
APRA CPS 234 and AI: What Australian Financial Institutions Must Do in 2026

Author: Aona Team
Date: March 26, 2026

APRA CPS 234 governs information security for all APRA-regulated entities — banks, insurers, and superannuation funds. As AI adoption accelerates across Australian financial services, CPS 234 compliance now requires explicit consideration of AI systems, Shadow AI, and AI vendor risk.

What CPS 234 Actually Requires

CPS 234 has four core pillars: Capability (information security capability proportionate to risk), Policy Framework (documented policies), Implementation (controls), and Audit (independent assurance). Each pillar now intersects with AI.

Where AI Creates CPS 234 Compliance Risk

Three specific risk areas require attention: (1) AI tools processing customer data without proper classification — this violates the minimum necessary standard; (2) Shadow AI — employees using unapproved ChatGPT, AI transcription tools, and similar services that are not captured in the information asset register; (3) AI vendor risk — third-party AI vendors must meet CPS 234 third-party requirements including BAA-equivalent data processing agreements.

The Shadow AI Problem for APRA Entities

APRA expects regulated entities to maintain an information asset register covering all systems that hold or process regulated information. Shadow AI tools used by employees — AI writing tools, AI data analysis tools, AI communication tools — are information assets that almost certainly are not on that register. APRA has signalled increasing scrutiny of AI governance via CPG 234.

What CPS 234 Audit Expects on AI

An independent audit under CPS 234 will increasingly ask: (1) What AI systems are in use? (2) What customer and regulated data do they process? (3) Are vendor agreements in place? (4) What controls exist to prevent data exfiltration via AI? If you cannot answer these with evidence, you have a finding.

5 Practical Steps for APRA-Regulated AI Compliance

  • Conduct an AI system inventory including Shadow AI discovery
  • Classify AI tools against your information asset tiers
  • Review all AI vendor agreements against CPS 234 third-party requirements
  • Implement real-time controls to prevent regulated data entering unapproved AI tools
  • Document your AI governance framework for audit evidence

How Aona Helps APRA-Regulated Entities

Aona gives Australian financial institutions the discovery layer, guardrails, and audit trail they need to demonstrate CPS 234 compliance for AI: automatic AI tool discovery (including Shadow AI), real-time data protection controls, complete audit logs, and compliance reporting built for APRA examinations.
