
Your principals are pushing AI governance into tender schedules. Your supply chain needs to hold up under audit. Getting the flowdown right is the work.

Principals are lifting the AI governance standard across Australian heavy industry. The hard part for Primes isn't meeting that standard once — it's setting flowdown requirements that are clear enough to audit, proportionate enough that your supply chain can actually meet them, and consistent enough that your bid team doesn't rewrite the answer for every project.

Get the weight wrong in either direction and it costs you. Too heavy and your supply chain prices it back or walks away. Too light and your governance team can't attest. The right answer is a single cascade-ready spine, built once, reused across every project, and calibrated to what the National AI Plan actually requires at each tier.

What's changed for Primes

Four regulatory streams are now flowing through your tender schedules. Your supply chain is exposed on all of them.

The National AI Plan isn't a single regulation. It's four streams running simultaneously, each with different obligations, different timelines, and different exposure profiles depending on what your supply chain's AI is doing.

In force December 2026

Privacy Act ADM

Mandatory disclosure when AI affects decisions about people. Flows to any sub whose AI touches personnel, safety classifications, or contractor assessments. Your subs need a documented disclosure position and a board-signed policy before the deadline.

In force

DTA Policy for Responsible Use of AI v2.0

Mandatory for Commonwealth agency work and flowing into state and territory contracts. Requires use case registration, accountable AI officer documentation, and AI Impact Assessments for high-risk use cases. Primes are responsible for ensuring their supply chain can meet these requirements when the project scope demands it.

First mandatory requirement June 2026

National Framework for Assurance of AI in Government

The assurance framework that principals are using to set governance expectations in tender schedules. Covers state, territory, and Commonwealth projects. Your pre-qual language needs to align to it. Your subbies need to be able to answer against it.

Live

SOCI Act 2018 + CIRMP

22 asset classes now in scope. AI in operational technology is now an in-scope hazard vector under CIRMP. If your project touches critical infrastructure assets, your AI governance position needs to document the CI exposure, assess the risk, and integrate with the asset operator's CIRMP obligations.

A principal doesn't separate the Prime from the supply chain when they're scoring governance. They score the chain.

You're not just managing your own exposure across these four streams. You're managing your subbies' exposure, because their AI governance posture is now your audit surface.

The calibration challenge

Over-asking costs you margin. Under-asking costs you the audit. Here's how to get the weight right.

Most Primes default to one of two positions when they start thinking about AI governance flowdown. Neither works.

Position 1 — push the full obligation set down the chain.

Every sub gets the same enterprise-grade requirements regardless of what their AI does or what data it touches. The supply chain prices it back, or worse, produces documentation that ticks boxes without reducing a single real risk. Your auditor knows the difference.

Position 2 — leave subs to figure it out.

No standardised requirement, no consistent evidence format, no way for your bid team to attest at the Prime level. Every tender produces a different answer and the audit finds the gaps.

The right position

Risk-tiered flowdown.

Requirements scaled by what the sub's AI actually does, what data it touches, and what the project's critical infrastructure exposure is. A civil sub using AI for scheduling has different obligations to a defence sub whose AI touches personnel data. The flowdown framework makes that distinction systematically, not project by project. This is the work: calibrating the ask so it's strong enough to survive audit and proportionate enough to keep a healthy supply chain in the market.

What Primes are actually required to do

Your obligations as a Prime go beyond your own AI use. Here's the full picture.

As a Prime, your AI governance obligations operate at two levels simultaneously: your own AI use and your supply chain's AI use. Both are in scope. Both are assessed.

Your own AI use. Every AI tool your organisation uses needs to be documented, risk-rated, and approved. Your AI Ethics and Usage Policy needs to be board-signed and current. Your Privacy Act ADM disclosure position needs to be documented before December 2026. If your AI touches government work, expect to produce a completed AI Impact Assessment for every high-risk use case — agencies and principals are requiring it through contract.

