Who we build for

Risk teams, meet Loxodrome.

APRA said it best: “risk management and internal audit functions [are expected to] possess technical capability and tooling to independently assess AI systems.” This is what Loxodrome delivers.

The evidence gap

Traditional risk approaches weren't built for AI.

The three lines model works for risks where the system being governed can produce reliable evidence about itself — credit, fraud, cyber. SOC 2 reports, model validation reports, IT logs, and signed-off policies all rest on that assumption.

AI breaks it. The systems making decisions are the same ones generating the records of what they did, at volumes no first-line team can review by hand, and the vendor whose model is doing the deciding usually has the only complete view of the underlying logs. Point-in-time validation doesn't survive contact with continuous production.

APRA's April 2026 letter to industry said out loud what most risk leaders had already concluded: governance, risk management, assurance and operational resilience are not keeping pace with the scale, speed and complexity of AI adoption. The finding cut across all three lines, and across boards.

What's missing isn't another framework or another vendor questionnaire. It's a single ledger that sits outside the systems being governed, capturing decisions as they happen, and giving all three lines and the board an independent record and attestation.

Reconstruct any decision, fast

When a customer disputes an outcome, you should be able to pull the decision in minutes: model, inputs, output, override. Without that, you're trawling logs across three systems for three weeks.

Know what AI is actually running in your area

Shadow AI and unsanctioned vendor APIs sit inside CPS 234 scope, and APRA's April 2026 letter flagged that detective and policy-only controls aren't enough. The expectation is enforceable technical restrictions. Absence of monitoring is itself evidence.

Surface drift early

Override rates rising, decision consistency dropping — Loxodrome surfaces it as it happens, so the next conversation with second line is a remediation discussion rather than a finding.

Evidence your controls are working

A signed-off policy is documentation, not evidence. CPS 230 attestations need continuous, verifiable records, the kind that survive being challenged.

I can demonstrate my AI is doing what it's supposed to — and when it isn't, I'm the one who knows first.

🌟 This is where Loxodrome really shines.

The capability APRA now expects you to have

APRA's April 2026 letter set the expectation directly: second-line risk and internal audit need the technical capability and tooling to "independently" assess AI systems, including probabilistic models. Loxodrome is that tooling.

Evidence that didn't come from the business

APRA's review found overreliance on vendor presentations and summaries without verification of operations. Loxodrome's ledger sits outside first-line systems, and records are sealed at ingestion in a way that can't be altered after the fact — including by us. That's genuine independence, not an internal log with a different name.

You're not waiting to be told something went wrong

Continuous signal monitoring (fairness drift, override rates, decision anomalies) comes directly to you in real time. Not via the model owner, after an incident, or through a vendor briefing.

A defensible answer to "how do you know?"

CPS 230, CPS 234, and ASIC s912A require you to demonstrate control, not describe it. A process narrative won't satisfy an APRA examination; a tamper-evident audit trail will.

Board reporting with substance

Move past traffic lights. Loxodrome gives the board numbers rather than assurances: breach rates, remediation timelines, and instrumentation gaps.

I can challenge the first line with evidence that's mine — not theirs. And I can show the regulator what oversight actually looks like.

Test what the first and second line say is happening

CPS 234 puts AI controls, including those held by third-party vendors, squarely in your audit scope. Loxodrome gives you the evidence base to do that work without depending on the systems you're auditing.

Independent verification, on demand

A single command produces cryptographic confirmation that nothing's been altered and nothing's missing. You're not waiting on the business or the vendor to produce records about itself.

A pre-engagement gate for material AI outsourcing

CPS 230 makes you the gatekeeper for material AI vendor arrangements before they're signed. Loxodrome's coverage assessment makes that real: what gets captured, what doesn't, and what residual gap remains.

Findings that hold up

Audit findings often turn on whose records you're reading. Loxodrome's ledger isn't held by the business or the model owner, so findings grounded in it don't get re-litigated on the question of evidence integrity.

One control set, every audit cycle

The same evidence layer maps to CPS 230, CPS 234, ASIC s912A, the EU AI Act, and ISO 42001. Build the audit programme once, then re-use it across regulators and across years.

I don't need to take the model owner's word for it. I can verify the evidence myself — and so can the regulator.

Director liability is no longer theoretical

ASIC v RI Advice [2022] FCA 496 confirmed that AFS licensees must manage technology risks under s912A, and KWM, Norton Rose Fulbright, and MinterEllison have all said the same logic applies to AI. Since the 2019 reforms, the maximum civil penalty for an individual contravention of s180 is the greater of 5,000 penalty units (around $1.565 million) or three times the benefit derived. Disqualification under s206C sits over the top.

Board accountability is non-delegable

CPS 230 puts AI oversight squarely on the board. CPS 220 requires technology and operational risks — including AI — to be captured in the board-approved risk framework. APRA's April 2026 review found board papers without AI content across multiple entities. That absence is itself evidence of inadequate oversight, and the documented pathway to s180 stepping-stone exposure for individual directors.

FAR exposure is personal

Accountable persons under the Financial Accountability Regime face disqualification and forfeiture of variable remuneration for failing to take reasonable steps. Data management, operational risk, and IT are all in scope. AI sits inside all three.

APRA now expects directors to be AI literate

APRA's April 2026 letter set the bar: boards must "maintain sufficient understanding and literacy with respect to AI in order to set strategic direction and provide effective challenge and oversight." Overreliance on vendor presentations and summaries was specifically called out. CPS 520 fit and proper assessments will follow.

Independent evidence is what holds up under challenge

When a director asks "how do we know?", the answer should not come from the people running the system, or from the vendor that built it. Loxodrome gives the board its own record: interrogable, verifiable, mapped to CPS 230, CPS 220, and the AICD's framework for AI governance.

As a director, I can ask "how do we know?" and get an answer that didn't come from the people running the system or the vendor that built it.

Want to learn more?

Request a demo

Loxodrome's product is purpose-built to manage AI risk in Australian financial services. If you lead risk, compliance, or audit at a regulated institution, or sit on the board, we'd love to show you.

We respond within two business days. We will not share, sell, or list your organisation publicly.