As of May 06, 2026, more than half of Australia’s largest financial institutions have deployed AI agents in critical operations — claims processing, loan applications, fraud detection, and software engineering — without clear ownership, monitoring, or exit strategies, according to a regulator report.
Key Takeaways
- APRA reviewed large financial entities in late 2025 and found universal AI use, but inconsistent risk controls.
- Boards are relying on vendor summaries and not probing AI’s unpredictable behavior or failure impact.
- No human oversight mandates in high-risk decisions at many institutions, despite known model instability.
- AI is creating new attack surfaces via prompt injection and insecure integrations — and identity controls haven’t adapted to non-human agents.
- Some firms depend on a single AI vendor for multiple systems, with no exit plan in case of failure or lock-in.
AI Is Everywhere — But Nobody Owns It
The Australian Prudential Regulation Authority (APRA) didn’t mince words in its assessment: AI is operational across every major financial institution it reviewed. That part isn’t surprising. What is — and should alarm every developer and CTO in the sector — is that many of these AI instances have no named owner. No person, no team, no accountability.
This isn’t experimental sandbox territory. These are production systems handling loan approvals, customer interactions, and fraud detection. Yet APRA found institutions lacked even basic inventories of their AI tools. You can’t govern what you can’t see. And right now, half the AI in Australian finance is flying blind.
And the problem isn’t just internal chaos. When an AI agent fails, who rolls it back? Who checks the logs? Who explains it to auditors? Without named-person ownership, incidents become finger-pointing exercises — or worse, get buried.
APRA didn’t just note the absence of ownership. It called for it explicitly. Institutions need to assign responsibility per AI instance. Not “the AI team.” Not “platform engineering.” A person. A name. Accountability.
The Boardroom Delusion
Boards are excited about AI. That’s what APRA observed. They’re sold on productivity gains and customer experience upgrades. But that enthusiasm hasn’t translated into disciplined oversight. Instead, many board members are relying on vendor presentations and glossy summaries — not technical assessments or red-team reports.
That’s not governance. That’s theater.
The regulator pointed out a critical failure: boards aren’t asking about model behavior under stress, failure cascades, or bias drift. They’re not connecting AI risk to their institution’s stated risk appetite. And they’re not demanding monitoring procedures or error response plans — the kind of controls that would exist for any other critical system.
It’s ironic. These are the same boards that would demand penetration testing results for a new mobile app. But when it comes to AI agents making loan decisions, they’ll accept a 10-slide demo from a sales engineer.
No One’s Watching the Models
AI models change. They drift. They hallucinate. They get poisoned by bad data. They’re not static like a database schema. But APRA found that many institutions have gaps in model behavior monitoring, change management, and decommissioning protocols.
Some firms are treating AI risk the same way they treat any other technology. That’s a fatal mistake. A server crash is predictable. A model that starts denying loans to entire postcodes because of biased training data? That’s different. That’s dangerous.
And yet, institutions aren’t building safeguards tailored to AI’s quirks. There’s no routine bias scanning. No real-time anomaly detection in output patterns. No rollback triggers when confidence scores dip. Nothing.
Worse, AI is creeping into upstream dependencies — tools, libraries, pipelines — and teams aren’t even aware it’s there. APRA noted that AI can be present in software supply chains without explicit acknowledgment. That means a third-party library doing auto-classification behind the scenes could be making regulated decisions — and no one knows.
Change Control Is Breaking
The volume of AI-assisted software development is overwhelming change and release controls. That’s not speculation. It’s a finding from APRA’s review.
When developers use AI to generate code, test cases, or deployment scripts, those artifacts still need review. But the pace is too fast. The volume too high. And the approval gates? Still manual, still slow.
The result? Teams are skipping checks. Or worse, treating AI-generated code as inherently trustworthy. APRA called for security testing of AI-generated code — a basic step that some shops still treat as optional.
But testing isn’t enough. The regulator also stressed the need for controls on agentic and autonomous workflows. That means privileged access management, configuration hardening, and patching — all applied to AI agents, not just humans.
An AI agent with access to customer data and the ability to modify workflows is a privileged actor. It should be treated like one. But in too many environments, it’s not.
Cybersecurity Is Playing Catch-Up
AI is rewriting the attack surface. Prompt injection. Insecure plugin integrations. Leaked context from long-running agent sessions. These aren’t hypotheticals. They’re real exploits, and APRA says financial firms are exposed.
Yet identity and access management (IAM) systems haven’t adapted. They’re built for humans — usernames, passwords, MFA. But what about AI agents? They need identities too. They make API calls. They access data. They trigger actions.
If you can’t authenticate an AI agent, you can’t authorize it. And if you can’t audit its actions, you can’t defend your system.
This isn’t just a tech ops issue. It’s a regulatory one. APRA flagged that IAM practices “had not adjusted in some instances to non-human elements such as AI agents.” That’s a red flag for any auditor.
And the FIDO Alliance is already moving. It’s formed an Agentic Authentication Technical Working Group to develop standards for non-human identity. That’s the kind of signal you ignore at your peril. The standards are coming. The question is whether banks will be ready.
Vendor Lock-In Has No Exit Plan
Some institutions have become dependent on a single provider for multiple AI functions. APRA didn’t name names. But we’ve all seen it: one vendor for code generation, another for customer service chatbots, a third for fraud detection — all from the same platform. Or worse, all from one.
And when APRA asked for exit plans? Only a few could show one.
That’s not just risky. It’s reckless. What happens when the vendor changes pricing? Or has an outage? Or gets acquired and deprecates your API?
AI supplier substitution isn’t like switching CRM tools. Models are trained on proprietary data. Integrations are deep. Context is persistent. Extracting yourself could take months — if it’s possible at all.
APRA’s warning is clear: dependence without contingency is a failure of governance. And right now, it’s widespread.
Human Oversight Is Optional — For Now
Here’s the part that should keep builders awake: some institutions aren’t requiring human involvement in high-risk decisions.
Let that sink in. An AI agent can deny a loan, flag a pension account for fraud, or triage a customer complaint — and no human has to review it first.
APRA noted this as a concern. It’s more than that. It’s a breach of basic risk management. Models fail silently. They inherit bias. They hallucinate policy rules. Without human review, errors compound.
And the regulator isn’t asking for a rubber stamp. It’s asking for meaningful oversight. A person who understands the decision, the context, and the consequences.
If you’re building these systems, you already know: automation isn’t autonomy. Not yet. Maybe not ever.
What This Means For You
If you’re a developer working on AI systems in finance — or any regulated industry — this report is a wake-up call. Your tools are moving faster than your governance. That gap is now on regulators’ radar. Expect audits. Expect questions. And expect consequences.
Start today: inventory every AI instance you own. Assign a name. Document the risk tier. Map the data flows. Test the fallbacks. And if you’re using AI-generated code, test it like it’s hostile. Because if it fails in production, you’ll be the one explaining it — not the model.
If you’re a CTO or engineering lead, demand proof of human oversight in high-risk workflows. Require security reviews for AI-generated artifacts. And for god’s sake, diversify your AI vendors. Build an exit strategy now — before APRA shows up at your door.
Who Authenticates the Agent?
The FIDO Alliance is working on standards for agentic authentication. But the deeper question remains: when an AI agent makes a decision, who — or what — vouches for its integrity?
Sources: AI News, original report
