Regulated AI · APRA, the Privacy Act & the vendors who serve them

AI that survives
APRA supervision.

We take AI, from conventional models to the hardest agentic systems, to governed, auditable production for Australia's regulated economy: banks, insurers and superannuation funds, and the fintechs and vendors who serve them. Before the supervision questions arrive.

30 April 2026: APRA letter to industry, AI expectations set

1 July 2026: CPS 230 amendments take effect

10 December 2026: Privacy Act automated-decision rules commence

Which side of the CPS 230 line are you on?

The institution carries the regulatory obligation. The vendor only has to satisfy it. Different problem, different work. Pick your path.

You are the regulated entity

A bank, insurer or super fund

You own the CPS 230 obligation and you are bringing AI from pilot to governed, auditable production. We do the governance, assurance and financial-crime work that survives supervision.

  • Operational-resilience and AI governance engagements
  • Assurance your board and APRA can stand behind
  • Done with a former Tier-1 bank architect

You sell to one

A vendor supplying a regulated institution

You are not APRA-regulated, only your customer is. But under CPS 230 they must prove their critical suppliers are well-governed, so the resilience questions now land on you. We get you ready to pass.

  • The Vendor Resilience Gap Scan, fixed scope, one week
  • A pack you can hand any FS customer
  • Free readiness check and guides to start

Built for Australia's regulated businesses

BNK
Banks & ADIs
INS
Insurers
SUP
Superannuation funds
VEN
Fintechs & vendors

Pilots are easy.
Supervision is not.

APRA has set AI-specific expectations and CPS 230 takes effect on 1 July 2026. The gap between an AI pilot and a supervisable production system is not a technology problem. It's an evidence problem. We close it.

The Gap

Policy on paper.

Most regulated firms now have an AI policy, a working group and a pilot or two. What they don't have is the operational machinery APRA expects: live inventories, behaviour monitoring, lifecycle ownership, assurance.

Our Work

Machinery, built.

We build the governance and engineering infrastructure that turns AI pilots (agentic systems included) into supervised production systems: evaluation gates, autonomy controls, audit trails, evidence by default.

The Result

Evidence on demand.

When the supervision questions arrive, you answer with artefacts: a live agent registry, monitoring in place, reconstructable decisions. Not a slide deck and good intentions.

Three engagements.
Built for the APRA clock.

APRA's 30 April 2026 letter set AI-specific expectations: inventories, behaviour monitoring, lifecycle ownership, assurance. CPS 230 amendments commence 1 July 2026. Most firms have AI policy on paper. We build the operational machinery behind it.

Governance & assurance

APRA-Ready AI

We operationalise APRA’s AI expectations so your AI, agentic systems included, stands up to supervision, not just demonstration.

APRA has told industry what it expects of AI: inventories, model behaviour monitoring, lifecycle ownership and assurance. Few firms can evidence any of it. In 8–12 weeks we build that evidence: auditable artefacts your board, your auditors and your supervisor can inspect.

  • Agent inventory & registry, liveEvery AI system and agent: owner, autonomy level and lifecycle stage on record, mapped to APRA’s stated expectations.

  • Evaluation & assurance machinery, runningBehaviour monitoring and assurance harnesses producing evidence of control, not assertions of it.

  • Autonomy under authorityAutonomy controls, kill switches and identity for non-human actors, with audit trails that reconstruct any agent decision end-to-end.

8–12 week fixed-scope engagement

AML/KYC alert triage

Agentic Financial-Crime Investigation

Agentic triage for AML/KYC alert queues: evidence assembled, narratives drafted, dispositions recommended. Humans make every final call.

Banks commonly assign 10–15% of staff to KYC and AML work, much of it gathering evidence and writing narratives. Our agents do that assembly: they compile the case file, draft the investigation narrative and recommend a disposition. Your investigators review, decide and sign off. Explainable, auditable, human-in-the-loop by design.

  • Faster investigationsIndustry results show ~50% time reduction per AML investigation (EY), and many institutions saving $1M+ annually in AML operations.

  • Decision-ready case filesAgent-assembled evidence and draft narratives for every alert, so investigators spend their time judging, not gathering.

  • Audit-grade by constructionEvery recommendation explainable and traceable, with human disposition as a design guarantee, not a configuration option.

6–10 week scoped pilot

Built by a founder with five years architecting financial-crime risk systems (KYC, transaction monitoring, fraud) at a global Tier-1 bank.

See ComplianceNexus, the working system behind this engagement

Compliance automation

APRA & Privacy Act Compliance Automation

Onshore, audit-ready AI pipelines built before the next regulatory deadline, not after the breach review.

The deadlines are set: CPS 230 and CPS 234 operational resilience expectations, and APP 1.7 automated decision-making transparency requirements commencing 10 December 2026. We audit your AI toolchain and build compliant, fully onshore pipelines on Australian cloud regions (AWS, GCP or Azure), so every inference, and every byte, stays within Australian borders.

  • Shadow AI, eliminatedA complete audit of every AI tool touching your data, with unsanctioned usage replaced by governed, onshore alternatives.

  • Data residency, evidencedPipelines architected to keep data within Australian borders, with the artefacts to prove it to your auditor, not just assert it.

  • ADM transparency, readyAutomated decision-making disclosures and controls mapped to APP 1.7 ahead of its 10 December 2026 commencement.

2–4 week audit · ongoing retainer optional

Autonomy is earned,
never assumed.

Every agent we build climbs the same ladder: it starts in shadow, earns its way through evaluation gates, and only holds the autonomy it has evidenced. At any stage, the artefacts exist to show a supervisor exactly why the agent is trusted to do what it does.

