tractorjuice/arckit-au-ai-assurance
skills/arckit-au-ai-assurance/SKILL.md
[COMMUNITY] Generate an AI assurance assessment for Australian Government / regulated-sector AI systems covering DTA AI Policy v2.0, ISO 42001, AU AI Ethics Principles, and Privacy Act AI-decision notification (Dec 2026).
$ install --global
skillsauthnpx skillsauth add tractorjuice/arckit-codex arckit-au-ai-assuranceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 5, 2026, 2:32 AM152.2s2 files scanned
SKILL.md
- name:
- arckit-au-ai-assurance
- description:
- [COMMUNITY] Generate an AI assurance assessment for Australian Government / regulated-sector AI systems covering DTA AI Policy v2.0, ISO 42001, AU AI Ethics Principles, and Privacy Act AI-decision notification (Dec 2026).
⚠️ Community-contributed command — not part of the officially-maintained ArcKit baseline. Output should be reviewed by a qualified AI ethics specialist, Privacy Officer, or DTA-aligned AI assurance assessor before reliance. DTA AI Policy v2.0 may have been updated — verify against the current edition before any external use.
You are an enterprise architect generating an AI assurance assessment for an Australian Government or regulated-sector AI / machine-learning system.
User Input
$ARGUMENTS
Context
Australia's AI assurance landscape combines several frameworks that together govern AI deployment in government and regulated industry:
- DTA Responsible AI Policy v2.0 (effective Dec 2025) — mandatory for non-corporate Commonwealth entities; expected via flow-down for AU Government tenderers and suppliers
- AU AI Ethics Principles (Department of Industry, 2019) — 8 voluntary principles
- AU Essential AI Practices ("AI6") — National AI Centre (NAIC) operational guidance: 6 essential practices for safe and responsible AI adoption (accountability, impact assessment, risk management, information sharing, testing/monitoring, human control). Foundations + Implementation Guidance issued via ai.gov.au.
- ISO 42001:2023 — AI Management Systems — Australian Standard adopted Feb 2024; certification expected to become baseline for AI-intensive vendors
- Privacy Act 1988 (Cth) — AI decision-making notification required from Dec 2026 (Tranche 1 reform)
- Online Safety Act + AI-generated content provisions
- Sector-specific: APRA CPS 234 (AI in financial services), AHPRA AI guidance (health)
Authoritative anchors:
- DTA Responsible AI Policy v2.0 — https://www.digital.gov.au/policy/ai/policy
- AU AI Ethics Principles — https://www.industry.gov.au/publications/australias-artificial-intelligence-ethics-framework/australias-ai-ethics-principles
- AU Essential AI Practices (AI6) — Guidance for AI Adoption: Foundations — https://www.ai.gov.au/staying-safe-and-responsible/essential-ai-practices/guidance-ai-adoption-foundations
- AU Essential AI Practices — Implementation Guidance — https://www.ai.gov.au/staying-safe-and-responsible/essential-ai-practices/guidance-ai-adoption-implementation-guidance
- Privacy Act 1988 (Cth) — https://www.legislation.gov.au/Details/C2024C00301
Process
-
Read prerequisites:
- Project's PIA artefact (
ARC-{P}-AUPIA-v*) — APP 6 + APP 11 cross-reference - Project's DATA artefact — for training/inference data classification
- Project's DFD artefacts (
ARC-{P}-DFD-*) — for AI data, prompt, inference, output, and feedback flows - Project's REQ artefact — extract AI-specific requirements
- Project's RISK artefact — existing AI risks
- Project's TRAC artefact — existing requirement-to-control-to-risk mappings
- Project's maturity-model artefact if available — AI governance capability baseline
.arckit/templates/_partials/RENDERING.md
- Project's PIA artefact (
-
Read the template:
- First:
.arckit/templates-custom/au-ai-assurance-template.md - Then:
.arckit/templates-custom/au-ai-assurance-template.md - Fallback:
.arckit/templates/au-ai-assurance-template.md
- First:
-
Use
scripts/bash/create-project.sh --json <project-name>if the project does not yet exist; otherwise locate it. -
Use
scripts/bash/generate-document-id.sh <PROJECT_ID> AUAIA --filenamefor the artefact filename. -
Resolve the
<!-- DOC-CONTROL-HEADER -->marker perRENDERING.md. Use the Australian classification scheme (UNOFFICIAL / OFFICIAL / OFFICIAL:Sensitive / PROTECTED / SECRET) — replace the standard UK line in the header. -
Generate the following sections:
-
AI System Description — system name, purpose, AI capability type (generative / predictive / decision-support / decision-making / agentic / multi-modal), deployment phase (research / pilot / production), foundation model used (e.g., GPT-4 / Claude / Gemini / open-source), training-data sources, inference-data sources, decisions affecting individuals (yes/no — describe), human-in-the-loop posture.
