AustraliaIn Effect Enforced: 2026-06-15Last updated: Jun 8, 2026

DTA Policy for the Responsible Use of AI in Government: 2026 Mandatory Requirements

An operational guide to the DTA Policy for the responsible use of AI in government (Version 2.0, effective 15 December 2025). Covers the mandatory requirements for non-corporate Commonwealth entities - accountable officials, AI use case registers, AI impact assessments and public transparency statements - their 2026 phasing dates, the new AI procurement guidance, and how Australian agencies and their vendors operationalise the controls.

Non-compliance penalty: The Policy is a mandatory whole-of-government requirement for non-corporate Commonwealth entities issued under the Public Governance, Performance and Accountability Act 2013 and the Digital and ICT Investment Oversight Framework, not a statute carrying civil penalties. It does not impose fines. Non-compliance is managed as a governance and accountability matter: accountable officials are answerable to their agency head, and adherence is visible through whole-of-government reporting to the DTA, the published central register of AI transparency statements, and oversight by the Data and Digital Ministers. Underlying obligations (privacy, security, administrative law) carry their own separate enforcement.

How Areebi helps you comply

Internal AI use case register with accountable use case owners (by 15 December 2026)Strategy and oversight standard

Areebi: Shadow-AI discovery and inventory

Areebi automatically discovers and inventories AI usage across the environment, including unsanctioned tools, giving the accountable official authoritative, continuously updated data to populate and maintain the mandatory use case register rather than relying on self-reported surveys.

AI impact assessment before deployment, assessed against Australia's 8 AI Ethics PrinciplesAI use case impact assessment standard

Areebi: Real-time DLP and policy engine

Areebi's data loss prevention and policy engine reveal exactly what data each use case touches and enforce what may reach which model, supplying concrete, evidenced inputs for the data, privacy and risk sections of the DTA's 12-section impact assessment tool.

Public AI transparency statement and central register (by 15 June 2026)Standard for AI transparency statements

Areebi: Immutable audit logging and dashboard

Immutable, tamper-evident logs and reporting give agencies a defensible factual basis for the claims in their public transparency statement and an evidence trail to keep it accurate as AI use evolves.

Ongoing review of each use case at least every 12 monthsPreparedness and operations standard

Areebi: Audit logging, guardrails and monitoring

Continuous monitoring, guardrails and audit records let accountable use case owners report to their governing board on whether a use case is operating as intended and whether risks remain effectively managed, supporting the periodic review obligation.

AI procurement guidance and assurance expectations on vendors (Plan, Source, Manage)Guidance on AI procurement in government

Areebi: Sovereign deployment, access control and model-agnostic architecture

Private deployment (Docker, Kubernetes, on-premises, private cloud) keeps data in Australia, while access control and model-agnostic routing let agencies and their vendors evidence the data residency, security and assurance controls expected through the procurement lifecycle.

What is the DTA Policy for the responsible use of AI in government?

The Policy for the responsible use of AI in government is the Australian Government's mandatory whole-of-government policy, issued by the Digital Transformation Agency (DTA), that sets binding requirements for how non-corporate Commonwealth entities adopt and use artificial intelligence. Version 2.0 took effect on 15 December 2025 and, for the first time, introduced mandatory requirements: a designated accountable official for AI, an internal AI use case register, mandatory AI impact assessments before deployment, and public AI transparency statements published to a central register.

The Policy was first introduced on 1 September 2024 as a principles-based instrument. Version 2.0 retains that ethical foundation but converts the core controls from "should" to "must", phased through 2026. It is administered through the DTA's policy hub on digital.gov.au and was announced via the DTA media release "AI Policy overhauled with new Impact assessment tool and Procurement guidance".

Who must comply, and who else is affected

The Policy is mandatory for non-corporate Commonwealth entities (most government departments and agencies governed under the Public Governance, Performance and Accountability Act 2013). Corporate Commonwealth entities are strongly encouraged to apply it. In practice it reaches well beyond the public sector: agency CIOs, CISOs and the new accountable officials own delivery, while vendors selling AI products and services to government are pulled into scope because agencies now expect suppliers to evidence the same controls - transparency, impact assessment inputs, and the model and data assurances called for by the accompanying procurement guidance.

This page is an operational guide for both audiences. It maps each mandatory requirement to its 2026 deadline and explains how a secure AI control plane can supply the technical evidence - inventory, impact-assessment inputs, and audit-ready records - that the Policy now requires. For the broader landscape, see our overview of AI governance in Australia.

