CPD: AI governance – a practical framework for advisers

From

For advisers, AI is rapidly moving from an experimentation phase to core advice infrastructure, and regulators are making it clear that governance expectations must keep pace.

Regulator scrutiny of AI governance just got serious

In years to come, they may well call it the ‘Mythos effect’ – the point in early 2026 where all the concerns about AI use in financial services came to a head and prompted the regulators to get serious.

ASIC has been watching this issue particularly closely since October 2024, when it published Report 798[1], an examination of AI governance practices across financial services licensees. But when Anthropic (the company behind ‘Claude’) began inviting selected organisations to trial Mythos[2] – a model built specifically for cybersecurity and autonomous coding – regulator anxiety shifted to a whole new level. Within weeks, ASIC had issued an urgent call[3] for cyber uplift in the face of agentic AI, and APRA had written[4] to all regulated entities demanding a ‘step change’ in AI risk management, warning that governance practices were falling dangerously behind the pace of advancements.

For advisers, the rapid adoption of AI gives this scrutiny extra relevance. A recent survey[5] found that 74% of Australian advisers are already using or planning to use AI in their business – well ahead of the global average of 64% – with practices already putting AI to work drafting file notes, generating statements of advice and client communications, and accelerating research and compliance tasks.

For readers, this article takes a timely and practical look the nature of AI risks, the extent to which existing compliance frameworks and obligations acknowledge these risks, and what you can do now to close the governance gap and protect yourself and your clients.

AI is rapidly becoming advicetech infrastructure

The increasing adoption of AI by advisers has seen it rapidly progress from being an add-on tool to becoming a central element underpinning the technology stacks of advice practices.

The 2025 Adviser Landscape Report[6] identified the key areas practices were already applying AI:

  • 86% were using it for file notes and meeting documentation
  • 53% were using it for client engagement applications such as newsletters
  • 48% were using it for marketing, and
  • 46% were using it with SOA or ROA production.

Given these rates are based on 2025 data, they are almost certainly higher now, as is the number of AI systems being used by advisers.

AI no longer just means ‘ChatGPT’, as advisers are presented with an ever-growing choice of generative AI tools developed specifically for advice, including Paradino, Saturn, and Marloo. At the same time, platforms and CRMs including Iress XPlan and Netwealth are rushing to offer various degrees of AI functionality, while the ubiquitous Microsoft 365 platform includes the rapidly improving Copilot.

The more innovative firms within the advice ecosystem are already pushing into more sophisticated territory. Melbourne-based Yarra Lane, working with outsourcing specialist Vital Business Partners, has been running AI-assisted workflow automation that literally goes to work overnight: bots review adviser calendars, access client systems, download portfolio reports and stage everything in SharePoint so advisers are ready to go before the first meeting of the day. As CEO Nick Perrett summed up, “our planners are working throughout the day, and our bots go to work at night.”[7]

The next evolution will be ‘agentic AI’ – systems capable not just of automating fixed tasks, but of reasoning, making decisions and adapting when circumstances change, all without constant human direction. While still in its nascency within advice, the lightning pace of change, and the enthusiasm many advisers have for new technology, will likely drive a very sharp adoption curve.

But its power creates governance challenges

The power of AI to transform financial advice is already beyond doubt. Terry Dillon, Chief Executive of Shadforth Financial, expects his advisers to see 50 per cent-plus more clients thanks to AI, without dropping the amount of client contact or the quality of the advice.

“We’re not talking incremental change. We’re talking a step change in the number of clients advisers will be able to see over time,” Dillon says[8].

As well as speed, AI can be consistent at scale, reducing the variability that can occur across different staff members or even across different decisions by the same team member.

Entireti’s Neil Younger argues this consistency “means you’re starting to introduce advice at lower cost points than we see in the traditional model.”[9]

But this scalability and power is a double-edged sword. Any flaw in the AI, whether it be a hallucination, an algorithmic bias, or inadequate personalisation, can be propagated across hundreds of client files before anyone realises.

And the unseen nature of some AI tools – which run in the background of more comprehensive systems, rather than being standalone – can amplify the governance challenges.

ASIC’s central finding from REP 798[10] is that these risks are real and growing, and businesses are struggling to ensure their governance practices can keep up with the explosive pace of change.

What ASIC found in Rep 798

ASIC’s Report 798 was based on a review of 624 AI use cases across 23 licensees, including banks, credit providers, insurers and financial advice businesses. What they found was that governance frameworks put in place by many of these businesses were failing to evolve at the same speed as the technology.

