What APRA's AI letter expects you to have in place, and why your existing security stack does not cover it

For CROs, CISOs and CTOs at APRA-regulated entities

On 30 April 2026, APRA published its letter to industry on artificial intelligence. It is the most consequential regulatory document the Australian financial sector has received on AI risk, and the language is unusually direct for a prudential regulator.

If you run risk, security or technology at an APRA-regulated entity, this letter is your next 90 days of work. It also exposes a control gap that most entities have not yet realised they have, and that traditional DLP, CASB and Microsoft Purview cannot close on their own.

Here is what the letter actually asks of you, why your existing stack falls short, and what the practical first move looks like.

What APRA said, in plain language

APRA conducted a targeted supervisory review of large banks, insurers and superannuation trustees in late 2025. The letter publishes the findings of that review and explicitly tells smaller entities that the same expectations apply to them.

The four observation themes:

• AI threats are increasing, but information security practices are struggling to keep pace. APRA names the new attack pathways: prompt injection, data leakage, insecure integrations, exploit injection, and the manipulation or misuse of autonomous AI agents.
• AI adoption is moving fast, but governance maturity is lagging. Most entities recognise that existing prudential standards apply to AI risk; few have operationalised that recognition into controls.
• Supplier risk management is in place, but supplier concentration and opacity present challenges. APRA observed entities heavily dependent on a single AI provider with limited contingency planning, and AI capabilities embedded inside platforms in ways that obscure independent assessment.
• Traditional change management and assurance is in place but is not sufficient for dynamic AI solutions. Point-in-time assurance is unsuited to probabilistic models that learn, adapt and degrade over time.

The single most quotable passage is in Theme 1:

In many cases, preventative controls were lacking, with entities relying primarily on policy direction or detective, after-the-fact measures, rather than enforceable technical restrictions or robust preventative controls.

Read in plain language: an AI policy is not a control. Detective DLP that flags issues after the fact is not a preventative control. Annual audits are not a control for systems that adapt between audits. APRA has explicitly said all three are insufficient.

The letter then closes with the line that converts this from a governance question into a Financial Accountability Regime question:

Where entities fail to adequately identify, manage or control AI risks in a manner proportionate to their size, scale and complexity, we will take stronger supervisory action and, where appropriate, pursue enforcement.

What APRA expects you to have in place

Across the four observation themes, APRA lists minimum expectations. The four that matter most for technology and risk leaders:

1. An inventory of AI tooling and AI use cases. Not a policy. Not a vendor-supplied list of sanctioned tools. The actual inventory of every LLM your workforce is using today, and what they are using it for.
2. Enforceable preventative controls that prevent prohibited inputs from reaching AI systems in the first place, not just detect them after the event.
3. Continuous validation and monitoring for issues such as model drift, bias, failure modes and control breakdowns. Sample-based, point-in-time assurance is explicitly called out as insufficient.
4. Independent visibility over AI capabilities embedded inside third-party platforms, including Microsoft 365, Google Workspace, Salesforce and developer tooling. APRA says explicitly that platform-vendor opacity limits entities' ability to assess and manage AI risk.

These are the four expectations that most APRA-regulated entities cannot evidence today, even those with mature security and risk programs.

Why your existing security stack falls short

If you are at an APRA-regulated entity, you almost certainly already have substantial security and DLP investment. The question worth asking is which of those tools can actually inspect what your staff are typing into a browser-based AI session.

The honest answer for most stacks:

• Microsoft Purview sees file-level data movement and email content. It cannot inspect the live prompt content of what staff type into Copilot in the browser, and it has no visibility into ChatGPT, Gemini, Claude or any other LLM staff use in parallel.
• Traditional DLP and CASB tools are built for file uploads, web traffic and SaaS APIs. The prompt layer of a browser-based AI session is a different surface. It is keyboard input streaming to a third party, often over a personal account on a corporate device.
• Network monitoring and SIEM detect after the fact. By the time a sensitive prompt has been sent, the data has left the perimeter. APRA explicitly named detective controls as insufficient.
• AI vendor-side controls (the privacy and DLP features in ChatGPT Enterprise, Copilot, Gemini for Workspace) are platform-defined, vary between vendors, and create the exact concentration and opacity problems APRA flagged in Theme 3.

This is the gap APRA's letter has just made supervisory: your workforce is interacting with multiple AI tools every day, the policy says they should not paste customer data, and you have no enforceable preventative control verifying that they do not.

The practical first move, in 14 days

The expectation APRA lists first under governance is the AI tooling and use case inventory. It is also the cheapest, fastest and most defensible first step, because you cannot design controls, brief the Board, satisfy your insurer, or answer your internal auditor without it.

Airentect was built specifically for this gap. We are an AI-native prompt-layer monitoring and data loss prevention platform purpose-designed for APRA-regulated entities and other compliance-heavy sectors. Our platform sits in the browser, intercepts sensitive data at the prompt layer across ChatGPT, Copilot, Gemini and Claude, and produces a regulator-grade inventory of AI use across your workforce.

For mid-tier APRA-regulated entities working through what the letter means in practice, we are offering a 14-day Exposure Report at no cost. The report:

• Inventories every LLM in use across your workforce, sanctioned and unsanctioned
• Categorises the data being entered into each tool: PII, customer records, source code, financial data, internal documents
• Identifies the specific workflows and teams where data exposure is concentrated
• Produces, in regulator-grade form, the AI inventory APRA listed as a minimum governance expectation
• Maps directly to APRA's four observation themes for use in your next Risk Committee and ARC papers

The cohort is capped at five entities for May. Mid-tier ADIs, mutuals, insurers and superannuation trustees are prioritised, exactly the entities APRA's letter is most directly written for.

The window is short

APRA has flagged that it will continue and is finalising its forward plan for AI supervision. The combination of a regulatory letter, the FAR enforcement framing, the 10 December 2026 Privacy Act amendments on automated decision-making, and the cyber insurance market's hardening on AI controls means the next 90 days are the practical window to get ahead of this.

Entities that produce the inventory and the preventative-control evidence in May are positioned for the rest of the year. Entities that wait will be retrofitting controls under supervisory pressure, with less leverage and tighter timelines.

Apply for a 14-day Exposure Report

If you are at an APRA-regulated entity and the questions in this post are landing for your team, we would be glad to walk you through what the Exposure Report would surface for your environment.

Enquire now for the May cohort on our website.

Five spots available · No charge · Mid-tier ADIs, mutuals, insurers and superannuation trustees prioritised · Outputs map directly to APRA's four observation themes

Airentect is an AI-native, cross-LLM prompt-layer monitoring and DLP platform built specifically for APRA-regulated entities and other compliance-heavy sectors. We are headquartered in Sydney and work with mid-tier financial services firms across Australia.

Have a specific question about how the Exposure Report works, or how Airentect maps to your existing CPS 230, CPS 234 or ISO 42001 program? Email us at info@airentect.com.