How Every Engagement Is Delivered

The governance infrastructure is pre-built. The process is steered by someone who's run the bids.

Most governance consultants deliver a report. What you get here is a pre-configured compliance infrastructure, built to Australia's National AI Plan, populated with your data, and left running after the engagement closes.

Five systems handle automated data ingestion, compliance dashboards, audit pack generation, and tender response drafting from your live compliance data. The decisions, the data gathering, the face-to-face sessions, the risk calls — that's where James works. The apps and the advisory run together, not in place of each other.

What gets deployed depends on where you sit in the supply chain and what your AI does. Every engagement starts at Layer 1 and builds from there.

The pre-built compliance infrastructure — five deployed systems

The Deployment Ladder

Not every contractor needs every layer. Here's how it works.

Layer | System | Who gets it
1 | AI Ethics & Usage Policy Builder + Privacy Act ADM | Every client
2 | AI6 Guidance Compliance System | Every client
3 | AI Impact Assessment App (AIIA) | Government-facing scopes · High-risk CI · AI affecting employees
4 | Full Compliance App — Complete NAIP Coverage | Prime Contractors (requires Layers 2 + 3)
5 | TenderPulse — Live Compliance Dashboard | Primes + Tier 2 Subs with complex scopes

Three deployment profiles in practice:

Tier 2/3 Sub — standard scope

Layers 1 + 2 as standard. Layer 3 added where AI use touches government work, critical infrastructure, or employees.

Tier 2/3 Sub — complex tender or government scope

Layers 1 + 2 + 3, plus TenderPulse where the tender scope warrants it.

Prime or significant Sub — government, defence, or critical infrastructure

Full stack. All five layers, sequenced in order. Solvable in 90 days.

Layer 1 · Foundation · All clients

Every contractor using AI needs this in place before anything else.

AI Ethics & Usage Policy Builder + Privacy Act ADM Update

Australia's Privacy Act ADM obligations come into force December 2026. Every business using AI in a way that affects decisions about people — employees, customers, contractors — needs a documented disclosure position and a board-signed usage policy before that date. This is also the first thing principals and auditors ask for.

The policy builder generates a complete, board-ready AI Ethics and Usage Policy tailored to your organisation, guided by your AI maturity and the sectors you work in. It's not a template you fill in — it's a structured, section-by-section process that produces a document ready for board sign-off and tender submission.

This is the foundation every other layer builds on. Nothing above Layer 1 is possible without it.

James's role at this layer

Policy framing decisions, sector classification, ADM threshold judgement calls, board presentation if required. The app structures and generates — James steers the decisions that determine what goes in.

What gets produced

  • Board-ready AI Ethics and Usage Policy, aligned to the National AI Plan
  • Privacy Act ADM disclosure statement, documenting how automated decisions are made and notified
  • Multi-signatory sign-off workflow — two authorised signatories required before a policy version goes live
  • Annual re-attestation trigger, 30-day reminder before policy anniversary
  • Auto-generated board minutes reference paragraph
  • Version archive — immutable record of every policy change, who signed, and when
  • Policy included in all audit evidence pack exports

Layer 2 · Core Compliance · All clients

The six-pillar system that turns your AI use into an audit-ready evidence pack.

AI6 Guidance Compliance System

The AI6 Guidance is the emerging standard for responsible AI governance in Australian commercial and government contracting. Principals are already referencing it in tender schedules. The six pillars — accountability, transparency, data governance, human oversight, incident management, and training — are what assessors score against in pre-qual.

This system doesn't ask you to build those pillars from scratch. It deploys a pre-configured structure, populated with your business's actual AI use, your vendors, your approval chains, and your data exposure, during the engagement. What comes out the other end is an audit-ready evidence pack your team can maintain without ongoing consultancy.

James's role at this layer

AI use mapping across the business, risk classification decisions, data exposure assessment, vendor documentation review, tender language sign-off. The system structures and stores — James makes the calls that determine what's recorded and how it's classified.