What are the mandatory requirements under Version 2.0?

Version 2.0 introduces four interlocking mandatory requirements for in-scope AI use cases, supported by a mandatory strategic position on AI adoption, mandatory foundational AI training and ongoing review. They are sequenced from governance (who is accountable) through inventory (what AI exists), assessment (what risk it carries) and transparency (what the public is told).

The four mandatory requirements

Designated accountable official(s) for AI. Each entity must identify one or more accountable officials responsible for implementing the Policy and notify the DTA. Per the Strategy and oversight standard, officials must be designated and provided to the DTA within 90 days of the effect date.
Internal AI use case register. Entities must create a register of in-scope AI use cases that lets the accountable official record an accountable use case owner for each. The register must be created within 12 months (by 15 December 2026) and shared with the DTA every 6 months from creation.
AI impact assessments before deployment. Before deploying an in-scope use case, entities must complete an AI impact assessment using the DTA's tool. The mandatory requirement applies to in-scope use cases by 15 December 2026.
Public AI transparency statements. Entities must publish a public statement describing their approach to adopting and using AI within 6 months (by 15 June 2026), now collected on a central register.

Supporting mandatory obligations

Strategic position on AI adoption developed and communicated to staff within 6 months of the effect date, setting out how the entity will identify and embrace AI opportunities.
Mandatory foundational AI training for all staff across the Australian Public Service within 12 months, building a consistent baseline of responsible-AI understanding.
Ongoing review of each in-scope use case at least every 12 months, reporting to the relevant governing board or senior executive on whether the use case operates as intended and whether risks are effectively managed.

For a plain-English primer on the underlying discipline, see what is AI governance and what is responsible AI.

When do the DTA AI policy requirements take effect in 2026?

Although Version 2.0 took effect on 15 December 2025, the mandatory requirements are phased through 2026 so agencies can stand up governance before the harder inventory and assessment obligations land. The first new mandatory requirement begins on 15 June 2026, and the remaining requirements come into effect in December 2026.

Key dates at a glance

15 December 2025 - Version 2.0 takes effect. The new AI impact assessment tool and AI procurement guidance are published alongside it.
~15 March 2026 (90 days) - Accountable official(s) designated and notified to the DTA. (The accountability obligation carried over from the September 2024 policy, so the DTA frames it as continuing rather than new.)
15 June 2026 (6 months) - Public AI transparency statement published and a strategic position on AI adoption developed. This 6-month mark is when the first new mandatory requirements bite, including the public-facing transparency limb of the Policy.
15 December 2026 (12 months) - Internal AI use case register created with accountable use case owners; mandatory AI impact assessments in force for in-scope use cases; mandatory foundational AI training for all staff.
Every 6 months thereafter - Register shared with the DTA.
At least every 12 months - Each use case reviewed and reported to the governing board or senior executive.

The DTA frames this in its update article "AI Policy Update: Strengthening responsible use across government", noting the first new mandatory requirement begins 15 June 2026 with all remaining requirements coming into effect in December 2026. Agencies should treat the December 2025 effective date - not the 2026 deadlines - as the start of the clock, because the 90-day, 6-month and 12-month windows all run from it.

How does the DTA AI impact assessment work?

The AI impact assessment is a structured pre-deployment evaluation that agencies must complete for each in-scope AI use case using the DTA's purpose-built tool. The tool is structured around 12 sections and assesses impacts and risks against Australia's 8 AI Ethics Principles, so it surfaces AI-specific impacts and risks that existing privacy, security or administrative-law assessments may not fully capture.

What it covers and how it relates to other assessments

The assessment is designed to complement, not replace, existing instruments such as privacy impact assessments, security risk assessments and the Protective Security Policy Framework controls. It walks the assessor through the use case context, the data and models involved, the affected people, fairness and contestability considerations, human oversight, and ongoing monitoring. The DTA publishes it as a standalone artificial intelligence impact assessment tool alongside the policy standard for the AI use case impact assessment.

Why the evidence layer matters

An impact assessment is only as good as the facts behind it. To answer questions about what data a use case touches, which models it calls, who can access it, and how outputs are controlled, agencies need an authoritative technical record - not a best-effort survey. This is where a control plane contributes: real-time inventory of AI usage, data-flow visibility from data loss prevention, and immutable audit logs turn the assessment from a static document into a living, defensible artefact. Learn more about the discipline in what is automated decision-making and what is AI risk management.

