AI,
under supervision.

Working briefings on APRA's AI expectations, CPS 230, and the engineering of governed AI — agentic systems included — written for the people who have to answer for them: CTOs, CROs and heads of risk. No hype, no vendor speak.

The first briefings are live; more are in preparation. Want one prioritised — or a private walkthrough applied to your estate? Ask us directly.

Regulation22 June 2026 · 9 min read

What CPS 230 means for your business, and what to do now

Operational-risk regulation in plain English: critical operations, tolerances, business continuity and the service providers you depend on. What APRA now expects you to evidence, and why going live was the start, not the finish.

Regulation22 June 2026 · 8 min read

Selling to an APRA-regulated company? What CPS 230 now asks of you

When a bank, insurer or super fund relies on you for a critical operation, CPS 230 reaches your contract and your controls. What a material service provider has to evidence, the terms your agreement must carry, and how to stop the assurance step stalling your deals.

Engineering23 June 2026 · 7 min read

From vibes to verifiable: engineering AI you can put in front of a regulator

Vibe coding ships a prototype; it does not survive an audit. Its worst failures are silent. How agentic engineering, a real harness and binding verification gates turn probabilistic AI output into code you can evidence to a supervisor.

Engineering8 July 2026 · 11 min read

The Regulated AI-first SDLC: Intent in → Evidence Out

AI-first delivery is not giving every engineer a coding assistant. It is an operating model: humans set intent and constraints, AI produces the artefacts and the evidence, and binding gates decide what advances. How to run it across the whole lifecycle, under APRA supervision.

RegulationIn preparation

APRA's AI expectations, decoded for engineering teams

What the 30 April 2026 letter to industry actually requires: inventories, behaviour monitoring, lifecycle ownership, assurance. Translated from supervisory language into systems you have to build and run.

RegulationIn preparation

CPS 230 and the agent in your critical operation

The amendments commence 1 July 2026. If an AI agent participates in a critical operation, what does operational-risk accountability look like in practice: ownership, controls, monitoring, response?

MethodologyIn preparation

The Progressive Autonomy Ladder: gating agents on evidence

Shadow, Advisory, Controlled, Full autonomy: the methodology we use to let agents earn trust through evaluation gates, and the artefacts each gate leaves behind for your auditors.

Financial crimeIn preparation

Designing agentic AML/KYC triage that investigators trust

Evidence assembly, draft narratives, recommended dispositions: the human makes every final call. Architecture notes from five years inside Tier-1 financial-crime risk systems.

EngineeringIn preparation

Identity for non-human actors in regulated environments

Agents act, so they need identity, permissions and accountability like any other actor in your estate. What identity for non-human actors means and how to implement it without inventing a parallel IAM.

Prefer the conversation to the PDF?

Most of what will be in these briefings, we'll happily walk through on a call — applied to your estate rather than the general case.

APRA has told you what it expects. Can you evidence it?

Thirty minutes with the founder: we built and led agentic AI to governed production inside a global Tier-1 bank, with 22+ years on Tier-1 banking platforms and five years inside financial-crime risk systems. We map where your AI plans stand against APRA’s expectations, and what the path to auditable production looks like. No pitch deck, no obligation.