What Commonwealth Bank's Public Record Reveals About Its AI Readiness

What Commonwealth Bank's Public Record Reveals About Its AI Readiness

Commonwealth Bank wants you to know it leads Australian banking into AI. The frontier partnerships with Anthropic and OpenAI, the Seattle tech hub, the 30,000-plus employees through AI training, the 2,000 models running against 157 billion data points, it's all on the record, announced and amplified for analysts and shareholders to absorb. What no one outside the bank does is read that record the way a regulator or a short seller would.

So that's the exercise here. This is a WAVE assessment of Commonwealth Bank of Australia, scored across the four pillars of the framework, Watch, Adapt, Verify, Empower plus AGI readiness, built entirely from public material. Filings, press releases, executive remarks, partnership announcements, regulatory disclosures. No interviews, no internal access, no proprietary data. Just what any outsider could already assemble without being let inside.

I'm using CBA as the worked example of the Intelligence Age Scorecard, but the method is the point. It is based on my WAVE methodology I first published in my latest book Now What?

The bank reads as confident from the front of the house and exposed once you trace the connections: a genuinely impressive deployment surface sitting on top of a verification spine that hasn't kept pace. The things you can announce, partnerships, training numbers, model counts, are best-in-class. The things you have to evidence under audit, provenance, output validation, decision rights, capability-discontinuity planning, are where the structural risk concentrates. And in a world of exponential change, that gap isn't academic.

Here's the full assessment. As you read it, the sharper question isn't whether I've scored CBA correctly, it's whether your own public posture would survive being read back to you by someone with no inside access and the regulatory calendar in their other hand.

What CBA already sees coming

The scanning apparatus is real. Anthropic at the engineer-to-engineer level. A Seattle outpost with a cohort focused on agentic systems. An MIT Sloan collaboration on managing AI risk. Group CIO Gavin Munroe describing quarter-on-quarter acceleration in conversations with US frontier labs.

Few Australian incumbents are sourcing signal from that many directions at once, and the evidence supports a high gateway score on Watch. The weakness sits further down. CEO Matt Comyn's long-term framing is consistent and public, but no published scenario set, no named foresight function, and no signal-evaluation framework appears in the disclosure record.

The synthesis layer is executive-curated rather than institutionally engineered. The specific consequence: scams and fraud are tracked superbly, the Apate.ai partnership proves that. Longer-horizon shifts, stablecoin rails, tokenized deposits, embedded finance compressing the deposit franchise, sit beyond the window a bank of CBA's systemic importance should hold open.

Pilots multiplying faster than the operating model

Adapt is the lowest pillar. CBA is not a bank that struggles to start things. ChatGPT Enterprise was rolled out at a scale described as among the largest in global financial services. The AWS data-platform migration moved 61,000 data pipelines from legacy to cloud inside eleven months. The Customer Engagement Engine has been in production for years. Starting is not the problem. The drag is in reallocation speed and feedback-loop discipline, the two dimensions where incumbent banks consistently lose ground to faster entrants.

CPS 230, live since 1 July 2025, treats material AI vendors as service providers requiring full operational risk treatment, which lengthens, not shortens, the path from pilot to production. The Privacy Act's automated-decision-making disclosures land on 10 December 2026 and add another layer. Meanwhile the Australian fintech market is on course to roughly double by 2031, with challengers iterating on monthly cycles. Annual budget rhythms will not defend deposit share against operators rebuilding their roadmap every four weeks.

Where the spine doesn't match the surface

Verify is where the structural exposure concentrates. CBA's February 2026 report on how the bank ideates, develops, deploys, and manages AI is a genuine governance disclosure, and the MIT collaboration on managing AI risk reinforces it. The visible work is being done. The invisible work is uneven. The provenance score is the one to stare at.

