The AI Governance Gap: What ASIC REP 798 and APRA's 2026 Letter Mean for Lenders
What ASIC REP 798 and APRA's April 2026 letter mean for non-bank lenders: closing the AI governance gap before it closes you.
Part of the series: How to use AI with client documents in Australian real estate finance
General information, not legal advice. Current as at June 2026.
There is an assumption doing the rounds in Australian B2B: that AI is a regulatory grey zone, and until Parliament passes a dedicated "AI Act," nobody can really hold you to a standard. That's not the case, and both of Australia's main financial regulators have now said so in writing.
The message from ASIC and APRA is consistent and blunt: the law you already operate under applies to AI right now. The risk is not that you broke a rule that doesn't exist yet. The risk is the gap between how fast you adopted AI and how slowly you updated the governance around it.
REP 798: ASIC names the "governance gap"
ASIC published Report 798, Beware the gap: Governance arrangements in the face of AI innovation, which reviewed 624 AI use cases across 23 licensees and reached an unsurprising but pointed conclusion: firms are deploying AI faster than they are updating the risk and compliance frameworks meant to control it.
ASIC's position was not anti-AI. In its 21 May 2024 opening statement to the Senate Select Committee on Adopting AI it described itself as "supportive of the safe and responsible use of AI by Australian businesses." The point was about accountability: director duties, the licensee obligation to act "efficiently, honestly and fairly," and consumer protections apply to an AI-assisted decision exactly as they apply to a human one. An algorithm in the loop does not dilute the obligation - it just makes it harder to see where the obligation is being met.
For credit licensees specifically, that lands close to home. ASIC flagged concern about opaque, "black box" AI in credit decisioning - systems that produce an outcome no one can fully explain. If you cannot show which inputs drove a risk grade or a serviceability call, you have a defensibility problem the moment anyone asks.
APRA sharpens it: AI is a risk domain, not a tool
In April 2026, APRA followed with a letter to industry warning that governance, risk management and operational resilience are not keeping pace with AI adoption. It named four weaknesses that should read like a self-assessment checklist for any regulated lender:
- Boards without the technical literacy to oversee AI effectively.
- Frameworks that treat AI as "just another technology" rather than a distinct risk domain.
- Cyber and information-security gaps - identity and access, patching delays, insufficient testing of AI systems.
- Poor visibility over third-party AI dependencies - the models and vendors you quietly rely on.
Crucially, APRA's view is that existing prudential standards already capture AI risk. CPS 234 (Information Security), CPS 230 (Operational Risk Management) and CPS 220 (Risk Management) all apply - they just need to be operationalised for AI. The targeted amendments to CPS 230 commence 1 July 2026, which makes third-party and operational-resilience questions especially live for anyone leaning on an external AI tool. In its Key issues outlook for 2026, ASIC listed agentic AI on its watchlist alongside private credit.
What "closing the gap" actually looks like
The regulators have effectively handed you the remediation list. Closing the governance gap means moving AI out of the "IT tools" drawer and into your risk framework, with real ownership:
- Give AI an owner. AI use sits in the risk framework with a named accountable person, not scattered across whoever happened to sign up for a chatbot.
- Get the board literate enough to oversee it. Risk appetite and board reporting should address AI risks, not just AI opportunities.
- Do third-party due diligence. Know which models and vendors you depend on, where they run, and what happens if one fails or changes. (This is also where sovereignty matters - see sovereign AI for CRE finance.)
- Keep AI explainable. Anything touching a credit decision should be traceable to its inputs. Use AI to assemble and structure the evidence; keep the decision and its rationale with a human.
- Log it. Record where automation was used and what it produced - both as operational-risk evidence and as the raw material for your privacy-policy disclosures.
That last point is not abstract. The recordkeeping you build to close the governance gap is the same recordkeeping the private-credit reforms now demand - see private credit under the microscope - and the same evidence you'll need for the automated decision-making transparency obligation. Do it once, properly, and three obligations get easier at the same time.
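What "explainable and logged" can look like in practice, as an added illustration that is not from the article or from any vendor product: a small append-only decision log in Python where each step records which model ran, which input documents it saw (as hashes, so the log does not become another copy of client data), what the AI produced, and what the human decided and why. Entries are hash-chained so an after-the-fact edit breaks verification. The field names, model identifiers, file names and figures are all assumptions constructed for the example; the regulators describe the goal (traceable inputs, a record of where automation was used and what it produced), not a schema.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class DecisionLog:
    """Append-only record of each AI-assisted step in a credit decision.

    Each entry commits to the hash of the previous entry, so deleting or
    editing a step after the fact is detectable with verify().
    """

    def __init__(self):
        self.entries = []

    def append(self, *, model_id, input_documents, ai_output,
               human_decision, decided_by, rationale, ts=None):
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "model_id": model_id,
            # Hashes of the inputs, not the inputs: proves which documents
            # were used without storing client data in the log itself.
            "input_refs": {name: sha256_hex(content)
                           for name, content in sorted(input_documents.items())},
            "ai_output": ai_output,          # what the tool produced
            "human_decision": human_decision,  # what the person decided
            "decided_by": decided_by,
            "rationale": rationale,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """True only if every entry's hash and chain link are intact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def overrides(self):
        """Steps where the human departed from the AI recommendation: the
        cases a reviewer or regulator will ask about first."""
        return [e for e in self.entries
                if e["human_decision"] != e["ai_output"].get("recommendation")]


def build_sample_log() -> DecisionLog:
    # Constructed sample inputs; hypothetical model ids and file names.
    docs = {
        "bank_statements.pdf": b"constructed bank statement text",
        "rent_roll.xlsx": b"constructed rent roll",
    }
    log = DecisionLog()
    log.append(
        model_id="doc-extractor-v3 (hypothetical)",
        input_documents=docs,
        ai_output={"net_operating_income": 412000, "recommendation": "proceed"},
        human_decision="proceed",
        decided_by="analyst-01",
        rationale="Extracted NOI reconciles to the rent roll.",
        ts="2026-06-01T09:00:00+00:00",
    )
    log.append(
        model_id="serviceability-model-v2 (hypothetical)",
        input_documents=docs,
        ai_output={"icr": 1.15, "recommendation": "decline"},
        human_decision="refer",
        decided_by="credit-manager-02",
        rationale="ICR marginal; refer to committee with an updated valuation.",
        ts="2026-06-01T09:30:00+00:00",
    )
    return log


def tampered_copy(log: DecisionLog) -> DecisionLog:
    # Simulate a stored entry being edited after the fact; verify() must fail.
    bad = copy.deepcopy(log)
    bad.entries[1]["human_decision"] = "proceed"
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("overrides:", [e["decided_by"] for e in log.overrides()])
    print("tampered chain intact:", tampered_copy(log).verify())
```

The same record serves the three obligations the paragraph names: the model and input hashes are the operational-risk evidence, the ai_output/human_decision split is the explainability trail for a credit decision, and the set of entries is the factual basis for a privacy-policy disclosure about where automation was used.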
The bottom line
The risk ASIC named is not that you broke a rule that doesn't exist yet. It is the gap between how fast you adopted AI and how slowly you governed it - the gap that makes a defensible AI workflow indistinguishable from a guess. The firms that come through the next two years cleanly will be the ones that treated AI as a governed risk from the start - owned, overseen, explainable and logged - rather than a clever shortcut bolted onto a legacy process. The firms that don't won't just sit in the compliance crosshairs; they will watch their competitors use the same revolutionary tools effectively, and at speed, while they are still trying to work out who owns the chatbot. The gap ASIC named is real. It is also closeable, and the work to close it pays off across your whole compliance surface.
Want to see where you stand? Run through the checklist for using AI legally in Australia - a two-minute scorecard for CRE brokers and lenders, including the governance questions ASIC and APRA are asking.
This article is general information about regulatory developments and is not legal or compliance advice. Confirm your obligations with your own advisers.
Vanillah