Implementation

Application

This version of the policy (v2.0) is effective 15 December 2025. It replaces version v1.1 of the policy which came into effect 1 September 2024.

All non-corporate Commonwealth entities (NCEs), as defined by the Public Governance, Performance and Accountability Act 2013, must apply this policy.

Corporate Commonwealth entities are also encouraged to apply this policy.

National security carveouts

This policy does not apply to:

The NIC includes:

  • Office of National Intelligence (ONI)
  • Australian Signals Directorate (ASD)
  • Australian Security Intelligence Organisation (ASIO)
  • Australian Secret Intelligence Service (ASIS)
  • Australian Geospatial-Intelligence Organisation (AGO)
  • Defence Intelligence Organisation (DIO)
  • Australian Criminal Intelligence Commission (ACIC)
  • the intelligence role and functions of the Australian Transaction Reports and Analysis Centre (AUSTRAC), Australian Federal Police (AFP), the Department of Home Affairs and the Department of Defence.

Defence and members of the NIC may voluntarily adopt elements of this policy where they are able to do so without compromising national security capabilities or interests.

Existing frameworks

The challenges raised by government use of AI are complex and inherently linked with other considerations, such as the APS Code of Conduct, data governance, cyber security, privacy and ethics practices.

This policy has been designed to complement and strengthen – not duplicate – existing frameworks, legislation and practices that touch on government’s use of AI. 

This policy must be read and applied alongside existing frameworks and laws to ensure agencies meet all their obligations. 

Definitions

For the purposes of this policy, agencies should apply the definition of AI provided by the Organisation for Economic Co-operation and Development (OECD) and the following definition of AI use case:

"An AI use case is a specific application of an AI system or systems to achieve certain objectives or perform certain tasks."

Definitions and how to apply them – including an optional approach to group AI use cases for some general-purpose AI solutions – is available in Appendix B. The appendix also defines an AI incident.

Timeframes

This policy provides implementation timeframes for agencies to meet some of its requirements. While agencies may need this time to action requirements, agencies should implement them sooner if practicable. Agencies could consider putting in place interim processes and building out their approach as they reach the specified implementation deadline.

In-scope AI use cases

This policy specifies actions that apply at the use case level. AI use cases in scope of this policy (referred to as in-scope AI use cases) are use cases that meet any criteria in Appendix C.

In addition to the criteria, the appendix lists areas of AI use to consider that are not automatically high risk, but are more likely to involve risks that require careful attention through an impact assessment. It also provides information on how to apply the policy for agencies experimenting with AI.

Next page

Strategy and oversight 

Connect with the digital community

Share, build or learn digital experience and skills with training and events, and collaborate with peers across government.

Join the Digital Profession