
On June 15, 2026, the first mandatory enforcement date under the Digital Transformation Agency's Policy for the Responsible Use of AI in Government arrived. Every one of Australia's 94 non-corporate Commonwealth entities is now legally required to maintain an internal register of in-scope AI use cases with an accountable owner assigned to each one.
All 94 published public AI transparency statements ahead of the date. This is not aspirational guidance. It is the first concrete enforcement milestone in a mandatory policy framework that runs through December 2026 and beyond.
For government agencies, the obligations are well-documented. What is less understood is what they mean for the considerably larger group of organisations that supply services to government, and who now find the contracting environment has shifted around them.
What the DTA Policy Actually Requires
The DTA's Policy for the Responsible Use of AI in Government Version 2.0 came into effect in December 2025. It established a three-part governance structure for Commonwealth entities: an AI register maintained internally and shared with the DTA every six months; AI Impact Assessments completed before any in-scope AI system is deployed; and accountable officials designated for both AI strategy and for each individual use case.
The June 15 date activated the first element. The register requirement is specific about what must be captured. Agencies must record each in-scope AI use case, assign an accountable owner with documented responsibilities and share the register with the DTA every six months from the date of creation.
In-scope AI use cases are those where an AI system materially affects government decision-making, service delivery or public interactions. That definition is deliberately broad. It captures not just purpose-built AI applications but AI-assisted features within procured software, AI functions embedded in productivity platforms and AI tools used in any workflow that affects government decisions or services.
The December 2026 phase adds the assessment and oversight layer: mandatory AI Impact Assessments before deploying any in-scope AI system, formal approval processes for each use case and AI incident reporting. For agencies that have been treating the June 15 date as the entire obligation, December 2026 is a significant additional requirement that needs planning now.
The Supplier Accountability Dimension
This is the element the broader market has not absorbed.
The DTA's procurement guidance, published alongside the updated policy, maps AI considerations across each phase of the digital sourcing lifecycle and addresses contract clauses specifically. Agencies are guided to require that suppliers disclose when and how AI is used in delivering contracted services. Accountability for that AI use is required to rest with the supplier.
The practical consequence: if your organisation delivers services to a Commonwealth entity and uses AI tools in that delivery, whether that is AI-assisted drafting, AI-supported analysis, AI-powered research or AI-enabled service management, you may now be required by contract to disclose that use and accept accountability for it.
For many suppliers, that accountability question has not been resolved internally. Technology vendors have deployed AI features into platforms without a clear position on who is responsible when those features produce incorrect, biased or harmful outputs in a government context. Professional services and consulting firms have adopted AI tools in their delivery workflows without establishing documented governance around how those tools are reviewed, supervised or verified.
The DTA guidance signals that government procurement will increasingly weight AI governance capability as a qualifying criterion, not just price and technical competence. Suppliers that can demonstrate a structured AI governance programme, a documented use-case register for their own AI deployments and clear accountability for AI outputs in service delivery are in a stronger position in government tenders than those that cannot.
What Good Compliance Looks Like
For government agencies, the June 15 requirements established the inventory. That means an active register, accountable owners named and the register shared with DTA. For agencies that have not done this, the work is overdue.
But the register is only the start of what effective compliance looks like. An accurate register requires a systematic process for identifying in-scope use cases, which in turn requires an intake mechanism that captures AI use across business units, not just the AI systems IT formally manages. Many agencies using AI-assisted features in Microsoft 365, Adobe, Salesforce or other platforms have use cases that are in scope but not yet in the register.
For the December 2026 phase, agencies need to design their AI Impact Assessment process now. The DTA has provided an assessment tool, but the process to complete it, the responsible party, the approval workflow and the documentation regime need to be established well before December. Building governance infrastructure under deadline pressure consistently produces gaps.
For AI incident reporting, the agencies that will find this easiest are those that already have a clearly defined notion of what an AI incident is, who is responsible for identifying and reporting it and where it goes when reported. Most do not have this yet.
Why This Matters for Non-Government Organisations
The DTA's mandatory framework is the first set of compulsory, enforceable AI governance requirements applied consistently across a large group of Australian organisations. What those 94 entities are now required to build is exactly what independent analysis across APRA, OAIC, ISO 42001 and the EU AI Act consistently identifies as foundational: a use-case register, accountability assignment, impact assessment before deployment and incident reporting after.
