Home/GRC

GRC

AI in Governance, Risk & Compliance

Practical intelligence on AI developments across APRA, ASIC, FAR, AML/CTF, DDO, and CPS 230 for compliance and risk professionals in Australian financial services.

APRAASICFARAML/CTF

Intelligence, At Your Command.

Regulatory Frameworks

APRA / CPS 230

Operational Risk Management: AI system governance obligations

FAR

Financial Accountability Regime: accountability for AI-assisted decisions

ASIC

Consumer protection obligations and AI disclosure requirements

AML/CTF

Anti-money laundering and AI-assisted transaction monitoring

DDO

Design and Distribution Obligations: AI in product recommendations

CPS 234

Information Security: cybersecurity governance for AI systems

Analysis

GRC Intelligence

Edinburgh Old Town Blue Hour
GRC·

AI in Internal Audit: What Still Counts as Evidence

Internal audit functions are adopting AI faster than they are writing the rules for their own use of it. The IIA's 2024 Standards never mention artificial intelligence, yet every evidence, documentation and objectivity requirement still applies to AI-assisted audit work.

Read article
Geneva Lake Jet Deau Dusk
GRC·

Build an AI Use Case Register That Boards Can Actually Use

Practical guidance for GRC teams to create AI use case registers that deliver clear, decision-ready evidence for boards and risk committees.

Read article
Chicago Riverwalk Financial Blue Hour
GRC·

AI Cyber Risk Is Now a Board Governance Issue

ASIC's May 2026 cyber uplift warning highlights that AI-driven cyber risk demands active board and risk committee oversight, not just IT fixes. This article outlines a practical governance operating model for GRC teams.

Read article
Brisbane Cbd Night
GRC·

From Voluntary AI Guardrails to Audit Evidence

Australia's voluntary AI guardrails only become useful when GRC teams translate them into control objectives, artefacts and assurance tests.

Read article
Melbourne Southbank Night
GRC·

AI Incident Response Needs an Evidence Pack, Not Just a Playbook

Prompt injection, data leakage and agentic failures require GRC teams to rethink incident response evidence, escalation and assurance.

Read article
Sydney Cbd Towers
GRC·

Board AI Literacy Is Now a Control Expectation, Not a Training Nice-to-Have

APRA's April 2026 AI letter signals that board AI literacy is becoming a governance control expectation, not a generic awareness exercise.

Read article
Singapore
GRC·

ASIC's AI Supervisory Posture, Decoded

ASIC's posture on AI in financial services is now visible across REP 798, the 2026 Key Issues Outlook, and recent statements from the Chair. Five themes shape supervisory expectation, and three create immediate work for compliance teams.

Read article
Zurich Limmat Old Town
GRC·

CPS 234 and AI Vendors: A Due Diligence Framework

CPS 234 has been in force since 2019. AI vendors stretch the framework in specific ways: training data exposure, model update opacity, and inference infrastructure that crosses the standard's information asset boundaries. A practical due diligence framework.

Read article
Adelaide King William St
GRC·

FAR and AI: How Accountability Maps to Tooling Decisions

The Financial Accountability Regime makes specific senior executives answerable for the systems and decisions inside their portfolios. AI tooling decisions sit inside that accountability, whether they are formally documented in the responsibility map or not.

Read article
Frankfurt
GRC·

AML/CTF and Large Language Models: A Compliance View

Large language models are now embedded across AML/CTF programs, from suspicious matter triage to KYC document review. AUSTRAC's posture on these uses is shaping. Reporting entities need a clear governance position now, not later.

Read article
Rotterdam
GRC·

DDO and AI-Driven Personalisation: Where the Boundary Sits

AI personalisation is moving fast inside Australian financial services. The Design and Distribution Obligations were not written with adaptive recommendation engines in mind. The boundary between targeting and personal advice is the line GRC teams need to govern.

Read article
London
GRC·

APRA's Model Risk Thematic Review: What to Expect

APRA's model risk thematic review is expected to land in the second half of 2026. The signals from supervisory engagement to date suggest where it will press hardest, and what regulated entities should be doing now.

Read article
Oslo
GRC·

CPS 230 and AI: A Practical Operational Resilience Playbook

CPS 230 has been live since 1 July 2025. Nine months in, the practical question for boards and operational risk teams is no longer whether AI tools fall inside the standard. It is how to evidence it.

Read article

Regulatory Updates

Tracking the regulators

Active coverage. In-depth analysis of ASIC AI guidance, AML/CTF reform implications, DDO and AI-assisted product recommendations, and CPS 234 vendor due diligence is published above. Quarterly GRC talent market reports and a dedicated AML/CTF supervisory engagement piece are in development. New analysis posts here as it's published.

Browse all GRC analysis

Tools

Practical instruments

AI Readiness Assessment

Bespoke question banks for GRC analysts, governance managers, and compliance and audit professionals.

AI Tool Comparison

Side-by-side comparison of major AI tools with criteria weighted for GRC use cases.

Governance Scorecard

A dedicated AI governance maturity self-assessment against APRA CPS 230 and CPS 234 is in development. In the meantime, the AI Readiness Assessment includes GRC paths covering analyst, governance manager, and compliance and audit roles.

Interactive tools

Put it into practice

AI Readiness Assessment

A short, role-specific check that scores where you are and returns a personalised 90-day plan.

Start the assessment

Compare AI tools

Side-by-side scoring of the major AI assistants across the criteria that matter for professional work.

Open the comparison