APRA warns banks on AI and cyber risks as tech use grows

APRA warned banks, insurers and super funds that AI and cyber risks are outpacing controls, lifting scrutiny across Australia's financial sector.

By Marnie Blackwood

Australia’s prudential regulator has sharpened its warning to banks, insurers and superannuation trustees, saying AI and cyber controls are not keeping pace with the technology entering the system. In an industry letter on artificial intelligence and its System Risk Outlook for May 2026, Australian Prudential Regulation Authority chair John Lonsdale said faster AI adoption, cyber threats and broader system shocks would test the sector’s operational resilience.

APRA oversees institutions at the centre of Australia’s financial system, so the warning goes beyond a compliance exercise. Its latest papers show the regulator now treats AI governance as a prudential issue, not just an IT matter. Reuters reported on 30 April that APRA had already warned frontier AI could enable larger, faster cyber attacks and was pressing firms to tighten controls.

In the AI letter, APRA said targeted engagement in late 2025 with selected large banks, insurers and superannuation trustees found adoption moving faster than many entities could manage the risks. The regulator said existing control frameworks were still lagging the scale and speed of deployment.

That pushes AI out of the innovation bucket and into board-level risk management. For regulated firms, the question is less whether a tool lifts productivity than whether executives can show where it is used, who is accountable and how failures would be contained if a model, vendor or connected service breaks.

Lonsdale set out the concern in the letter to industry:

“Among the areas we are most focused on are rapid developments in AI, which are outpacing the ability of many entities to manage the risks.”
— John Lonsdale, APRA

APRA tied that warning to a broader resilience push in the system risk outlook. The regulator said geopolitical tensions remained a top threat, while technology concentration and cyber risk were also rising concerns. Its 2024-2025 banking stress tests included a cyber incident affecting a critical service provider, alongside a downside scenario built around 10 per cent unemployment and a 40 per cent fall in house prices.

By linking the AI letter with a system-wide risk paper, APRA is putting new technology in the same frame as liquidity, capital and operational continuity. A breach at a shared provider would not remain an IT problem for long if multiple banks, insurers or super funds depend on the same infrastructure.

APRA’s message is that the system is not failing, but resilience has to keep pace as institutions add more digital dependencies.

“Sustaining that resilience, however, will require ongoing investment in strong risk management across the system.”
— John Lonsdale, APRA

The stance leaves boards and executives with less room to treat AI as a side project. Prudential expectations now reach into model governance, shared-supplier cyber exposure and the speed with which a local technology failure could spread more broadly.

That gives APRA a firmer basis for supervisory work through 2026. The agency has already moved from general guidance to direct engagement with large institutions, and the language in both documents suggests AI governance and cyber resilience will stay near the top of its agenda.

Marnie Blackwood

Regulation reporter on Privacy Act reform, eSafety, ACCC tech enforcement, and ACMA. Reports from Canberra.