AdviserVoice

Best Practice

CPD: AI governance – a practical framework for advisers

For advisers, AI is rapidly moving from an experimentation phase to core advice infrastructure, and regulators are making it clear that governance expectations must keep pace.

Regulator scrutiny of AI governance just got serious

In years to come, they may well call it the ‘Mythos effect’ – the point in early 2026 where all the concerns about AI use in financial services came to a head and prompted the regulators to get serious.

ASIC has been watching this issue particularly closely since October 2024, when it published Report 798[1], an examination of AI governance practices across financial services licensees. But when Anthropic (the company behind ‘Claude’) began inviting selected organisations to trial Mythos[2] – a model built specifically for cybersecurity and autonomous coding – regulator anxiety shifted to a whole new level. Within weeks, ASIC had issued an urgent call[3] for cyber uplift in the face of agentic AI, and APRA had written[4] to all regulated entities demanding a ‘step change’ in AI risk management, warning that governance practices were falling dangerously behind the pace of advancements.

For advisers, the rapid adoption of AI gives this scrutiny extra relevance. A recent survey[5] found that 74% of Australian advisers are already using or planning to use AI in their business – well ahead of the global average of 64% – with practices already putting AI to work drafting file notes, generating statements of advice and client communications, and accelerating research and compliance tasks.

For readers, this article takes a timely and practical look the nature of AI risks, the extent to which existing compliance frameworks and obligations acknowledge these risks, and what you can do now to close the governance gap and protect yourself and your clients.

AI is rapidly becoming advicetech infrastructure

The increasing adoption of AI by advisers has seen it rapidly progress from being an add-on tool to becoming a central element underpinning the technology stacks of advice practices.

The 2025 Adviser Landscape Report[6] identified the key areas practices were already applying AI:

Given these rates are based on 2025 data, they are almost certainly higher now, as is the number of AI systems being used by advisers.

AI no longer just means ‘ChatGPT’, as advisers are presented with an ever-growing choice of generative AI tools developed specifically for advice, including Paradino, Saturn, and Marloo. At the same time, platforms and CRMs including Iress XPlan and Netwealth are rushing to offer various degrees of AI functionality, while the ubiquitous Microsoft 365 platform includes the rapidly improving Copilot.

The more innovative firms within the advice ecosystem are already pushing into more sophisticated territory. Melbourne-based Yarra Lane, working with outsourcing specialist Vital Business Partners, has been running AI-assisted workflow automation that literally goes to work overnight: bots review adviser calendars, access client systems, download portfolio reports and stage everything in SharePoint so advisers are ready to go before the first meeting of the day. As CEO Nick Perrett summed up, “our planners are working throughout the day, and our bots go to work at night.”[7]

The next evolution will be ‘agentic AI’ – systems capable not just of automating fixed tasks, but of reasoning, making decisions and adapting when circumstances change, all without constant human direction. While still in its nascency within advice, the lightning pace of change, and the enthusiasm many advisers have for new technology, will likely drive a very sharp adoption curve.

But its power creates governance challenges

The power of AI to transform financial advice is already beyond doubt. Terry Dillon, Chief Executive of Shadforth Financial, expects his advisers to see 50 per cent-plus more clients thanks to AI, without dropping the amount of client contact or the quality of the advice.

“We’re not talking incremental change. We’re talking a step change in the number of clients advisers will be able to see over time,” Dillon says[8].

As well as speed, AI can be consistent at scale, reducing the variability that can occur across different staff members or even across different decisions by the same team member.

Entireti’s Neil Younger argues this consistency “means you’re starting to introduce advice at lower cost points than we see in the traditional model.”[9]

But this scalability and power is a double-edged sword. Any flaw in the AI, whether it be a hallucination, an algorithmic bias, or inadequate personalisation, can be propagated across hundreds of client files before anyone realises.

And the unseen nature of some AI tools – which run in the background of more comprehensive systems, rather than being standalone – can amplify the governance challenges.

ASIC’s central finding from REP 798[10] is that these risks are real and growing, and businesses are struggling to ensure their governance practices can keep up with the explosive pace of change.