Your supply chain's AI use. You are responsible for setting AI governance requirements for your subcontractors, ensuring those requirements are proportionate and achievable, and maintaining an audit trail that demonstrates your supply chain is meeting them. When a principal asks for AI governance evidence at tender, they are asking about the chain, not just the Prime.

Layer 1 — Foundation

AI Ethics and Usage Policy, board-signed and current. Privacy Act ADM disclosure position documented.

Layer 2 — Core Compliance

AI6 six-pillar compliance system across your own AI use. Cascade-ready flowdown requirements for your supply chain, scaled by risk tier.

Layer 3 — AI Impact Assessment

Full 12-section DTA assessment for every high-risk AI use case. Required through contract on Commonwealth work, appearing in state and territory tender requirements, and expected for any AI in scope under SOCI.

Layer 4 — Full NAIP Coverage

Complete obligation coverage across all four regulatory streams. Cascade Response Engine for principal questionnaires and flowdown compliance. Board attestation evidence assembled automatically.

Layer 5 — TenderPulse

Live compliance dashboard mapped to the specific project and principal. Gap alerts before the bid team finds them. Audit trail building in real time.

The Prime Track

One engagement. One governance spine. Built to last across every project.

The Prime Track is a single engagement that builds, configures, and deploys the full compliance infrastructure stack, calibrated to your organisation, your supply chain's risk profile, and your principal's requirements. It is not a framework delivered in a document. It is a live system left running after the engagement closes.

Step 1 — The visible entry point

Board AI Governance Briefing

$5,500 + GST · fixed scope · delivered within three weeks

A 90-minute board or ELT session plus a written brief: where your AI governance position stands against the National AI Plan, AI6, the December 2026 ADM disclosure obligations, and the flow-down clauses your principals are drafting now. Includes a gap summary across your current pockets of AI activity and a sequenced 12-month obligation map.

Priced to be approvable on a single signature. Scoped to give your leadership a defensible position — and a clear-eyed view of whether the full Prime Track is warranted.

Supply chain governance, end to end

AI Governance & Tender Compliance — Prime Track

Build the AI governance framework your principals can score, your bid team can reuse, and your subcontractors can actually comply with. Delivered through the full pre-built infrastructure stack, configured to your project, populated during the engagement, and left running after it closes.

Layer 1 — AI Ethics & Usage Policy Builder

Board-ready AI Ethics and Usage Policy aligned to the National AI Plan. Privacy Act ADM disclosure position documented. Multi-signatory sign-off workflow. Annual re-attestation trigger. Auto-generated board minutes reference paragraph.

Layer 2 — AI6 Governance Spine

Risk-tiered supply chain AI requirements aligned to the National AI Plan and critical infrastructure exposure. Flow-down language that separates low-risk admin tools from higher-risk project or data use. Reusable tender response pack. Subbie onboarding pack — your subs sign once, your audit trail closes. Supplier evidence checklist that protects audit confidence without inflating bid cost.

Layer 3 — AI Impact Assessment

Full 12-section DTA assessment for every triggered use case. AI drafts answers from your own documents. Every answer source-traced and human-approved. Board- and tender-ready PDF export. Version history and annual re-validation trigger. Australian-hosted, data never leaves the country.

Layer 4 — Full NAIP Coverage + Cascade Response Engine

Complete obligation coverage across all four regulatory streams. Cascade inbox for principal questionnaires, auto-populated responses drawn from your live compliance data across all layers. Board attestation evidence assembled, not chased. Reusable response library that builds with every tender.

Layer 5 — TenderPulse

Live compliance cockpit mapped to your project and principal. Compliance status across all four NAIP streams. Prime requirement vs NAIP baseline gap analysis with flagged alerts. Artefact tracking across every required document. Sovereign AI posture documented and defensible. Dashboard left running and maintained by your team after the engagement closes.

Leadership-ready position

Accountable ownership documented. Data handling framework established. Model behaviour and auditability requirements set. Board attestation evidence structured and ready.

