APRA's April 2026 AI Letter: What It Says, Why It's a Workforce Question, and How to Respond
- Mike Booth

Key takeaways
- On 30 April 2026, APRA wrote to all regulated entities setting out AI governance expectations, signed by Member Therese McCarthy Hockey.
- APRA's expectations map directly to workforce management: inventory, named ownership, supervision, escalation, audit, and lifecycle for every AI agent.
- The framing is decisive: a copilot is a feature; an agent is a colleague. APRA notes that identity and access controls "have not adapted to nonhuman actors."
- The productivity-versus-safety trade-off is false. Both outcomes come from the same onboarding discipline.
- ASIC has been signalling the same direction since REP 798 in October 2024. The CPS 230 deadline for AI vendor contracts is six weeks away; ADM transparency requirements take effect in December 2026.
- The organisations already capturing structural value from AI (50% fraud reductions, 46% engineering productivity, 80% control coverage uplifts) approached it as a workforce question first.

If you lead technology, operations, or risk at an Australian financial institution, you have spent the last eighteen months watching AI move through your organisation. Copilots have been deployed. Pilots have been funded. Individual teams are seeing real productivity gains. And the board is asking, increasingly insistently, what comes next.
What comes next is not more AI. It is a different kind of AI.
The first wave was tools: copilots, summarisers, search experiences embedded in productivity platforms. A tool assists a human who is already doing the work, and it fails safely because the human is in the loop by default. The second wave is agents: autonomous or semi-autonomous actors that take responsibility for tasks, request input when they need it, hand work to other agents, and produce outputs that other actors rely on. The human is no longer in the loop by default. The agent decides.
A copilot is a feature. An agent is a colleague.
Why Most Organisations Have Not Onboarded Their AI Agents
A copilot needs governance the way a tool needs governance. An agent needs governance the way an employee needs governance: onboarding, role definition, supervision, performance review, escalation paths, named accountability.
When you onboard a senior hire, you do not tell them to start work and figure out the rest. You define the role. You agree the scope of authority. You assign a supervisor. You set the escalation path. You agree what success looks like. You provision access to what they need and only what they need. You review their performance.
When most organisations deploy agents, they do none of this.
Many organisations now have over a hundred agents in production once you count the Copilot Studio agents inside Microsoft 365, the embedded workflow agents inside ServiceNow and Salesforce, the customer service agents, the security operations agents, and the developer copilots. Almost none have onboarded any of them in the way they would onboard a single new analyst.
The tools that produced the first wave assumed a human in the loop and a contained scope. The agents that produce the second wave assume neither.
What AI Is Already Delivering in Australian Financial Services
The organisations that have moved beyond pilots are not producing incremental improvements. They are producing structural ones.
AegisIQ's AI Horizons 2026 research, drawn from more than a hundred face-to-face conversations with Australian leaders, documented the kind of outcomes the top tier is already capturing [4]:
- A major Australian bank cut retail scam losses by 50% using AI-powered fraud detection, deployed at scale.
- A large superannuation fund achieved a 46% productivity gain in software engineering through AI coding assistants embedded in standard development workflows.
- An Australian financial institution reduced contact centre call wait times by 40% through intelligent routing and AI-assisted agents.
- A non-major bank increased control testing coverage by 80% while simultaneously reducing compliance costs.
These are AI-enabled outcomes already on the books, in organisations that look much like yours. The pattern across them is consistent: every one of these results came from an organisation that treated AI as a workforce question first and a technology question second. They defined what the agents would do, named the humans accountable for the outcomes, designed the supervision model, and built the audit layer before scaling. The capability followed the operating model, not the other way around.
The upside is real, and the path to it is now reasonably well understood. The harder question is whether the rest of the field can move at the same pace, on the same foundations, in the regulatory environment that is now forming around them.
What APRA's April 2026 AI Letter Requires
On 30 April 2026, APRA wrote to every regulated entity in Australia. The letter, signed by Member Therese McCarthy Hockey, set out the prudential regulator's observations from a year of targeted engagement on AI adoption across large banks, insurers, and superannuation trustees. [1]
The expectations map directly to the workforce framing.
APRA expects entities to:
- Maintain an inventory of AI tools and use cases: the agent equivalent of an HR system.
- Establish ownership and accountability across the AI lifecycle, with named owners for each agent.
- Ensure human involvement in high-risk decisions: the supervision and escalation layer.
- Train staff on AI use, limitations, and secure practices: the workforce capability investment.
- Monitor behaviour continuously rather than through point-in-time sampling, which APRA notes is "unsuitable for probabilistic, adaptive models": ongoing performance management, in other words.
The letter also names a structural gap most organisations have not yet addressed. "Identity and access management capabilities have not adapted to nonhuman actors like AI agents." [1] The regulator has noticed that agents act in systems, request data, and take actions, while the existing identity model still treats them as service accounts when they should be treated as actors with authority and accountability of their own.
