Australian AI Governance: What APRA's AI Letter and the Voluntary AI Safety Standard Require

January 27, 2026

Australian organisations navigating AI governance do not yet face a single comprehensive AI regulation in the way that comparable markets are beginning to introduce. What they do face is a set of clear regulatory signals that describe what responsible AI governance looks like and set expectations that will inform supervisory attention, procurement decisions, and eventual regulatory requirements. Two documents are central to that landscape: APRA's 2024 letter to regulated entities on AI risk management, and the Australian federal government's Voluntary AI Safety Standard.

Understanding what each document actually requires, and where they overlap, is more useful than treating them as background reading. For organisations in APRA-regulated sectors, the letter establishes active supervisory expectations. For all Australian organisations, the Voluntary AI Safety Standard describes a framework that is likely to influence contractual and procurement requirements even before it acquires mandatory force.

What APRA's letter requires of regulated entities

APRA's letter on AI risk management is addressed to authorised deposit-taking institutions, insurers, and superannuation trustees. Its core message is that AI risk falls within existing prudential obligations. Boards and senior management are accountable for AI governance. The letter does not create new obligations from scratch; it clarifies that existing obligations under CPS 220 (risk management) and related standards apply to AI systems, and that APRA expects entities to have considered AI risk explicitly within their risk management frameworks.

In practical terms, this means APRA entities should be able to demonstrate that AI systems are inventoried, that material AI systems have been risk assessed, that accountability for AI risk is assigned at a senior level, and that AI is addressed in the organisation's risk appetite statement. APRA has indicated it will examine how entities are managing AI risk through its supervisory cycle, which means these are not aspirational expectations but active ones that entities need to be ready to address in a supervisory context.

What the Voluntary AI Safety Standard requires

The Voluntary AI Safety Standard, published by the Australian federal government in 2024, establishes ten guardrails for responsible AI use. It applies to organisations that develop or deploy AI in high-risk settings, though the government has framed voluntary adoption as a baseline for responsible practice across all sectors. The ten guardrails cover accountability, transparency, human oversight, privacy, contestability, and safety testing, among other areas.

The standard is described as voluntary, but that characterisation warrants some scrutiny. Government procurement and funding requirements are increasingly likely to reference it, and the standard is explicitly designed as a precursor to mandatory requirements. Organisations that adopt the guardrails now will be better positioned when mandatory obligations arrive. More immediately, the standard provides a clear and publicly recognised framework against which organisations can benchmark their AI governance and demonstrate responsible practice to clients, partners, and regulators.

Where the two frameworks overlap and how to use them together

Both documents share a common emphasis on accountability, risk assessment, and human oversight. They differ in their audience and their formal weight, but the governance activities they describe are largely consistent. An organisation that builds an AI governance programme against the Voluntary AI Safety Standard will address most of the areas that APRA expects regulated entities to have covered. An APRA entity that has addressed the letter's expectations will find that it has satisfied a significant portion of the Voluntary AI Safety Standard's guardrails.

ISO 42001, the international standard for AI management systems, provides a more detailed framework that maps well to both documents. Organisations looking for a structured way to implement AI governance that satisfies Australian regulatory expectations will find that ISO 42001 provides the process rigour that APRA expects and the accountability structures that both documents require. We hold ISO 42001 Lead Implementer certification and work with organisations across APRA-regulated and non-regulated sectors to implement AI governance frameworks that align with the Australian landscape.

What good AI governance looks like in practice

Both the APRA letter and the Voluntary AI Safety Standard describe outcomes rather than prescribing specific processes. That flexibility is intentional but requires organisations to translate principles into concrete programme activities. In practice, sound AI governance involves:

  • A maintained inventory of AI systems with risk classifications
  • Defined accountability for each material AI system at a senior level
  • Pre-deployment risk assessment and security testing appropriate to the system's risk classification
  • Ongoing monitoring and periodic review of deployed AI systems
  • An AI incident response procedure that covers AI-specific failure modes
  • Transparency to affected parties about AI use in decision-making
  • Board-level reporting on AI risk

If you want to understand where your organisation stands against the APRA letter and the Voluntary AI Safety Standard, or if you are building an AI governance programme from the ground up, contact us at info@cyberlinx.com.au. We work with Australian organisations to translate regulatory expectations into practical governance programmes.

Table of Contents
Resource Type
Blogs
Category
AI Security
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?