AI Governance7 min read

The Australian Government Now Requires an AI Use-Case Register. If You Supply to Government, That Changes Your Contracts.

On June 15, 2026, Australia's DTA made AI use-case registers mandatory for 94 Commonwealth entities. A second wave of obligations, including mandatory AI Impact Assessments and incident reporting, arrives in December 2026. DTA procurement guidance now requires AI suppliers to disclose AI use in government service delivery and accept accountability for it. Here is what the requirements mean for agencies and the organisations that supply to them.

Mark MillerBy Mark Miller
DTA AI Policy: Mandatory Register and Supplier Obligations

On June 15, 2026, the first mandatory enforcement date under the Digital Transformation Agency's Policy for the Responsible Use of AI in Government arrived. Every one of Australia's 94 non-corporate Commonwealth entities is now legally required to maintain an internal register of in-scope AI use cases with an accountable owner assigned to each one.

All 94 published public AI transparency statements ahead of the date. This is not aspirational guidance. It is the first concrete enforcement milestone in a mandatory policy framework that runs through December 2026 and beyond.

For government agencies, the obligations are well-documented. What is less understood is what they mean for the considerably larger group of organisations that supply services to government, and who now find the contracting environment has shifted around them.

What the DTA Policy Actually Requires

The DTA's Policy for the Responsible Use of AI in Government Version 2.0 came into effect in December 2025. It established a three-part governance structure for Commonwealth entities: an AI register maintained internally and shared with the DTA every six months; AI Impact Assessments completed before any in-scope AI system is deployed; and accountable officials designated for both AI strategy and for each individual use case.

The June 15 date activated the first element. The register requirement is specific about what must be captured. Agencies must record each in-scope AI use case, assign an accountable owner with documented responsibilities and share the register with the DTA every six months from the date of creation.

In-scope AI use cases are those where an AI system materially affects government decision-making, service delivery or public interactions. That definition is deliberately broad. It captures not just purpose-built AI applications but AI-assisted features within procured software, AI functions embedded in productivity platforms and AI tools used in any workflow that affects government decisions or services.

The December 2026 phase adds the assessment and oversight layer: mandatory AI Impact Assessments before deploying any in-scope AI system, formal approval processes for each use case and AI incident reporting. For agencies that have been treating the June 15 date as the entire obligation, December 2026 is a significant additional requirement that needs planning now.

The Supplier Accountability Dimension

This is the element the broader market has not absorbed.

The DTA's procurement guidance, published alongside the updated policy, maps AI considerations across each phase of the digital sourcing lifecycle and addresses contract clauses specifically. Agencies are guided to require that suppliers disclose when and how AI is used in delivering contracted services. Accountability for that AI use is required to rest with the supplier.

The practical consequence: if your organisation delivers services to a Commonwealth entity and uses AI tools in that delivery, whether that is AI-assisted drafting, AI-supported analysis, AI-powered research or AI-enabled service management, you may now be required by contract to disclose that use and accept accountability for it.

For many suppliers, that accountability question has not been resolved internally. Technology vendors have deployed AI features into platforms without a clear position on who is responsible when those features produce incorrect, biased or harmful outputs in a government context. Professional services and consulting firms have adopted AI tools in their delivery workflows without establishing documented governance around how those tools are reviewed, supervised or verified.

The DTA guidance signals that government procurement will increasingly weight AI governance capability as a qualifying criterion, not just price and technical competence. Suppliers that can demonstrate a structured AI governance programme, a documented use-case register for their own AI deployments and clear accountability for AI outputs in service delivery are in a stronger position in government tenders than those that cannot.

What Good Compliance Looks Like

For government agencies, the June 15 requirements established the inventory. That means an active register, accountable owners named and the register shared with DTA. For agencies that have not done this, the work is overdue.

But the register is only the start of what effective compliance looks like. An accurate register requires a systematic process for identifying in-scope use cases, which in turn requires an intake mechanism that captures AI use across business units, not just the AI systems IT formally manages. Many agencies using AI-assisted features in Microsoft 365, Adobe, Salesforce or other platforms have use cases that are in scope but not yet in the register.

For the December 2026 phase, agencies need to design their AI Impact Assessment process now. The DTA has provided an assessment tool, but the process to complete it, the responsible party, the approval workflow and the documentation regime need to be established well before December. Building governance infrastructure under deadline pressure consistently produces gaps.

For AI incident reporting, the agencies that will find this easiest are those that already have a clearly defined notion of what an AI incident is, who is responsible for identifying and reporting it and where it goes when reported. Most do not have this yet.

Why This Matters for Non-Government Organisations

The DTA's mandatory framework is the first set of compulsory, enforceable AI governance requirements applied consistently across a large group of Australian organisations. What those 94 entities are now required to build is exactly what independent analysis across APRA, OAIC, ISO 42001 and the EU AI Act consistently identifies as foundational: a use-case register, accountability assignment, impact assessment before deployment and incident reporting after.

That convergence is worth taking seriously. Organisations that have been watching governance requirements develop and wondering which framework to align with are watching those frameworks converge on the same core elements. The DTA's framework is Australian government-sourced, mandatory and specific. It is a reasonable proxy for what other regulators and large enterprise procurement will require in the near term.

For any organisation that supplies to government, the DTA framework is also a practical template. Building AI governance to DTA standard is not only a requirement for government contracts. It is preparation for the broader regulatory and enterprise procurement environment that is taking shape around it.

Worth noting specifically: the DTA model clauses for AI procurement require suppliers to disclose AI use in service delivery and to bear accountability for it. Once those clauses become standard in government contracts, the organisations without governance infrastructure to support those disclosures will face a structural disadvantage in government procurement.

The Question of What "In-Scope" Actually Means

One of the practical challenges for both agencies and suppliers is determining which AI use cases are in scope. The DTA's definition of in-scope AI use cases covers activities where an AI system materially affects government decision-making, service delivery or interactions with the public.

The breadth of that definition surprises many organisations. AI features embedded in widely used software platforms that assist in drafting correspondence, classifying documents, prioritising work queues or generating summaries can all satisfy the definition if they materially affect how a government decision is reached or how a service is delivered.

For agencies, this means the register is almost certainly larger than what the IT team initially identifies. Business units need to be engaged. Informal or self-initiated AI use needs to be surfaced through the intake process. A culture of disclosure around AI use is a prerequisite for an accurate register.

For suppliers, this means that AI features embedded in the platforms they deliver, not just purpose-built AI applications, may need to be disclosed under the contract. Reviewing which features of your delivery platforms are AI-powered, and whether those features affect government decisions or services, is a necessary step before signing contracts that include DTA-aligned procurement clauses.

What This Means for Your Organisation

If you are a government agency: the June 15 register requirement is live. The December 2026 assessment and incident reporting requirements need planning now, not in November.

If you are a supplier to government: review your AI use in delivering contracted services. Identify where AI tools are involved in government-facing workflows. Build the disclosure and accountability position that the DTA procurement guidance requires, before your client's procurement team asks for it in a tender response or a contract renewal.

If you are neither, but are watching where enterprise AI governance requirements are heading: the DTA framework describes the floor. What the Australian government now requires of its own agencies and their suppliers is a reasonable indication of what other regulated sectors and large enterprise procurement will require as the regulatory calendar continues to fill.

Key Takeaways

  • June 15, 2026 was the first mandatory enforcement date under the DTA's AI policy: 94 Commonwealth entities must now maintain an AI use-case register with accountable owners, shared with DTA every six months
  • December 2026 adds mandatory AI Impact Assessments before deployment, formal approval processes and AI incident reporting for Commonwealth entities
  • DTA procurement guidance requires AI suppliers to disclose AI use in government service delivery and accept accountability for AI outputs under contract
  • The DTA framework's core elements, use-case register, accountable ownership, pre-deployment assessment and incident reporting, are converging with requirements across APRA, OAIC and ISO 42001
  • Government suppliers that can demonstrate structured AI governance capability are better positioned in tenders than those that cannot

How Trusenta Can Help

AI Governance delivers the use-case register, accountable owner assignment and risk classification infrastructure that Commonwealth entities need to meet the June 15 and December 2026 DTA obligations, and that government suppliers need to demonstrate AI governance capability in procurement processes.

Compliance Management tracks obligations across the DTA AI policy requirements, the Privacy Act's automated decision-making obligations and ISO 42001, giving organisations a single view of what AI governance compliance requires across all applicable frameworks rather than managing each obligation separately.

AI Governance Foundations establishes the governance structure, accountability model and use-case intake process for organisations that need to build AI governance infrastructure quickly to meet DTA requirements, government procurement expectations or the converging standards of the broader regulatory environment.

The Infrastructure That Is Now Required

The DTA's mandatory requirements represent something new in the Australian governance landscape: a clear, enforceable, government-sourced standard for what AI governance must include. It is not aspirational guidance. It is a register with names attached, submitted to a regulator on a regular schedule.

For government agencies, the obligation is live. For suppliers, it changes what clients require. For the broader enterprise market, it signals direction.

AI governance must be an organisational capability the organisation owns. The June 15 requirements, the December 2026 obligations and the supplier accountability provisions describe what "owning" that capability means in practice: an inventory, accountable owners, assessment before deployment and a record of incidents after.

That is the minimum. Building to it before it is required under regulatory pressure is the difference between governance as a capability and governance as a consequence.

Mark Miller

Written by

Mark Miller

Mark brings a rare blend of C-suite leadership and hands-on consulting experience to Trusenta. As former SVP of Services, SVP of Business Operations, Managing Director and CIO he brings a breadth of experience in his specialty in guiding organisations through AI strategy, governance and adoption; bridging ambition with practical execution. His focus is on helping clients embed AI responsibly, at scale and in service of real business outcomes.

Connect on LinkedIn

More from AI Governance

Australia Just Created an Office of AI Inside the Prime Minister's Department. Here Is What It Means for Your Governance Programme

Australia has created an Office of AI inside the Department of the Prime Minister and Cabinet to coordinate AI standards across government. Here is what the move signals for organisations already juggling DTA, APRA and ACCC obligations, and what to build now regardless of what standards the Office eventually publishes.

Read

ACCC Is Now Looking at AI-Powered Consumer Manipulation. With Penalties Doubled, Here Is What Your Customer-Facing AI Deployments Need.

ACCC's 2026-27 enforcement priorities explicitly target AI-enabled dark patterns and consumer manipulation. Penalties doubled to $100 million per contravention in March 2026. The Unfair Trading Practices Bill 2026 proposes further obligations with AI-enabled manipulation explicitly in scope. Here is what customer-facing AI deployments need, why most governance programmes have not mapped this risk and what a proportionate response looks like.

Read

AI Gets Answers Wrong. Courts, Regulators and Clients Are Starting to Notice. Here Is the Governance Response.

Stanford's 2026 AI Index found hallucination rates of 22% to 94% across top AI models. Courts are imposing sanctions on organisations whose AI produced wrong outputs. The AI Incident Database recorded 362 incidents in 2025, up 55% from 2024. Most enterprise AI governance frameworks approved systems at deployment and then stopped. Here is what the governance response to AI output accuracy risk actually requires.

Read

Ready to transform your AI strategy?

Partner with Australia's AI strategy and governance specialists. From adoption roadmaps to ISO 42001 audit readiness.