More alarming was the observed variability in standards – while some licensees had documented strategies and board-level reporting, others had no AI specific policies or governance framework at all.  Among the specific findings:

  • Only 12 of the 23 licensees had policies addressing fairness or bias in their AI systems
  • Only 10 had any documented approach to disclosing AI use to consumers
  • None had implemented ‘contestability’ arrangements (mechanisms allowing clients to challenge decisions in which AI had played a role)
  • 30% of all use cases relied on third-party AI models, and many licensees could not explain what those models were actually doing.

ASIC illustrated the practical implications of these governance shortcomings with a powerful, real life case study : a credit scoring model that had been running for months with no governance documentation, no risk rating and where the provider “could not explain the variables in the scorecard or the impact they are having on an applicant’s score.”[11]

It is easy to imagine the same sort of ‘black box’ scenario in risk profiling software, which, if some unknown error or bias crept in, could allocate erroneous risk profiles to clients, undetected, for a significant period of time, potentially opening those clients up to significant financial harm.

Cyber risks take centre stage

While AI related cyber risks received little focus in Rep 798 (being mentioned only twice), the ‘Mythos effect’ has seen the topic become much more prominent in ASIC’s recent thinking, culminating in their May 2026 call for ‘cyber uplift’.

In an open letter[12] from Commissioner Simone Constant, ASIC noted:

“The rapid evolution of frontier artificial intelligence models marks a significant shift in the cyber threat landscape. These models are accelerating both capability and accessibility, lowering the barrier to sophisticated cyber activity, increasing the speed and scale of attacks, and enabling new forms of exploitation that were previously out of reach for most actors.”

“This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives.”

While ASIC weren’t targeting one specific industry sector with this message, the sensitive nature of client data stored and used by financial advisers makes advice firms an attractive target for ‘bad actors’, giving this statement added resonance for the advice profession.

In particular, it forces AFSLs to reckon with a problem not previously factored into most AI governance thinking – the extent to which AI dramatically expands the “attack surfaces” (exposure to untrusted networks).

When client data is fed into third-party AI tools, for example to generate file notes, draft SOAs, or summarise meeting transcripts, it is leaving the firm’s ‘controlled’ environment. The data handling practices of the AI vendor and the security of the API connection become a critical part of the firm’s cyber risk profile. The more vendors used, the bigger the attack surface.

APRA puts all regulated entities on notice

During a targeted review of large banks, insurers and superannuation trustees in late 2025, APRA identified a number of gaps which echoed those uncovered in Rep 798, including cyber security, governance maturity, and third-party concentration.

Following their review, APRA wrote to all regulated entities in April 2026 warning that while AI adoption is accelerating across the sector, associated governance and risk management practices are not keeping up[13]. Boards were singled out as needing to develop the ability to challenge AI-related risks and ask hard questions of management.

AI governance – advisers’ existing obligations

ASIC frequently makes the point that the law, and its associated guidance, is ‘technology neutral’. This makes it easier for the regulatory framework to adapt to unforeseen technological advancements (video SOAs anyone?), and also means advisers have a base level of compliance obligations that apply regardless of the technologies used.

Key examples of obligations that are directly relevant to the use of AI in advice include (but are not limited to):

  • Providing services “Efficiently, honestly and fairly” (under s912A)
    • You can’t blame an AI tool for incorrect outputs
  • Not making “False and misleading representations” (under Australian Consumer Law)
    • AI hallucinations remain a significant risk
  • Best Interests Duty
    • Professional reasoning cannot be delegated to a model
  • Record keeping
    • The same evidentiary standards apply to AI generated file notes as to human generated documents.

A practical adviser framework for AI governance

In addition to the foundational compliance obligations that apply regardless of the technology used, the governance questions included by ASIC in Report 798 are a valuable starting point when building a practical, AI specific, governance framework for advisers.

