We are living through the most dynamic regulatory and commercial moment for artificial intelligence since the advent of cloud computing. Contract standards and supervisory expectations are being shaped in real time, propelled by the extraordinary velocity of technical change and the breadth of AI’s impact across ethical, anthropological, and legal domains.
The phase feels strikingly reminiscent of the early-2010s transition to cloud: regulators and institutions alike confronted a technology whose promise far outpaced their skills, certainty, and risk frameworks. Then, as now, hesitancy was rooted in the unknown and impoverished skill.
Globally, there is still no consensus on how AI should be regulated, and genuinely technology-specific regimes remain the exception. The EU’s AI Act is a standout; China has enacted AI-specific measures; the United States has no federal statute (with California presently focused on developers); Japan has adopted a light-touch approach with minimal obligations and no enforcement; and Canada’s AI bill stalled ahead of this year’s election. The result is a fragmented, uneven rulebook.
The challenge is magnified by the rise of two distinct strands of AI. Generative AI, which produces text or visual outputs in response to prompts, and agentic AI, which decides when and why to act and can chain steps toward a goal, now cut across society and industry in fundamental ways. They are reshaping how individuals interact and how enterprises operate with employees, customers, and regulators. Unsurprisingly, the ecosystem is evolving faster than many boards, regulators, and technologists, can comfortably track.
Regulatory crossroads: APRA’s stringency vs. Productivity Commission’s restraint
Australia’s adoption picture is mixed. Analyses suggest AI skills penetration sits slightly below the global average, domestic demand growth (measured through online job advertisements) lags international benchmarks, and usage trails the Asia-Pacific average including New Zealand. Interest is high, but maturity is uneven.
Two recent publications are particularly significant: the Productivity Commission’s Interim Report on Harnessing Data and Digital Technology and APRA’s 2025–26 Corporate Plan. Together, they signal a regulatory climate laser-focused on AI-driven risks while recognising its productivity upside, particularly in insurance, where use cases such as claims automation, dynamic underwriting, fraud detection, and risk modelling could prove transformative.
APRA’s posture has been clear: supervisory uplift and the implementation of CPS 230. The Corporate Plan elevates AI as an emerging risk and flags targeted supervisory engagement with larger entities. An information paper setting out effective practices and AI risk-management approaches is likely to follow. This sits alongside the hard law of CPS 230, in force from 1 July 2025 (with a one-year grace period for existing contracts), which materially lifts operational risk management expectations and tightens oversight of third-party providers; not only for underwriting agencies but also for technology vendors.
Guidance in CPG 230 makes the uplift explicit. Resilience testing, credible exit plans, and stronger oversight of material service providers are now mandatory expectations. For insurtech vendors, this translates into stricter due diligence, tougher service levels, stronger assurance, and more rigorous security reviews. Rising demand for SOC 2 or ISO 27001 certification, clearer data exit mechanics, and closer performance monitoring is evident. Vendors able to demonstrate CPS 230-ready controls will enjoy a commercial advantage and close deals more quickly with insurers.
APRA has also made its supervisory scope clear. Insurers deploying AI in underwriting, claims handling, or risk modelling will be squarely in view. Board governance must provide line-of-sight into AI system design and deployment, supervisory frameworks must be AI-aware, and resilience has shifted from aspiration to expectation. Notably, APRA’s own use of AI remains internal-only, with no holistic automated supervisory decisions affecting regulated entities.
The Productivity Commission’s report takes a complementary but distinct approach. It projects AI’s potential contribution to the Australian economy at over AUD 116 billion in the coming decade, but cautions against burdensome, AI-specific regulation. It advocates a risk-based, outcomes-focused, and technology-neutral, approach. Key suggestions include stress-testing AI systems in ways analogous to other critical infrastructure and shifting away from prescriptive checklists toward demonstrable outcomes such as fairness, accuracy, and traceability. The Commission even recommends a “pause and review” on new mandates, such as last year’s “10 Guardrails” for high-risk AI, to ensure future rules are proportionate, evidence-based, and integrated into existing frameworks, rather than creating wholesale new legislation.
This creates a striking disconnect. APRA is raising the bar through supervisory focus and CPS 230, while the Productivity Commission counsels regulatory restraint to preserve innovation and avoid the chilling effects of GDPR-style frameworks. Navigating this tension, between stringency and restraint, will determine which insurers merely adapt and which succeed in leading.
From pilots to scale: AI’s growing footprint in insurance
Across the insurance industry, there has been a clear pivot from pilots to scale. Most implementations are built on cloud-based, governed data platforms with thin orchestration layers, and human-in-the-loop oversight, for material decisions. Adoption is most visible at the “front door” in customer-service chatbots. Globally, only a minority report “advanced” AI maturity; with a small cohort of trailblazers adopting fully operationalising automated, data-driven recommendations. Funding data confirms the trajectory: AI-powered insurtechs accounted for nearly half of deal activity in Australia during 2024.
This rapid transformation brings risks as well as opportunities. Workforce anxiety around job displacement is evident. Errors can erode trust and provoke regulatory overreach. Poorly designed customer interactions risk de-humanised experiences if chatbots supplant rather than support human engagement (especially in the insurance sector where customers often navigate emotionally charged circumstances arising from accidents, injury or loss). Customers also remain concerned about the fairness, discrimination, transparency, bias, and privacy, dimensions of AI systems, particularly when integrated into legacy technology that can amplify fragility.
At the same time, clear opportunities exist for differentiation. Robust “AI by design” assurance, embedding governance, transparency, auditability, and explainability, into solutions, will directly address APRA’s supervisory focus on AI risks. Outcomes-based innovation, measuring impact through metrics such as improved fraud-detection rates or reduced claims-settlement times, aligns with the Productivity Commission’s orientation. Above all, building governance early has become a commercial differentiator, not merely a compliance obligation.
Conclusion
The market is moving quickly from experimentation to execution, while the regulatory frame is still settling. Australian insurers that industrialise AI with governance, treating CPS 230 as a capability roadmap and embracing outcomes-based measurement, will not only satisfy supervisors but also win customers and capital. Those that do not will find the gap between promise and performance widening, precisely when the stakes have never been higher.
[View source.]
