How APRA’s information-security (CPS 234) and operational-risk (CPS 230) standards shape AI and AI-vendor use for banks, insurers and super funds.

dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.

For APRA-regulated businesses — banks, insurers and super funds — two prudential standards shape how you can use AI and AI vendors: CPS 234 on information security and CPS 230 on operational risk. Here is how they apply.

| Item | Detail |
| --- | --- |
| CPS 234 | Information Security — protect information assets, incl. those held by third parties |
| CPS 230 | Operational Risk Management — incl. service-provider (vendor) management |
| Applies to | APRA-regulated banks, insurers, superannuation entities |
| AI angle | AI systems and AI vendors fall within both standards |

CPS 234 — information security

CPS 234 requires APRA-regulated entities to maintain information-security capability commensurate with the threats, clearly define roles, and protect information assets — including those managed by third parties. An AI vendor processing your data is in scope: you must assure its security controls, not just your own.

CPS 230 — operational risk and vendors

CPS 230 (operational risk management) brings service-provider management under formal control — an AI model provider or platform is a material service provider whose risk you must identify, assess and manage, with continuity and exit planning. Final targeted amendments to CPS 230 were released in 2026.

What this means for AI

For regulated firms, choosing AI tooling is a prudential decision: favour vendors and architectures you can assess, audit and exit. A self-hostable, model-agnostic platform helps — you control the data path and can switch providers. osFoundry’s managed cloud pins data to the US, EU or Japan — it does not currently offer an Australian managed region. For data that must stay in Australia, the honest path is self-hosting osFoundry (BYO Cloud) inside an Australian cloud region such as AWS (Sydney or Melbourne), Microsoft Azure (Australia East, Australia Southeast or Australia Central in Canberra) or Google Cloud (Sydney or Melbourne), or running models locally on-device.

Where dgm fits

dgm is an independent integration partner that helps Australian businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.