What goes in an AI transparency statement and the central register?

An AI transparency statement is a plain-language public document in which a Commonwealth entity explains how it is adopting and using AI - what AI it uses, for what purposes, how it manages risks, and how members of the public are affected. Under Version 2.0, in-scope entities must publish a statement within 6 months of the effect date (by 15 June 2026), and the DTA has consolidated these onto a central register on digital.gov.au to improve whole-of-government visibility.

What a statement typically addresses

The entity's overall approach to and governance of AI adoption.
The categories of AI use cases in operation, especially public-facing or materially impactful ones.
How the entity manages accuracy, fairness, privacy and security risks.
How people can seek review or raise concerns about AI-affected decisions (contestability).
Accountability - who is responsible, linking back to the accountable official.

The DTA's own published AI transparency statement is a useful reference model, and the agency describes the consolidation effort in "New central register of AI transparency statements for Commonwealth entities". Because the statement must be accurate and kept current - it must be reviewed and updated annually or sooner if the agency's approach changes significantly - it should be backed by the same inventory and register that feed impact assessments. For the concept itself, see what is AI transparency; this requirement also rhymes with the broader automated decision-making transparency reforms under the Privacy Act.

How do the AI procurement guidance and the National assurance framework fit in?

The Policy does not sit alone. It was released alongside new AI procurement guidance and operates as the Commonwealth's implementation of the broader National framework for the assurance of AI in government. Together they tell agencies what to require, and vendors what to provide, across the full lifecycle of buying and running AI.

AI procurement guidance (December 2025)

The DTA's Guidance on AI procurement in government gives buyers step-by-step advice aligned to the Digital Sourcing Lifecycle - Plan, Source and Manage - so agencies can procure AI products and services consistently with the Policy. It complements the existing AI contract clauses and means vendors should expect contractual and pre-tender scrutiny of how their AI handles data, where data resides, how it is secured, and what assurance evidence they can produce. See what is AI vendor risk and what is AI supply chain security.

National framework for the assurance of AI in government

Agreed by Australia's Data and Digital Ministers on 21 June 2024, the National framework sets a nationally consistent, principles-based set of assurance cornerstones - governance, data governance, standards, procurement, and a risk-based approach - mapped to Australia's 8 AI Ethics Principles. The DTA Policy is how the Commonwealth operationalises that framework for non-corporate entities.

Where this connects for regulated buyers and vendors

Agencies adopting AI also intersect related security and assurance expectations - the Essential Eight, the Information Security Manual and IRAP, sovereign AI considerations, and, for critical infrastructure, the Security of Critical Infrastructure (SOCI) Act. Vendors that already meet the privately deployable, audit-ready bar set by an AI control plane are well positioned to support government buyers under all of these at once - see our government solutions and our overview of AI governance in Australia.

How can a secure AI control plane help meet the DTA AI policy?

Areebi is a Secure AI Control Plane for Australian regulated organisations. While the DTA Policy is a mandatory obligation on the entity and its accountable official - not something any product can discharge on the entity's behalf - the right control plane supplies the technical evidence and enforcement the Policy assumes: knowing what AI is in use, controlling what data reaches it, and proving what happened. Areebi is deployable entirely within your own boundary (Docker, Kubernetes, on-premises or private cloud), so data stays in Australia, which matters for sovereign and security-cleared workloads.

Honest scope

Areebi is currently in stealth and pre-named-customer, with SOC 2 readiness in progress (not yet certified). The capabilities below are mapped honestly to what the Policy requires; the accountable governance, decisions and sign-off remain the agency's.

Shadow-AI discovery and inventory feeds the mandatory AI use case register with real usage data rather than self-reported guesses - see what is shadow AI.
Real-time DLP and a policy engine enforce what data may reach which model, providing concrete inputs and controls for the AI impact assessment - see what is AI DLP.
Immutable audit logging creates the defensible record that underpins transparency statements and periodic use-case reviews - see what is an AI audit.
Guardrails, access control and model-agnostic routing let agencies apply consistent controls across any model, supporting the assurance cornerstones and procurement expectations.

To see how this maps to your environment, explore the platform, run the readiness assessment, or book a demo. Vendors selling into government can use the same controls to evidence procurement readiness.

