AI governance built for APRA, ASIC, and OAIC scrutiny.

We advise Australia's banks, insurers, superannuation trustees, and public-sector agencies on the governance frameworks regulators expect to see, against obligations that are already in force or arrive in 2026.

Run the free AI risk calculator

Built for

Boards and risk committees, chief risk officers, chief information officers, general counsel, and public-sector AI leads.

Frameworks we work to: APRA CPS 230 / ASIC REP 798 / Privacy Act 1988 / ISO/IEC 42001 / EU AI Act / NIST AI RMF / Voluntary AI Safety Standard

What you walk away with.

Full engagement methodology

AI inventory & risk register

A documented map of every AI system in use, classified by risk tier and tied to a named accountable owner.

Mapped controls

Controls mapped against APRA CPS 230, the Privacy Act, ISO 42001, and the Voluntary AI Safety Standard.

Board-ready artefacts

Policy documents, oversight charters, escalation paths, and reporting packs sized for board approval.

Audit-ready evidence pack

A single evidence pack a regulator, internal auditor, or external reviewer can work through end to end.

The dates your governance plan has to anchor to.

Key Australian and international milestones that materially change the obligations on regulated and public-sector deployers of AI.

- In force, 1 Jul 2025: APRA CPS 230. Operational risk management requirements apply. AI systems are in scope.
- In force, 1 Oct 2025: Service Provider Register. APRA material service provider register required. AI vendors included.
- Upcoming, Aug 2026: EU AI Act. Full enforcement. Penalties up to 7% of global annual turnover.
- Upcoming, 10 Dec 2026: Privacy Act ADM. Automated decision-making transparency requirements take effect.

Four regulatory pressures now stack on the same board agenda.

Most Australian organisations are running AI in production without a documented risk taxonomy, accountable owner, or evidence trail. Below are the frameworks a regulator, auditor, or general counsel asks about first.

  1. In force

     APRA CPS 230 covers AI as operational risk.

     AI systems sit inside the operational-risk perimeter for APRA-regulated entities. The standard requires documented risk assessments, controls testing, third-party AI vendor classification as material service providers, and board-level accountability. Service-provider register obligations took effect 1 October 2025.

     Build a CPS 230-aligned framework

  2. In force

     Board oversight is now a personal-accountability question.

     Under the Financial Accountability Regime, accountable persons can be named for AI-related failures. Boards need a documented inventory of AI systems in use, an approvals path for new deployments, a clear escalation route for incidents, and a review cadence aligned to the entity's risk appetite statement.

     Structure board-level oversight

  3. Aug 2026

     The EU AI Act reaches Australian providers and deployers.

     If your AI system is placed on the European market, or if its output is used in the EU, the Act applies regardless of where you sit. High-risk classification triggers conformity assessment, technical documentation, post-market monitoring, and registration. Full enforcement begins August 2026, with penalties of up to 7% of global annual turnover.

     Map your EU AI Act obligations

  4. Dec 2026

     Privacy Act amendments add automated-decision-making transparency.

     From 10 December 2026, APP entities that use automated decision-making in decisions affecting individuals must update their privacy policies to disclose the kinds of personal information used and the decisions made. Internal documentation, model cards, and notice copy all need to be ready before that date.

     Prepare for the December 2026 deadline

How we work with regulated and public-sector clients.

Three practice tracks, each tied to a documented set of artefacts. Engagements typically run six to twelve weeks with a defined evidence pack at close.

Track A

Governance & strategy

Frameworks, policies, and operating models that hold up under board, regulator, or audit scrutiny.

Track B

Assessment & assurance

Independent evaluation of AI systems and the governance wrapping them. Evidence packs sized for internal audit or external review.

Track C

Compliance & advisory

Ongoing alignment with Australian and international regulators. Workforce uplift, board education, and standing advisory support.

Sector-specific governance work.

Banking, insurance, superannuation, healthcare, and government each carry distinct regulatory expectations for AI. Engagements are scoped against the prudential, sectoral, and statutory frameworks that apply.

Start with the AI Risk Calculator. Then talk to us.

The calculator gives you a baseline view of your AI risk exposure against EU AI Act and ISO 42001 lenses in under five minutes. From there we can map your inventory against APRA, ASIC, and the Privacy Act, and outline the work needed to close any gaps.

Run the free calculator

Get in Touch