Issue 1 | 6 May 2026
THE BANK'S VIEW
The question now appearing in governance reviews is not about the AI your institution built. It is about the AI your vendors built and quietly embedded into tools you have been using for years.
The pattern that catches institutions out is consistent. The internally built models are catalogued. The accountability is mapped. Then the reviewer asks about the AI inside the core platform's vendor modules (the anomaly detection, the document classifier, the credit decisioning overlay), and the inventory has gaps. Modules that have been live for years sit outside the register because nobody included them. Nobody built them. The vendor did.
That is the gap that will catch institutions out between now and 1 July.
When we assess a vendor, we are not just looking at what they deliver. We are looking at what decision-making capability sits inside their product. If a vendor's platform scores a transaction, flags a customer, or routes a workflow using a model, that model is part of your operational risk profile. CPS 230 does not distinguish between AI you commissioned and AI that came bundled in a licence agreement.
The practical implication for compliance teams: go back to your material service provider register and ask a different question of each vendor. Not "do you use AI?" but "does your product make or influence any decisions that affect our customers or operations?" The answer will be yes more often than you expect.
For technology companies serving regulated institutions, this is the question your bank clients are now preparing to ask you formally. If you cannot answer it cleanly, with documentation rather than a verbal assurance, you are a risk item on someone's register. The vendors who arrive at that conversation with a clear inventory of their embedded AI, mapped to the functions it performs, will close contract renewals faster than those who do not.
The 1 July deadline is 65 days away. The vendor contract transition clock has been running since 1 July 2025, or since your last renewal date, whichever came first.
REGULATORY UPDATE
APRA's CPS 230 Operational Risk Management requires regulated entities to identify and manage risks from all material service providers. The standard came into force 1 July 2025 for significant financial institutions. Non-SFIs face a final deadline of 1 July 2026.
APRA finalised targeted amendments to CPS 230 on 30 April 2026, taking effect 1 July 2026. The amendments give limited contractual exemptions for material arrangements with seven categories of non-traditional service provider: government agencies, regulators, central banks, financial market exchanges, clearing and settlement operators, payment system operators, and financial messaging providers. The exemption applies only where standardised terms apply or there is no formal agreement. Entities must still seek CPS 230-compliant contracts where bespoke terms can be negotiated. All other CPS 230 obligations remain. Technology vendors serving regulated institutions are not exempt. Existing vendor contracts must comply with CPS 230 by the earlier of 1 July 2026 or the next renewal date.
THE BRIDGE
The APRA AI Governance Review Preparation System provides an inventory register, deadline calendar, and 20-question pre-review checklist built for regulated institutions preparing for APRA's governance requirements. Available at the product page.
SHARE
If this was useful, the web version is at theinsidebrief.com. Forward that, not this email.
TODAY'S ACTION
Pull your material service provider register this week. For each vendor, add one column: "Embedded AI, Y/N/Unknown." After coordinating with your compliance and procurement teams, request written confirmation from your top five vendors as to whether their platform uses any automated decision-making or AI-assisted processing. Document the responses. This is what the first question in a CPS 230 review looks like.
THE RED FLAG
Vendors who say "we don't use AI" when their platform includes automated scoring, routing, or anomaly detection are not lying; they often genuinely do not know what their engineering team shipped. That answer is not a pass. It is a flag. Request written confirmation from their technical team, not their account manager.
THE TAKE
My view: the embedded AI question is the one most institutions will answer wrong in their first governance review, not because they were careless, but because nobody thought to ask the vendor. The gap is almost never in what you built. It is in what you bought.
