APRA's 30 April 2026 letter to industry should change how governance, risk and compliance teams think about AI education for boards. The practical message is not that directors must become machine learning engineers. The message is that AI literacy is now connected to risk appetite, control assurance, third-party oversight, resilience and accountability. APRA states that AI adoption is accelerating across regulated entities, while maturity in governance, risk management, assurance and operational resilience remains uneven.
For GRC teams, this moves AI literacy out of the optional learning calendar and into the control environment. If a board approves strategy, sets risk appetite and oversees material risk, then the board needs enough AI literacy to ask whether AI systems are being governed with the same discipline as other material technology, data, outsourcing and operational risks. That is a different standard from watching a demonstration of a chatbot or attending a one-hour awareness session.
Why the bar is rising
APRA's letter is careful, but it is not ambiguous. It expects regulated entities to maintain risk management that is commensurate with the scale, complexity and materiality of AI use. It also expects boards to have sufficient literacy to understand AI opportunities, limitations and risks, including risks arising through third-party services and cyber pathways.
That expectation aligns with the wider Australian direction of travel. The Australian Government's voluntary AI Safety Standard sets out 10 guardrails for safe and responsible AI, including accountability, risk management, transparency, human oversight and contestability. The Digital Transformation Agency's Policy for the responsible use of AI in government also expects agencies to assign accountability, classify AI use by risk, publish transparency statements and manage AI safely. These are not identical regimes, but they point in the same direction: governance must be visible, accountable and evidence-based.
This distinction matters because AI risk often hides in familiar business processes. A model summarising customer interactions may create privacy and accuracy risks. A retrieval system connected to policy documents may create information security and prompt injection risks. A workflow agent that drafts decisions may create accountability and recordkeeping risks. None of these risks is solved by teaching directors model terminology alone. The literacy requirement is practical: directors need enough understanding to interrogate the control story.
AI literacy should be role-specific
Many organisations will respond with generic AI training. That is a start, but it is not enough for boards and senior executives. A board literacy programme should be built around decisions the board actually makes. It should cover AI strategy, materiality thresholds, high-risk use cases, assurance expectations, regulatory reporting, third-party concentration, cyber exposures and incident escalation.
The NIST AI Risk Management Framework is useful here because it frames AI risk around governance, mapping, measurement and management. The value of that structure is not that Australian firms should simply import a United States framework. The value is that it gives boards a practical language for asking whether the organisation has understood context, measured risk, implemented controls and monitored outcomes. Those questions translate well into Australian GRC work.
The third-party problem
Third-party AI is likely to be the place where board literacy is most tested. Many organisations will not build frontier models. They will buy software, embed vendor copilots, connect enterprise data to external platforms and rely on cloud providers, model providers and specialist workflow tools. APRA's AI letter specifically points to third-party dependencies as a matter for board and senior management attention.
This creates a practical challenge. Traditional vendor due diligence often focuses on security questionnaires, service levels, financial viability and contractual terms. AI due diligence needs those controls, but it also needs questions about model behaviour, data retention, training use, explainability, evaluation, subcontractors, monitoring, incident notification and exit. Where an AI service supports critical operations, the control expectation should connect to operational resilience obligations, including CPS 230 arrangements for material service providers.
For boards, the point is not to review every model card. The point is to insist that management has a defensible process for classifying vendor AI risk. A vendor tool that drafts internal meeting summaries is not the same as a vendor tool that recommends fraud flags, employment actions, claims triage outcomes or customer hardship responses. Board literacy should help directors detect when management has treated materially different use cases as if they were the same.
What GRC teams should build now
GRC teams can turn AI literacy into a control by creating artefacts that boards can use. The first artefact is an AI use-case register that identifies owner, business purpose, users, affected stakeholders, data categories, vendor dependencies, risk rating and assurance status. The second is a board reporting pack that summarises new material uses, exceptions, incidents, overdue controls and assurance outcomes. The third is a literacy and attestation process for executives accountable for material AI systems.
These artefacts should be tested through internal audit or assurance. The question is not merely whether the register exists. The question is whether the register is complete, current and connected to actual procurement, technology, privacy, cyber and change-management processes. A stale spreadsheet is not a control. A living register that triggers review when a business unit connects sensitive data to a new AI tool is much closer to the standard regulators are signalling.
The best board AI literacy programmes will use scenarios. Scenario-based training reveals whether directors understand materiality, affected stakeholders, failure modes and assurance needs. A useful scenario might walk the board through a vendor copilot that quietly begins drafting customer hardship responses after a routine product update. Directors who can ask where that change was approved, what data the tool now touches, who tested it, and who accepted the residual risk are demonstrating exactly the literacy APRA is describing. Directors who accept the new capability without those questions are not.
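To make the register-as-control concrete, here is an added Python sketch (not the article's or any regulator's artefact) of a use-case register whose entries carry the fields listed above, with a check that derives a floor risk rating from purpose and data, flags changes that must go back through review, and rolls exceptions into a board pack. The sensitivity labels, rating scale and the "vendor copilot" sample rows are assumptions constructed for the scenario just described.

```python
from dataclasses import dataclass

# Assumed labels (mine, not the article's) for sensitive data and decision-affecting purposes.
SENSITIVE_DATA = {"customer_pii", "financial", "health", "hardship"}
HIGH_IMPACT_PURPOSES = {"fraud_flag", "employment_action", "claims_triage", "customer_hardship_response"}
RATINGS = ["low", "medium", "high"]

@dataclass
class UseCase:                 # one row of the AI use-case register
    name: str
    owner: str
    purpose: str
    data_categories: set
    vendor_dependencies: set
    risk_rating: str           # rating management recorded
    assurance_status: str      # "current", "in_progress", "overdue", "not_started"

def expected_rating(uc):
    """Floor rating from purpose and data: a decision-affecting use is never 'low'."""
    if uc.purpose in HIGH_IMPACT_PURPOSES:
        return "high"
    if uc.data_categories & SENSITIVE_DATA or uc.vendor_dependencies:
        return "medium"
    return "low"

def under_rated(uc):
    return RATINGS.index(uc.risk_rating) < RATINGS.index(expected_rating(uc))

def change_triggers(before, after):
    """Reasons an edited register entry must go back through review."""
    reasons = []
    new_sensitive = (after.data_categories - before.data_categories) & SENSITIVE_DATA
    if new_sensitive:
        reasons.append("sensitive data connected: " + ", ".join(sorted(new_sensitive)))
    if after.purpose != before.purpose and after.purpose in HIGH_IMPACT_PURPOSES:
        reasons.append("purpose changed to high-impact: " + after.purpose)
    if after.vendor_dependencies - before.vendor_dependencies:
        reasons.append("new vendor dependency")
    if under_rated(after):
        reasons.append("recorded rating below expected: " + expected_rating(after))
    return reasons

def board_pack(register):
    """Board reporting pack: material uses, rating exceptions, overdue controls."""
    return {"material_uses": [u.name for u in register if expected_rating(u) == "high"],
            "rating_exceptions": [u.name for u in register if under_rated(u)],
            "overdue_controls": [u.name for u in register if u.assurance_status == "overdue"]}

# Constructed sample: the vendor copilot that starts drafting hardship responses after an update.
BEFORE = UseCase("vendor_copilot", "ops_lead", "meeting_summary",
                 {"internal_notes"}, {"copilot_vendor"}, "medium", "current")
AFTER = UseCase("vendor_copilot", "ops_lead", "customer_hardship_response",
                {"internal_notes", "customer_pii", "hardship"}, {"copilot_vendor"}, "medium", "current")
```

Running `change_triggers(BEFORE, AFTER)` returns three reasons (new sensitive data, high-impact purpose, under-rating), which is the point a director should be able to demand from management when the capability quietly changes.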
The bottom line
AI literacy is becoming part of governance evidence. A board can delegate technical execution, but it cannot delegate the need to understand material risks well enough to oversee them. In 2026, the defensible position is not "our board received AI training". The defensible position is "our board understands how AI is used, how material uses are escalated, what risks sit outside appetite, and what assurance evidence supports management's position".
That is a higher standard, but it is also a more useful one. It turns AI education from a learning event into a governance capability.
References
- APRA letter to industry on artificial intelligence
- Australian Government Voluntary AI Safety Standard
- Policy for the responsible use of AI in government
- NIST AI Risk Management Framework
TheAICommand. Intelligence, At Your Command.