Australia warns frontier AI is outpacing banks’ risk controls

Australia’s financial regulator is warning that frontier artificial intelligence is spreading faster than banks, insurers and superannuation trustees can control it. The Australian Prudential Regulation Authority said many firms are adopting AI quickly, but the safeguards around governance, risk management, assurance and operational resilience have not kept pace.

APRA said it completed a targeted supervisory review in late 2025 across APRA-regulated industries and found a familiar pattern: boards are interested in AI’s upside, but many still lack the technical literacy needed to challenge management on what the systems are doing, where they fail and how they might affect critical operations. The regulator also said some entities lean too heavily on vendor presentations and summaries instead of independent scrutiny of model behavior, data handling and control weaknesses.

The warning goes beyond internal controls. APRA identified concentration risk where some firms depend on a single provider for multiple AI use cases, creating a potential single point of failure if that vendor is hit by outage, breach or model error. It also flagged gaps in contingency planning and fragmented assurance processes, both of which matter in a sector where even small failures can ripple into customer losses, regulatory penalties or broader market stress.

APRA said it is also engaging across the sector on the cyber risks posed by high-capability frontier models such as Anthropic’s Claude Mythos. The concern is not that AI is inherently unsafe, but that it can lower the cost of sophisticated offense, helping malicious actors identify vulnerabilities faster and scale phishing, exploitation and other attacks with greater speed and reach. That is why APRA framed the issue as a board-level governance problem, not just an information technology issue.

The warning lands alongside Anthropic’s push to position AI as a security tool. The company launched Project Glasswing on 7 April 2026, naming Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA and Palo Alto Networks as launch partners. Anthropic said it had extended access to more than 40 additional organizations and committed up to US$100 million in usage credits and US$4 million in donations to open-source security groups.

APRA’s 2025-26 Corporate Plan says the regulator is focused on a safe and stable financial system and is working with industry on emerging risks, including cyber-attacks and increased reliance on service providers. In a 2025 speech, APRA member Suzanne Smith said banks, insurers and super funds now operate like technology companies and face systemic risk when oversight lags behind technology change. That is the central message of the new warning: AI is arriving faster than the controls built to contain it, and the gap is now a financial stability issue.