AI strategy

AI is embedded in this bank across the full delivery lifecycle — from the design of the platform through to runtime decisions that affect customers. This page defines the four operational modes, the guiding principles that apply across all of them, and the regulatory context for NZ and Australia.

Guiding principles

  • AI augments, humans decide. For any material outcome — an architectural direction, a credit decision, an account action — a human is accountable. AI informs and accelerates; it does not own outcomes.
  • Compliance by design extends to AI. AI systems satisfy the same policy obligations as any other system. A model decision that affects a customer requires the same audit trail as a manual one.
  • Assumptions are explicit. AI tools must surface their assumptions rather than embed them silently in artefacts. An AI that infers intent and acts without confirmation creates untraceable decisions.
  • Guardrails are additive. Rules are expected to grow as experience accumulates. Every mode has a living ruleset that is updated in this wiki when new patterns or risks are identified.

The four modes

| Mode | Phase | Governed by |
|---|---|---|
| 1. Discover & design | Pre-build — architecture, policy, planning | DT-011 |
| 2. Code generation | Build — AI-assisted coding, test generation | DT-011 |
| 3. Analytical inference | Runtime — ML models in banking processes | DT-009 |
| 4. Agentic operations | Runtime — AI agents that initiate actions | DT-009 |

Mode 1: Discover & design

AI tools assist with architecture decisions, policy drafting, wiki content creation, and planning. The AI surfaces options and implications; humans decide. All content that enters this wiki is reviewed and approved by a human before commit.

Specific operating rules for AI assistants working in this wiki are also defined in the repository's CLAUDE.md.

Mode 2: Code generation

AI tools assist developers in writing application code across the eight system domain repositories. Generated code is subject to the same pipeline gates, code review, and security scanning as human-written code. AI-generated output receives no special dispensation.

Mode 3: Analytical inference

ML models embedded in banking processes: credit scoring, fraud detection, AML behavioural analysis, transaction categorisation, customer risk scoring. Every model decision that affects a customer is logged with the input, model version, and output. Human override is always available. See DT-009 for the full requirements.

Relevant modules: MOD-017, MOD-023, MOD-028, MOD-039, MOD-041.

Mode 4: Agentic operations

AI agents that can initiate actions: automated customer service, internal workflow automation, decision orchestration. Each agent operates within a hard-scoped action boundary. No autonomous financial transactions above defined thresholds. Full audit trail required. See DT-009 for the full requirements.

Specific agent designs have not yet been finalised — rules are defined here to bound future design choices.

Regulatory context

Australia

Australia is actively developing a mandatory AI guardrails framework targeting high-risk AI applications. Banking and financial services AI — particularly credit decisioning, fraud, and customer-facing agents — will clearly fall in scope.

| Instrument | Status | Relevance |
|---|---|---|
| Australian Voluntary AI Safety Standard (DISR, 2024) | In effect | Baseline responsible AI practices; bank adopts as minimum |
| Mandatory AI guardrails framework (DISR) | Enactment pending (consultation closed 2024) | Will impose binding obligations on high-risk AI; bank designs to this now |
| ASIC guidance on AI in financial services | Evolving | Covers automated advice, credit decisions, and customer communications |
| Privacy Act 1988 (AU) | In effect | Automated decision-making affecting individuals must be disclosed on request |

New Zealand

NZ has no dedicated AI legislation currently. Obligations derive from existing frameworks applied to AI contexts.

| Instrument | Status | Relevance |
|---|---|---|
| Algorithm Charter for Aotearoa New Zealand (2020) | Voluntary, government commitment | Transparency and human oversight principles; bank adopts as minimum |
| Privacy Act 2020 (NZ) | In effect | Automated decisions involving personal information; disclosure and correction rights |
| CoFI Act 2022 | In effect | Fair treatment of customers extends to AI-driven processes |
| FMA guidance on technology and data | Evolving | Regulatory expectations for AI in financial services conduct |

Both jurisdictions are expected to tighten. Policy DT-009 carries a review date that must be pulled forward if legislation advances.