Exempt by Design: The AI Governance Gap in the National Intelligence Community

The TL;DR is that we assume the most consequential users of AI must be the most tightly governed, and in Australia it runs the other way. The mandatory framework for government AI, the Digital Transformation Agency's policy now at v2.0 with a mandatory use-case register, exempts the Defence portfolio and the National Intelligence Community (NIC) (Digital Transformation Agency, 2025). The National AI Plan shelved the proposed mandatory high-risk guardrails and stood up an AI Safety Institute instead (Department of Industry, Science and Resources, 2025). What is left for the community is point-in-time authorisation under the Protective Security Policy Framework and an oversight office that has appointed a single Chief AI Officer (Inspector-General of Intelligence and Security, 2025).
So for the same class of AI decision, a suburban retailer now carries more binding AI-specific obligations than an intelligence agency. This piece argues that the carve-out itself is defensible on classification, mission and tempo grounds. What is not defensible is that exemption from the framework quietly became exemption from any equivalent discipline. The gap is the missing substitute, not the exemption.
When the agencies with the sharpest tools are exempt from the rules written for everyone else, what exactly is doing the governing?
Juvenal asked the older version of it two thousand years ago: 'quis custodiet ipsos custodes' translated... 'who guards the guardians'. AI just made this question load-bearing again.
Introduction
Picture two rooms. In the first, a retail chain switches on facial recognition at the front door to spot known shoplifters. That deployment answers to the Privacy Act, to the Office of the Australian Information Commissioner (OAIC), and, if a shopper complains, potentially to the Administrative Review Tribunal (ART). A bank running the same class of model answers to all of that plus APRA and AUSTRAC. A service-delivery Department answers to the DTA's mandatory requirements: a named accountable official, published use-case transparency, and since 15 June 2026 a use-case register. From 10 December 2026, it also answers to the new Automated Decision Making (ADM) transparency provisions in the Privacy Act (Digital Transformation Agency, 2025).
In the second room, an Intelligence Agency runs a model over data that is vastly more consequential to a person's liberty. It answers to none of those AI-specific instruments.
That is the inversion, and you did not come here for me to pretend it is a simple scandal. It is more interesting than that. The exemption is deliberate and, on its face, sensible. The problem is what filled the space it left, which for AI-specific assurance is close to nothing public. This is the governance equivalent of the pacing problem: law and oversight structurally lag the technologies they govern (Marchant et al., 2011). Australia has already named its own version of it. The Richardson Review found that the National Intelligence Communities (NIC) legislative framework had been outpaced by technology (Richardson, 2020).
The Inversion
Let us peel back the layers and walk the ladder, because the shape of the thing only becomes obvious when you climb it.
The retailer. Deploys facial recognition, bound by the Privacy Act and answerable to the OAIC and, on review, the ART. AI-specific obligations: the general privacy regime, soon the ADM transparency provisions.
The bank. Everything the retailer carries, plus prudential obligations to APRA and reporting obligations to AUSTRAC. More binding instruments, higher stakes, tighter watch.
The service-delivery agency. A non-corporate Commonwealth entity, so the DTA policy applies in full: accountable official, transparency statement, and from 15 June 2026 the mandatory use-case register (Digital Transformation Agency, 2025).
The police force. Privacy obligations, warrant regimes, and its own accountability bodies, with AI decisions increasingly folded into existing oversight.
The intelligence agency. Processes the most consequential data of the lot, and sits outside the AI-specific instruments entirely.
The mechanics matter here, so let me be precise. The DTA policy applies to non-corporate Commonwealth entities but carves out the Defence portfolio and the NIC. The v2 text names the exempt bodies, including ASD and ASIO and the intelligence functions of AUSTRAC, the AFP, Home Affairs and Defence. The Privacy Act, for its part, has long exempted the intelligence agencies from its core operation. Stack those two carve-outs and the community sits outside both of the instruments that bind everyone below it on the ladder.
I am going to be honest about what comes next. A bar graph at the end of this section counts binding AI-relevant obligations per actor for the same AI decision, and the bars fall as the consequence rises. Read it as illustrative, not gospel. It counts instruments, it does not weigh them, and a single well-drafted obligation can do more than five thin ones. The point is not the exact height of each bar. It is the direction of travel, and the direction is upside down.
What Actually Covers the Community Today
Strip away the AI-specific instruments and the community is not ungoverned. It is governed by machinery built for a different job.
The first layer is security, not assurance. Systems are authorised to operate under the Protective Security Policy Framework, with the Information Security Manual setting ongoing-monitoring expectations. That gives you a point-in-time authority to operate and an expectation of monitoring, but not codified continuous authorisation. It is the cATO gap again, the same one I described in Starved by Design: you certify a system on a Tuesday and trust that it has not drifted by Friday, which is a stretch for anything that retrains.
The second layer is oversight. On 24 January 2024 the Inspector-General of Intelligence and Security opened an own-motion preliminary inquiry into AI use across the community under section 14(2) of the IGIS Act, covering AGO, ASD, ASIO, ASIS, DIO and ONI (Inspector-General of Intelligence and Security, 2024). Its public report found varied maturity across agencies, AI mainly augmenting human analysts rather than acting on its own, and no autonomous action. It did not proceed to a full inquiry. Since then IGIS has appointed its Assistant Inspector-General, Agency Oversight as its Chief AI Officer (Inspector-General of Intelligence and Security, 2025).
