How regulation is catching up with AI for AFS licensees

There is no AI-specific compliance obligation under the Corporations Act 2001 (Cth). However, AI use engages general licensee obligations to:

• provide services efficiently, honestly and fairly;
• not engage in unconscionable conduct;
• not make false or misleading statements;
• have adequate compliance measures for complying with their obligations;
• maintain adequate technological and human resources; and
• have adequate risk management systems.   

Licensees remain responsible for outsourced functions, including third-party AI models. Boards must discharge their duties with care and diligence, including in relation to AI.

ASIC's Report 798 Beware the gap: Governance arrangements in the face of AI innovation reviewed 624 AI use cases across 23 licensees and found a governance gap – some licensees were adopting AI faster than their risk frameworks were being updated. Only half had updated their risk management policies for AI, and some were assessing risk through a business efficiency lens rather than a consumer harm lens, creating exposure under the design and distribution obligations.

ASIC's Key Issues Outlook for 2026 identifies advanced technology, including agentic AI, as a key risk, noting AI may influence significant financial decisions without adequate oversight and consumers may not be aware they are interacting with AI. APRA has likewise called for a 'step-change' in AI risk management, warning that governance and assurance practices are not keeping pace with the scale and complexity of AI adoption. 

APRA also flagged that over-reliance on a small number of AI providers creates concentration risk, and existing internal audit and compliance processes may not be structured to catch AI-specific issues.

Both ASIC and APRA have emphasised that board accountability cannot be delegated away. APRA noted that while boards show strong interest in AI's potential benefits, many lack the technical literacy to effectively challenge management on AI risks. ASIC has reinforced that directors must discharge their duties with care and diligence extending to the use of AI, and they should be aware of reasonably foreseeable associated risks.

Licensees who invest in governance frameworks now will be better positioned to innovate with confidence – and to comply with whatever mandatory obligations come next.

Practical steps licensees can take now:

• Assess systems and conduct an AI audit: map current and planned AI use, including third-party tools and embedded platform functionality, and assess systems against the Federal Court’s finding in the FIIG Securities case.
• Assess AI through a consumer harm lens – not merely as a business efficiency tool.
• Update governance frameworks before expanding AI use: governance should lead adoption, not lag it.
• Review AI provider arrangements: ensure contractual protections and the ability to monitor third-party models.
• Implement the National AI Centre’s voluntary Guidance for AI Adoption: compliance is not mandatory, but ASIC recommends adherence and it may become a benchmark against which ASIC assesses licensee conduct.
• Brief the board and prepare for regulatory change: Directors need visibility of AI use, risk appetite and the regulatory trajectory, including the Australian Government's ongoing consultation on mandatory AI guardrails.