AI Compliance for Australian Government Agencies: APS Framework
In February 2024, the Australian Public Service Commission published the APS AI Policy—a mandatory framework applying to all Australian federal government agencies. By July 2025, every agency had to maintain a public AI Register and document their AI governance. Yet a Freedom of Information (FOI) analysis by the Grattan Institute found that fewer than 60% of agencies had completed a compliant register by the deadline.
For government agencies struggling to understand their obligations, the stakes are high: failure to comply risks ministerial direction, budget consequences, and loss of public trust. This article explains what the APS AI Policy requires and how agencies should implement it.
The APS AI Policy: Mandatory Framework and Scope
The APS AI Policy applies to all Australian Public Service agencies and statutory authorities. Its core principle is “responsible AI”—agencies must use AI in ways that are lawful, ethical, transparent, and accountable to the public.
The policy mandates four key obligations: First, identify and register all AI systems in use (the “AI Register”). Second, establish AI governance frameworks with clear accountability. Third, ensure appropriate human oversight of AI decisions, particularly for decisions affecting individual rights or welfare. Fourth, maintain transparency—agencies must be able to explain to the public and to Parliament how AI is being used and why.
The policy applies to AI systems used for internal operations (e.g., administrative automation, predictive analytics) and to systems that affect the public (e.g., automated benefit eligibility assessment, service chatbots, content moderation).
The Mandatory AI Register
Every APS agency must maintain and publish a public AI Register listing all AI systems in use. The register must include: the system name and description; the business function it supports; the AI vendor (if external) or development team (if internal); deployment date; and a risk rating (low, medium, high, or very high).
For high-risk systems—particularly those making decisions affecting individuals (benefit eligibility, visa assessments, welfare determinations)—the register must also document: the decision type, the data inputs used, how the system is monitored, any limitations known to the agency, and how individuals can request an explanation or review of AI-made decisions.
Agencies publish their registers on their websites, so public scrutiny is inevitable. Some agencies initially resisted publication, arguing commercial sensitivity or security concerns, but the Department of Prime Minister and Cabinet (PM&C) clarified that transparency is non-negotiable—agencies can redact limited details (vendor pricing, security architecture) but must disclose the AI’s purpose and function.
The register is a living document. When an agency deploys a new AI system, it must be added to the register within 30 days. When a system is retired, it must be marked as decommissioned. Failure to maintain an accurate register is a breach of the APS AI Policy and can trigger compliance reviews.
Agency-Specific AI Obligations
While the APS AI Policy is government-wide, specific agencies face additional sector-specific requirements. Services Australia, which administers benefits to millions of citizens, has implemented AI systems for income-testing and eligibility assessment. Any such system must meet additional safeguards: documented testing for bias (particularly against vulnerable cohorts like Indigenous Australians), human review protocols (no automated final denial without human review), and a dispute resolution mechanism for individuals who believe the AI made an error.
The Australian Taxation Office (ATO) uses AI for compliance analytics, risk assessment, and fraud detection. The ATO’s AI governance requires: validation of risk models against historical audit outcomes, regular retraining to prevent performance drift, and audit trails showing what data the AI considered when flagging a tax file number for human review. The ATO also publishes high-level transparency reports (e.g., “our AI system flagged 250,000 tax returns for further review in 2024”) to maintain public confidence.
Home Affairs uses AI for visa assessment, border control, and security risk determination. Here, the stakes are highest: errors can result in individuals being detained or deported incorrectly. Home Affairs must maintain the strictest oversight: all AI recommendations are reviewed by human officers before final decisions, regular audits ensure consistency, and individuals have appeal rights when AI recommendations are disputed.
Smaller agencies often lack specialised AI governance expertise. The APS Commission has published guidance and templates to help, and PM&C offers peer learning forums where agencies can share best practices. However, compliance ultimately remains each agency’s responsibility.
Procurement Requirements for AI Vendors
When APS agencies procure AI systems from external vendors, they must conduct appropriate due diligence. The APS Procurement Rules require agencies to assess vendor proposals against criteria including: technical security (data encryption, audit trails, uptime guarantees); governance maturity (does the vendor have documented testing and monitoring practices); transparency (can they explain how the AI works); and support (will they assist with post-deployment monitoring and incident response).
