APRA CPS 234 and AI Agents: What Australian Financial Institutions Need to Do Now
Australian financial institutions have been living with APRA CPS 234 since 2019. Most compliance teams have it handled for traditional IT systems. AI agents are a different story.
What CPS 234 Requires (The Relevant Parts)
CPS 234 imposes obligations on APRA-regulated entities — banks, insurers, superannuation funds — to maintain information security capability commensurate with the size and extent of threats to their information assets.
For AI agents, the sections that bite are:
Section 15 — Information Asset Identification
AI agents that access customer data, process transactions, or interface with core systems are information assets — and so are the decisions they make.
Section 17 — Implementation of Controls
Controls must be enforceable, testable, and documented. "The agent has a system prompt" is not a control under CPS 234.
Section 21 — Incident Management
An AI agent making unauthorised decisions is an incident. Can you detect it? Can you reconstruct what happened?
Section 24 — Testing Control Effectiveness
You need to be able to demonstrate that your AI agent security controls work — not just assert that they exist.
The Gap Most ADIs Have Right Now
The typical AI agent deployment looks like this:
- Agent built on LangChain or similar framework
- System prompt with instructions not to share customer data
- Logs going to Splunk or CloudWatch
- No documented control framework for agent decisions
Under CPS 234, this fails on control effectiveness, incident detection, and testability.
What Compliant AI Agent Security Looks Like Under CPS 234
1. Enforceable Technical Controls
```yaml
# CPS 234-aligned policy for a customer support agent
id: customer-support-cps234
version: 1.2.0
rules:
  - id: pii-access-limit
    action: block
    match:
      tool: database_query
      param.table:
        in: ["customer_financials", "account_numbers"]
    reason: "PII access restricted"
  - id: no-external-data-transfer
    action: block
    match:
      tool: http_post
      param.destination:
        notIn: allowlist
  - id: log-all-crm-access
    action: log
    match:
      tool: crm_lookup
    severity: high
default: allow
```
2. Testable Controls
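```python
# Automated control effectiveness test
# `guard` is the policy engine instance, already loaded with the policy above.
result = guard.evaluate({
    "tool": "http_post",
    "params": {
        "destination": "https://external.example.com",
        "body": {"customer_id": "12345", "balance": 50000}
    }
})

# The attempted transfer must be blocked, and by the intended rule.
assert result["decision"] == "block"
assert result["matchedRuleId"] == "no-external-data-transfer"
```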
This is auditable. A system prompt is not.
3. Incident Detection
Every agent action is logged with identity, intent, data scope, policy decision, and a tamper-evident hash chain. When your APRA auditor asks "show me everything this agent accessed last Tuesday", you can answer in seconds.
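The hash-chained audit record described above, sketched as an added example (not AgentGuard's code or log format). The field names, the sample records and the `expected_head` parameter are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed prev_hash value for the first record

def digest(record):
    # Hash canonical JSON of every field except the hash itself.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append(log, *, ts, agent, intent, data_scope, decision, rule_id=None):
    """Append a record whose hash covers its fields and the previous record's hash."""
    record = {"seq": len(log), "ts": ts, "agent": agent, "intent": intent,
              "data_scope": data_scope, "decision": decision, "rule_id": rule_id,
              "prev_hash": log[-1]["hash"] if log else GENESIS}
    record["hash"] = digest(record)
    log.append(record)
    return record

def verify(log, expected_head=None):
    """Return the index of the first bad record, len(log) on a head mismatch, or None if intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        if record.get("seq") != i or record.get("prev_hash") != prev or record.get("hash") != digest(record):
            return i
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # self-consistent, but truncated or rewritten end to end
    return None

def accessed_on(log, agent, day, expected_head=None):
    """Answer "what did this agent touch on this day", refusing a log that fails verification."""
    broken = verify(log, expected_head)
    if broken is not None:
        raise ValueError(f"audit log fails verification at record {broken}")
    return [r for r in log if r["agent"] == agent and r["ts"].startswith(day)]

def build_sample_log():
    # Constructed sample records, not real audit data.
    log = []
    append(log, ts="2025-03-04T09:15:02Z", agent="support-agent-1", intent="look up customer case",
           data_scope="crm_lookup:customer_id=12345", decision="log", rule_id="log-all-crm-access")
    append(log, ts="2025-03-04T09:15:40Z", agent="support-agent-1", intent="send summary externally",
           data_scope="http_post:external.example.com", decision="block", rule_id="no-external-data-transfer")
    append(log, ts="2025-03-05T11:02:10Z", agent="support-agent-1", intent="look up customer case",
           data_scope="crm_lookup:customer_id=67890", decision="log", rule_id="log-all-crm-access")
    return log
```

Keep the latest hash (`expected_head`) somewhere the agent platform cannot write. Without that external anchor, anyone able to rewrite the whole log can recompute the chain or drop its tail undetected.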
The APRA Audit Conversation You Want to Have
The right answer: "We have a runtime policy engine that evaluates every agent action before execution. Policies are version-controlled YAML — reviewed in PRs. Every decision is logged with tamper-evident hash chains. We test control effectiveness with automated test suites against our policy definitions."
The wrong answer: "We have system prompts with instructions not to access sensitive data."
The Timeline
CPS 234 is live now. There is no "August 2026" grace period for Australian financial institutions — you are already in scope.
AgentGuard includes pre-built APRA CPS 234 compliance templates. Free tier available.