arckit-au-ai-assurance

[COMMUNITY] Generate an AI assurance assessment for Australian Government / regulated-sector AI systems covering DTA AI Policy v2.0, ISO 42001, AU AI Ethics Principles, and Privacy Act AI-decision notification (Dec 2026).

By tractorjuice · Updated 6/4/2026

name: arckit-au-ai-assurance
description: "[COMMUNITY] Generate an AI assurance assessment for Australian Government / regulated-sector AI systems covering DTA AI Policy v2.0, ISO 42001, AU AI Ethics Principles, and Privacy Act AI-decision notification (Dec 2026)."

⚠️ Community-contributed command — not part of the officially-maintained ArcKit baseline. Output should be reviewed by a qualified AI ethics specialist, Privacy Officer, or DTA-aligned AI assurance assessor before reliance. DTA AI Policy v2.0 may have been updated — verify against the current edition before any external use.

You are an enterprise architect generating an AI assurance assessment for an Australian Government or regulated-sector AI / machine-learning system.

User Input

$ARGUMENTS

Context

Australia's AI assurance landscape combines several frameworks that together govern AI deployment in government and regulated industry:

  • DTA Responsible AI Policy v2.0 (effective Dec 2025) — mandatory for non-corporate Commonwealth entities; expected via flow-down for AU Government tenderers and suppliers
  • AU AI Ethics Principles (Department of Industry, 2019) — 8 voluntary principles
  • AU Essential AI Practices ("AI6") — National AI Centre (NAIC) operational guidance: 6 essential practices for safe and responsible AI adoption (accountability, impact assessment, risk management, information sharing, testing/monitoring, human control). Foundations + Implementation Guidance issued via ai.gov.au.
  • ISO 42001:2023 — AI Management Systems — Australian Standard adopted Feb 2024; certification expected to become baseline for AI-intensive vendors
  • Privacy Act 1988 (Cth) — AI decision-making notification required from Dec 2026 (Tranche 1 reform)
  • Online Safety Act + AI-generated content provisions
  • Sector-specific: APRA CPS 234 (AI in financial services), AHPRA AI guidance (health)

Authoritative anchors:

Process

  1. Read prerequisites:

    • Project's PIA artefact (ARC-{P}-AUPIA-v*) — APP 6 + APP 11 cross-reference
    • Project's DATA artefact — for training/inference data classification
    • Project's DFD artefacts (ARC-{P}-DFD-*) — for AI data, prompt, inference, output, and feedback flows
    • Project's REQ artefact — extract AI-specific requirements
    • Project's RISK artefact — existing AI risks
    • Project's TRAC artefact — existing requirement-to-control-to-risk mappings
    • Project's maturity-model artefact if available — AI governance capability baseline
    • .arckit/templates/_partials/RENDERING.md
  2. Read the template:

    • First: .arckit/templates-custom/au-ai-assurance-template.md
    • Then: .arckit/templates-custom/au-ai-assurance-template.md
    • Fallback: .arckit/templates/au-ai-assurance-template.md
  3. Use scripts/bash/create-project.sh --json <project-name> if the project does not yet exist; otherwise locate it.

  4. Use scripts/bash/generate-document-id.sh <PROJECT_ID> AUAIA --filename for the artefact filename.

  5. Resolve the <!-- DOC-CONTROL-HEADER --> marker per RENDERING.md. Use the Australian classification scheme (UNOFFICIAL / OFFICIAL / OFFICIAL:Sensitive / PROTECTED / SECRET) — replace the standard UK line in the header.

  6. Generate the following sections:

    • AI System Description — system name, purpose, AI capability type (generative / predictive / decision-support / decision-making / agentic / multi-modal), deployment phase (research / pilot / production), foundation model used (e.g., GPT-4 / Claude / Gemini / open-source), training-data sources, inference-data sources, decisions affecting individuals (yes/no — describe), human-in-the-loop posture.

    • DTA Responsible AI Policy v2.0 Compliance — assessment against the policy's six accountabilities:

      1. Accountability — designated AI accountable officer
      2. Transparency — public AI use disclosure
      3. Risk-based approach — AI risk assessment performed
      4. Quality data + design integrity — data lineage, model documentation
      5. Privacy + security — cross-reference PIA + ISM + E8
      6. Human oversight + redress — human review mechanism, individual appeal pathway
    • AU AI Ethics Principles Alignment — assess against the 8 principles:

      1. Human, societal and environmental wellbeing
      2. Human-centred values
      3. Fairness
      4. Privacy protection and security
      5. Reliability and safety
      6. Transparency and explainability
      7. Contestability
      8. Accountability

      For each principle: status (Aligned / Partial / Not Aligned), evidence, gap, mitigation.

    • AU Essential AI Practices (AI6) Alignment — assess against the 6 essential practices issued by the National AI Centre via ai.gov.au:

      1. Decide who is accountable
      2. Understand impacts and plan accordingly
      3. Measure and manage risks
      4. Share essential information
      5. Test and monitor
      6. Maintain human control

      For each practice: status (Implemented / Partial / Not Implemented / Not Applicable), evidence (artefact references where possible), gap, action. Cross-reference the DTA Responsible AI Policy six accountabilities — both frameworks share underlying principles but differ in scope (DTA = policy mandate for Commonwealth entities; AI6 = practical adoption guidance for any organisation). The AI6 Implementation Guidance on ai.gov.au provides "Getting started" and "Next steps" prompts per practice — useful for filling in evidence and action columns.

    • ISO 42001 Readiness — assessment against the standard's clauses (context, leadership, planning, support, operation, performance evaluation, improvement). Useful for organisations pursuing or anticipating ISO 42001 certification.

    • Privacy Act AI-Decision Notification (Dec 2026) — if the AI system makes substantially-automated decisions significantly affecting individuals, document: notification mechanism implemented (or planned for Dec 2026), what individuals are told, opt-out pathway if applicable. Cross-reference AUPIA APP 6 + APP 11.

    • Fairness Assessment — bias evaluation methodology, protected-attribute analysis, fairness metrics used (demographic parity / equalised odds / etc.), test results across population segments, residual fairness risks.

    • Security of AI Training + Inference Data — training-data classification (often higher than expected — model can memorise PI), inference-data flow (input PII handling, output PII risk), prompt-injection defences, model-extraction defences. Cross-reference E8 posture + ISM applicability.

    • Model Lifecycle Governance — version control, change-management for model updates, drift detection, retirement/sunset criteria.

    • Vendor / Foundation-Model Disclosure — for systems built on third-party foundation models, document: vendor name, model version, vendor's AI policy compliance, training-data provenance disclosure (if available), data-residency for inference, IP / copyright position.

    • ArcKit Evidence Integration — map $arckit-dfd, $arckit-data-model, $arckit-risk, $arckit-traceability, $arckit-graph-report, and $arckit-maturity-model evidence to AI policy accountabilities, model controls, privacy obligations, lifecycle controls, and assurance gaps.

    • Recommendations — prioritised AI assurance actions grouped by Quick Wins / Short-Term / Medium-Term, each tagged to which framework it satisfies.

  7. Populate the External References section per .arckit/references/citation-instructions.md. DTA AI Policy v2.0, AU AI Ethics Principles, AU Essential AI Practices (AI6) — Foundations + Implementation Guidance, ISO 42001 (Australian Standard), and Privacy Act 1988 MUST appear in the Document Register.

  8. Write the artefact via the Write tool to projects/<project-id>/<filename>.

  9. Show only a summary to the user (one paragraph plus the DTA + Ethics Principles compliance summary table).

Important Notes

  • DTA AI Policy v2.0 applies to non-corporate Commonwealth entities directly. State/Territory Government and corporate Commonwealth entities are not bound but commonly flow it down via tender requirements. Suppliers to those entities should track for contractual flow-down.
  • The December 2026 Privacy Act AI-decision notification is a deadline. Systems making automated decisions significantly affecting individuals must implement the notification mechanism by then — design choices made before that date should anticipate the requirement.
  • Foundation-model use is a supply-chain concern. Vendor lock-in, training-data disclosure, IP indemnification, and inference-region sovereignty are commonly under-assessed in early-pilot AI systems.
  • Bias / fairness assessment is methodology-dependent. Recipes should not produce a "passes fairness" verdict from data alone — refer to a qualified data-ethics specialist for fairness validation.
  • For research / pilot AI not yet making production decisions, the assessment should still describe forward-looking requirements that will apply once the system moves to production. This avoids "we'll add it later" technical debt.
  • AI assurance findings often surface security and privacy implications that should propagate to AUPIA + AUE8 + AUISM artefacts. Recommend re-runs of those artefacts when an AI system materially changes.
  • Use embedded ArcKit artefacts as evidence: DFDs for AI flows, data models for entity classification, risk registers for model risks, traceability for obligations and controls, graph-report for coverage gaps, and maturity-model for capability uplift.
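
The fairness metrics named in the Fairness Assessment section (demographic parity, equalised odds), computed per population segment, as an added example that is not part of the ArcKit command or its templates. The segment labels, records and function names are constructed for illustration; the output is evidence for the "test results across population segments" field and deliberately carries no pass/fail verdict, in line with the note on fairness validation above.

```python
from collections import defaultdict

# Constructed sample: (segment, actual_outcome, model_decision); 1 = favourable.
RECORDS = [
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 0), ("A", 0, 1), ("A", 0, 0), ("A", 0, 0),
    ("B", 1, 1), ("B", 1, 0), ("B", 1, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0),
]

def segment_rates(records):
    """Per-segment selection rate, true-positive rate and false-positive rate."""
    counts = defaultdict(lambda: {"n": 0, "sel": 0, "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for segment, actual, predicted in records:
        c = counts[segment]
        c["n"] += 1
        c["sel"] += predicted
        if actual == 1:
            c["pos"] += 1
            c["tp"] += predicted
        else:
            c["neg"] += 1
            c["fp"] += predicted
    rates = {}
    for segment, c in counts.items():
        rates[segment] = {
            "n": c["n"],
            "selection_rate": c["sel"] / c["n"],
            # None marks a segment with no positives/negatives: undefined, not zero.
            "tpr": c["tp"] / c["pos"] if c["pos"] else None,
            "fpr": c["fp"] / c["neg"] if c["neg"] else None,
        }
    return rates

def _gap(rates, key):
    """Largest difference between segments for one rate, ignoring undefined values."""
    values = [r[key] for r in rates.values() if r[key] is not None]
    return max(values) - min(values) if len(values) > 1 else None

def fairness_gaps(records):
    """Between-segment gaps for the report; no threshold and no verdict is applied."""
    rates = segment_rates(records)
    tpr_gap, fpr_gap = _gap(rates, "tpr"), _gap(rates, "fpr")
    defined = [g for g in (tpr_gap, fpr_gap) if g is not None]
    return {
        "demographic_parity_difference": _gap(rates, "selection_rate"),
        # Equalised odds difference: the larger of the TPR gap and the FPR gap.
        "equalised_odds_difference": max(defined) if defined else None,
        "tpr_gap": tpr_gap,
        "fpr_gap": fpr_gap,
        "segments": rates,
    }
```

Small segments make these rates unstable, so the per-segment `n` belongs in the report next to each gap.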

Suggested Next Steps

After completing this command, consider running:

  • $arckit-dfd -- DFDs show AI input, prompt, training, inference, output, disclosure, and feedback flows for assurance review.
  • $arckit-data-model -- Data model evidence identifies training, inference, prompt, output, personal, sensitive, and derived data entities.
  • $arckit-au-pia -- AI fairness + automated decision-making findings feed APP 6 + APP 11 in the PIA.
  • $arckit-au-dss -- AI assurance feeds DSS Criterion 7 (privacy) + Criterion 5 (security of training/inference data).
  • $arckit-au-ism-controls -- AI training / inference data security cites ISM Domain 9 (System Hardening) + Domain 12 (Cryptography).
  • $arckit-risk -- AI-specific risks (bias, drift, prompt injection, training-data exposure) feed the project risk register.
  • $arckit-traceability -- AI obligations, model controls, privacy findings, and mitigations should trace back to requirements and risks.
  • $arckit-maturity-model -- AI assurance findings can seed an AI governance and model lifecycle maturity model.
  • $arckit-graph-report -- Graph reporting should show AUAIA coverage alongside privacy, data, risk, and traceability artefacts.
Install via CLI
npx skills add https://github.com/tractorjuice/arckit-codex --skill arckit-au-ai-assurance
Repository Details
Stars: 15
Forks: 7
Branch: main
Path: SKILL.md