Asset owners in Australian heavy industry now sit at the intersection of four live regulatory streams: the Privacy Act ADM obligations, the DTA Policy for Responsible Use of AI, the National Framework for Assurance of AI in Government, and the SOCI Act CIRMP AI hazard vector. The governance standard you set for your contractors flows in both directions. Set it too light and your assurance position doesn't hold. Set it too heavy and your supply chain prices it back or produces documentation that ticks boxes without reducing a single real risk.
Getting the calibration right is the work. That's what this engagement does.
For most of the last decade, AI in heavy industry was an innovation conversation — pilot programs, proof of concepts, productivity tools. The governance question was internal and optional.
That's no longer the position. AI use in critical infrastructure is now explicitly in scope under the SOCI Act CIRMP framework. The National AI Plan is flowing governance requirements into contractor procurement. The DTA Policy is required for government-adjacent operations. The Privacy Act ADM amendments come into force December 2026.
Asset owners are now responsible for their own AI governance position and for the governance standard they set across the contractor supply chain that delivers and operates their assets. Both are in scope. Both are assessed.
You're the principal that sets the governance standard for everyone who delivers and operates your assets. Your contractor requirements, your pre-qual questions, and your flowdown clauses determine whether your supply chain's AI governance position is actually defensible — or just documented.
Under the SOCI Act, your Critical Infrastructure Risk Management Program must address AI as an in-scope hazard vector if AI is used in operational technology, asset management, or control systems. That's not a future requirement — it's live. If your CIRMP predates this determination, it has a gap a regulator will find.
The most powerful tool an asset owner has for lifting AI governance standards across a supply chain isn't a policy document — it's the pre-qual question and the tender clause. Getting those questions right — specific enough to be meaningful, proportionate enough that the supply chain can answer them — is where the real work happens.
Automated decision-making disclosure obligations apply to any organisation using AI in a way that affects decisions about people — employees, contractors, or community members affected by your operations. This covers AI in safety management, contractor assessments, workforce planning, and any AI-assisted decisions that affect individuals. Your disclosure position needs to be documented and board-signed before December 2026.
The DTA Policy is mandatory for Commonwealth agencies and is flowing into state and territory government contracts and procurement. If your assets are government-owned or government-operated, or you hold government contracts, your AI use needs to be documented against the DTA Policy standard. AI Impact Assessments are required for high-risk use cases. Your contractor procurement requirements need to align.
The National Framework for Assurance of AI in Government is the assurance framework that principals and government clients are using to assess AI governance in procurement. If you're setting pre-qual requirements for contractors, this is the framework your requirements need to align to. If you're a government-adjacent asset owner, this is the standard your own governance position will be assessed against.
The SOCI Act CIRMP framework brings 22 asset classes into scope across electricity, gas, water, ports, airports, defence, communications, banking, and food. AI in operational technology, asset management systems, or control environments is now an explicit in-scope hazard vector under CIRMP. Your risk management programme needs to document the AI use, assess the risk, and identify the controls. If your CIRMP was written before AI was in scope, it needs updating.
The pre-qual questions asset owners ask their contractors about AI governance are doing more work than most procurement teams realise. They're setting the de facto standard for AI governance across an entire supply chain. The problem is that most of those questions were written by people who understand procurement, not AI regulation — producing questions that are either too vague to be scored meaningfully, or too heavy for the supply chain to answer without enterprise-level overhead.
"Do you have an AI governance policy?" Yes/No. A tick-box answer that tells you nothing about whether the contractor's AI use is actually controlled, documented, or auditable. Produces compliant-looking documentation that doesn't reduce risk.
Enterprise-grade requirements applied uniformly across the supply chain regardless of what the contractor's AI actually does. A Tier 3 civil contractor whose AI exposure is a scheduling tool gets the same requirement as a Tier 1 Prime whose AI touches personnel data and SCADA systems. The supply chain prices it back or produces documentation it can't maintain.