With CPS 230 already in force, ASIC's REP 798 having flagged the audit-mechanism gap at industry level, and the Privacy Act's automated-decision-making obligations biting in December 2026, a bank running one of the largest ChatGPT Enterprise deployments in global financial services has to be able to answer where training data, model outputs, and downstream decisions originated across the Anthropic, OpenAI, and AWS estate.

The public record does not show that it can. With ACL penalties for AI-washing now reaching AUD $100 million per contravention and ASIC's 2025-26 Corporate Plan explicitly prioritizing AI oversight, this is the exposed flank. Fast and reckless is not the CBA brand. The provenance seam needs to close before someone closes it from the outside.

Trained, not yet empowered

The training dimension is best-in-class by any Australian banking benchmark. More than 30,000 employees through the AI learning series. ChatGPT Enterprise rolled out at scale. The Seattle hub rotating 200 employees per year. An approximately $90 million Future Workforce Program over three years, with around 5,000 employees moved into new internal roles in the past year.

The AI-for-All framing is not marketing, the throughput is real. The weakness is structural, not cultural. Decision distribution and role redesign both sit at the lower end, meaning people are trained but authority and job architecture have not been re-engineered around augmented work.

A relationship banker who has completed the AI literacy program but still routes every non-standard decision up the chain has been upskilled without being empowered. And this couples directly to the Verify gap: decision rights cannot safely be distributed until provenance and output validation are trusted at the point of use. The unlock is not more training. It is fewer roles redesigned end-to-end with the validation layer engineered underneath them.

What is not on the agenda

The AGI Readiness score lands at 1.0/4, and the reason is direct: publicly available evidence does not address it. There is no disclosed framework for workforce displacement under capability discontinuity. No disclosed decision-authority matrix mapping which calls AI owns autonomously, which require human ratification, and which remain human-only.

No disclosed stress test of CBA's intermediation-based revenue model against agentic commerce or embedded finance routing around it. No disclosed governance posture for systems whose reasoning exceeds the supervisor's. This is not a fabrication of absence, the absence itself is the finding.

A bank of CBA's systemic weight, with frontier partnerships and a #4 global AI maturity ranking in financial services, has every reason to be the institution proposing the framework to APRA, ASIC, and the new Australian AI Safety Institute.

The structural risk of not doing so is straightforward: inherit a framework written by regulators on their cadence rather than yours. The operational competence visible across Watch, Adapt, Empower, and the surface of Verify has not yet translated into preparation for the moment when current playbooks expire entirely.

The fault line, named

The compound pattern across the five groupings tells one story. Strong Watch but soft synthesis means CBA sees what is coming but does not yet route it into a planning horizon long enough to act on.

Strong Adapt at the gateway but weak reallocation means pilots accumulate faster than the operating model can absorb. Strong Empower in training but weak decision distribution means literacy without authority. And the connective tissue is Verify, specifically the provenance gap. Without provenance, decision rights cannot safely be pushed down. Without output validation, reallocation cannot safely be sped up. Without capability-discontinuity governance, none of the above scales into the next decade.

The Verify seam is not one weakness among four. It is the structural constraint that keeps the other three from compounding. Close it, and the rest of CBA's investment thesis compounds. Leave it open, and APRA, ASIC, and the AISI will eventually close it on terms not written in Sydney.

What this means for the reader

If a stranger scored your organization from public material, press releases, partnerships, executive remarks, training disclosures, regulatory filings, what would they see? Most large incumbents have built the announceable layer of AI readiness. Far fewer have built the verifiable layer beneath it.

The asymmetry between what your front of house communicates and what your back of house can evidence under audit is the precise space regulators, journalists, acquirers, and short sellers now occupy. The question is not whether you are doing the work. The question is whether the work you are doing would survive being read back to you by someone with no inside access and the regulatory calendar in their other hand. That is the test CBA's public posture sits inside today. It is the test your public posture sits inside, too.

CBA leads Australian banking into AI. Whether it leads the sector through the verification reckoning, or becomes the case study cited in the next prudential update, depends on what the next twelve months close, not what the last twelve announced.