What operational-risk records look like when the operator is an agent. Four short pages.
CPS 230 is APRA's Prudential Standard on Operational Risk Management. It requires an APRA-regulated entity to manage its operational risk and to keep records that evidence operational-risk events and the controls around them.
When an agent carries out an operational process, the obligation does not move. The entity still has to be able to show what happened and how the control operated, after the event.
On 30 April 2026, APRA issued its first published, AI-specific expectations for boards and accountable executives, drawn from a targeted supervisory review conducted in late 2025. It names four areas to act on:
CPS 234, Information Security, sits next to CPS 230 and covers the security of the systems that hold those records. Read together, they ask an entity to manage the risk and to be able to evidence what happened.
When an agent takes the action, you still owe APRA a record of what it did and why. Arkna keeps that record. Arkna does not provide legal or compliance advice, and does not certify an entity under CPS 230 or CPS 234.
Every claim on this page traces to APRA's own material below.