What gets produced

  • AI use case register — every AI tool in use, risk-rated and categorised
  • Vendor register — every AI vendor, data handling assessed and documented
  • Training log — who has been trained, on what, and when
  • Incident log, pre-structured for capture and reporting
  • Quarterly monitoring schedule, built in from the start
  • Audit trail — full change logging across all registers
  • Tender response language mapped to the five evidence pillars assessors score
  • One-click audit and pre-qual export pack — under 15 pages, version-controlled

Layer 3 · AI Impact Assessment · Required where triggered

Every government AI use case now needs an Impact Assessment. Here's how it gets done right.

AIIA — AI Impact Assessment App

The DTA's AI Impact Assessment has been mandatory for Commonwealth agencies since December 2025. It is now appearing in tender requirements across defence primes, state government infrastructure projects, and critical infrastructure asset operators. If your AI touches government work, critical infrastructure assets, or decisions affecting your employees, agencies and principals are now requiring it through contract — if you're bidding that work, expect to produce one.

The assessment covers 12 sections across accountability, transparency, fairness, privacy, security, reliability, contestability, and human oversight. It is document-intensive, judgement-heavy, and the risk matrix determines whether a full independent review is required. Done wrong, it creates more exposure than not having one.

The AIIA app guides the full assessment, ingests your existing documentation, and drafts answers traced directly to source passages in your own files. Every suggestion shows exactly where it came from. You accept or reject each one. The AI drafts, never decides.

Sovereign and secure. Australian-hosted, AWS Sydney. Tenant-isolated and encrypted. Full access and change logging on every assessment. Your data never leaves the country.

James's role at this layer

Risk classification judgements, threshold decisions, human oversight framework design, privacy exposure assessment, board and principal presentation where required. The app ingests and drafts — James makes the risk calls and steers the decisions that determine the assessment outcome.

AIIA app — every drafted answer traced to its source passage. The AI drafts, never decides.

What gets produced

  • Full 12-section DTA AI Impact Assessment, completed and documented
  • AI-drafted answers from your own vendor docs, contracts, specifications, and policies — every answer source-traced
  • Auto-computed risk matrix with threshold branching — the system tells you whether a full assessment is required and why
  • Version history and re-validation — re-assessment triggered automatically 12 months after completion or if use case classification changes
  • One-click board- and tender-ready PDF export, versioned and audit-ready
  • Integrated into the Layer 2 use case register — AIIA tab appears automatically on high-risk use cases

Layer 4 · Full NAIP Coverage · Prime Contractors · Requires Layers 2 + 3

When a principal sends compliance requirements down the chain, this is what responds.

Full Compliance App — Complete NAIP Obligation Coverage

AI6 and the AIIA cover the core obligations. But for Primes operating across government, defence, and critical infrastructure, there are additional NAIP obligations that sit outside those two frameworks. Layer 4 closes the full picture.

The centrepiece of this layer for bid teams is the Cascade Response Engine. When a principal sends AI compliance requirements — questionnaires, pre-qual schedules, flowdown clauses — down the supply chain, the app ingests them and automatically drafts responses pulled from the stored compliance data built across Layers 1, 2, and 3. Your bid team doesn't start from a blank page. They review, approve, and submit.

This is the layer that turns the governance infrastructure built in Layers 1 through 3 into a commercial asset. The data doesn't sit in registers — it answers tenders.

James's role at this layer

Principal requirement interpretation, flowdown calibration, commercial response strategy, board attestation sign-off process. The engine assembles — James steers what gets used and how it's positioned in the tender response.