The point: a standard ask with room for judgement. Strong enough to survive audit. Proportionate enough to keep a healthy supply chain in the market. Built once. Reused across every project. Solvable in 90 days.

This is AI governance scoped to the National AI Plan. It complements your enterprise GRC system rather than replacing it — every register, log and evidence pack is structured to feed your existing GRC platform and audit programme.

The supply chain challenge

Your subbies are not all going to get there on their own. Here's how to bring them with you.

The governance spine built in the Prime Track includes a sub-contractor onboarding pack — a set of right-sized, tier-appropriate requirements your subs can adopt without each one needing a separate consultancy engagement. This is the part most Primes miss when they approach AI governance as an internal exercise.

Your supply chain's compliance posture is your audit exposure. The onboarding pack closes that loop systematically.

What the sub onboarding pack covers

  • Risk-tiered requirements, scaled by what the sub's AI does, what data it touches, and their critical infrastructure exposure
  • Clear documentation standard — what format, what evidence, what's acceptable
  • Pre-qual checklist your subs complete once and reuse across every bid on your projects
  • Sign-once onboarding flow — your subs attest against the standard, your audit trail closes
  • Plain-English guidance so a Tier 3 sub with no governance background can meet the standard without over-investing

For subs who need more help: James works directly with sub-contractors through a dedicated Sub Track engagement. Primes who refer their supply chain to the Sub Track get a consistent evidence standard across the chain without managing the sub-contractor engagement themselves.

Operating in Defence?

The March 2026 Defence Responsible AI policy is binding, not voluntary — and it reaches your supply chain. If you hold or are bidding Defence work, your flowdown obligations are already set.

The upside

The compliance infrastructure is also the data foundation that lets your supply chain run better.

The same governance registers that satisfy the audit also give you visibility into your supply chain that monthly PDFs never could. Once the compliance infrastructure is in place and running, the data foundation is there for tools that deliver real operational value.

Live supply chain visibility

API-enabled subbie performance feeds replace manual reporting. Earlier signal on cost and schedule slippage. Risk flags that surface before they become variations.

Sovereign AI posture

Documented and defensible. A stronger pre-qual position against international competitors who can't demonstrate Australian data residency and governance controls. Where the project demands sovereign hosting — digital twins, project hubs, live progress data — it's available through Kipanga's ISO 27001 certified Australian infrastructure.

Board-level AI performance evidence

The same audit trail that satisfies the governance question also becomes the evidence base for board-level AI performance reporting. Win rate at target margin. Rework cost. Bid efficiency relative to conversion. The variables that determine whether your AI is actually delivering, not just running.

Digital-twin-ready operations layer

For the projects where the scope and data maturity warrant it, the governance infrastructure is the foundation. The registers, the data classification, and the access controls are already in place.

This is not a regulatory burden problem. It is a supply chain capability problem — and it is solvable in 90 days.

Why this works

I've built the bids. I've set the requirements. I've sat on both sides of the table that determines what a supply chain needs to prove.

Thirty years directing major projects and leading business development across Oil and Gas, Defence, Energy, and Infrastructure for FTSE 100 and ASX contractors. I've architected $2B+ defence bids, led Asia Pacific strategy across seven business units and four countries for Wood PLC, and been in enough post-shortlist governance reviews to know exactly what principals are testing and what auditors are looking for.

That experience is what sits behind every flowdown decision in the Prime Track. When I say proportionate requirements, I mean proportionate to what a principal will actually score and what a sub can actually carry without pricing it back into your bid. When I say audit-ready, I mean ready for the specific conversation your governance team has when the principal asks for evidence.

The infrastructure is pre-built. The judgement behind how it's configured is not.

No innovation theatre. No enterprise overhead for its own sake. A governance position built to hold up when it needs to, and proportionate enough that your supply chain stays in the market.

