01 Start here
AI Model Register
Implementation effort: 5–10 days
Estimated cost: Low ($0–$5k tooling)
Regulatory obligation: APRA CPS230 §15, ISO 42001 §8.4
APRA's 2026 supervisory letters cited the absence of a model register as the single most common governance gap — not just in large banks, but in any organisation using AI for decisions. Without a register, you cannot answer the first question any regulator, board, or auditor will ask: what AI systems do you have in production, who owns them, and what decisions are they making on your behalf.
When this pattern is absent: Westpac AML failure
Westpac paid a $1.3B penalty after AUSTRAC found that 23.5 million transactions had passed through an AI-assisted monitoring system the risk team did not know was in production. The system had not been reviewed, recalibrated, or challenged since deployment.
02
AI Audit Trail
Implementation effort: 2–4 weeks
Estimated cost: Medium ($5k–$30k)
Regulatory obligation: Privacy Act APP 3 & APP 5, APRA CPS230 §15(d)
When your AI system makes a decision that harms a customer — denies credit, flags fraud incorrectly, routes a claim to the wrong outcome — you need to reconstruct exactly what inputs the model received, which version was running at that moment, and what it decided. Without a durable, tamper-evident audit trail, you cannot comply with the Privacy Act right to explanation, you cannot defend yourself in regulatory proceedings, and you cannot diagnose what went wrong to prevent it happening again.
When this pattern is absent: Robodebt Royal Commission
The Australian Government issued 381,000 unlawful debt notices through an algorithmic income averaging system. The Department of Human Services could not reconstruct the basis of any individual decision. The outcome: $720M in repayments, a Royal Commission, and findings that the scheme was unlawful from the moment it launched.
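The audit-trail pattern above asks for three things per decision: the exact model version, the inputs, and the outcome, stored so that nobody can quietly rewrite history. The following is an added example of one way to build that, not code from the page or any vendor product. It chains decision records with SHA-256 so that editing, deleting or reordering any past record breaks verification; the record fields, the version-tag format and the sample decisions are assumptions constructed for illustration.

```python
"""Tamper-evident audit trail for model decisions (added example).

Each record captures what the pattern says must be reconstructable: the exact
model version, a hash of the inputs, and the decision. Records are chained
with SHA-256 so that editing, deleting or reordering any past record breaks
verification. Field names and the chaining scheme are assumptions for
illustration, not a published standard.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Any


def canonical(obj: Any) -> bytes:
    # Deterministic JSON: sorted keys, fixed separators, so equal inputs hash equal.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class DecisionRecord:
    seq: int               # position in the log; detects reordering
    timestamp: str         # ISO-8601 string supplied by the caller
    model_id: str
    model_version: str     # the exact build/registry tag that produced the decision
    input_hash: str        # SHA-256 of the canonical input payload
    decision: dict         # what the model decided, plus reason codes if any
    prev_hash: str         # record_hash of the previous record (GENESIS for the first)
    record_hash: str = ""  # SHA-256 over every field above


GENESIS = "0" * 64


def hash_record(rec: DecisionRecord) -> str:
    body = asdict(rec)
    body.pop("record_hash")
    return sha256_hex(canonical(body))


class AuditTrail:
    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    def append(self, timestamp: str, model_id: str, model_version: str,
               inputs: dict, decision: dict) -> DecisionRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = DecisionRecord(
            seq=len(self.records),
            timestamp=timestamp,
            model_id=model_id,
            model_version=model_version,
            input_hash=sha256_hex(canonical(inputs)),
            decision=dict(decision),
            prev_hash=prev,
        )
        rec.record_hash = hash_record(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, seq of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or hash_record(rec) != rec.record_hash:
                return False, i
            prev = rec.record_hash
        return True, None

    def head(self) -> str:
        # Publish or sign this out-of-band (WORM store, HSM signature) so tail truncation is detectable too.
        return self.records[-1].record_hash if self.records else GENESIS


def demo() -> dict:
    """Constructed sample decisions (not real customer data)."""
    trail = AuditTrail()
    trail.append("2025-03-01T09:00:00Z", "credit-scorer", "2.3.1+git.9f1c2ab",
                 {"applicant_id": "A-1001", "income": 82000, "dti": 0.31},
                 {"outcome": "approve", "score": 712})
    trail.append("2025-03-01T09:00:05Z", "credit-scorer", "2.3.1+git.9f1c2ab",
                 {"applicant_id": "A-1002", "income": 41000, "dti": 0.58},
                 {"outcome": "decline", "score": 540, "reason_codes": ["DTI_HIGH"]})
    before = trail.verify()
    # Someone later "fixes" the second decision in place without re-running the model.
    trail.records[1].decision["outcome"] = "approve"
    after = trail.verify()
    return {"before": before, "after": after, "head": trail.head()}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should carry away. The chain only proves that nothing inside the log was altered; if an insider truncates the tail, the remaining records still verify, so the current head hash has to be anchored somewhere the log writer cannot touch (a WORM bucket, a signed checkpoint, a separate team's store). And hashing the inputs rather than storing them keeps personal data out of the trail, but the raw payloads still need to be retained somewhere for as long as the decision can be challenged, or "reconstruct exactly what inputs the model received" is not actually possible.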
03
Human Approval Gateway
Implementation effort: 1–3 weeks
Estimated cost: Low-Medium ($2k–$15k)
Regulatory obligation: EU AI Act Art. 14, APRA CPS230 §23
Any AI system that makes a high-stakes decision affecting a customer, employee, or citizen without a human checkpoint is a liability by design. The EU AI Act Article 14 mandates human oversight for all high-risk AI systems, a category that under Annex III explicitly includes creditworthiness assessment of natural persons and risk assessment and pricing in life and health insurance. This is the control that Robodebt did not have. The pattern does not require a human to review every decision; it requires that the right decisions, those above a risk threshold or with an adverse outcome, are queued for human review and take effect only once a named reviewer has approved them.
When this pattern is absent: Insurance claims auto-denial
US insurer Cigna was reported (ProPublica, 2023) to have used an AI system to deny 300,000 insurance claims in two months, with physicians spending an average of 1.2 seconds on each claim before the denial went out. A human was nominally in the loop, but a 1.2-second review is a signature, not oversight: a gateway that does not measure and enforce reviewer dwell time exists only on paper. What should have been a medical judgement became a production queue item.
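The gateway described above is small enough to show in full. The following is an added example of the pattern, not code from the page or any product: decisions below the risk threshold with a non-adverse outcome apply automatically; everything else waits in a queue and becomes effective only when a named reviewer approves it. It fails closed in two ways the Cigna case argues for: an unreviewed decision that breaches its SLA expires instead of applying, and an approval recorded after an implausibly short dwell time is flagged and re-queued for a second reviewer rather than applied. The threshold, SLA, minimum dwell time, field names and sample decisions are all assumptions.

```python
"""Human approval gateway (added example, not code from the page).

Decisions below a risk threshold and with a non-adverse outcome apply
automatically; everything else is held in a queue and takes effect only when
a named reviewer approves it. The gateway fails closed: an unreviewed decision
past its SLA expires rather than applying, and an approval recorded after an
implausibly short review is flagged and re-queued instead of applied.
Thresholds, SLA, dwell time and field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    AUTO_APPLIED = "auto_applied"
    PENDING_REVIEW = "pending_review"
    APPROVED = "approved"
    REJECTED = "rejected"
    EXPIRED = "expired"


@dataclass
class Decision:
    decision_id: str
    subject_id: str
    model_output: dict
    risk_score: float
    created_at: datetime
    status: Status = Status.PENDING_REVIEW
    effective: bool = False          # may this decision act on the customer yet?
    reviewer: str | None = None
    review_seconds: float | None = None
    flagged_rubber_stamp: bool = False


class ApprovalGateway:
    def __init__(self, threshold: float, review_sla: timedelta,
                 adverse_outcomes: set[str], min_dwell: timedelta) -> None:
        self.threshold = threshold
        self.review_sla = review_sla
        self.adverse_outcomes = adverse_outcomes
        self.min_dwell = min_dwell
        self.queue: dict[str, Decision] = {}

    def submit(self, d: Decision) -> Decision:
        # Route to a human if the model is high-risk OR the outcome is adverse to the subject.
        adverse = d.model_output.get("outcome") in self.adverse_outcomes
        if d.risk_score >= self.threshold or adverse:
            d.status, d.effective = Status.PENDING_REVIEW, False
            self.queue[d.decision_id] = d
        else:
            d.status, d.effective = Status.AUTO_APPLIED, True
        return d

    def review(self, decision_id: str, reviewer: str, approve: bool,
               opened_at: datetime, decided_at: datetime) -> Decision:
        d = self.queue.pop(decision_id)   # KeyError if not pending: nothing is approved twice
        d.reviewer = reviewer
        d.review_seconds = (decided_at - opened_at).total_seconds()
        if approve and decided_at - opened_at < self.min_dwell:
            # A 1.2-second approval is not oversight: flag it, keep it pending, require a second reviewer.
            d.flagged_rubber_stamp = True
            d.status, d.effective = Status.PENDING_REVIEW, False
            self.queue[decision_id] = d
            return d
        if approve:
            d.status, d.effective = Status.APPROVED, True
        else:
            d.status, d.effective = Status.REJECTED, False
        return d

    def expire_overdue(self, now: datetime) -> list[Decision]:
        # Fail closed: breaching the review SLA escalates; it never silently applies the decision.
        expired = []
        for did, d in list(self.queue.items()):
            if now - d.created_at > self.review_sla:
                d.status, d.effective = Status.EXPIRED, False
                expired.append(self.queue.pop(did))
        return expired


def demo() -> dict[str, Decision]:
    """Constructed decisions (not real data) exercising each path."""
    gw = ApprovalGateway(threshold=0.7, review_sla=timedelta(hours=24),
                         adverse_outcomes={"decline"}, min_dwell=timedelta(seconds=30))
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    low = gw.submit(Decision("d1", "C-1", {"outcome": "approve", "limit": 5000}, 0.12, t0))
    adverse = gw.submit(Decision("d2", "C-2", {"outcome": "decline"}, 0.35, t0))
    stale = gw.submit(Decision("d3", "C-3", {"outcome": "approve", "limit": 80000}, 0.88, t0))
    high = gw.submit(Decision("d4", "C-4", {"outcome": "approve", "limit": 90000}, 0.91,
                              t0 + timedelta(hours=24)))
    # Analyst spends two minutes on the decline and upholds it.
    gw.review("d2", "analyst.a", approve=False,
              opened_at=t0 + timedelta(minutes=5), decided_at=t0 + timedelta(minutes=7))
    # Analyst "approves" the high-value decision after 1.2 seconds: flagged, not applied.
    t_open = t0 + timedelta(hours=24, minutes=5)
    gw.review("d4", "analyst.b", approve=True,
              opened_at=t_open, decided_at=t_open + timedelta(seconds=1.2))
    # Sweep 25h after t0: d3 breached its SLA unreviewed and expires; d4 (1h old) stays pending.
    gw.expire_overdue(now=t0 + timedelta(hours=25))
    return {"low": low, "adverse": adverse, "stale": stale, "high": high}
```

The design choice worth noting is that `effective` is a separate flag from `status`, and only two code paths ever set it to true: the auto-apply branch below the threshold and an approval that passed the dwell-time check. Downstream systems should act on `effective`, never on the model output directly, so that a bug in queue handling or an expired SLA can only ever fail towards "nothing happens to the customer".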
04
AI Incident Management
Implementation effort: 1–2 weeks
Estimated cost: Very low ($0–$3k)
Regulatory obligation: APRA CPS230 §52, Privacy Act breach notification obligations
You will have an AI incident. The question is whether you have a documented, tested response process when it happens. Without this pattern, your response will be ad-hoc, undocumented, and unable to demonstrate to APRA or the OAIC that you acted with the speed and governance rigour regulators expect. APRA CPS230 §52 requires entities to notify APRA of material incidents within defined timeframes — a requirement that is impossible to meet without a pre-existing escalation and classification process.
When this pattern is absent: Commonwealth Bank AUSTRAC enforcement
CBA paid $700M to AUSTRAC after failing to report 53,750 threshold transaction reports from its intelligent deposit machines. A coding error in the automated reporting system had gone undetected for years; with no systematic incident detection and escalation, the missed reports were never treated as incidents requiring regulatory notification.
05
Model Drift Detection
Implementation effort: 3–6 weeks
Estimated cost: Medium ($10k–$40k)
Regulatory obligation: APRA CPS230 §15, ISO 42001 §9.1
AI models degrade silently, because the population they score changes while the model does not. A credit model trained on 2022 data and still making decisions in 2025 is scoring applicants whose distribution has drifted, sometimes catastrophically, away from the one it was validated against. This is the gap behind many financial AI failures: no one was watching. The pattern establishes automated monitoring of model output distributions, input feature distributions, and performance metrics against the validation-time baseline, with defined thresholds that trigger human review before the degradation reaches the customer.
When this pattern is absent: Westpac's AML monitoring gap
Westpac's automated AML monitoring system had been running for years without systematic validation that its detection logic still matched real-world money laundering patterns. As laundering techniques evolved, the model's signal-to-noise ratio degraded. AUSTRAC's enforcement action found the system was not catching what it was designed to catch.
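The monitoring the drift-detection pattern calls for is concrete enough to show. The following is an added example, not code from the page or any product: it computes the Population Stability Index (PSI) of a current window of model scores against the reference distribution captured at validation, binned on the reference deciles, and classifies the result against thresholds. PSI is the standard credit-risk monitoring statistic; the 0.10 (watch) and 0.25 (act) thresholds are the conventional values, and the bin count and the synthetic score streams are assumptions constructed for the example. The same function works unchanged on any numeric input feature, which is how feature drift is monitored in practice.

```python
"""Model drift detection with the Population Stability Index (added example).

Compares the current distribution of a model's scores (or any input feature)
against the reference distribution captured at validation time, binned on the
reference deciles. Thresholds of 0.10 (watch) and 0.25 (act) are the
conventional credit-risk values; they, the bin count and the synthetic
samples below are assumptions, not the page's figures.
"""
import bisect
import math
import random
from typing import Sequence


def reference_edges(reference: Sequence[float], n_bins: int = 10) -> list[float]:
    """Bin edges at the reference quantiles, so each reference bin holds ~1/n_bins of the mass."""
    s = sorted(reference)
    edges = [s[int(i * len(s) / n_bins)] for i in range(1, n_bins)]
    return sorted(set(edges))  # de-duplicate for discrete features


def bin_fractions(values: Sequence[float], edges: Sequence[float]) -> list[float]:
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_right(edges, v)] += 1
    return [c / len(values) for c in counts]


def psi(reference: Sequence[float], current: Sequence[float],
        edges: Sequence[float], eps: float = 1e-4) -> float:
    """PSI = sum over bins of (cur - ref) * ln(cur / ref); eps guards empty bins."""
    total = 0.0
    for r, c in zip(bin_fractions(reference, edges), bin_fractions(current, edges)):
        r, c = max(r, eps), max(c, eps)
        total += (c - r) * math.log(c / r)
    return total


def classify(value: float, watch: float = 0.10, act: float = 0.25) -> str:
    if value >= act:
        return "ACT"      # route decisions to human review; revalidate or retrain the model
    if value >= watch:
        return "WATCH"    # investigate the shifted bins; tighten monitoring cadence
    return "STABLE"


def check_drift(reference: Sequence[float], current: Sequence[float]) -> tuple[float, str]:
    edges = reference_edges(reference)
    value = psi(reference, current, edges)
    return round(value, 4), classify(value)


def demo() -> dict[str, tuple[float, str]]:
    """Synthetic score streams (constructed, not real): validation-time reference vs. two production windows."""
    rng = random.Random(42)
    reference = [rng.gauss(650, 60) for _ in range(5000)]          # scores at validation time
    stable_window = [rng.gauss(650, 60) for _ in range(2000)]      # same population, later window
    shifted_window = [rng.gauss(600, 75) for _ in range(2000)]     # applicants poorer and more varied
    return {
        "stable_window": check_drift(reference, stable_window),
        "shifted_window": check_drift(reference, shifted_window),
    }


if __name__ == "__main__":
    for name, (value, label) in demo().items():
        print(f"{name}: PSI={value} -> {label}")
```

Run this on every scoring window (daily or weekly, depending on volume) for the model's output and for each input feature, and treat the ACT threshold as a trigger into the Human Approval Gateway and the AI Incident Management process rather than as a dashboard colour. Two caveats: PSI on small windows is noisy (under the null it grows roughly with the number of bins divided by the sample size, so do not run ten-bin PSI on a few hundred records), and a stable score distribution does not prove the model is still right, because labels arriving late can reveal performance decay that input and output distributions never show. Performance metrics against realised outcomes are the third leg the pattern names for that reason.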