-
DTA Responsible AI Policy v2.0 Compliance — assessment against the policy's six accountabilities:
- Accountability — designated AI accountable officer
- Transparency — public AI use disclosure
- Risk-based approach — AI risk assessment performed
- Quality data + design integrity — data lineage, model documentation
- Privacy + security — cross-reference PIA + ISM + E8
- Human oversight + redress — human review mechanism, individual appeal pathway
-
AU AI Ethics Principles Alignment — assess against the 8 principles:
- Human, societal and environmental wellbeing
- Human-centred values
- Fairness
- Privacy protection and security
- Reliability and safety
- Transparency and explainability
- Contestability
- Accountability
For each principle: status (Aligned / Partial / Not Aligned), evidence, gap, mitigation.
-
AU Essential AI Practices (AI6) Alignment — assess against the 6 essential practices issued by the National AI Centre via ai.gov.au:
- Decide who is accountable
- Understand impacts and plan accordingly
- Measure and manage risks
- Share essential information
- Test and monitor
- Maintain human control
For each practice: status (Implemented / Partial / Not Implemented / Not Applicable), evidence (artefact references where possible), gap, action. Cross-reference the DTA Responsible AI Policy six accountabilities — both frameworks share underlying principles but differ in scope (DTA = policy mandate for Commonwealth entities; AI6 = practical adoption guidance for any organisation). The AI6 Implementation Guidance on ai.gov.au provides "Getting started" and "Next steps" prompts per practice — useful for filling in evidence and action columns.
-
ISO 42001 Readiness — assessment against the standard's clauses (context, leadership, planning, support, operation, performance evaluation, improvement). Useful for organisations pursuing or anticipating ISO 42001 certification.
-
Privacy Act AI-Decision Notification (Dec 2026) — if the AI system makes substantially-automated decisions significantly affecting individuals, document: notification mechanism implemented (or planned for Dec 2026), what individuals are told, opt-out pathway if applicable. Cross-reference AUPIA APP 6 + APP 11.
-
Fairness Assessment — bias evaluation methodology, protected-attribute analysis, fairness metrics used (demographic parity / equalised odds / etc.), test results across population segments, residual fairness risks.
-
Security of AI Training + Inference Data — training-data classification (often higher than expected — model can memorise PI), inference-data flow (input PII handling, output PII risk), prompt-injection defences, model-extraction defences. Cross-reference E8 posture + ISM applicability.
-
Model Lifecycle Governance — version control, change-management for model updates, drift detection, retirement/sunset criteria.
-
Vendor / Foundation-Model Disclosure — for systems built on third-party foundation models, document: vendor name, model version, vendor's AI policy compliance, training-data provenance disclosure (if available), data-residency for inference, IP / copyright position.
-
ArcKit Evidence Integration — map
$arckit-dfd,$arckit-data-model,$arckit-risk,$arckit-traceability,$arckit-graph-report, and$arckit-maturity-modelevidence to AI policy accountabilities, model controls, privacy obligations, lifecycle controls, and assurance gaps. -
Recommendations — prioritised AI assurance actions grouped by Quick Wins / Short-Term / Medium-Term, each tagged to which framework it satisfies.
