APRA CPS 230 Is Your AI Strategy

Two conversations are happening simultaneously in most Australian financial services organisations right now.

The data governance team is working through CPS 230 obligations: cataloguing critical data elements (CDE), establishing ownership, documenting lineage, maintaining audit trails. Compliance work. Necessary, but rarely connected to the AI discussion happening three floors up.

Across the organisation, the AI team is running experiments that demo beautifully and then stall. Pilots get approved, early results look strong, and then nothing reaches production. Months pass. The initiative quietly shrinks.

The two teams share an organisation chart. But, they rarely share intelligence, or recognise that the problem one team is solving is identical to the infrastructure the other team needs.

This is the structural failure underneath most AI deployment challenges in FSI. It is commonly attributed to model quality, vendor limitations, or resourcing shortfalls. The actual cause is a framing error: treating data governance and AI deployment as two separate workstreams, when they are the same workstream.

Why AI programmes stall in regulated environments

Every executive team in Australian financial services is pushing the same directive: move faster on AI. Automate manual processes, accelerate decisions, reduce time spent on low-value work. The business case is well understood.

But the teams responsible for delivery keep running into the same wall. AI models are only as reliable as the data they run on. In FSI, that data is typically distributed across business units, frequently duplicated, often undocumented, and governed inconsistently. Put a model on that foundation and the outcome is predictable: strong demo results, accuracy failures in production, and teams quietly shelving initiatives rather than putting their name against outputs they cannot verify.

Gartner found that 60% of AI projects will be abandoned through 2026 in organisations lacking AI-ready data, based on a survey of more than 1,200 data management leaders. The primary cause: organisations lack the metadata practices and data quality infrastructure needed to feed production AI reliably. A companion Gartner survey found that 63% of organisations either do not have or are unsure whether they have the right data management practices for AI at all.

When production deployments fail, data governance is almost always the root cause, not model capability.

What CPS 230 is actually asking you to build

APRA CPS 230 took effect on 1 July 2025. For many institutions, the hardest deadline is still ahead: the grace period for pre-existing Material Service Provider contracts expires on 1 July 2026, requiring all legacy arrangements to fully meet CPS 230 risk, service level, and subcontracting requirements. Many teams are in the middle of that work right now. Most are treating it as an ongoing documentation obligation: a standard to satisfy rather than infrastructure to build. That reading is not wrong. It is incomplete.

CPS 230 requires financial institutions to identify and manage material data risks, establish clear ownership of critical information assets, and demonstrate ongoing control over data quality and integrity. Know what your critical data is, know who owns it, and be able to prove it is accurate and traceable.

This is also, almost exactly, the specification for AI-ready data.

The fraud detection systems, risk models, and operational agents your organisation wants to run in production all require the same foundation: data that is documented, owned, trusted, and supported by governed business semantics. CPS 230 is not asking you to clear compliance first. It is asking you to build the thing that makes the AI work.

APRA confirmed this directly in its April 2026 letter to all regulated entities. After targeted engagements with large banks, insurers, and superannuation trustees, APRA's conclusion was plain: AI adoption is accelerating across regulated industries, but governance maturity is lagging badly. Assurance practices are not keeping pace with the scale and complexity of AI deployment. Where entities fail to manage AI risks proportionate to their exposure, enforcement will follow.

The data governance infrastructure CPS 230 requires is no longer just a compliance obligation. It is the foundation APRA expects your AI programme to sit on.

When compliance becomes infrastructure

The manual effort involved in managing critical data is one of the most underestimated costs in FSI. Identifying CDEs from a regulatory filing is a slow, labour-intensive process: back-and-forth between governance and business teams, debate over what qualifies as critical, documentation cycles that most institutions repeat annually. Most organisations spend three to six months on each exercise.

That cost does not appear only in governance budgets. It shows up in delayed AI programmes, overstretched data teams, and leadership conversations that circle the same problem without resolution.

Leading institutions are approaching this differently. CDE identification processes that once required months are being automated. Annual reports and regulatory filings that previously needed extensive manual review are producing prioritised CDE inventories in a fraction of the time. The staff who spent those months on documentation are being redeployed.

The question worth asking now

APRA's expectations are escalating. The April 2026 letter signals increased supervisory intensity and the explicit prospect of enforcement where AI governance falls short. For most FSI organisations, the pressure is no longer abstract.

The organisations that will outpace their peers are not those treating each piece of regulatory guidance as a separate compliance task. They are the ones that have recognised a pattern: every data governance requirement APRA sets describes the same foundation their AI programme needs. CPS 230 compliance, lineage and ownership requirements, and CDE management expectations are not prerequisites to the AI strategy. They are the AI strategy.

Making that shift asks nothing extra of your organisation. The work is already mandated. The question is whether you build the foundation once, for two purposes, or twice.

For a framework on how leading financial institutions are turning CDE compliance into AI readiness, download Governing What Matters: Why Data Prioritisation Is Becoming the Foundation of AI-Ready Enterprises.

Sources

1. Gartner, "Lack of AI-Ready Data Puts AI Projects at Risk" (February 2025) - https://www.gartner.com/en/newsroom/press-releases/2025-02-26-lack-of-ai-ready-data-puts-ai-projects-at-risk

2. APRA, Prudential Standard CPS 230 Operational Risk Management (effective 1 July 2025) - https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf

3. APRA, Letter to Industry on Artificial Intelligence (April 2026) - https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai