AustraliaIn Effect Enforced: 2019-07-01Last updated: Jun 8, 2026

APRA CPS 234 & AI: Securing AI Models, Pipelines and Inference APIs

How APRA CPS 234 applies to AI in Australian banks, insurers and super funds. Treat AI models, training data, fine-tuning pipelines, vector stores and inference APIs as in-scope information assets - and map each obligation to Areebi's secure AI control plane.

Non-compliance penalty: CPS 234 is an enforceable prudential standard made under the Banking Act 1959, Insurance Act 1973, Life Insurance Act 1995, Private Health Insurance (Prudential Supervision) Act 2015 and Superannuation Industry (Supervision) Act 1993. Non-compliance is a breach of prudential requirements rather than a fixed civil penalty: APRA can issue directions, impose additional licence conditions, require independent reviews, escalate accountability under the Financial Accountability Regime (FAR) against the relevant accountable persons, and ultimately vary, suspend or cancel an entity's licence. Failing to lodge the mandatory 72-hour incident notification or 10-business-day control-weakness notification is itself a reportable breach.

How Areebi helps you comply

Identify and classify information assets by criticality and sensitivityCPS 234 para 20

Areebi: Shadow-AI discovery and AI asset inventory

Continuously discovers AI models, datasets, vector stores and inference endpoints in use across the enterprise and maintains a classified, live register, so AI assets are inventoried and rated rather than running unseen.

Implement controls to protect information assets commensurate with threats and sensitivityCPS 234 para 21-22

Areebi: Real-time DLP and policy engine

Inspects every prompt and response and applies machine-readable, enforceable policy at the inference boundary to prevent sensitive data exfiltration, sized to each asset's criticality and sensitivity.

Maintain detection and response mechanisms and meet APRA incident and control-weakness notification timeframesCPS 234 para 23-26, 35-36

Areebi: Immutable audit logging

Tamper-evident logging of all AI interactions provides the evidence needed to detect material incidents, support the 72-hour incident notification and 10-business-day control-weakness notification, and reconstruct what occurred.

Defend inference endpoints against manipulation and unsafe output (prompt injection, jailbreaks)CPS 234 para 21-22

Areebi: Guardrails

Input and output guardrails at the inference boundary mitigate prompt injection, jailbreaks and unsafe responses, addressing OWASP LLM01 and the requirement to control threats to information assets.

Restrict and authenticate access to information assets, including privileged and high-risk activitiesCPS 234 para 21-22

Areebi: Access control

Role-based access controls govern which users and systems can reach which models and data, supporting the strengthened authentication expectations APRA reiterated in its June 2025 action notice.

Manage third-party and related-party information assets and reduce reliance on external providersCPS 234 para 15-16, 28

Areebi: Private, sovereign deployment (Docker, Kubernetes, on-prem, private cloud) and model-agnostic control plane

Deploying the control plane inside your own Australian environment keeps data and inference in-jurisdiction across many models, shrinking the third-party information-asset attack surface and the CPS 230 material-service-provider dependency.

Provide audit-ready evidence of control design and operating effectiveness for internal auditCPS 234 para 32-34

Areebi: Compliance dashboards and audit trail

Centralised dashboards and exportable audit records give internal audit and assurance teams evidence of AI control coverage, policy enforcement and security events without manual reconstruction.

Does APRA CPS 234 apply to AI models, pipelines and inference APIs?

Yes. APRA Prudential Standard CPS 234 (Information Security) applies to AI even though the word "AI" never appears in the text - because AI models, training and fine-tuning data, vector and embedding stores, and inference/API endpoints are all "information assets" within scope. CPS 234 defines an information asset as "information and information technology, including software, hardware and data (both soft and hard copy)", which squarely captures the modern AI stack.

CPS 234 has been in force since 1 July 2019 and binds every APRA-regulated entity - authorised deposit-taking institutions (ADIs), general and life insurers, private health insurers, and registrable superannuation entity (RSE) licensees - along with their service providers. It requires a regulated entity to maintain an information security capability commensurate with the threats it faces, clearly define information-security roles and responsibilities up to and including the Board, classify and protect information assets in line with their criticality and sensitivity, systematically test control effectiveness, and notify APRA of material incidents and control weaknesses (APRA, Information Security).

The practical consequence for banks, insurers and super funds is that deploying a large language model, a retrieval-augmented generation (RAG) pipeline, or a customer-facing inference API does not create a regulatory gap - it extends an existing one. Each AI component must be inventoried, classified, controlled, tested and assured to the same standard as any other production system, and material AI security incidents are notifiable. APRA and ASIC have confirmed this reading: their joint messaging to industry is that regulated entities "will need to assess AI risk against existing CPS 230 and CPS 234 requirements" (ASIC and APRA letters on emerging AI risks).

This page sets out, obligation by obligation, how CPS 234 maps onto the AI lifecycle and how a secure AI control plane such as Areebi - deployed privately in your own Australian environment - operationalises each requirement.

Why are AI models, training data and vector stores "information assets" under CPS 234?

CPS 234 requires an entity to classify its information assets "by criticality and sensitivity" (paragraph 20) and to implement controls commensurate with the threats, vulnerabilities and consequences associated with those assets (paragraphs 21-22). An AI system is not one asset but a chain of them, and several attract the highest sensitivity ratings in a financial-services context.

Models and weights. A fine-tuned model embeds and can regurgitate the data it was trained on. Trained weights are intellectual property and an availability-critical production dependency - both criticality and sensitivity concerns under paragraph 20.
Training and fine-tuning data. Customer records, transaction histories and claims data used to train or fine-tune a model are typically the entity's most sensitive information assets, and they remain in scope while at rest in pipelines, feature stores and labelling tools.
Vector and embedding stores. RAG architectures copy sensitive documents into vector databases. Embeddings can be inverted to reconstruct source text, so a vector store is a sensitive information asset, not a benign cache.
Inference and API endpoints. A customer-facing or internal inference API is an availability-critical asset and a primary attack surface - the point at which prompt injection, model extraction and sensitive-information disclosure are attempted.
Prompts, system prompts and logs. System prompts often contain credentials, business logic and connection strings; prompt and completion logs frequently contain personal information. Both are information assets requiring classification and protection.

These AI-specific exposures map directly onto the OWASP Top 10 for LLM Applications 2025, where Prompt Injection (LLM01), Sensitive Information Disclosure (LLM02), Supply Chain (LLM03), Data and Model Poisoning (LLM04) and System Prompt Leakage (LLM07) are leading risk categories. CPS 234 does not name these threats, but its requirement to identify "vulnerabilities and threats" and protect assets accordingly makes addressing them mandatory in substance.

What does CPS 234 actually require - clause by clause - for an AI deployment?

CPS 234 is a short, principles-and-outcomes standard. The table below restates each core obligation in its own terms and translates it into the concrete AI-lifecycle control it demands. Paragraph references are to the CPS 234 standard (July 2019); non-binding implementation guidance is in Prudential Practice Guide CPG 234.

Roles and responsibilities (paragraphs 12-14)

The Board is ultimately responsible for information security, and roles must be clearly defined across the Board, senior management, governing bodies and individuals. AI translation: name an accountable owner for each AI system and ensure AI security risk is escalated to the Board as a whole-of-business risk, not delegated to a data-science team. Under the Financial Accountability Regime, information-security accountability should sit with the relevant accountable person rather than being left unowned.

Information security capability (paragraphs 13-18)

Maintain a capability commensurate with the size and extent of threats, including where assets are managed by related parties or third parties. AI translation: your capability must extend to model risk, AI supply-chain risk and inference-time threats - not just network and endpoint security.

Identification and classification (paragraph 20)

Classify information assets by criticality and sensitivity. AI translation: maintain a live inventory of every AI model, dataset, vector store and endpoint, classified for criticality and sensitivity. You cannot protect or report on assets you have not discovered - which is why shadow-AI discovery is foundational.

Implementation of controls (paragraphs 21-22)

Implement controls to protect assets commensurate with vulnerabilities, threats, criticality, sensitivity, lifecycle stage and the potential consequences of an incident. AI translation: apply data-loss prevention, access control, input/output guardrails and prompt-injection defences at the inference boundary, sized to the asset.

Incident management and notification (paragraphs 23-26 and 35-36)

Maintain robust detection and response mechanisms and test response plans at least annually. Notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affected, or could have materially affected, the entity or its customers (paragraph 35), and no later than 10 business days after becoming aware of a material control weakness the entity cannot remediate in a timely manner (paragraph 36). AI translation: a successful data-exfiltration via prompt injection, a poisoned model, or an exposed inference endpoint is a notifiable incident or weakness - and you need immutable logs to detect and evidence it.

Testing control effectiveness (paragraphs 27-31)

Systematically test the effectiveness of controls, with frequency commensurate with the rate of change of vulnerabilities, asset criticality and the materiality of change. AI translation: red-team your models and inference APIs for prompt injection, jailbreaks, extraction and data leakage; test guardrails and DLP, not just infrastructure.

Internal audit (paragraphs 32-34)

Internal audit must review the design and operating effectiveness of information security controls, using appropriately skilled personnel. AI translation: AI controls fall within the internal-audit mandate and the AI control evidence must be audit-ready.

Third-party and related-party assets (paragraphs 15-16, 21-22, 28)

Where information assets are managed by a third party, the entity must evaluate that party's information security capability and the design and operating effectiveness of its controls. AI translation: using a third-party LLM API or hosted model is a third-party information-asset arrangement - assess the provider, and pair this with the operational-resilience and service-provider obligations of CPS 230.

How do CPS 234 and CPS 230 work together for AI vendor and resilience risk?

CPS 234 secures the AI information asset; CPS 230 keeps the AI-dependent business operating and governs the providers behind it. Australian regulated entities must satisfy both - they are complementary, not alternative.

Prudential Standard CPS 230 (Operational Risk Management) came into force on 1 July 2025, with contractual requirements for existing arrangements transitioning by the earlier of the next renewal or 1 July 2026 (APRA, Operational Risk Management). It requires entities to manage operational risk with effective controls, maintain the ability to deliver critical operations within tolerance through severe disruptions, and manage the risks of material service providers - a category that expressly includes providers the entity relies on for a critical operation, such as cloud and SaaS providers, and therefore hosted AI and inference services.

For an AI deployment the division of labour is clear:

CPS 234 governs the security of the model, data, pipeline and inference API as information assets - classification, controls, testing, incident notification.
CPS 230 governs whether an AI-dependent process is a critical operation, the tolerance levels for its disruption, the business continuity plan if a model or AI vendor fails, and the due diligence, contractual terms and ongoing monitoring of material AI service providers.

Where a third-party LLM provider both holds your data (CPS 234, third-party information asset) and underpins a critical operation (CPS 230, material service provider), both standards apply simultaneously. APRA and ASIC have made clear that AI risk must be assessed against these existing frameworks rather than waiting for AI-specific rules (Corrs, ASIC and APRA letters on emerging AI risks). A private, sovereign deployment of the AI control plane reduces both surfaces at once: keeping data and inference inside your own Australian environment shrinks the CPS 234 third-party attack surface and the CPS 230 material-service-provider dependency.

How seriously is APRA enforcing CPS 234, and what has gone wrong?

APRA is actively enforcing CPS 234 through an independent tripartite assurance program and has publicly flagged systemic control gaps - several of which map directly onto AI risk. This is not a dormant standard.

On 5 July 2023 APRA published initial findings from the first tranche of its tripartite cyber assessment, covering roughly 24% of regulated entities in a program designed to reach more than 300 banks, insurers and superannuation trustees. The common control gaps it identified included incomplete identification and classification of critical and sensitive information assets, limited assessment of third-party information-security capability, inadequate definition and execution of control-testing programs, incident-response plans that were not regularly tested, limited internal-audit coverage, and inconsistent, untimely reporting of material incidents and control weaknesses (APRA, Cyber security stocktake exposes gaps). Every one of these is amplified by AI: unclassified models and vector stores, self-attesting AI vendors, untested guardrails, and AI incidents that slip past detection.

The real-world cost became visible in March and April 2025, when coordinated credential-stuffing attacks hit Australian superannuation funds. AustralianSuper confirmed that around 600 member accounts were accessed and four members suffered financial losses totalling roughly A$500,000, while Rest reported limited personal information being accessed for about 8,000 member accounts, in a wave that compromised more than 20,000 accounts across the sector (BleepingComputer, Australian pension funds hit by credential stuffing). In response, on 10 June 2025 APRA wrote to all RSE licensees requiring them to self-assess their information-security and authentication controls by 31 August 2025, implement MFA or equivalent controls for all high-risk activities and privileged access, and lodge a material-control-weakness notification where controls were deficient (APRA, For action: Information Security Obligations and Critical Authentication Controls).

The AI-adoption gap is widening the exposure. ASIC's Report 798, Beware the gap, published 29 October 2024, reviewed 624 AI use cases across 23 licensees and found that only about half had specifically updated their risk-management policies or procedures to address AI, even as generative AI made up roughly 22% of in-development use cases (ASIC REP 798). The supervisory direction is unambiguous: AI is being deployed faster than it is being governed, and CPS 234 is the standard against which that gap will be measured.

How does Areebi help an APRA-regulated entity meet CPS 234 for AI?

Areebi is a secure AI control plane that sits between your users and any AI model, enforcing CPS 234-style controls - discovery, classification, DLP, access control, guardrails and immutable audit - at the inference boundary, deployable entirely within your own Australian environment. It does not replace your CPS 234 program; it operationalises it for the AI estate.

Because Areebi is privately deployable - via Docker, Kubernetes, on-premises or in your private cloud - data and inference stay inside your jurisdiction, directly addressing the third-party information-asset concern in CPS 234 paragraphs 15-16 and the material-service-provider concern in CPS 230. It is model-agnostic across a wide range of large language models, so the same control plane governs commercial APIs and self-hosted open models alike. The control mapping below is honest about what the product does today.

Shadow-AI discovery and inventory builds and maintains the live AI asset register that classification (paragraph 20) presupposes.
Real-time DLP inspects prompts and responses to stop sensitive information assets leaving via inference - the control demanded by paragraphs 21-22 and OWASP LLM02.
The policy engine applies machine-readable, enforceable rules at the point of use, sized to asset criticality and sensitivity.
Guardrails defend the inference boundary against prompt injection, jailbreaks and unsafe output (OWASP LLM01).
Access control enforces who can reach which model and data, supporting the authentication expectations APRA reiterated in its June 2025 notice.
Immutable audit logging provides the tamper-evident record needed to detect incidents, meet the 72-hour and 10-business-day notification obligations, and satisfy internal audit (paragraphs 32-36).

On Areebi's own assurance posture, accuracy matters: Areebi is currently progressing SOC 2 readiness and is not yet certified. We make no claims of named customers, audited metrics or certifications we do not hold. Explore the full control set on the platform overview or see the financial-services solution for BFSI-specific deployment patterns.

Compliance Checklist

Maintain a live inventory of every AI model, training and fine-tuning dataset, vector or embedding store, system prompt and inference/API endpoint, and classify each by criticality and sensitivity (CPS 234 para 20).

Name an accountable owner for each AI system and ensure information-security accountability sits with the relevant accountable person under the Financial Accountability Regime, with AI security risk reported to the Board as a whole-of-business risk (CPS 234 para 12-14).

Implement information-security controls at the inference boundary - DLP, access control and MFA for high-risk and privileged activities, and prompt-injection guardrails - sized to each asset's sensitivity (CPS 234 para 21-22).

Address the OWASP Top 10 for LLM Applications 2025 risks, in particular prompt injection, sensitive information disclosure, supply chain, data and model poisoning, and system prompt leakage, within your CPS 234 control set.

Assess every third-party AI provider's information-security capability and the design and operating effectiveness of its controls, and pair this with CPS 230 material-service-provider due diligence and contracts (CPS 234 para 15-16, 28).

Systematically test AI control effectiveness, including red-teaming models and inference APIs for jailbreaks, extraction and data leakage, at a frequency commensurate with risk and change (CPS 234 para 27-31).

Maintain and at least annually test an incident-response plan that covers AI-specific scenarios such as poisoned models and exfiltration via inference (CPS 234 para 23-26).