What gets produced

  • Complete NAIP obligation coverage beyond AI6 and AIIA — all four regulatory streams closed
  • Cascade inbox — ingest principal questionnaires by manual upload or email forward
  • Auto-populated pre-qual and tender response answers, drawn from live compliance data across all layers
  • Audit evidence pack export — one-click bundle mapped to exactly what the principal is asking for
  • Governance policy multi-sig workflow and version archive
  • Board attestation evidence assembled automatically, not chased at year end
  • Reusable response language — every tender builds the library for the next one

Layer 5 · Live Bid Cockpit · Primes + Tier 2 Subs with complex scopes

Your compliance position, mapped to the project, the principal, and all four NAIP streams — in real time.

TenderPulse — Live Compliance Dashboard

TenderPulse is not a reporting tool. It is a live compliance operating environment mapped to a specific project and a specific principal's requirements. It shows compliance status across every required artefact, flags gaps before the bid team finds them, and tracks the distance between what the principal is asking for and what the NAIP baseline actually requires.

For bid managers, it replaces the manual compliance chase before submission. For governance teams, it provides the audit trail that builds as the engagement progresses. For boards, it provides attestation evidence that is assembled, not reconstructed after the fact.

The dashboard is configured at the start of the engagement and left running after it closes. Your team maintains it. It doesn't require ongoing consultancy to keep it current.

James's role at this layer

Gap analysis interpretation, commercial response strategy for requirements that exceed the NAIP baseline, sovereign AI positioning, principal negotiation support where required. TenderPulse surfaces the gaps — James decides how to respond to them.

TenderPulse — live AI governance compliance dashboard mapped to a project and principal

What the dashboard shows

  • Live compliance status across Privacy Act ADM, DTA Policy v2.0, National Assurance Framework, and SOCI Act
  • NAIP Project Classification — critical infrastructure scope, data sovereignty assessment, obligation tier
  • Prime requirement vs NAIP baseline gap analysis — every gap flagged with a commercial response prompt
  • Artefact tracking across every required document — published, in progress, missing, with owner and due date
  • Our AI Strategy and AI Win Strategy sections — compliance narrative and tender positioning in one place
  • Alert system — live flags when principal requirements exceed NAIP baseline, requiring commercial response
  • Sovereign AI posture documented and defensible

Not sure where you sit? Three questions tell you.

The compliance check tool covers this in under 2 minutes. Based on the sectors you work in and what your AI does, it determines your obligation tier and tells you which layers apply to your business. No email. Instant result.

The tool was built for this exact question. Use it before you book a call — it will make the conversation more useful.

Scope note

Pre-built infrastructure means faster delivery. It doesn't mean less rigour.

These systems are pre-built to the NAIP standard, which means the structure, registers, templates, and export formats are ready before the engagement starts. What isn't pre-built is the content, the judgement, or the decisions.

Every engagement involves significant face-to-face work. AI use mapping across the business. Risk classification sessions. Data exposure reviews. Principal requirement interpretation. Tender strategy conversations. Board presentations where needed.

The apps handle the structure, the storage, the drafting, and the export. James handles the decisions that determine what goes in and how it's positioned. Both are required. Neither replaces the other.

This is AI governance scoped to the National AI Plan. It complements your enterprise GRC system rather than replacing it — every register, log and evidence pack is structured to feed your existing GRC platform and audit programme. And Sovereign AI is not bundled in: running your own AI tools on Australian-hosted systems is a requirement that exceeds the NAIP baseline. Our infrastructure is Australian-hosted; making your AI stack sovereign is its own scope — if your tender asks for it, TenderPulse flags it and we'll tell you straight what it takes.

This is also a compliance infrastructure — not a digital twin, not a live API integration layer, not a general AI strategy engagement. If those are what you need, that conversation starts with a scoping call.

Book a 20-Minute Scoping Call

Ready to understand what your engagement looks like?

A 20-minute scoping call covers which layers apply to your business, what the engagement sequence looks like, what your obligation timeline is, and what it costs. No obligation.

If you're not sure whether you need a call yet, the compliance check tool tells you your obligation tier in under 2 minutes.