  1. 1

    Shadow

    Observes only. Outputs are captured and compared offline: no customer, no system is touched.

    Gate
  2. 2

    Advisory

    Recommends. The agent drafts and proposes; a person reviews and acts on every output.

    Gate
  3. 3

    Controlled

    Acts within hard limits. Bounded actions, human override, kill switch always armed.

    Gate
  4. 4

    Full autonomy

    Acts independently on defined tasks, continuously monitored, fully reconstructable.

Each gate is an evaluation, not a meeting. An agent passes only when it has produced the predefined behavioural evidence (accuracy, boundary compliance, escalation discipline) under the monitoring that stays with it in production. Fail the gate, stay at the current rung.

Built for environments where “move fast” is not a strategy

Four commitments that shape every engagement and stand up in front of a board, an auditor or a supervisor.

Agentic AI built and led at bank scale

Built and led agentic AI to governed production inside a global Tier-1 bank, from architecture through hands-on engineering: RAG pipelines, evaluation harnesses, model governance and AI DevOps. Passed regulatory 2LOD reviews on AI and cloud systems. That sits on 22+ years of regulator-visible production and European operational-resilience programs (ECB, DORA), the same obligations CPS 230 now brings to Australian entities.

Financial-crime depth

Five years architecting financial-crime risk systems (KYC, transaction monitoring, fraud) at a global Tier-1 bank. We speak AML natively, not from a briefing pack.

Human-in-the-loop by design

Agents recommend; people decide. Autonomy is earned through evaluation gates and held under monitoring, kill switches and audit trails. Never assumed.

Fixed scope, auditable outcomes

Engagements are fixed-scope and outcomes are delivered as auditable artefacts: registries, harnesses, reconstructable decisions. Things your auditors can inspect, not promises.

Built where the regulators sit across the table.

Two decades running systems regulators watch.
That is what Vanexus is built on.

22+ years running the kind of mission-critical systems regulators scrutinise, paired with the agentic engineering to put that discipline to work under APRA supervision.

The full track record

22+

Years running mission-critical platforms at Tier-1 global banks

99.99%

SLA on the production platforms operated

5

Years architecting financial-crime risk systems at a global Tier-1 bank

  • Agentic AI built and led to governed production inside a global Tier-1 bank: RAG pipelines, evaluation harnesses, model governance, AI DevOps. Regulatory 2LOD reviews passed on AI and cloud control domains.

  • Production-operations leadership across mission-critical banking platforms: 99.99% SLA, 24/7, regulator-visible.

  • Operational-resilience programs delivered inside Tier-1 banks in Europe (ECB, DORA), the same family of obligations APRA now brings to Australian entities under CPS 230, so it is home ground, not new territory.

  • Financial-crime risk systems architected end-to-end: KYC, transaction monitoring, fraud.

  • Multi-agent systems built across AWS, GCP and Azure, the engineering patterns we now apply to regulated agentic AI.

The machinery is already running.

LiquidNexus runs a treasury liquidity cycle end to end. ComplianceNexus takes AML alerts from intake to disposition. Both are built with AssureNexus, our governed AI-SDLC toolkit. Working systems, demonstrable in a walkthrough.

Asked by boards,
risk and engineering.

Straight answers to the questions we hear from CTOs, CROs and heads of risk at regulated firms.

The letter set AI-specific expectations for APRA-regulated entities: maintain an inventory of AI in use, monitor model and agent behaviour, assign clear lifecycle ownership, and be able to provide assurance over AI-driven processes. The common gap is not policy (most firms have a policy): it is the operational machinery that produces this evidence continuously. That machinery is what our APRA-Ready Agentic AI engagement builds.

CPS 230 is general operational-risk regulation, not an AI-specific rule, but its accountability extends to any process where AI acts, and most acutely where autonomous agents act. If AI participates in a critical operation, you need to evidence the controls around it: who owns it, what it is permitted to do, how its behaviour is monitored, and how you would detect and respond if it misbehaved. The amendments commence 1 July 2026, which is why we structure engagements as fixed-scope builds measured in weeks, not transformation programs measured in years.

By design, not by policy. Every agent we build climbs a progressive autonomy ladder (Shadow, Advisory, Controlled, Full autonomy) and only moves up by passing evaluation gates with predefined behavioural evidence. In financial-crime work specifically, agents assemble evidence, draft narratives and recommend dispositions; a human investigator makes every final call, and the audit trail records both the recommendation and the decision.

A defined checkpoint where an agent must demonstrate specific behaviour (accuracy thresholds, boundary compliance, escalation discipline) under the same monitoring it will carry in production. Passing a gate earns the next level of autonomy; failing means staying at the current level. The gate results are artefacts: they are how you show a supervisor that autonomy was earned on evidence, not granted on enthusiasm.

Vanexus has built multi-agent systems across AWS, GCP and Azure, and the founder brings 22+ years of production-operations leadership at Tier-1 global banks, including 99.99% SLA platforms and the European operational-resilience programs (ECB, DORA) that mirror APRA's expectations here, plus five years architecting financial-crime risk systems. That is the engineering discipline we bring to every engagement, structured so the outcomes are auditable artefacts that stand on their own, whoever operates them.

APRA has told you what it expects. Can you evidence it?

Thirty minutes with the founder: we built and led agentic AI to governed production inside a global Tier-1 bank, with 22+ years on Tier-1 banking platforms and five years inside financial-crime risk systems. We map where your AI plans stand against APRA’s expectations, and what the path to auditable production looks like. No pitch deck, no obligation.