Compliance Checklist

Identify and notify your designated accountable official(s) for AI to the DTA within 90 days of the 15 December 2025 effect date (by approximately 15 March 2026).

Develop and communicate a strategic position on AI adoption to staff within 6 months (by 15 June 2026).

Publish a public AI transparency statement describing your approach to adopting and using AI within 6 months (by 15 June 2026) and list it on the central register on digital.gov.au.

Establish and maintain an internal AI use case register with an accountable use case owner for each in-scope use case, created within 12 months (by 15 December 2026), and share it with the DTA every 6 months from the date you create it.

Complete an AI impact assessment using the DTA's 12-section tool before deploying each in-scope use case, with the mandatory requirement in force by 15 December 2026.

Assess each AI impact assessment against Australia's 8 AI Ethics Principles and ensure it complements existing privacy, security and administrative-law assessments rather than duplicating them.

Ensure all staff complete mandatory foundational AI training within 12 months and embed a periodic review of each use case at least every 12 months, reporting to the governing board or senior executive.

Apply the AI procurement guidance across Plan, Source and Manage, and require vendors to evidence data residency, security and assurance controls aligned to the National assurance framework cornerstones.

Frequently Asked Questions

Is the DTA Policy for the responsible use of AI in government mandatory?

Yes. Version 2.0, effective 15 December 2025, is mandatory for non-corporate Commonwealth entities and introduces binding requirements: a designated accountable official, an AI use case register, AI impact assessments before deployment, and public transparency statements. Corporate Commonwealth entities are strongly encouraged to apply it.

When do the DTA AI policy mandatory requirements start?

The Policy took effect on 15 December 2025, but the requirements are phased. The first new mandatory requirement begins 15 June 2026 (6 months in), which includes publishing a public AI transparency statement and developing a strategic position on AI adoption. The remaining requirements, including the AI use case register and mandatory AI impact assessments, come into effect in December 2026 (by 15 December 2026).

Who is the accountable official under the DTA AI policy?

Each in-scope entity must designate one or more accountable officials responsible for implementing the Policy and overseeing the entity's responsible use of AI. The official(s) must be designated and notified to the DTA within 90 days of the 15 December 2025 effect date, and they are answerable to the agency head for compliance.

What is the DTA AI impact assessment tool?

It is a structured, 12-section pre-deployment assessment the DTA published alongside Version 2.0, with risks assessed against Australia's 8 AI Ethics Principles. Agencies must complete it for each in-scope AI use case. It complements existing privacy and security assessments by surfacing AI-specific risks, and becomes mandatory for in-scope use cases by 15 December 2026.

What must an AI transparency statement include?

A plain-language public account of how the entity adopts and uses AI: the categories of use cases (especially public-facing or materially impactful ones), how risks to accuracy, fairness, privacy and security are managed, how people can contest AI-affected decisions, and who is accountable. Statements are collected on a central register on digital.gov.au and must be reviewed and updated at least annually.

Does the DTA AI policy apply to vendors selling AI to government?

Not directly - it binds the agency - but it reaches vendors in practice. The accompanying AI procurement guidance (Plan, Source, Manage) means government buyers will require suppliers to evidence data residency, security, and assurance controls, and to provide inputs for impact assessments and transparency statements. Vendors that already meet these controls are far easier to procure.

How does the Policy relate to the National framework for the assurance of AI in government?

The National framework, agreed by Data and Digital Ministers on 21 June 2024, sets nationally consistent assurance cornerstones - governance, data governance, standards, procurement and a risk-based approach - mapped to Australia's 8 AI Ethics Principles. The DTA Policy is how the Commonwealth operationalises that framework for non-corporate entities.

What happens if an agency does not comply with the DTA AI policy?

The Policy carries no statutory fines; it is a mandatory governance requirement. Non-compliance is managed through accountability rather than penalties: officials answer to their agency head, and adherence is visible through whole-of-government reporting to the DTA, the public central register, and Data and Digital Ministers oversight. Underlying privacy, security and administrative-law obligations carry their own separate enforcement.

Related Resources

Ready to achieve DTA Policy for the Responsible Use of AI in Government: 2026 Mandatory Requirements compliance?

See how Areebi maps to DTA Policy for the Responsible Use of AI in Government: 2026 Mandatory Requirements requirements with a personalized demo.

Get a Demo Free AI Risk Assessment

Taking longer than expected.

Reload the page