Australia's Financial Regulator Just Exposed an AI Governance Gap
APRA warned banks their AI governance is falling behind adoption. If organisations with dedicated risk teams can't keep pace, SMEs need a simpler playbook.
The grown-ups in the room are struggling
On April 30, APRA — the regulator overseeing $9.8 trillion in Australian bank, insurance, and superannuation assets — published a letter to every entity it regulates. The message was blunt: AI governance is not keeping pace with AI adoption. Boards lack the technical literacy to challenge management on AI risks. Assurance practices are falling behind the speed of deployment. Post-deployment monitoring is weak or absent.
These are organisations with dedicated risk committees, chief risk officers, and compliance budgets in the hundreds of millions. If they're struggling, it raises an obvious question for the 42% of Australian SMEs now using AI, per NAB's April 2026 data: what does your governance look like?
[Chart: The AI maturity gap among Australian SMEs. Using AI: 42% (NAB Economics, April 2026). Strategically embedded: 5% (Deloitte Access Economics, 2025).]
What APRA actually found
APRA's letter followed a targeted supervisory review of large banks, insurers, and super trustees conducted in late 2025. The findings were qualitative — no league tables or scorecards — but the patterns were consistent across the sector.
Boards showed strong interest in AI's potential benefits but, according to APRA Member Therese McCarthy Hockey, "many lack the technical literacy required to provide effective challenge on AI-related risks." In practice, this meant boards approving AI strategies they couldn't meaningfully evaluate, with an overreliance on vendor presentations and summaries.
At the operational level, APRA found that few entities had operationalised governance beyond policy documents. Post-deployment monitoring — tracking what AI is actually doing after go-live — was a common gap. So was change management: AI-assisted development is producing code faster than existing review processes can handle. And concentration risk was widespread, with some entities relying on a single AI vendor across multiple use cases without tested exit strategies.
The letter also flagged a transparency problem specific to embedded AI — models built into software platforms where the entity has "limited visibility over how models are trained, updated, or constrained." This isn't a niche concern. Every business using AI features inside Xero, MYOB, ServiceM8, or any other platform faces the same issue at a smaller scale.
Why this matters if you're not a bank
You don't need APRA breathing down your neck to care about this. AI governance at SME scale isn't about compliance committees and quarterly board reports. It's about knowing three things: what AI tools are active in your business, what data flows into them, and who's accountable when an output is wrong.
Right now, most SMEs can't answer all three. A 2025 Deloitte Access Economics report found that while a majority of Australian SMBs use AI in some capacity, only 5% have reached a level of maturity where AI is strategically embedded with proper oversight. The rest are in what Deloitte called experimentation mode — using AI tools ad hoc, often without documented policies or clear accountability. We covered those numbers in an earlier note — the gap between adoption and readiness hasn't closed.
For accounting firms, the connection to APRA is direct. If you serve clients in banking, insurance, or super, your processes will increasingly need to demonstrate governance standards your clients' regulators expect. For trades businesses, the connection runs through your insurer: the same insurers APRA just told to lift their AI governance are the ones using AI to assess your claims and set your premiums.
What SME-scale governance actually looks like
The good news: governing AI in a 10- to 50-person business is dramatically simpler than at a bank. You don't need a framework document. You need four practices.
First, maintain an inventory. Know every AI tool in use across the business — including the ones embedded in your existing software. If your team is pasting client data into ChatGPT, that counts.
Second, classify your data. Decide what can go into AI tools and what can't. Client financial records, personal health information, pricing data — draw the line and make it visible to your team.
Third, assign accountability. When AI generates a quote, a report, or a customer communication, someone specific should review it before it goes out. Not "the team." A name.
Fourth, check your vendor concentration. If your scheduling, invoicing, and customer communication all run through one platform's AI features, you have the same concentration risk APRA flagged for the banks — just at a smaller scale. Know your dependencies.
One thing to do this week
Spend 30 minutes listing every AI tool your business uses — including the built-in ones. Xero's AI categorisation. Your email platform's smart compose. The chatbot on your website. The scheduling optimiser in your field service software. Most business owners we talk to discover two or three tools they didn't realise were AI-powered.
That inventory is the foundation. Everything else — data classification, accountability, vendor mapping — follows from knowing what you're actually running.
Sources
APRA — Letter to Industry on Artificial Intelligence (30 April 2026)
APRA — Calls for a step-change in AI-related risk management and governance (30 April 2026)
Assumptions & methodology
- APRA's letter was based on a targeted supervisory review conducted in late 2025 across large banks, insurers, and super trustees. The findings are qualitative — no specific entities were named and no numerical benchmarks were published.
- The 42% figure is from NAB Economics (April 2026, surveying approximately 670 businesses). The 5% "fully enabled" figure is from Deloitte Access Economics (November 2025) and measures overall AI maturity including strategic foresight, data infrastructure, and workforce capability — not governance specifically. The comparison chart is directionally indicative rather than like-for-like.
- The $9.8 trillion figure is from APRA's own media release dated April 30, 2026, covering total assets supervised across banking, insurance, and superannuation.
Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.