, cyber controls, non-human actors, internal audit capability, and agentic workflows.
For mid-sized regulated organisations, the practical challenge is real. You have the same regulatory obligations as larger institutions. You often have leaner technology, risk, and compliance teams to meet them.
APRA's expectations are live.
The requirements are framed as minimum governance expectations for all regulated entities, proportionate to size and complexity.
AI is already inside your organisation.
Staff may be using public or enterprise AI tools before formal governance and training have caught up.
The inventory requirement is the hardest.
You need visibility into actual AI tooling and use, not just known enterprise systems.
Board oversight is part of the requirement.
APRA expects boards to maintain enough AI understanding to oversee strategy, risk, and reporting.
Third-party AI is in scope.
APRA expects attention to AI supply chains, third- and fourth-party dependencies, and concentration risk.
The 30-Day Sprint
A practical path to readiness.
We help regulated organisations move from uncertainty to a clear, board-ready AI governance baseline. The work starts with discovery and visibility. From there, it turns into policy, accountability, training, and a prioritised remediation roadmap.
Step 01
Discover actual AI use
Step 02
Assess against APRA's five requirements
Step 03
Build the governance baseline
Step 04
Train staff and leaders
Step 05
Report to executives and board
Sprint deliverables
AI tooling and use-case inventory: known tools, discovered tools, business owners, data types, vendors, risk tier, and current controls.
Brolli AI visibility report: browser-based insight into which AI tools your staff are actually using.
Five-requirement gap assessment: current-state maturity against APRA's minimum AI governance expectations.
Governance and policy pack: AI acceptable-use policy, governance standard, reporting lines, and a board or risk-committee reporting template.
Accountability map: named owners across the AI lifecycle for material use cases.
High-risk decision review: identification of use cases needing human review, escalation, and oversight.
Staff training plan: general staff training plus tool-specific modules for Copilot, Claude, ChatGPT, and Gemini.
90-day roadmap: prioritised remediation actions, owners, and evidence artefacts.
AI Visibility
You can't govern AI use you can't see.
One of APRA's five requirements is an inventory of AI tooling and use cases. That's hard when staff are using browser-based AI tools outside formal procurement.
Brolli gives organisations visibility into which AI tools are actually being accessed, so risk, compliance, and technology teams can build the AI inventory from evidence, not assumptions.
Ask us about Brolli →
Identify which AI tools are being accessed by your staff.
Build and maintain your AI inventory from observed usage.
Distinguish approved, tolerated, and risky tool use.
Inform staff training and policy updates.
Give risk and technology teams a practical starting point for shadow AI governance.
Privacy note
Brolli deployments should be configured in line with your internal policies, privacy obligations, and employee communications. We use the words "visibility" and "insight" deliberately. This is not surveillance.
Staff Training
Train staff before risky habits become normal.
APRA expects staff training and education on AI use, misuse, limitations, and secure practices. We deliver practical training for everyday users, leaders, and specialist teams, including tool-specific sessions for Copilot, Claude, ChatGPT, and Gemini.
The Office of the Australian Information Commissioner has noted that publicly available GenAI tools can make it hard to track, control, or remove personal information that staff have entered. Staff education is one of the recommended controls.
Module 01
AI fundamentals for regulated organisations
What AI can and cannot do, common risks, and safe usage principles.
Module 02
Secure GenAI use
What not to paste into AI tools, how to handle confidential information, and how to use approved platforms.
Module 03
Tool-specific training
Practical, governed use of Copilot, Claude, ChatGPT, and Gemini for your teams.
Module 04
Manager and executive training
How to assess team use cases, approve experiments, and escalate risk.
Module 05
Board and senior leader briefing
AI literacy, APRA expectations, risk appetite, and governance reporting.
Who We Work With
Built for mid-sized APRA-regulated organisations.
Customer-owned and regional banks
AI governance without bank-scale overhead.
You face the same regulatory expectations as larger institutions, often with leaner technology, risk, and compliance teams. We help you create a practical AI governance baseline covering staff use, vendor AI, policy, accountability, and board reporting.
Private health insurers
Control GenAI use around sensitive member and health data.
Health funds need to manage AI adoption while protecting personal and sensitive information. We help you identify staff AI use, train teams on secure practices, and put an APRA-ready governance framework in place that aligns with your privacy obligations.
Superannuation trustees
Govern AI across trustees, platforms, and service providers.
Super funds and trustees rely on administrators, custodians, insurers, platforms, and technology vendors. We help you map internal and third-party AI exposure, clarify ownership, and build a roadmap for ongoing oversight.
Specialist insurers
AI controls for claims, underwriting, and customer interactions.
Insurers are exposed to AI in claims, underwriting, fraud detection, customer service, document processing, and productivity tools. We help you identify high-risk use cases, design human review controls, and train teams on safe use.
What You Walk Away With
A clear, evidence-based response to APRA's five requirements.
An AI inventory grounded in observed usage, not just known systems.
A governance gap assessment against APRA's minimum expectations.
An accountability map with named owners across material AI use cases.
An AI acceptable-use policy and governance framework.
A staff training plan with tool-specific modules.
High-risk decision controls for AI-assisted customer and member outcomes.
A board-ready 90-day remediation roadmap.
Next step
Need to show progress on APRA's AI requirements?
In 30 minutes, we'll help you find the fastest path to an APRA-ready governance baseline.
Book a readiness call →
Or download our five-requirement checklist to see where you stand.
FAQs
Common questions.
What are APRA's five AI governance requirements?
APRA expects regulated entities to have AI governance frameworks, named ownership and accountability across the AI lifecycle, an inventory of AI tooling and use cases, human involvement in high-risk decisions, and staff training on AI use, misuse, limitations, and secure practices.
Does this apply to smaller regulated organisations?
Yes. APRA's letter applies across regulated entities, with expectations managed proportionately to size, scale, and complexity. That makes the requirements especially relevant for mid-sized organisations with real AI exposure but limited internal AI governance capacity.
What counts as an AI inventory?
A structured record of AI tools and use cases, including the business owner, purpose, data involved, vendor or platform, risk level, controls, and approval status. For APRA-regulated entities, it should cover both approved enterprise tools and AI use that may be occurring outside formal procurement.
How does Brolli help with the inventory requirement?
Brolli gives organisations visibility into which browser-based AI tools staff are actually accessing. That helps risk, compliance, and technology teams build the AI inventory from observed usage rather than from surveys or known enterprise tools alone.
Can Knowello train our staff on specific AI tools?
Yes. We provide general staff AI training and tool-specific training for Copilot, Claude, ChatGPT, and Gemini, with emphasis on secure practices, limitations, approved use, and what to avoid.
Do we need a full-time Chief AI Officer?
Not necessarily. Many mid-sized regulated organisations need AI governance capability without justifying a full internal AI team. We can provide policy, advisory, training, and fractional Chief AI Officer support to create a proportionate model.
How quickly can we have a board-ready roadmap?
Most organisations have a working draft within 30 days through our APRA AI readiness sprint. That covers discovery, gap assessment, policy baseline, accountability mapping, and a prioritised remediation roadmap.