Pre-qual questions that don't map to Privacy Act ADM, DTA Policy, the Assurance Framework, or SOCI CIRMP produce answers that satisfy the procurement process but not the regulator. When an incident occurs or an audit lands, the gap between what was asked and what was required becomes your exposure.
The right approach
Scaled by what the contractor's AI does, what data it touches, and what your asset's critical infrastructure classification is. Specific enough to be scored. Proportionate enough that the supply chain can answer without adding cost that doesn't reduce risk. Mapped to the four regulatory streams so the answers satisfy both your procurement process and your regulatory obligations. That calibration work is what this engagement delivers.
The Asset Owner engagement is not a fixed-price, fixed-scope sprint. Asset owner obligations vary significantly depending on asset class, ownership structure, government relationship, operational AI footprint, and supply chain complexity. The engagement is scoped to your situation after the initial call — but there are five consistent work streams across every engagement.
Before any governance framework is designed, the regulatory position needs to be clear — which of the four streams apply, at what level of obligation, and with what timeline. Not a desk review of publicly available guidance. A structured assessment of your specific asset class, operational AI footprint, government relationship, and CIRMP status against the current regulatory standard.
If your CIRMP was written before AI was an in-scope hazard vector, it needs updating. Not a rewrite of the entire programme — a targeted update that documents the AI use in your operational environment, assesses the risk against the CIRMP standard, identifies the controls in place and the gaps, and produces an updated CIRMP section that satisfies the regulatory requirement.
The pre-qual questions, the flowdown clauses, and the contractor evidence requirements — calibrated to what the National AI Plan actually requires at each tier of your supply chain. This is the work that sets the governance standard across every contractor that delivers and operates your assets.
Your own AI use, your Ethics and Usage Policy, your Privacy Act ADM position, your DTA Policy alignment, your AI Impact Assessments for high-risk use cases. Deployed through the same pre-built infrastructure stack used in the Prime and Sub tracks, configured to your organisation and operational context.
This is AI governance scoped to the National AI Plan. It complements your enterprise GRC system rather than replacing it — every register, log and evidence pack is structured to feed your existing GRC platform and audit programme. And Sovereign AI is not bundled in: running your own AI tools on Australian-hosted systems is a requirement that exceeds the NAIP baseline. Our infrastructure is Australian-hosted; if your operational context requires sovereign hosting of your AI stack, that's its own scope, available through our technology partner Kipanga's ISO 27001 certified Australian infrastructure — scoped explicitly, priced explicitly, never assumed.
Asset owners carry a board governance obligation that Primes and Subs don't carry in the same way. Directors have personal liability exposure under the SOCI Act and under the DTA Policy for responsible AI use. The board briefing translates the regulatory position, the CIRMP update, and the governance framework into commercial language for board consumption — not a slide deck about AI, but a structured briefing on what the board is personally obligated to do and what the evidence position looks like.
The Prime and Sub tracks are built around deploying pre-configured compliance systems — the Infrastructure page describes those systems in detail. Asset owner engagements use those same systems for the "own AI governance" work stream, but the defining work is different.
It's the regulatory position assessment. The CIRMP update. The supply chain governance calibration. The board briefing. These are advisory work streams that require judgement, industry knowledge, and regulatory fluency — not just system configuration.
James brings thirty years of asset-side and contractor-side experience to this engagement. He has sat at the commercial table on both sides of the principal-contractor relationship — he knows what principals are actually testing when they assess contractor AI governance, because he's been the contractor building the response and the advisor helping the principal write the question.
That's the experience behind the calibration work. Getting the flowdown weight right isn't a framework exercise. It's a commercial judgement call that requires knowing what both sides of the table can actually carry.
A governance position built to hold up when the regulator, the auditor, or the incident response team asks the question.
The March 2026 Defence Responsible AI policy is binding, not voluntary — and where your assets sit within Defence-related supply chains, your contractor governance standard needs to reflect it.
