What is required to run AI in an Australian Government environment?
To run AI for or inside an Australian Government environment, the workload must operate in an IRAP-assessed system aligned to the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF), with data residency and sovereignty treated as hard gates and the Australian Privacy Principles applied to any personal information. These are not optional best practices - they are the controls baseline that an Authorising Officer relies on to authorise a system to operate.
The Australian regime for government AI is built from three instruments that work together rather than a single statute:
- The ISM - the technical controls catalogue published by the Australian Signals Directorate (ASD), updated regularly. The December 2025 ISM added 21 new AI security controls - placed within the Guidelines for software development and Guidelines for personnel security - covering models that are developed, trained, fine-tuned, integrated with, or consumed as external services.
- The PSPF - the Commonwealth's protective security policy, owned by the Department of Home Affairs. The PSPF 2025 annual release (published 24 July 2025) embeds zero trust, the Essential Eight, secure information lifecycle management, and use of IRAP-assessed cloud.
- IRAP - the Information Security Registered Assessors Program, the independent assessment pathway that evaluates a system against the ISM and PSPF. ASD released the IRAP Common Assessment Framework version 1.0 in April 2025 to standardise assessor methodology.
An AI feature does not change the obligation - it raises the stakes. Generative and agentic AI introduce new data egress paths, new third parties, and non-deterministic outputs, all of which the controls baseline now expects you to govern. The practical question for a government CISO or a vendor selling AI to government is therefore not "are we allowed to use AI?" but "can we evidence that every AI data flow stays inside an IRAP-assessed, sovereign boundary and conforms to the December 2025 ISM AI controls?"
What does the December 2025 ISM say about AI specifically?
The December 2025 ISM update added 21 new AI security controls - integrated primarily into the Guidelines for software development, with the AI usage policy control placed in the Guidelines for personnel security - alongside modernised password requirements aligned to NIST SP 800-63B-4 and the deprecation of fax. The AI controls apply to systems that develop, train, fine-tune, or integrate with AI models, and explicitly to systems that consume external AI services - which captures most enterprise generative-AI deployments. You can confirm the current text in the published ISM on cyber.gov.au.
The new and reinforced control themes that matter most for an AI control plane include:
- AI usage policy - a general-purpose artificial intelligence usage policy is developed, implemented and maintained.
- Content filtering and data exposure - content filtering is implemented by AI applications to detect and block sensitive data exposure and improper output.
- Fine-grained access control - access to AI applications and the sensitive data they reach is restricted through role-based, least-privilege controls.
- Model integrity and supply chain - the source and integrity of AI models is verified, and data validation techniques protect the reliability of training data.
- Rate limiting and resource limits - rate limiting is applied to inference queries and resource limits are enforced for AI models.
- Safe model storage - AI models are stored in a file format that does not allow arbitrary code execution.
Two implications follow. First, the relevant baseline is now the December 2025 ISM - an assessment performed against an earlier ISM will not evidence conformance with these AI controls, so vendors and agencies should confirm which ISM version an IRAP assessment was conducted against. Second, several of these controls (DLP-style content filtering, least-privilege access to AI, query rate limiting, immutable evidence of model provenance) are control-plane functions that sit in front of the model rather than inside it. That is precisely the layer the ISM now expects you to operate and evidence.
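The model integrity and safe model storage themes above can be enforced as an admission check before a model is loaded. The following is an added example, not part of the ISM or of any product: the approved-format list, function names and sample files are assumptions, and the format detection is a leading-bytes heuristic rather than a full parser.

```python
import hashlib
import json
import pickle
import struct

APPROVED_FORMATS = {"safetensors", "gguf"}  # assumption: the agency's allow-list

def classify_model_format(blob: bytes) -> str:
    """Heuristic classification from leading bytes; not a full parser."""
    if blob[:4] == b"GGUF":
        return "gguf"                      # tensor data plus key/value metadata
    if blob[:4] == b"PK\x03\x04":
        return "zip"                       # e.g. PyTorch checkpoints: zip around a pickle
    if len(blob) >= 2 and blob[0] == 0x80 and blob[1] in (2, 3, 4, 5):
        return "pickle"                    # unpickling can call arbitrary callables
    if len(blob) >= 8:
        (hdr_len,) = struct.unpack("<Q", blob[:8])
        if 0 < hdr_len <= len(blob) - 8:
            try:
                if isinstance(json.loads(blob[8:8 + hdr_len]), dict):
                    return "safetensors"   # length-prefixed JSON header, raw tensors
            except ValueError:             # covers JSON and Unicode decode errors
                pass
    return "unknown"

def admit_model(blob: bytes, pinned_sha256: str) -> dict:
    """Admit only if the digest matches the pinned value AND the format is approved."""
    digest = hashlib.sha256(blob).hexdigest()
    fmt = classify_model_format(blob)
    reasons = []
    if digest != pinned_sha256:
        reasons.append("sha256 does not match the pinned provenance record")
    if fmt not in APPROVED_FORMATS:
        reasons.append(f"format '{fmt}' is not on the approved list")
    return {"admit": not reasons, "format": fmt, "sha256": digest, "reasons": reasons}

# Constructed samples (built in memory; no real model files involved).
_hdr = json.dumps({"w": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]}}).encode()
SAMPLE_SAFETENSORS = struct.pack("<Q", len(_hdr)) + _hdr + b"\x00" * 4
SAMPLE_PICKLE = pickle.dumps({"weights": [0.0]})

if __name__ == "__main__":
    pin = hashlib.sha256(SAMPLE_SAFETENSORS).hexdigest()
    print(admit_model(SAMPLE_SAFETENSORS, pin))   # admitted
    print(admit_model(SAMPLE_PICKLE, pin))        # rejected on both checks
```

The returned dictionary records the digest and format alongside the decision, which is the kind of record a provenance check would retain as evidence.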
How does PSPF 2025 change the picture for government AI?
PSPF 2025, published on 24 July 2025, makes zero trust a core expectation, reinforces the Essential Eight as the technical baseline, and requires entities to maintain a cybersecurity strategy and uplift plan managed to the ISM. For AI, this means an agency cannot treat a model endpoint as a trusted black box - every request, identity and data flow into and out of an AI system must be continuously verified, logged and constrained.
The PSPF is mandatory for non-corporate Commonwealth entities and is applied as policy by many corporate Commonwealth entities and state agencies. Key PSPF 2025 hooks relevant to AI workloads:
- Zero trust uplift - PSPF Requirement 0098 directs entities to develop, implement and maintain a cybersecurity strategy and uplift plan aligned to the ISM and to the Guiding Principles to embed a Zero Trust Culture. AI access paths fall squarely inside that perimeter.
- Essential Eight - the Essential Eight Maturity Model (most recently revised in November 2023) remains the baseline for mitigation, including application control and restricting administrative privileges - directly relevant to who can connect AI tooling to government data.
- Secure information lifecycle - data must be classified, handled and disposed of according to its sensitivity across its whole lifecycle, including when it is sent to or generated by AI.
- IRAP-assessed cloud and certified hosting - PSPF and supporting policy expect sensitive and PROTECTED systems to use IRAP-assessed cloud and, for hosting, providers certified under the Digital Transformation Agency's framework.
Because PSPF 2025 elevates zero trust, the burden of proof shifts. An agency must be able to show not only that controls exist but that they are continuously enforced and independently evidenced - which is why immutable audit logging and a centralised policy point for AI traffic have become practical PSPF necessities rather than nice-to-haves.
What is IRAP, and is an IRAP assessment a certification?
IRAP is the Australian Signals Directorate's assessment pathway: ASD-endorsed assessors evaluate an ICT system against the ISM and PSPF and document the findings. An IRAP assessment is not a certification, accreditation or ASD endorsement of the product - it is an independent assessor's report on the extent to which a system meets the controls, which the consuming agency's own Authorising Officer then uses to make a risk-based authorisation decision.
This distinction is frequently misunderstood by buyers, so it is worth stating plainly. "IRAP assessed" means an independent assessor examined the system and produced a Security Assessment Report and a controls matrix; it does not mean ASD has approved or certified it for your use. Responsibility for authorising a system to operate remains with the consuming entity. The IRAP program page on cyber.gov.au sets out the program, and the assessor register lists endorsed assessors.
The IRAP Common Assessment Framework version 1.0, released in April 2025, standardises the methodology assessors apply - scoping, evidence expectations and the way controls are tested - so that assessments are more consistent and comparable across cloud services, gateways and on-premises systems. For an AI vendor, the framework means an assessment of your AI control plane will be tested against a documented, repeatable method rather than each assessor's individual interpretation. Two practical points for AI:
- Scope matters more than a label. An IRAP assessment covers a defined system boundary at a defined classification (PROTECTED is the most common level for commercial cloud and SaaS used by government). Confirm whether your AI data flows, model hosting and logging are inside that assessed boundary - not adjacent to it.
- Currency matters. Because the December 2025 ISM added AI controls, an assessment performed against an earlier ISM will not evidence those controls. Re-assessment or a delta assessment against the current ISM is the cleanest way to demonstrate AI-specific conformance.
Why is data residency and sovereignty a hard gate for government AI?
For Australian Government AI, data residency and sovereignty are non-negotiable gates: sensitive and PROTECTED data, and the systems that process it, are expected to be hosted onshore in IRAP-assessed environments and, for hosting, by providers certified under the Digital Transformation Agency's Hosting Certification Framework. A model that ships prompts or documents to an offshore inference endpoint can breach these gates regardless of how capable the model is.
The relevant mechanics:
- Hosting Certification Framework (DTA). The Hosting Certification Framework defines three tiers - Strategic (the highest assurance), Assured and Uncertified. Since 30 June 2022, all new or extended government hosting contracts for sensitive data, whole-of-government systems and PROTECTED-rated systems must use a Certified Service Provider, with Strategic offering the strongest ownership and control protections.
- Sovereignty, not just residency. Residency asks where the bytes sit; sovereignty asks who can compel access to them and under whose law. For AI, this includes where the model is hosted, where inference happens, where logs and embeddings live, and whether any foreign jurisdiction could compel disclosure.
- Australian Privacy Principles. Where AI processes personal information, the Australian Privacy Principles under the Privacy Act 1988 apply in parallel, including APP 8 on cross-border disclosure - a separate and additional constraint to the ISM and PSPF.
This is the single most common failure mode for AI in government: a tool is procured for productivity, staff paste classified or personal information into it, and the data leaves the sovereign boundary through an API the agency never assessed. Controlling that egress - discovering shadow AI, enforcing residency at the policy layer, and proving where every byte went - is the core operational challenge, and it is exactly where a privately deployable control plane earns its place.
What does a defensible operating model for government AI look like?
A defensible operating model keeps AI inside the sovereign, IRAP-assessed boundary and puts a control plane in front of every model so that data loss prevention, access control, guardrails and immutable logging are enforced centrally and evidenced for assessors. The model is the same whether the agency builds with open-weight models on-premises or consumes an IRAP-assessed cloud AI service - what changes is where the boundary sits, not whether you need to govern the boundary.
Discover and inventory
You cannot govern what you cannot see. Begin with shadow-AI discovery to inventory every AI tool, endpoint and integration in use, including unsanctioned consumer services, so the assessed boundary reflects reality. This directly supports PSPF visibility expectations and the ISM's emphasis on knowing your systems.
Mediate every AI request
Route AI traffic through a single policy and inspection point. At that point you can apply real-time DLP to block sensitive or classified content from leaving the boundary, enforce role-based access control and least privilege, and apply guardrails against prompt injection and unsafe output - mapping to the December 2025 ISM controls on content filtering, access control and rate limiting.
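A single decision function at the mediation point can combine the residency gate, role-based access, marking-based content filtering and per-identity rate limiting. This is an added example, not code from the page or from any product: the endpoint inventory, role names and limits are constructed, and matching protective markings by text is only the simplest form of DLP.

```python
import re
import time

# PSPF protective markings, lowest to highest (ordering used for comparison).
LEVELS = ["OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED", "SECRET", "TOP SECRET"]
MARKING = re.compile(r"\b(?:TOP SECRET|SECRET|PROTECTED|OFFICIAL: Sensitive|OFFICIAL)\b")

# Hypothetical inventory of assessed endpoints; names and values are constructed.
ENDPOINTS = {
    "onshore-llm": {"region": "au", "max_level": "PROTECTED", "roles": {"analyst", "caseworker"}},
    "offshore-llm": {"region": "us", "max_level": "OFFICIAL", "roles": {"analyst"}},
}

def highest_marking(text):
    """Return the highest protective marking found in the text, or None."""
    found = MARKING.findall(text)
    return max(found, key=LEVELS.index) if found else None

class Gateway:
    def __init__(self, endpoints, rate=2, per_seconds=60.0, clock=time.monotonic):
        self.endpoints, self.rate, self.per, self.clock = endpoints, rate, per_seconds, clock
        self.buckets = {}  # identity -> (tokens, time of last refill)

    def _take_token(self, identity):
        """Token bucket: `rate` inference queries per `per_seconds` per identity."""
        now = self.clock()
        tokens, last = self.buckets.get(identity, (float(self.rate), now))
        tokens = min(float(self.rate), tokens + (now - last) * self.rate / self.per)
        allowed = tokens >= 1.0
        self.buckets[identity] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def decide(self, identity, role, endpoint, prompt):
        """Return (decision, reason); every deny names the control that fired."""
        ep = self.endpoints.get(endpoint)
        if ep is None:
            return ("deny", "endpoint not in the assessed inventory")
        if ep["region"] != "au":
            return ("deny", "endpoint is outside the sovereign boundary")
        if role not in ep["roles"]:
            return ("deny", "role not authorised for this endpoint")
        level = highest_marking(prompt)
        if level and LEVELS.index(level) > LEVELS.index(ep["max_level"]):
            return ("deny", f"{level} content exceeds endpoint level {ep['max_level']}")
        if not self._take_token(identity):
            return ("deny", "rate limit exceeded")
        return ("allow", "ok")
```

Each decision tuple carries the reason for the outcome, so it can be written straight into the audit record for that request.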
Keep it sovereign and model-agnostic
Deploy the control plane where your data already lives - Docker, Kubernetes, on-premises or private cloud inside Australia - and keep it model-agnostic so you can switch between sovereign open-weight models and IRAP-assessed cloud models without re-architecting governance. Sovereignty is preserved because prompts, documents, logs and embeddings never leave the boundary you control.
Evidence everything
Maintain immutable audit logging of every AI interaction - prompt, decision, policy applied, identity, model and outcome - so that an IRAP assessor, an internal auditor or an OAIC inquiry can reconstruct exactly what happened. Under a zero-trust PSPF, this continuous, tamper-evident evidence is what turns a claim of control into a demonstrable one.
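One common way to make such a log tamper-evident is a hash chain whose latest hash is anchored outside the log store. This is an added example, not code from the page: the field names are assumptions, and storing the prompt as a digest rather than in clear is a design choice made here.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed value chained into the first entry

def entry_hash(prev_hash, seq, record):
    """SHA-256 over the previous hash, the sequence number and a canonical record."""
    body = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(log, identity, model, prompt, policy, decision, outcome):
    """Append one interaction; the prompt is stored as a digest (an assumption here)."""
    record = {"identity": identity, "model": model, "policy": policy,
              "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
              "decision": decision, "outcome": outcome}
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "record": record,
                "hash": entry_hash(prev, seq, record)})
    return log[-1]["hash"]  # head hash: anchor this outside the log store

def verify(log, anchored_head=None):
    """Return None if the chain is intact, otherwise a description of the first fault."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return f"entry {i}: chain broken (entry removed, inserted or reordered)"
        if e["hash"] != entry_hash(prev, i, e["record"]):
            return f"entry {i}: record altered after it was written"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return "tail truncated or log replaced since the head was anchored"
    return None
```

Without the anchored head, someone with write access to the store could drop the newest entries or recompute the whole chain undetected, so the head hash has to be held somewhere the log's administrators cannot rewrite.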
For vendors selling AI to government, this operating model is also a sales asset: it lets you scope a tight, assessable system boundary and present an assessor with a single, well-instrumented control point rather than a sprawl of ungoverned AI integrations.