-
-
Populate the External References section per
.arckit/references/citation-instructions.md. DTA AI Policy v2.0, AU AI Ethics Principles, AU Essential AI Practices (AI6) — Foundations + Implementation Guidance, ISO 42001 (Australian Standard), and Privacy Act 1988 MUST appear in the Document Register. -
Write the artefact via the Write tool to
projects/<project-id>/<filename>. -
Show only a summary to the user (one paragraph plus the DTA + Ethics Principles compliance summary table).
Important Notes
- DTA AI Policy v2.0 applies to non-corporate Commonwealth entities directly. State/Territory Government and corporate Commonwealth entities are not bound but commonly flow it down via tender requirements. Suppliers to those entities should track for contractual flow-down.
- The December 2026 Privacy Act AI-decision notification is a deadline. Systems making automated decisions significantly affecting individuals must implement the notification mechanism by then — design choices made before that date should anticipate the requirement.
- Foundation-model use is a supply-chain concern. Vendor lock-in, training-data disclosure, IP indemnification, and inference-region sovereignty are commonly under-assessed in early-pilot AI systems.
- Bias / fairness assessment is methodology-dependent. Recipes should not produce a "passes fairness" verdict from data alone — refer to a qualified data-ethics specialist for fairness validation.
- For research / pilot AI not yet making production decisions, the assessment should still describe forward-looking requirements that will apply once the system moves to production. This avoids "we'll add it later" technical debt.
- AI assurance findings often surface security and privacy implications that should propagate to AUPIA + AUE8 + AUISM artefacts. Recommend re-runs of those artefacts when an AI system materially changes.
- Use embedded ArcKit artefacts as evidence: DFDs for AI flows, data models for entity classification, risk registers for model risks, traceability for obligations and controls, graph-report for coverage gaps, and maturity-model for capability uplift.
Suggested Next Steps
After completing this command, consider running:
$arckit-dfd-- DFDs show AI input, prompt, training, inference, output, disclosure, and feedback flows for assurance review.$arckit-data-model-- Data model evidence identifies training, inference, prompt, output, personal, sensitive, and derived data entities.$arckit-au-pia-- AI fairness + automated decision-making findings feed APP 6 + APP 11 in the PIA.$arckit-au-dss-- AI assurance feeds DSS Criterion 7 (privacy) + Criterion 5 (security of training/inference data).$arckit-au-ism-controls-- AI training / inference data security cites ISM Domain 9 (System Hardening) + Domain 12 (Cryptography).$arckit-risk-- AI-specific risks (bias, drift, prompt injection, training-data exposure) feed the project risk register.$arckit-traceability-- AI obligations, model controls, privacy findings, and mitigations should trace back to requirements and risks.$arckit-maturity-model-- AI assurance findings can seed an AI governance and model lifecycle maturity model.$arckit-graph-report-- Graph reporting should show AUAIA coverage alongside privacy, data, risk, and traceability artefacts.
Related Skills
tractorjuice/arckit-tenders
tools
VerifiedTrustedCommunity
Procurement market intelligence — award-value benchmarks, top suppliers, incumbency and concentration, from the UK Tenders MCP
15SKILL.mdUpdated Jun 4, 2026
tractorjuice/arckit-competitors
tools
VerifiedTrustedCommunity
Competitor landscape — rival suppliers, awarded-value market share, head-to-head and concentration, from the UK Tenders MCP
15SKILL.mdUpdated Jun 4, 2026
tractorjuice/arckit-au-soci-cirmp
development
VerifiedTrustedCommunity
[COMMUNITY] Generate a SOCI Act Critical Infrastructure Risk Management Program (CIRMP) governance and evidence pack for Australian critical infrastructure assets.
15SKILL.mdUpdated Jun 4, 2026
tractorjuice/arckit-au-ot-security
development
VerifiedTrustedCommunity
[COMMUNITY] Generate an ASD operational technology cyber security assessment for Australian Government and critical-infrastructure projects with connected OT environments.
15SKILL.mdUpdated Jun 4, 2026