Download
Introduction
Assurance research series: 01
Assurance research series: 01
Appendix
Research references
Digital Transformation Agency (DTA)
- Assurance Framework for Digital and ICT-enabled Investments
- 2023 Digital and ICT Oversight Framework 2024
Department of Finance
- Guidance on the Assurance Reviews Process (RMG 106) 2023
- Gateway Reviews Process 2023
Academic and Industry Papers
- APM (2016). Measures for Assuring Projects. Association for Project Management.
- Jewer, J., & Van Der Meulen, N. (2022). Governance of Digital Transformation: A Review of the Literature. Paper presented at the Hawaii International Conference on System Sciences.
- López Muñoz, J., & Escribá Esteve, A. (2022). Executives’ role in digital transformation. International Journal of Information Systems and Project Management, 10(3), 84-103.
- Vial, G., Cameron, A., Giannelia, T., & Jiang, J. (2023). Managing artificial intelligence projects: Key insights from an AI consulting firm. Information Systems Journal, 33(3), 669-691.
- Rees, D. (2023). Review of the Modernising Business Registers Program. Retrieved from Canberra, Australia.
- Iriarte, C., & Bayona, S. (2020). IT projects success factors: a literature review. International Journal of Information Systems and Project Management, 8(2), 49-78.
- Ayat, M., Imran, M, Ullah, A., Kang, C. (2020). Current trend analysis and prioritization of success factors: a systematic literature review of ICT Projects. International Journal of Managing Projects in Business. DOI 10.1108/IJMPB-02-2020-0075.
- NAO, (2021). The challenges in implementing digital change. National Audit Office. www.nao.org.uk
- Filatotchev, I., Lanzolla, G., & Syrigos, E. (2022). The corporate governance of digital transformation: The CEO’s digital orientation and board impact. Paper presented at the Academy of Management Proceedings.
- Kane, G., Phillips, A., Copulsky, J., & Andrus, G. (2019a). How Digital Leadership Is (n’t) Different. MIT Sloan Management Review, 60(3), 34-39.
- Kane, G., Phillips, A., Copulsky, J., & Andrus, G. (2019b). The technology fallacy: people are the real key to digital transformation (Vol. 62): Tantor Media.
- Warner, K., & Wäger, M. (2019). Building dynamic capabilities for digital transformation: An ongoing process of strategic renewal. Long Range Planning, 52(3), 326-349.
- Garland, R., & Morey, A. (2022). Project, Programme and Portfolio Governance: The Stationery Office.
- Stouten, J., Rousseau, D., & De Cremer, D. (2018). Successful organizational change: Integrating the management practice and scholarly literatures. Academy of Management Annals, 12(2), 752-788.
- Cook, D. & Maylor, H. (2023). Delivering the Major Programme Dividend. Deloitte.
- Vial, G., Cameron, A., Giannelia, T., & Jiang, J. (2023). Managing artificial intelligence projects: Key insights from an AI consulting firm. Information Systems Journal, 33(3), 669-691.
- Volberda, H. W., Khanagha, S., Baden-Fuller, C., Mihalache, O. R., & Birkinshaw, J. (2021). Strategizing in a digital world: Overcoming cognitive barriers, reconfiguring routines and introducing new organizational forms. Long Range Planning, 54(5), 102110.
- Davenport, T., Westerman, G. (2018). Why So Many High-Profile Digital Transformations Fail. Harvard Business Review, 2018.
- NAO, (2024). Digital transformation in government: A guide for senior leaders and audit and risk committees. National Audit Office.
- IPA, Project Assurance Reviews Delivery Confidence Guide for Review Teams. Infrastructure and Projects Authority. Link
- New Zealand Government, (2019). All-of-government Payroll Programme: Assessing delivery confidence for payroll projects.
- DTA, (2024). Benefits Management guides and tools. Digital Transformation Agency.
- DTA, (2023). Benefits Management Policy For Digital & ICT-Enabled Investments. Digital Transformation Agency.
- Australian Government et al. (2024) National framework for the assurance of artificial intelligence in government, Australian Government, accessed 30 June 2024.
Your responsibilities
To successfully meet this criterion, agencies will need to:
- adopt transparent data handling
- implement security measures
- maintain a reliable service
- be accountable for the service.
When to apply
Apply Criterion 5 throughout Beta to protect users’ digital rights and ensure robust security measures are in place.
As cyber threats become more prevalent and sophisticated, adhere to this criterion across the Service design and delivery process.
Questions for consideration
- How are users informed about the collection, use and storage of data?
- How will informed consent be obtained from users?
- Which encryption and authentication mechanisms will provide the most robust security?
- How does the service comply with data protection legislation and policies?
- What processes are in place to prevent misinformation?
- How is the service built to be resilient against cyber threats?
- What assurances are in place to promote ethical use of data?
How to apply criterion 5
Assurance research series: 01
Introduction
Using public generative AI tools safely and responsibly in the Australian Government
Using public generative AI tools safely and responsibly
Use this guidance to understand how to safely and responsibly engage with public generative artificial intelligence (AI) tools
This guidance is intended for all Australian Government personnel working with government information – including employees, contractors and consultants.
Your agency may have enterprise generative AI tools that are not public and may offer enhanced security, privacy, or tailored functionality. You should refer to your agency’s guidance on how to use these tools.