APRA's signal is unambiguous: the regulator is preparing to pursue "stronger supervisory action and enforcement where entities fail to adequately identify, manage, or control AI risks proportionate to their size and complexity." [1]
This is not the first regulatory signal. ASIC's *Beware the Gap* report (REP 798), published in October 2024, reviewed 624 AI use cases across 23 financial services and credit licensees and concluded that "licensees are implementing AI more quickly than they are adjusting their risk and compliance frameworks to manage the heightened risks and challenges." [2] Eighteen months later, APRA's April letter makes similar points but notes the increase in the capabilities of the underlying models. The direction of regulatory travel has been consistent.
Productivity vs. Safety: The False Trade-Off
Most executive teams are responding to this environment by trying to balance two things they perceive as opposed: move faster to capture productivity gains, or move more carefully to satisfy the regulators. The framing produces caution at the wrong layers and speed at the wrong layers.
The trade-off is false. The same discipline that satisfies APRA is what unlocks the productivity gain.
When agents are onboarded properly — defined roles, named supervisors, scoped authority, audit trails, lifecycle management — three things happen. Their output becomes trustworthy enough to use without a human re-check, which is where the productivity gain actually lives, and it is what the 50% scam loss reductions, 46% engineering productivity gains, and 80% control coverage uplifts in the AI Horizons research were built on. Their behaviour becomes evidenced, which is what APRA expects. And the operating model becomes coherent, which means the next agent can be added at near-zero marginal coordination cost.
When agents are deployed without this discipline, the opposite happens. Their output requires re-checking, which erases the productivity gain. Their behaviour cannot be evidenced, which exposes the organisation to regulatory action. And each new agent adds non-linear coordination cost, which is why most programmes feel heavier at fifty agents than they did at ten.
The productivity-versus-safety framing is a symptom of treating agents as tools. Treat them as colleagues, and the choice dissolves.
How to Onboard an AI Agent: A Seven-Point Framework
The discipline is not new. Most of it is borrowed directly from how organisations have always onboarded people, with adjustments for what is different about agents.
1. A defined role: what the agent is responsible for, what it is not, and where its authority ends.
2. A named owner: a human accountable for the agent's performance, behaviour, and outcomes.
3. A scope of access: only the systems and information the role requires, applied through on-behalf-of authentication rather than a shared service account.
4. A supervision model: who reviews the agent's work, on what cadence, and against what criteria.
5. An escalation path: when the agent should pause and request human input, and to whom.
6. An audit trail: every action evidenced, every decision traceable.
7. A lifecycle: the agent is versioned, monitored for drift, performance-reviewed, and retired when its role is no longer needed.
None of these is technically difficult on its own. What is difficult is operationalising them at the scale of fifty or two hundred agents, and that operational discipline is precisely what APRA's April letter is asking organisations to evidence.
What Australian Financial Services Leaders Should Do Next
The organisations handling this transition well are not those with the most AI. They are those that have asked the workforce question early — what classes of actor exist on our org chart, what are their roles, where does accountability sit, what does our operating model look like with humans and agents together — and designed for the answer.
Most have not yet asked the question. Some have asked it and not answered. A small number have answered it and are scaling agents at a pace others cannot match, because the foundation is in place.
The structured discovery to find where your organisation actually sits takes a half day, with the executives who collectively own the answer in the room. It surfaces the live operating model gaps against APRA's expectations. It identifies the next deliberate move, which is usually not "more AI" but "the operating model layer that lets the AI you already have produce both productivity and confidence."
If you'd like to explore what that looks like for your organisation, we'd welcome the conversation.
Footnotes
[1] Therese McCarthy Hockey (APRA Member), *Letter to industry on artificial intelligence*, 30 April 2026. Source: https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai
[2] ASIC, *Report 798: Beware the Gap — Governance Arrangements in the Face of AI Innovation*, 29 October 2024. Reviewed 624 AI use cases across 23 AFS and credit licensees. Source: https://download.asic.gov.au/media/mtllqjo0/rep-798-published-29-october-2024.pdf
[3] ASIC, *Corporate Plan 2025–26*, published 27 August 2025. AI named as a strategic priority under the digital, technology and data section; "poor use of AI" listed alongside ASX, cyber resilience, and stress events under Strategic Priority 4 (operational digital and data resilience and safety). Source: https://download.asic.gov.au/media/xbtjrb4m/asic-corporate-plan-2025-26-published-27-august-2025.pdf
The CPS 230 vendor contract compliance deadline (1 July 2026) is set by APRA Prudential Standard CPS 230, not the ASIC Plan. The automated decision-making transparency requirement (December 2026) is set by Privacy Act amendments, not the ASIC Plan.
[4] AegisIQ, *AI Horizons 2026 Leadership Survey*. Internal primary research drawn from 100+ face-to-face interviews with Australian executive leaders across financial services, government, and retail. Production outcomes anonymised at organisation level. Source: AegisIQ internal research.


