APRA Urges Stronger Oversight as AI Risks Outpace Controls
The Australian Prudential Regulation Authority (APRA) has warned that governance, risk management, assurance, and operational resilience practices are failing to keep pace with the rapid adoption of artificial intelligence (AI) across regulated entities. In its April 2026 letter[1], APRA highlights the widening gap between the speed of AI deployment and the maturity of controls designed to manage associated risks.
Structural gaps in managing AI risk
APRA’s research identifies several key challenges in how organizations are managing AI. These include limited technical understanding of AI at board level, reduced transparency as AI capabilities become increasingly embedded within broader software ecosystems, and growing concentration risk as organizations rely on a small number of technology providers.
AI-related risks also span multiple domains, including cyber security, operational resilience, privacy, procurement, and information security, yet they are often managed in silos. This results in fragmented assurance and an incomplete view of risk exposure.
These challenges are further heightened by the emergence of advanced AI models, which are expected to increase the scale and sophistication of cyber-attacks by enabling malicious actors to identify and exploit vulnerabilities more efficiently.
The growing impact of third-party and supply chain risk
Key findings from the BCI Operational Resilience Report 2026 show that operational resilience is firmly established in many organizations and that the practice is moving on from initial frameworks to practical action. However, aligning with APRA’s findings, the research identifies third-party risk and supply chain dependencies as key concerns.
Organizations are increasingly required to manage networks of third-party providers across numerous regions, and maintaining compliance across these relationships remains a significant challenge. Both APRA and the BCI's findings indicate that third-party dependency is a core operational resilience concern and a future challenge for practitioners to grapple with.
What can organizations do?
While APRA’s recommendations are directed at Australian regulated entities, the risks it highlights are globally relevant. Organizations across all sectors and regions can draw practical lessons from its guidance.
APRA’s key recommendations include:
- Adopting recognised control frameworks to support consistent risk management and change control for AI systems
- Increasing supply chain visibility, including mapping third- and fourth-party dependencies across AI ecosystems
- Strengthening AI risk management by defining risk appetite and establishing clear accountability
- Enhancing oversight and governance, including improving board-level understanding of AI risks
- Improving cyber resilience, with a focus on timely patching, vulnerability management, and strong cyber practices
- Investing in training and awareness to ensure staff understand the use, limitations, and risks of AI
Strong operational resilience practices offer a practical way to close the gap between current practices and advancing AI, as well as the increasing reliance on third-party suppliers. The discipline's recent maturation toward practical testing of resilience capabilities, ensuring that critical services can be maintained under a range of disruption scenarios, provides an effective response to the pace and complexity of AI deployment.
The pace of AI innovation is unlikely to slow. The question for organizations is whether their controls, governance, and resilience will keep up. Operational resilience will play a defining role in bridging the gap, and organizations that integrate AI risk into their broader resilience strategies will be better equipped to respond effectively to the developing threats.
Download the BCI Operational Resilience Report 2026 now to get the insights that matter and start building a more resilient organization.