What generative AI is
Generative AI refers to AI tools that generate content – such as text, images, software code, audio or video – based on patterns learned from large volumes of data.
ChatGPT, Gemini and Claude are some of the well-known public generative AI tools you can access using a browser or app. These tools allow you to enter a question or instruction and get AI-generated answers. Your input is called a prompt, and the AI’s reply is the output.
Increasingly, generative AI is being built into everyday services or software. It now appears across commonly used digital tools, including search engines, communication platforms, and productivity applications.
Because it’s often embedded in tools you already use, it’s not always obvious when generative AI is active. If a tool helps you write, summarise, design, or generate ideas based on your input, it’s likely using AI.
Differentiating public generative AI from enterprise tools
Public generative AI tools are different from non-public or enterprise tools that have been configured to meet agency data control and information security requirements. When you use public tools, your inputs and outputs may be shared with the tool provider.
Make sure you know whether you are using a public or non-public generative AI tool as they may have a similar look and feel. For example, Microsoft 365 Copilot is an enterprise AI solution used by some agencies while Microsoft Copilot is a web-based public tool aimed at individual users.
If you’re not sure, refer to your agency’s policies or ICT support for advice.
How generative AI can help you at work
Generative AI tools can help you work more efficiently and explore new ideas. They’re useful for checking your thinking, making content easier to understand, and supporting everyday tasks.
The Australian Government is focused on unlocking the benefits of AI to improve how we work and help deliver better services. Allowing staff to use public generative AI tools for OFFICIAL level government information is a practical step towards this goal.
Using OFFICIAL level information in public generative AI
You should follow your agency’s policies and guidance on using public generative AI tools in the first instance.
Subject to your agency’s policies, you can use these tools with OFFICIAL level government information (see Protective Security Policy Framework (PSPF) Policy Advisory 001-2025).
You must not put information that is security classified OFFICIAL: Sensitive or above into public generative AI tools. Information security classifications are defined in the PSPF.
Managing access to public generative AI tools
This guidance provides advice for Australian Government agencies on managing access to public generative AI tools for personnel working with government information – including employees, contractors and consultants.
Public generative AI tools include well-known services like ChatGPT, Gemini and Claude, which users can access via web browsers, apps or embedded in other services. This guidance should be read alongside the Policy for the responsible use of AI in government and Protective Security Policy Framework Policy Advisory 001-2025 on OFFICIAL Information Use with Generative Artificial Intelligence. Agencies should adapt this advice to their specific risk profiles and operational requirements.
Strategic context
The Australian Government is focused on capturing the opportunity of AI, broadening our safe and responsible use of this technology while building public trust and confidence.
Generative AI capabilities are increasingly embedded across digital infrastructure including search engines, productivity applications and software platforms, often without explicit user notification. This ubiquitous integration creates both opportunities and governance challenges for government agencies.
Current operational realities include:
- AI literacy is becoming a fundamental expectation for all staff, requiring hands-on experience to develop essential capabilities.
- Restrictive policies drive significant shadow usage outside organisational oversight.
- Traditional technical controls may not address risks related to AI capabilities.
- Enterprise AI solutions can offer enhanced security controls suitable for handling classified government information.
Agencies must address security requirements and workforce capability development to unlock operational effectiveness in an AI-enhanced environment.
Registration terms and conditions
For more information on the program cost and terms please refer to Registration Terms and Conditions.
The Digital Transformation Agency (DTA)
The DTA is the Australian Government’s advisor for its digital transformation agenda. The DTA's mandate is to provide strategic advice, coordination and assurance across the Australian Government's portfolio of digital projects.
For further information and the latest versions of the DTA’s guidance documents and templates please see the Assurance Framework for Digital and ICT Investments or contact the DTA at:
- Proposed investments: investment@dta.gov.au
- In-flight investments: portfolio.assurance@dta.gov.au
- Benefits management: benefits.management@dta.gov.au.
John Grill Institute for Project Leadership, The University of Sydney
The John Grill Institute for Project Leadership conducts breakthrough research into project leadership, delivers world-leading executive education and works with industry, government and communities to shape future projects and their outcomes.
OffPrinciples for using public generative AI tools responsibly
It’s up to all of us to use generative AI safely, ethically and responsibly. That means understanding its benefits and limitations and applying good judgement.
Apply the 3 principles and practices below to responsibly use public generative AI in your work.
Protect privacy and safeguard government information
- Don’t put security classified (OFFICIAL: Sensitive or above) or personal information into public generative AI tools.
- Assume anything you enter into a public generative AI tool could be made public.
- Don’t put third-party copyright-protected information into public generative AI tools.
Use judgement and critically assess generative AI outputs
- Check for fairness, accuracy and bias in generative AI outputs. Generative AI tools may reflect bias that can lead to unfair or misleading outputs.
- Be aware that generative AI can produce convincing but inaccurate content.
- Undertake training to understand generative AI and how to critically assess its outputs.
Be able to explain, justify and take ownership of your advice and decisions
- Remain responsible and accountable for content you create, share or use.
- Generative AI must not make final decisions on government advice, services or outputs.
- Ensure your use of generative AI supports public trust and upholds the standards and frameworks expected of government employees.