Bid Director — Australia's largest naval shipbuilding programme ($2B+ Defence EPC)
VP Strategy & Development, Asia Pacific — Wood PLC (FTSE 100), 7 business units, 4 countries
Energy Transition architect — pivoting O&G portfolios to low-carbon markets
Alliance model pioneer — reduced Defence ship upgrade cycles from 4 years to 18 months
MBA · University of New England Certified Master Project Director · AIPM AI Fluency Professional · USyd Certified AI Lead Partner · Mindhive

What clients say

Trusted by industry leaders

"Working alongside James, I was always impressed by his tenacity in getting after opportunities and his rigorous approach to ensuring outcomes were achieved."

Chief Operating Officer
Heavy industry contractor

"He led our AsiaPac Strategy process, focused on growth and diversification. Thanks to his unique knowledge across the region and industry, he was invaluable — delivering exactly what we needed."

Paul McCarthy
Regional Director, EnerMech

"We knew little about AI previously, except we were falling behind. The pilot process was easy, we learned a lot, and the AI agent has everyone excited. We are now developing our AI Scaling Strategy with James."

Common questions

Straight answers to the questions Primes ask before they book a call.

We already have an internal governance framework. Do we need this?

Possibly not from scratch, but almost certainly for the supply chain layer and the regulatory alignment. Most internal frameworks were built before the National AI Plan, the Privacy Act ADM amendments, and the SOCI CIRMP AI in-scope determination. The readiness audit tells you exactly where your existing framework holds and where the gaps are without assuming you need to rebuild everything.

How does this fit with our enterprise GRC platform?

It complements it rather than replacing it. This is AI governance scoped to the National AI Plan — every register, log and evidence pack is structured to feed your existing GRC platform and audit programme. If you're evaluating enterprise GRC tooling, that's a separate decision; the outputs here slot into whichever platform your governance team runs.

How do we manage flowdown without blowing out our subbies' costs?

That's the calibration work. The Prime Track builds risk-tiered requirements, so a Tier 3 civil sub using AI for scheduling gets a proportionate standard, not the same requirements as a defence sub whose AI touches personnel data. Getting that tiering right is what keeps your supply chain in the market while your governance position holds up under audit.

What do we tell principals in the tender when we're mid-engagement?

The tender response pack is one of the first outputs of the engagement. You don't need the full system in place to have a defensible tender response — you need a documented position and a credible implementation plan. We build that position first so your bid team has something to work with while the system is being completed.

Our subbies are at very different levels of AI maturity. How does that work?

The sub onboarding pack is tiered precisely for this reason. Subs with no existing governance get a minimum viable standard they can meet in five days. Subs with more mature systems get a more detailed requirement. Both produce an evidence format your governance team can assess consistently. For subs who need hands-on help, the Sub Track engagement is available.

How long does the Prime Track take?

90 days is the headline. The sequence is Layers 1 and 2 first, typically weeks one through four. Layer 3 runs in parallel for any triggered use cases, typically weeks two through six. Layers 4 and 5 build on the data from the first three layers, typically weeks five through twelve. The tender response pack is available from week two. TenderPulse is live from week four.

What happens after the engagement closes?

The systems are yours. The dashboards run. The registers are maintained by your team. Annual re-attestation triggers are built in. James is available for check-ins, new tender support, and scope additions as your project pipeline changes, but none of that is mandatory or ongoing.

We're on a specific government or defence project with a tight timeline. Can this be accelerated?

Yes — for active tender situations the engagement sequence can be compressed. The Tender AI Response engagement covers the immediate submission while the full system is built in parallel. Scope and timeline are covered in the scoping call.

The Primes who set the governance standard early own the pre-qual conversation. The ones who wait are responding to someone else's standard.

A 20-minute scoping call covers your specific obligation profile across the four NAIP streams, what the Prime Track engagement looks like for your organisation and supply chain, what the 90-day sequence involves, and what it costs. If you're not ready for a call yet, the compliance check tool tells you your obligation tier in under 2 minutes.