Artificial intelligence (AI) is reshaping the insurance industry faster than most boards can comprehend, and Australia’s regulators are concerned. In two sharply worded letters issued in quick succession, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) have put insurers on notice: the governance gap between the AI tools being adopted and the systems in place to control them is dangerously wide, and the window for passive observation has closed.
“We recently received a letter from ASIC that was sent to all insurers basically saying lift your game if you haven’t already - and ASIC don’t routinely do that, it was quite direct,” said Andrew Stafford, FM’s senior vice-president and operations manager for Australia and New Zealand.
Stafford raised the issue during a recent interview on an unrelated topic - itself a measure of how much the letter has registered with the industry. ASIC’s letter, also published on its website early last month, was striking for its directness.
“This is not a distant or hypothetical risk,” the regulator warned. “It is here now, evolving quickly and requires the attention of boards and executives.” Insurers were urged not to wait for regulatory clarity but to “act now, and act with discipline.” The regulator was careful to add: “We are not calling for panic or reactive overreach. But we are calling for urgency, focus, and accountability.”
APRA’s follow-up letter, published a few days ago, followed a targeted supervisory review of major banks, insurers and superannuation trustees and was equally pointed. Its central conclusion: AI adoption is accelerating rapidly across all regulated industries, but governance, risk management, assurance and operational resilience practices are failing to keep pace.
Among the most unsettling observations was the state of boardroom oversight. While boards showed strong appetite for AI’s productivity and efficiency gains, APRA found that many “are still developing the technical literacy required to provide effective challenge on AI related risks.” An overreliance on vendor presentations, rather than rigorous independent scrutiny, was specifically called out as a material weakness.
Equally troubling, the review found that most entities were treating AI risk as “just another technology” problem - missing critical distinctions such as the adaptive behaviour of AI models, inherent bias, data privacy risks, and the novel cyber vulnerabilities AI introduces. Governance across the full AI lifecycle - from design through deployment, monitoring and eventual decommissioning - was found to be fragmentary. Post-deployment model monitoring was particularly weak.
“While AI adoption is continuing apace, the systems and processes required to safely govern its use aren’t keeping up,” said APRA member Therese McCarthy Hockey.
That finding led to a strong warning. Where entities fail to adequately identify, manage or control AI risks, APRA said it would “take stronger supervisory action and, where appropriate, pursue enforcement.”
Stafford said the APRA letter compounded what ASIC had already flagged.
“They’re not proposing to introduce or change the prudential standards, however they’re certainly putting everyone on notice that you better get across how AI is going to impact your work, your security arrangements, your governance and your frameworks,” he said. “For it to be that direct, it was a little atypical.”
For brokers, both letters carry a clear, practical message: the fundamentals matter more than ever, and boards can no longer delegate accountability downward. ASIC is explicit that governance should not rest on management assurances alone - it must be evidenced through test results, audit findings, incident reviews and independent validation.
On a practical level, ASIC calls for immediate action across several fronts: regularly reviewing and validating core cyber controls; patching systems promptly, given that AI is accelerating both the discovery and the exploitation of vulnerabilities; rigorously managing third-party and supplier concentration risks; and implementing layered, defence-in-depth architectures that operate on the assumption that a breach will occur. User access privileges should be reviewed frequently, since insider threats are rising. Notably, ASIC also encourages firms to turn AI on their own systems in their own defence, using it to identify vulnerabilities and to secure software before release.
APRA adds further disciplines of its own: entities should maintain a comprehensive inventory of AI tools and use cases, ensure human accountability is embedded in high-risk decisions, and move quickly to train staff on AI limitations, misuse risks and secure practices.
As ASIC noted, these are not new expectations. What has changed is the speed and likely severity of the consequences of ignoring them.