Commonwealth Bank has elevated artificial intelligence to a material risk category in its enterprise risk framework, placing AI deployment oversight alongside traditional exposures like lending and liquidity.
The classification means CBA's board now sets annual risk appetite statements for AI, supported by a dedicated AI risk committee positioned between executive leadership and business units. The committee challenges higher-risk use cases and advises on framework design.
This formalizes governance around significant existing deployments. CBA screens 80 million events daily using AI fraud detection models and runs guardrails-as-a-service for its Ceba chatbot to prevent hallucinations when pulling content via retrieval-augmented generation.
The structure emerged in a transparency report released February 5, days after Australia's National AI Plan pledged $29.9M for an AI Safety Institute. CBA disclosed the framework alongside the December 2025 appointment of Ranil Boteju as Chief AI Officer, who starts in early 2026.
Governance architecture matters here. Financial institutions balancing AI adoption with regulatory scrutiny need clear accountability chains. CBA's model places the board at the apex, supported by risk and audit committees, with the AI risk committee sitting above the business unit financial and non-financial risk committees that evaluate local deployments.
Policies governing AI risk get periodic review under the group policy framework. Business units maintain autonomy but face structured challenge on higher-risk implementations.
The report positions CBA's approach around six principles in a Group AI Policy covering ideation through monitoring, aligned with the bank's Code of Conduct. The bank flags investment in AI engineering and prompt engineering skills to support the transition.
What this means in practice: expect other financial institutions to formalize similar structures as AI moves from experimental to operational at scale. The committee layer between executives and business units is the notable addition, creating a dedicated forum for risk challenge before deployment.
Worth watching: how CBA's framework adapts as external AI agents interact with banking systems and regulation evolves beyond current voluntary principles.