Thirty years directing major projects and leading business development across Oil and Gas, Defence, Energy, and Infrastructure for FTSE 100 and ASX contractors. I've led bids on Australia's largest naval shipbuilding programme, led Asia Pacific strategy across seven business units and four countries for Wood PLC, and sat in enough post-shortlist governance reviews to understand the gap between what an asset owner's pre-qual question asks and what it's actually trying to assess.
The asset owner engagement works because it's built from both sides of that relationship. When I design a pre-qual question for your procurement team, I'm designing it with the knowledge of how a bid team will read it, what they'll include, what they'll avoid, and where the gap between a good-looking answer and a genuinely controlled AI programme actually sits.
That's the judgement that sits behind the supply chain governance calibration work. It's not a template exercise. It's a commercial and regulatory judgement call that requires experience on both sides of the principal-contractor table.
★★★★★ "He led our AsiaPac Strategy process, focused on growth and diversification. Thanks to his unique knowledge across the region and industry, he was invaluable — delivering exactly what we needed."
★★★★★ "James provides fractional support as both the Lead Account Partner and GTM Focal Point. We have a global mandate and James brings the strategic clarity and industry depth to operate at that level."
★★★★★ "Working alongside James, I was always impressed by his tenacity in getting after opportunities and his rigorous approach to ensuring outcomes were achieved."
★★★★★ "We knew little about AI previously, except we were falling behind. The pilot process was easy, we learned a lot, and the AI agent has everyone excited. We are now developing our AI Scaling Strategy with James."
Almost certainly, for at least two reasons. First, most existing frameworks predate the SOCI CIRMP AI in-scope determination and the Privacy Act ADM amendments — they need updating. Second, the supply chain governance calibration work — the pre-qual questions and flowdown clauses — is almost never part of an internal governance framework. That's where the live exposure sits for most asset owners.
Directly, only if you're a Commonwealth agency or hold Commonwealth contracts. But the DTA Policy is increasingly being referenced as a governance standard by state and territory governments and by major principals in defence and critical infrastructure procurement. If your contractors are required to meet it, you need to understand it well enough to set the standard and assess the answer.
If the update predates the CIRMP AI hazard vector determination, yes. The determination that AI in operational technology is an in-scope hazard under CIRMP is relatively recent. A CIRMP updated before that determination won't include the AI risk assessment, the controls documentation, or the integration with your AI governance framework — that's a gap a regulator will find.
With the supply chain governance calibration work stream — that's the engagement that produces the right pre-qual questions, the right flowdown clauses, and the contractor evidence standard. If your contractors need hands-on support meeting that standard, the Prime and Sub-Contractor tracks are available to them directly, with a consistent evidence format built into both.
It depends on the scope. The regulatory position assessment and board briefing can be delivered in two to three weeks. The CIRMP update depends on the current state of the programme and the complexity of your operational AI footprint. The supply chain governance calibration is typically a four-to-six-week engagement. Full scope across all five work streams is typically eight to twelve weeks.
Yes. The engagement is subject to a full NDA before any information is exchanged. The regulatory position, the CIRMP gap assessment, and the supply chain governance framework are your documents. They are not shared, not referenced in case studies without explicit consent, and not used to inform work for competitors in your sector.
Yes — and in most cases that's the right model. James covers the operational and commercial AI governance work; legal advisors cover the regulatory interpretation and liability questions. The two streams are complementary. James is experienced working alongside legal teams and can structure the engagement deliverables to integrate with legal advice rather than duplicate or conflict with it.
Asset owner engagements begin under NDA. What's discussed in the scoping call, and everything that follows, stays with you.
A 20-minute scoping call covers your specific regulatory exposure across the four NAIP streams, which work streams are relevant to your situation, what the engagement sequence looks like, and what it costs. Asset owner engagements are scoped individually — the call is where that scoping starts.