That convergence is worth taking seriously. Organisations that have been watching governance requirements develop and wondering which framework to align with are watching those frameworks converge on the same core elements. The DTA's framework is Australian government-sourced, mandatory and specific. It is a reasonable proxy for what other regulators and large enterprise procurement will require in the near term.
For any organisation that supplies to government, the DTA framework is also a practical template. Building AI governance to DTA standard is not only a requirement for government contracts. It is preparation for the broader regulatory and enterprise procurement environment that is taking shape around it.
Worth noting specifically: the DTA model clauses for AI procurement require suppliers to disclose AI use in service delivery and to bear accountability for it. Once those clauses become standard in government contracts, the organisations without governance infrastructure to support those disclosures will face a structural disadvantage in government procurement.
The Question of What "In-Scope" Actually Means
One of the practical challenges for both agencies and suppliers is determining which AI use cases are in scope. The DTA's definition of in-scope AI use cases covers activities where an AI system materially affects government decision-making, service delivery or interactions with the public.
The breadth of that definition surprises many organisations. AI features embedded in widely used software platforms that assist in drafting correspondence, classifying documents, prioritising work queues or generating summaries can all satisfy the definition if they materially affect how a government decision is reached or how a service is delivered.
For agencies, this means the register is almost certainly larger than what the IT team initially identifies. Business units need to be engaged. Informal or self-initiated AI use needs to be surfaced through the intake process. A culture of disclosure around AI use is a prerequisite for an accurate register.
For suppliers, this means that AI features embedded in the platforms they deliver, not just purpose-built AI applications, may need to be disclosed under the contract. Reviewing which features of your delivery platforms are AI-powered, and whether those features affect government decisions or services, is a necessary step before signing contracts that include DTA-aligned procurement clauses.
What This Means for Your Organisation
If you are a government agency: the June 15 register requirement is live. The December 2026 assessment and incident reporting requirements need planning now, not in November.
If you are a supplier to government: review your AI use in delivering contracted services. Identify where AI tools are involved in government-facing workflows. Build the disclosure and accountability position that the DTA procurement guidance requires, before your client's procurement team asks for it in a tender response or a contract renewal.
If you are neither, but are watching where enterprise AI governance requirements are heading: the DTA framework describes the floor. What the Australian government now requires of its own agencies and their suppliers is a reasonable indication of what other regulated sectors and large enterprise procurement will require as the regulatory calendar continues to fill.
Key Takeaways
- June 15, 2026 was the first mandatory enforcement date under the DTA's AI policy: 94 Commonwealth entities must now maintain an AI use-case register with accountable owners, shared with DTA every six months
- December 2026 adds mandatory AI Impact Assessments before deployment, formal approval processes and AI incident reporting for Commonwealth entities
- DTA procurement guidance requires AI suppliers to disclose AI use in government service delivery and accept accountability for AI outputs under contract
- The DTA framework's core elements, use-case register, accountable ownership, pre-deployment assessment and incident reporting, are converging with requirements across APRA, OAIC and ISO 42001
- Government suppliers that can demonstrate structured AI governance capability are better positioned in tenders than those that cannot
How Trusenta Can Help
AI Governance delivers the use-case register, accountable owner assignment and risk classification infrastructure that Commonwealth entities need to meet the June 15 and December 2026 DTA obligations, and that government suppliers need to demonstrate AI governance capability in procurement processes.
Compliance Management tracks obligations across the DTA AI policy requirements, the Privacy Act's automated decision-making obligations and ISO 42001, giving organisations a single view of what AI governance compliance requires across all applicable frameworks rather than managing each obligation separately.
AI Governance Foundations establishes the governance structure, accountability model and use-case intake process for organisations that need to build AI governance infrastructure quickly to meet DTA requirements, government procurement expectations or the converging standards of the broader regulatory environment.
The Infrastructure That Is Now Required
The DTA's mandatory requirements represent something new in the Australian governance landscape: a clear, enforceable, government-sourced standard for what AI governance must include. It is not aspirational guidance. It is a register with names attached, submitted to a regulator on a regular schedule.
For government agencies, the obligation is live. For suppliers, it changes what clients require. For the broader enterprise market, it signals direction.
AI governance must be an organisational capability the organisation owns. The June 15 requirements, the December 2026 obligations and the supplier accountability provisions describe what "owning" that capability means in practice: an inventory, accountable owners, assessment before deployment and a record of incidents after.
That is the minimum. Building to it before it is required under regulatory pressure is the difference between governance as a capability and governance as a consequence.