Ensure tamper-evident logging of AI interactions so you can detect, assess and notify APRA of material incidents within 72 hours and material unremediable control weaknesses within 10 business days (CPS 234 para 35-36).

Bring AI controls within the internal-audit mandate and keep AI control evidence audit-ready (CPS 234 para 32-34).

Determine whether any AI-dependent process is a critical operation under CPS 230, set tolerance levels, and maintain a business continuity plan for model or AI-vendor failure.

Frequently Asked Questions

Does CPS 234 mention AI?

No. The word "AI" does not appear in CPS 234. But the standard applies to AI because it governs "information assets" - defined as information and information technology including software, hardware and data - and AI models, training data, fine-tuning pipelines, vector stores and inference APIs all fall within that definition. APRA and ASIC have confirmed entities must assess AI risk against existing CPS 234 and CPS 230 requirements.

When did CPS 234 come into force and who does it apply to?

CPS 234 (Information Security) has been in force since 1 July 2019. It applies to all APRA-regulated entities - authorised deposit-taking institutions, general, life and private health insurers, and registrable superannuation entity (RSE) licensees - and its requirements extend to information assets managed by third parties and related parties.

Is a customer-facing LLM inference API an information asset under CPS 234?

Yes. An inference or API endpoint is an availability-critical information asset and a primary attack surface for prompt injection, model extraction and sensitive-information disclosure. It must be inventoried, classified by criticality and sensitivity (para 20), protected with controls commensurate to its risk (para 21-22), and tested for effectiveness (para 27-31), the same as any other production system.

What are the CPS 234 incident notification timeframes for an AI security incident?

An APRA-regulated entity must notify APRA as soon as possible and no later than 72 hours after becoming aware of a material information security incident (para 35), and no later than 10 business days after becoming aware of a material information security control weakness it cannot remediate in a timely manner (para 36). A data exfiltration via prompt injection or an exposed inference endpoint can trigger both obligations.

How do CPS 234 and CPS 230 differ for AI?

CPS 234 secures the AI model, data, pipeline and inference API as information assets - classification, controls, testing and incident notification. CPS 230, in force since 1 July 2025, governs operational resilience and material service providers - whether an AI-dependent process is a critical operation, its disruption tolerance, business continuity if a model or AI vendor fails, and due diligence over AI providers. A hosted LLM that holds your data and underpins a critical operation engages both standards at once.

Does using a third-party LLM API create a CPS 234 obligation?

Yes. Where your information assets are managed or held by a third party, CPS 234 requires you to evaluate that provider's information-security capability and the design and operating effectiveness of its controls (para 15-16, 28). Relying on a vendor's self-attestation is one of the gaps APRA has criticised. Pair this assessment with CPS 230 material-service-provider obligations, or reduce the exposure by deploying AI privately in your own environment.

Is APRA actively enforcing CPS 234?

Yes. APRA runs an independent tripartite assurance program; its July 2023 findings (covering about 24% of entities, in a program reaching 300+ entities) flagged systemic gaps in asset classification, third-party assurance, control testing and incident reporting. After the March-April 2025 superannuation credential-stuffing attacks, APRA issued a June 2025 "For action" notice requiring RSE licensees to self-assess controls by 31 August 2025 and implement MFA for high-risk and privileged activities.

Can Areebi make my AI deployment CPS 234 compliant?

Areebi does not certify compliance - CPS 234 is an outcomes-based standard assessed by APRA and your auditors. Areebi operationalises the controls: shadow-AI discovery for the asset register, real-time DLP and a policy engine for protection, guardrails for inference defence, access control for authentication, and immutable audit logging for detection and notification, deployable privately in your Australian environment. Areebi is progressing SOC 2 readiness and is not yet certified.

Related Resources

Ready to achieve APRA CPS 234 & AI: Securing AI Models, Pipelines and Inference APIs compliance?

See how Areebi maps to APRA CPS 234 & AI: Securing AI Models, Pipelines and Inference APIs requirements with a personalized demo.

Get a Demo Free AI Risk Assessment

Taking longer than expected.

Reload the page