What ASIC found in Rep 798

ASIC’s Report 798 was based on a review of 624 AI use cases across 23 licensees, including banks, credit providers, insurers and financial advice businesses. What they found was that governance frameworks put in place by many of these businesses were failing to evolve at the same speed as the technology.

More alarming was the observed variability in standards – while some licensees had documented strategies and board-level reporting, others had no AI specific policies or governance framework at all.  Among the specific findings:

ASIC illustrated the practical implications of these governance shortcomings with a powerful, real life case study : a credit scoring model that had been running for months with no governance documentation, no risk rating and where the provider “could not explain the variables in the scorecard or the impact they are having on an applicant’s score.”[11]

It is easy to imagine the same sort of ‘black box’ scenario in risk profiling software, which, if some unknown error or bias crept in, could allocate erroneous risk profiles to clients, undetected, for a significant period of time, potentially opening those clients up to significant financial harm.

Cyber risks take centre stage

While AI related cyber risks received little focus in Rep 798 (being mentioned only twice), the ‘Mythos effect’ has seen the topic become much more prominent in ASIC’s recent thinking, culminating in their May 2026 call for ‘cyber uplift’.

In an open letter[12] from Commissioner Simone Constant, ASIC noted:

“The rapid evolution of frontier artificial intelligence models marks a significant shift in the cyber threat landscape. These models are accelerating both capability and accessibility, lowering the barrier to sophisticated cyber activity, increasing the speed and scale of attacks, and enabling new forms of exploitation that were previously out of reach for most actors.”

“This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives.”

While ASIC weren’t targeting one specific industry sector with this message, the sensitive nature of client data stored and used by financial advisers makes advice firms an attractive target for ‘bad actors’, giving this statement added resonance for the advice profession.

In particular, it forces AFSLs to reckon with a problem not previously factored into most AI governance thinking – the extent to which AI dramatically expands the “attack surfaces” (exposure to untrusted networks).

When client data is fed into third-party AI tools, for example to generate file notes, draft SOAs, or summarise meeting transcripts, it is leaving the firm’s ‘controlled’ environment. The data handling practices of the AI vendor and the security of the API connection become a critical part of the firm’s cyber risk profile. The more vendors used, the bigger the attack surface.

APRA puts all regulated entities on notice

During a targeted review of large banks, insurers and superannuation trustees in late 2025, APRA identified a number of gaps which echoed those uncovered in Rep 798, including cyber security, governance maturity, and third-party concentration.

Following their review, APRA wrote to all regulated entities in April 2026 warning that while AI adoption is accelerating across the sector, associated governance and risk management practices are not keeping up[13]. Boards were singled out as needing to develop the ability to challenge AI-related risks and ask hard questions of management.

AI governance – advisers’ existing obligations

ASIC frequently makes the point that the law, and its associated guidance, is ‘technology neutral’. This makes it easier for the regulatory framework to adapt to unforeseen technological advancements (video SOAs anyone?), and also means advisers have a base level of compliance obligations that apply regardless of the technologies used.

Key examples of obligations that are directly relevant to the use of AI in advice include (but are not limited to):

A practical adviser framework for AI governance

In addition to the foundational compliance obligations that apply regardless of the technology used, the governance questions included by ASIC in Report 798 are a valuable starting point when building a practical, AI specific, governance framework for advisers.

An example of such a framework is below:

In summary

For advisers, AI is rapidly moving from an experimentation phase to core advice infrastructure, and regulators are making it clear that governance expectations must keep pace. Recent interventions from APRA and ASIC – for which new ‘frontier’ and agentic AI systems were the catalyst – signal that improving AI oversight is something for entities of all sizes to prioritise now.

For advisers, the challenge is not whether AI should be used, but how it can be used in a way that remains defensible and consistent with existing professional obligations. Practices that treat AI governance as an extension of their broader compliance and client protection frameworks will be better positioned to capture the transformative benefits of the technology, while avoiding the governance failures regulators are increasingly worried about.

 

Take the FAAA accredited quiz to earn 0.25 CPD hour:

CPD Quiz

Copyright © 2026 AdviserVoice PTY Limited. All rights reserved. ABN 17 145 288 375 Reproduction in whole or in part in any form or medium without express written permission of AdviserVoice PTY Limited is prohibited. Site design and development by sixfive.