The Financial Accountability Regime (FAR) has been in force since March 2024 (for banks) and March 2025 (for insurers and super funds), marking a new era of individual accountability in Australia’s financial sector. Boards and executives carefully mapped responsibilities and ‘reasonable steps’ to comply with their respective FAR obligations but, did those frameworks anticipate today’s surge in artificial intelligence (AI)? Probably not.

Since FAR’s design phase, generative AI and automation have been rapidly embedded into core financial services, far beyond what many accountability maps contemplated in 2024. In other words, FAR is live, but generative AI wasn’t in the room when it was designed – nor could the scale of AI adoption and integration have been fully contemplated – and that’s a gap that needs to be addressed.

Regulators are sounding the alarm. Both APRA and ASIC have made it clear that AI adoption is accelerating faster than risk and accountability frameworks have evolved. For more details about the APRA and ASIC letters: APRA sharpens expectations on AI governance and risk management.

By way of summary, APRA’s April 2026 industry letter to all regulated entities found ‘differing levels of maturity’ in AI governance, with boards enthusiastic about AI’s benefits but lacking the technical literacy to challenge AI risks and oversight. APRA expects boards and executives to maintain sufficient understanding of AI to set strategy and provide effective oversight, and to ensure clear ownership and accountability across the AI lifecycle (e.g. from design and deployment to monitoring and decommissioning). ASIC’s recent open letter (May 2026) likewise urged firms to ‘not wait for perfect clarity’ on AI threats and to strengthen cyber resilience fundamentals now. ASIC underscored that existing obligations already cover AI-related risks, pointing to enforcement precedents (e.g. recent actions in the cyber and risk space) as a warning that regulators will hold firms and individuals to account for lapses in governance over technology.

Why does AI challenge traditional FAR assumptions? For one, responsibility mapping under FAR assumed human decision-making. However, increasingly, algorithms and AI systems influence or even automate decisions that affect customers and operations. Who is accountable when an AI recommendation goes wrong or even rogue? FAR requires an Accountable Person (AP) to actively manage risks in their area, yet complex AI models make it harder to demonstrate effective oversight and control. Accountability thus remains with the AP for the relevant function, regardless of the tool used to perform it. The practical challenge is that complex AI models make it harder for an AP to demonstrate the effective oversight and control the regime requires.

Delegation, ongoing monitoring, and oversight are tested when tasks shift from people to AI. FAR explicitly warns against inappropriate delegation, so APs cannot simply defer to an algorithm without robust checks and ongoing monitoring, which in turn, requires sufficient measures including data lineage and model transparency to enable oversight and control. APs need confidence in the data and assumptions driving AI predictions and decisions, and processes to catch bias or errors before they harm customers. Likewise, model risk management and continuous monitoring must be considered and integrated into the FAR framework as AI models evolve or ‘drift’ over time. Regulators have signalled that appropriate human oversight is essential and must be proportionate to risk. Human-in-the-loop (a person approves each decision before it takes effect) may suit high-impact or hard-to-reverse decisions affecting customers; on the other hand, human-on-the-loop (a person monitors and can intervene) may be proportionate for lower-impact, higher-volume decisions. APRA expects meaningful human oversight for high-risk AI decisions rather than fully hands-off automation. In short, AI is not ‘just another technology’, it’s a fast-moving target that widens the accountability gap if left unchecked.

FAR’s principles-based obligations are technology-neutral, but that doesn’t mean AI can be ignored. On the contrary, existing rules on governance, risk management, and conduct squarely apply to AI, and regulators are prepared to intervene under those rules if AI-related failures emerge. ASIC’s late-2024 Report 798 ‘Beware the Gap’ found that AI uptake is outpacing governance at many financial services organisations. That gap has only widened with recent developments in technology and rapid adoption – and in light of FAR now being in operation, boards and senior executives must ensure their FAR frameworks catch up with AI’s reality before regulators force the issue. This is ultimately about trust and resilience: if AI-driven processes fail – whether through bias, error or cyber exploitation, accountable executives will be on the hook. Against this backdrop of strong regulatory scrutiny and, an ever-changing environment, boards and executive APs should be considering:

• Is end-to-end accountability for AI systems and their outcomes and monitoring clearly ‘allocated’ among APs to ensure the institution’s compliance with its key personnel obligations?
• Have accountability maps and statements (if applicable) been updated to explicitly capture AI-related functions, initiatives, risks, and oversight roles?
• How can executive APs demonstrate the effective and appropriate management of AI risks in their areas and embed this into enterprise-wide AI governance and risk management systems (e.g. documented AI governance processes, risk assessments, and controls)?
• How can boards demonstrate they are discharging their duties, supporting APs, and have effective oversight of both the board’s and the institution’s adoption and deployment of AI and management of those risks?
• Have unique AI risks have been embedded into existing risk management and compliance frameworks?
• Do the technical and procedural assurance mechanisms allow AI-enabled decision making that is explainable, fair and free of unacceptable bias – and can we evidence this to regulators if challenged?
• Do AI deployments include appropriate human oversight or intervention points for high-impact decisions, to prevent unchecked automation?
• How is the organisation managing third-party AI providers and AI in our supply chain, and does supply contracts adequately manage and allocate risks? Do we have audit rights, contingency plans, and visibility over external models and data? See more: APRA’s AI letter: A wake-up call for managing your third-party suppliers
• Are APs sufficiently AI-literate to ask tough questions and challenge management on AI risks? If not, what is the plan to close that gap?
• Could we demonstrate our AI governance and risk controls to regulators or auditors on short notice? Do we maintain robust documentation of AI policies, model inventories, testing results, and decision records?
• Are we tracking progress, ensuring readiness, or making the right preparations to start disclosing our automated decisions within our Privacy Policy for December 2026?

By candidly confronting these questions, APs can close the ‘AI gap’ in their FAR frameworks and uphold the spirit of the regime – ensuring that transformational technologies are governed with the same rigour, integrity, and accountability that regulators and the public now demand.