An example of such a framework is below:

  • Do an AI inventory check
    It is crucial to understand where AI exists in your practice. Start with a simple inventory: every AI tool in use, what it does, who is accountable for it, and what client data it touches. Include tools embedded in CRMs and wealth platforms, not just standalone AI applications.
  • Have a documented AI policy
    At some stage, it is likely that having a documented AI policy will be mandatory, so get ahead of the curve. Your policy should cover:
    • which AI tools are approved for use and for what purposes?
    • what AI tools are not permitted (particularly for client-facing outputs without human review)?
    • what data may and may not be input into AI tools?
    • what review is required before AI-generated content is relied upon or sent to clients?
    • what client information is being fed into AI tools?
    • who stores those prompts, and what are the privacy implications?
  • Assign accountability
    Someone in the practice needs to own AI governance. In a small practice this may be the principal adviser. In a larger licensee it may require a formal role or committee. ASIC’s May 2026 cyber statement is explicit that this responsibility sits at board and leadership level.
  • Conduct meaningful human oversight
    Having genuine human oversight of AI output – often referred to as ‘Human in the loop’ – means the adviser can stand behind every recommendation in the document, explain the reasoning, and confirm it reflects the specific client’s circumstances. Anything short of this means such oversight doesn’t really exist.
  • Train your staff on the tools they use
    The black box phenomenon, where no one really understands how AI is generating the answers it does, is clearly dangerous. Staff need to understand what each AI tool does, what it can get wrong, and where their judgement needs to take over.
  • Make your vendors accountable too
    Most AI powered software is provided by a third party, and you need to be comfortable about their own governance standards. Find out from the vendor what model they provide to you, how it is trained and updated, how errors are identified and corrected, and what happens to client data entered into the system. 
  • Address cyber risk specifically
    ASIC’s May 2026 letter placed active management of third-party cyber risk squarely on the licensee. Review which AI tools are receiving client data and under what terms. Assess vendor security practices and data handling as part of your outsourcing governance.
  • Tell your clients where you have used AI
    There is currently no mandatory requirement to disclose AI use to clients in the advice context. But Rep 798 flags this as an area of emerging expectation, and voluntary disclosure is now better practice. Consumers have a growing expectation that AI is used by businesses and indeed may even use AI to critique your recommendations. Providing a brief, plain-language explanation of where AI is used in the advice process can protect you and the client down the track.
  • Build in regular reviews
    AI vendors can update models, add capabilities and change data handling practices at breathtaking speed. The governance framework you put in place today will likely date faster than almost any other document in your business, meaning regular reviews are critical.

In summary

For advisers, AI is rapidly moving from an experimentation phase to core advice infrastructure, and regulators are making it clear that governance expectations must keep pace. Recent interventions from APRA and ASIC – for which new ‘frontier’ and agentic AI systems were the catalyst – signal that improving AI oversight is something for entities of all sizes to prioritise now.

For advisers, the challenge is not whether AI should be used, but how it can be used in a way that remains defensible and consistent with existing professional obligations. Practices that treat AI governance as an extension of their broader compliance and client protection frameworks will be better positioned to capture the transformative benefits of the technology, while avoiding the governance failures regulators are increasingly worried about.

 

Take the FAAA accredited quiz to earn 0.25 CPD hour:

CPD Quiz

The following CPD quiz is accredited by the FAAA at 0.25 hour.

Legislated CPD Area: Regulatory Compliance & Consumer Protection (0.25 hrs)

ASIC Knowledge Requirements: Regulatory Environment (0.25 hrs)

 

———–
References:
[1] https://download.asic.gov.au/media/mtllqjo0/rep-798-published-29-october-2024.pdf
[2] https://www.abc.net.au/news/2026-04-23/powerful-ai-tools-posing-cybersecurity-risks-australia-lagging/106584436
[3] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2026-releases/26-092mr-asic-calls-for-urgent-cyber-uplift-as-ai-accelerates-cyber-threats/
[4] https://www.apra.gov.au/news-and-publications/apra-calls-for-a-step-change-ai-related-risk-management-and-governance
[5] https://www.adviserratings.com.au/news/the-ai-revolution-in-financial-advice-australian-practices-leading-global-adoption/
[6] Ibid
[7] https://www.professionalplanner.com.au/2025/05/meet-the-advisers-pioneering-the-professions-ai-adoption/
[8] https://www.afr.com/companies/financial-services/the-biggest-constraint-to-using-ai-for-financial-advisers-20260407-p5zltj
[9] Ibid
[10] https://download.asic.gov.au/media/mtllqjo0/rep-798-published-29-october-2024.pdf
[11] Ibid
[12] https://download.asic.gov.au/media/xhrf1w0e/26-092mr-open-letter-to-afs-licensees-and-market-participants.pdf
[13] https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai

Have feedback on this article? Contact Us