GRC

AI in Governance, Risk & Compliance

Practical intelligence on AI developments across APRA, ASIC, FAR, AML/CTF, DDO, and CPS 230 for compliance and risk professionals in Australian financial services.

APRA · ASIC · FAR · AML/CTF

Intelligence, At Your Command.

Analysis

GRC Intelligence

GRC · Regulatory analysis

AUSTRAC Just Put AI Risk Into Your AML Program Documents

On 19 June 2026 AUSTRAC updated the program starter kit documents that reporting entities build their AML/CTF programs from, adding artificial intelligence to the risk information. If you built your program before that date, your risk assessment is now out of step with the regulator's.

GRC · Regulatory analysis

AML Tranche 2: What AI Can and Cannot Do for Your New Program

From 1 July 2026, tens of thousands of lawyers, accountants, real estate agents and dealers in precious metals become AML regulated for the first time. AI can help them stand up a program fast. It cannot own the risk-based judgement AUSTRAC will hold them to.

GRC · Regulatory analysis

Automated Decisions Now Belong in Your Privacy Policy

From 10 December 2026, APP entities that use personal information in automated decisions affecting people's rights must say so in their privacy policy. For Australian financial services, that is most of the AI already running in underwriting, fraud, collections and claims. Here is the readiness work, with a reusable AI project, prompt library and a worked insurer example.

GRC · Operational Risk

Build an Offline GRC Controls Console Without Creating Shadow IT

A single-file controls console can sharpen evidence review without leaking data. Treat it as a governed end-user computing tool, not a free win.

GRC · Regulatory analysis

AI in Internal Audit: What Still Counts as Evidence

Internal audit functions are adopting AI faster than they are writing the rules for their own use of it. The IIA's 2024 Standards never mention artificial intelligence, yet every evidence, documentation and objectivity requirement still applies to AI-assisted audit work.

GRC · AI Governance

Build an AI Use Case Register That Boards Can Actually Use

Practical guidance for GRC teams to create AI use case registers that deliver clear, decision-ready evidence for boards and risk committees.

GRC · Operational Risk

AI Cyber Risk Is Now a Board Governance Issue

ASIC's May 2026 cyber uplift warning highlights that AI-driven cyber risk demands active board and risk committee oversight, not just IT fixes. This article outlines a practical governance operating model for GRC teams.

GRC · Assurance

From Voluntary AI Guardrails to Audit Evidence

Australia's voluntary AI guardrails only become useful when GRC teams translate them into control objectives, artefacts and assurance tests.

GRC · Operational Risk

AI Incident Response Needs an Evidence Pack, Not Just a Playbook

Prompt injection, data leakage and agentic failures require GRC teams to rethink incident response evidence, escalation and assurance.

GRC · AI Governance

Board AI Literacy Is Now a Control Expectation, Not a Training Nice-to-Have

APRA's April 2026 AI letter signals that board AI literacy is becoming a governance control expectation, not a generic awareness exercise.

GRC · Regulatory analysis

ASIC's AI Supervisory Posture, Decoded

ASIC's posture on AI in financial services is now visible across REP 798, the 2026 Key Issues Outlook, and recent statements from the Chair. Five themes shape supervisory expectation, and three create immediate work for compliance teams.

GRC · Regulatory analysis

CPS 234 and AI Vendors: A Due Diligence Framework

CPS 234 has been in force since 2019. AI vendors stretch the framework in specific ways: training data exposure, model update opacity, and inference infrastructure that crosses the standard's information asset boundaries. A practical due diligence framework.

GRC · Regulatory analysis

FAR and AI: How Accountability Maps to Tooling Decisions

The Financial Accountability Regime makes specific senior executives answerable for the systems and decisions inside their portfolios. AI tooling decisions sit inside that accountability, whether they are formally documented in the responsibility map or not.

GRC · Regulatory analysis

AML/CTF and Large Language Models: A Compliance View

Large language models are now embedded across AML/CTF programs, from suspicious matter triage to KYC document review. AUSTRAC's posture on these uses is taking shape. Reporting entities need a clear governance position now, not later.

GRC · Regulatory analysis

DDO and AI-Driven Personalisation: Where the Boundary Sits

AI personalisation is moving fast inside Australian financial services. The Design and Distribution Obligations were not written with adaptive recommendation engines in mind. The boundary between targeting and personal advice is the line GRC teams need to govern.

GRC · Regulatory analysis

APRA's Model Risk Thematic Review: What to Expect

APRA's model risk thematic review is expected to land in the second half of 2026. The signals from supervisory engagement to date suggest where it will press hardest, and what regulated entities should be doing now.

GRC · Regulatory analysis

CPS 230 and AI: A Practical Operational Resilience Playbook

CPS 230 has been live since 1 July 2025. Nine months in, the practical question for boards and operational risk teams is no longer whether AI tools fall inside the standard. It is how to evidence it.

Regulatory Updates

Tracking the regulators

Active coverage. In-depth analysis of ASIC AI guidance, AML/CTF reform implications, DDO and AI-assisted product recommendations, and CPS 234 vendor due diligence is published above. Quarterly GRC talent market reports and a dedicated AML/CTF supervisory engagement piece are in development. New analysis posts here as it's published.

Tools

Practical instruments

AI Readiness Assessment

Bespoke question banks for GRC analysts, governance managers, and compliance and audit professionals.

AI Tool Comparison

Side-by-side comparison of major AI tools with criteria weighted for GRC use cases.

Governance Scorecard

A dedicated AI governance maturity self-assessment against APRA CPS 230 and CPS 234 is in development. In the meantime, the AI Readiness Assessment includes GRC paths covering analyst, governance manager, and compliance and audit roles.