APRA and ASIC are clear that controls must keep pace with AI
The Australian Prudential Regulation Authority's (APRA) call for a step change in managing AI risk is not fundamentally new. It reflects a familiar issue: control environments designed for a slower, more predictable world are now operating at a pace the risk environment no longer tolerates.
Further, ASIC's recent call for urgent cyber uplift reinforces the same point from a different angle. Rather than creating new types of cyber risk, AI is surfacing existing ones faster, at greater scale and with more sophistication than before.
Across the sector, there is an increased risk of controls failing because they are too slow to adapt to technological advancements.
APRA has been clear that governance, risk management, assurance and operational resilience are not keeping pace with the scale and velocity of AI. ASIC goes further in affirming that this is not a hypothetical or future-state issue – it is already here, and boards and executives are expected to act with urgency and discipline.
Reframing the issue of AI-related risk
The challenge is no longer whether organisations can identify risk. It is whether their controls remain effective when threats evolve faster than governance, decision-making cycles, and remediation processes.
Many control environments still assume controlled release cycles, human-led decision points, and tolerance for delay. AI disrupts all three by compressing time, increasing volume and reducing visibility, which turns delay into compounding risk.
That is why regulators are no longer solely focused on whether controls exist, but whether they are effective at the pace required to manage risk.
APRA's CPS 234 is a clear example. Most organisations have classified their information assets by criticality, but far fewer revisit those classifications regularly or genuinely apply controls proportionate to them. The risk of delay now exceeds the risk of controlled disruption.
Most financial institutions already operate within mature frameworks. CPS 234 has driven asset classification, cyber programs are established, and governance structures are in place. The issue is not the absence of controls, but whether they are demonstrably effective under pressure.
ASIC’s position reflects a return to fundamentals
ASIC's emphasis is on the discipline of maintaining core controls over critical assets and ensuring they operate as intended when it matters most. This becomes more acute in an environment where vulnerability identification is accelerating and threat actors can operate at scale with low barriers to entry. Controls are no longer tested periodically; they are tested continuously, and often in parallel.
In this context, ASIC is clear that organisations must sharpen focus on critical assets, minimise exposure, and strengthen the execution of core controls, particularly around access management, patching, and response. Where asset classification enables it, there is also an expectation to apply controls more intelligently: automate where the risk of failure is low, streamline decision pathways, and avoid over-consuming scarce human capacity on low impact activities. The intent is not to reduce control, but to ensure it is applied proportionately and at scale.
Multiple lines of defence
This shift has distinct implications for how responsibilities are executed and overseen across multiple lines of defence.
For first line teams, the uplift challenge is operational. Leading organisations are shifting focus from adding governance layers to removing friction in control execution. This means eliminating low value approvals and handoffs, automating repeatable, low risk activities, and concentrating specialist effort on truly critical assets. The result is a control environment that is both faster and higher quality, in which human intervention is reserved for high impact decisions and those decisions can be made with greater speed and clarity.
For assurance functions, the imperative is a shift from verifying control presence to evaluating governance effectiveness and proportionality. In line with APRA's direction, this requires assessing whether first line teams are using asset criticality to drive differentiated pathways, enabling streamlined or automated treatment where appropriate while maintaining robust guardrails. Equally, it involves challenging whether excess governance is diluting capacity without reducing risk. The defining question becomes whether the control environment enables timely action on what matters most, or introduces delay that ultimately increases exposure.
The organisations that respond well will do three things: focus on fundamentals, align effort to criticality, and reduce reliance on manual intervention where it no longer reduces risk. Most importantly, they will treat speed as a core attribute of control effectiveness.
AI does not create a new category of risk. It reveals where controls rely on delay, depend on human throughput, and assume a level of visibility that no longer exists.
In this environment, control effectiveness is no longer just about design. It is about whether the control can keep up.
How BDO can help
At BDO, our view is practical: AI risk is an accelerator of the risks many financial institutions already manage, such as cyber security, operational resilience, data governance, third-party dependency, and assurance.
Our risk advisory services team supports clients to assess where their current risk and control environment is likely to fall behind in an AI-shaped threat landscape, and where safe automation can improve response speed without weakening oversight. That includes AI readiness assessments, governance and assurance uplift, targeted reviews of vulnerability and patching processes, and control design that helps organisations distinguish between what should remain human-led and what can be accelerated safely.
Contact BDO today to move beyond policy awareness to confident, responsible AI adoption, and to turn principles into practice.