Additionally, the APS Protective Security Policy Framework (PSPF) applies stricter requirements when the AI system processes sensitive government data. Vendors must comply with the PSPF’s security and data residency requirements, often necessitating on-shore deployment or government cloud infrastructure.
Contracts must include explicit clauses addressing AI governance: rights to audit the system’s performance; notification requirements if the vendor detects data breaches or model failures; data retention and deletion obligations; and clear termination rights so the agency can exit if the vendor fails to meet obligations.
Some vendors resist transparency clauses, arguing that their AI algorithms are proprietary. Agencies should not accept this argument. The policy position is clear: if your system affects government decisions that affect the public, the agency and the public have a right to understand how it works. Vendors must provide sufficient transparency—through model documentation, test reports, and impact assessments—or lose the government contract.
Public Accountability and FOI Implications
The APS AI Policy creates significant FOI implications. Citizens can request records explaining how AI decisions were made (e.g., “what data did the ATO use to assess my tax risk”). Government agencies must be able to respond with documentation, which requires maintaining detailed logs of AI inputs, outputs, and decisions.
Some agencies have resisted FOI requests for AI documentation, arguing the system is too complex or that explaining it would reveal proprietary algorithms. Courts have increasingly sided with requesters: the principle is that government decision-making must be transparent, and AI doesn’t change that principle. If an agency can’t explain a decision to the public and Parliament, it shouldn’t be making that decision by AI.
This creates a practical challenge: agencies must balance transparency with security. They should have processes to redact sensitive information (e.g., specific modelling parameters used for security purposes) while releasing enough detail to allow public understanding. Failure to manage this properly can result in lengthy legal disputes and reputational damage.
State and Territory Government Approaches
The APS AI Policy applies only to federal agencies. However, state and territory governments are adopting parallel frameworks. NSW has published an AI governance guide; Victoria is developing a state-wide AI policy; and other states are following suit. The approaches are largely consistent with the APS framework—register, governance, human oversight, transparency—but implementation timelines and specific requirements vary.
Agencies operating across state and federal levels (e.g., a health system receiving federal funding) may need to comply with multiple frameworks. This creates compliance complexity, but the core principles are consistent: if you’re using AI to make government decisions, you must be able to explain and justify those decisions to the public.
FAQ
Q1: Does every government AI system need to be on the public register?
A: Effectively yes. The APS AI Policy requires all AI systems to be documented internally. The question is whether they must be published on the public register. Low-risk internal systems (e.g., robotic process automation for document handling) may be registered with minimal detail. High-risk systems (those affecting public entitlements or individual rights) must be published transparently. Agencies shouldn’t hide systems from the public register without strong justification—if they can’t justify the system’s use publicly, they shouldn’t deploy it.
Q2: What happens if an agency violates the APS AI Policy?
A: The APS Commission can issue compliance warnings, require remedial actions (e.g., decommission a non-compliant system), or recommend to the agency’s Minister that the agency’s budget or operations be scrutinised. More significantly, public disclosure of non-compliance (through media, FOI, or parliamentary inquiries) damages agency credibility and can trigger political consequences. Agencies take compliance seriously to avoid these reputational risks.
Q3: Can an agency use AI for high-stakes decisions like visa or benefit denials?
A: Yes, but with extensive human oversight and individual appeal rights. The policy permits AI to support decision-making but expects human officers to review recommendations, particularly for high-impact decisions. Fully automated final decisions (no human review) are permitted only for low-risk, repetitive tasks. For visa or benefit decisions, the AI typically flags cases for human assessment, but final decisions must be made by human officers who can articulate their reasoning.
Next Steps
If you’re a government agency, audit your AI Register for completeness and accuracy. Ensure all high-risk systems are documented with sufficient detail for public transparency. Review your vendor contracts to ensure AI governance clauses are in place. Establish or refresh your internal AI governance committee with cross-functional membership (ICT, policy, risk, legal). Provide staff training on the APS AI Policy and on oversight requirements for AI systems in their areas. Prepare for increased FOI requests for AI documentation—build processes to manage these efficiently and transparently.