Treat IGIS fairly here, because it deserves it. This is an oversight office of modest size, built to examine human decisions and paper trails: who authorised what, on what basis, with what warrant. It did the responsible thing by looking early and looking hard. But an office built to audit paper is now expected to oversee model behaviour, and one Chief AI Officer, however capable, is not an evaluation capability. That is not a criticism of the people. It is a statement about the tooling they have been handed.
What the Review Actually Asked For
None of this went unnoticed. The 2024 Independent Intelligence Review by Dr Heather Smith PSM and Richard Maude, the unclassified report released on 21 March 2025, made 67 recommendations and secured $44.6 million over four years to ONI for initial implementation (Smith & Maude, 2025). It recommended community-wide AI governance frameworks and stronger enterprise leadership on the technology (Recommendation 32). The reviewers looked at the same inversion and said, in effect, that the community needs its own discipline for this.
Then look at what the wider policy settings actually deliver for the enclave. The National AI Plan treats national security briefly: risks are handled inside existing structures, incidents run through the Crisis Management Framework, and the PSPF governs the authorising of AI systems (Department of Industry, Science and Resources, 2025). The new Australian AI Safety Institute is operational, and its work is real. Its head spoke publicly on 7 July 2026 about testing frontier models. But that institute tests models for the public sphere. Nothing public says its assurance work reaches inside the classified enclave. So the review asked for a substitute, and the instruments that followed largely pointed back at the security machinery that was already there.
Here is the same picture as a map. Read the value chain left to right, and read the instruments as bands sitting over it. The uncovered band is the one to watch.
The So What?
So if the exemption stays, and I think it should, what does a community-grade substitute look like? Here is the design sketch. And yes, I am aware of the irony. This is a series that opened by attacking compliance theatre, and here I am arguing for more paperwork. The difference is the whole point: I want discipline that changes behaviour, not paperwork that transfers blame.
A register with a cleared reader. Build a classified AI use-case register, mirrored to IGIS. A register nobody outside the enclave can read is still a register the overseer can walk. The transparency instrument for everyone else was sunlight. Here the substitute is a reader with a clearance.
Assurance at one governed seam. Route model use through a single governed seam that logs every call, evaluates outputs and carries provenance, so oversight inspects the seam rather than every system. This is the thin-model-layer pattern from earlier pieces (see Starved by Design), and it is what makes oversight tractable at all.
Evaluation before authorisation, and continuously after. A point-in-time ATO is not enough for systems that retrain. Borrow the continuous-authorisation argument wholesale: evaluate before you authorise, then keep evaluating, because the thing you certified is not the thing running next quarter.
Oversight tooling, not just remit. Give IGIS the technical means to match the systems it oversees: eval harnesses, log access, the ability to look inside a model's behaviour rather than only its paperwork. The review's implementation funding is the vehicle to ask for exactly this.
Report the shape, not the secrets. Publish annual counts and categories of AI use across the community, the way interception statistics are already reported. You can disclose the shape of the thing without disclosing a single operation.
The Governance Gap Map interactive sits at the end of this section. Pick an actor and a use case, and watch which instruments actually bind.
Conclusion
Reframe the whole thing through the pacing problem and it stops looking like a conspiracy and starts looking like physics. Oversight lags capability by default. The gap between what the community can now do with a model and what any AI-specific instrument requires of it is not a scandal that someone engineered. It is the ordinary trajectory of law and institutions trailing technology (Marchant et al., 2011), the same trajectory Richardson named when he found the legal framework had been outpaced (Richardson, 2020). Scandals are simply how democracies discover the gap later, at the worst possible time, in a report with a person's name on the cover.
The carve-out earned its place. Classification, mission and tempo are real, and pretending the community can just be dragged inside the DTA policy is as lazy as pretending the gap does not matter. But a carve-out is a promise to do the equivalent work differently, not a licence to skip it. The 2024 review saw that and asked for the substitute. The interesting work now is designing it before the incident writes it for us.
So here is the question I would put to any oversight body reading this. If the systems you are meant to watch walked in the door tomorrow, would you know what to ask for?
Thanks for reading.
The views expressed in this article are my own and do not represent those of my employer, or any of my clients.
See related articles: Starved by Design and The Compliance Clock.
References
Department of Industry, Science and Resources. (2025). National AI Plan. Australian Government. https://www.industry.gov.au/publications/national-ai-plan
Digital Transformation Agency. (2025). Policy for the responsible use of AI in government (v2.0). Australian Government. https://www.digital.gov.au/ai/ai-in-government-policy
Inspector-General of Intelligence and Security. (2024). Public report: Preliminary inquiry into the use of artificial intelligence by the National Intelligence Community. Australian Government. https://www.igis.gov.au/sites/default/files/2024-06/Public%20Report%20AI%20Preliminary%20Inquiry%202024.pdf
Inspector-General of Intelligence and Security. (2025). Annual report 2024-25. Australian Government. https://www.igis.gov.au/sites/default/files/2025-10/IGIS%20Annual%20Report%202024-25.pdf
Marchant, G. E., Allenby, B. R., & Herkert, J. R. (Eds.). (2011). The growing gap between emerging technologies and legal-ethical oversight: The pacing problem. Springer.
Richardson, D. (2020). Report of the comprehensive review of the legal framework of the national intelligence community. Australian Government. https://www.ag.gov.au/national-security/publications/report-comprehensive-review-legal-framework-national-intelligence-community
Smith, H., & Maude, R. (2025). 2024 Independent Intelligence Review (unclassified report released 21 March 2025). Commonwealth of Australia. https://www.pmc.gov.au/news/2024-independent-intelligence-review


