What’s Shaping Investigations and Integrity in Government (Australia, 2025)

Investigations, compliance and integrity functions  in Government are evolving rapidly; complex digital threats, sprawling data landscapes, rising public scrutiny and emerging technologies like AI are a reality and are forcing agencies to rethink how they manage risk, compliance and integrity. In 2025, leading agencies are recognising that integrity at scale requires not just better policy, but better tools, connected data, and proven methods. Here are five key shifts driving the change.

1. Cyber Resilience Is Now Table Stakes

Cybersecurity is no longer just the IT department’s problem – it’s a frontline issue for anyone investigating fraud, managing risk, or handling sensitive data. Cyber-fraud has exploded. In New South Wales, for example, surging by 95% over a three-year period, according to the Bureau of Crime Statistics and Research.

Investigations today are often triggered by digital compromise like phishing, insider attacks, or leaked datasets. Yet most agencies still lack the skills operational visibility and funding to shore up their defences and respond fast enough. Auditors have repeatedly found that government departments are falling short of even basic security benchmarks. In one NSW audit, all agencies reviewed failed to reach minimum maturity on at least three of the Essential Eight security controls, and over 53% of mandatory security requirements were being implemented ad hoc or not at all.

Even as recently as 2024, around 69% of “Protect” controls required by NSW’s Cyber Security Policy were not fully met by agencies. The root cause is often resource constraints – the Auditor-General noted that tight budgets are the number one reason agencies delay critical security upgrades. Compounding the problem is a cyber workforce shortage. A recent analysis found only about 11,400 specialised cyber security professionals in all of Australia – just 3% of the nation’s ICT workforce. In government, that means very few staff with advanced cyber expertise, leaving a small cadre trying to defend an ever-growing attack surface.

New guiding principles for a whole-of-government zero trust culture emphasise that cybersecurity must be integrated into enterprise risk management (not siloed as just an IT issue) and baked into system design from the start. Implementing security by design – instead of retrofitting it later – is seen as crucial for resilience. Of course, achieving true cyber resilience will require serious, long-term investment and likely deeper partnerships with the private sector to bring in expertise.

2. AI: From “Wow” to “How”

Artificial intelligence is no longer on the horizon, it’s already reshaping how governments operate. From accelerating investigations to detecting anomalies in large-scale datasets, AI has the potential to fundamentally improve public sector productivity, service delivery, and decision-making. The challenge is no longer whether to use AI, but how to adopt it safely, confidently, and at scale.

Government agencies are already exploring AI to drive real outcomes: faster case triage, more accurate fraud detection, predictive analytics for compliance risks, and even early indicators of system misuse. These use cases reflect what the Productivity Commission recently highlighted in its Data and Digital Transformation report, AI can unlock huge public value when deployed with discipline and purpose.

But the rules need to keep pace. Unregulated adoption, such as the unauthorised use of ChatGPT in some departments, has exposed gaps in policy, capability, and risk controls. Concerns about data leakage, bias, explainability, and loss of human oversight are legitimate, and in regulated domains like immigration or welfare, they carry serious consequences.

That’s why the Australian Government is taking a structured approach. In 2024, the Digital Transformation Agency and Australian Public Service Commission released the Responsible AI in Government policy. It sets out clear requirements: all agencies must appoint accountable AI officers, publish transparency statements, and apply guardrails to high-risk AI systems. These controls are designed not to slow innovation, but to enable it by giving agencies a common, trusted foundation for safe AI experimentation and scaling.

The DTA has also developed a new technical standard to support responsible implementation. It covers data quality, bias mitigation, auditability, and system security, key elements that turn ethical aspirations into operational capability. It recognises that trustworthy AI requires more than compliance, it requires confidence.

And that confidence is growing. The APS is actively building AI literacy among not just data scientists, but also executives, investigators, and service designers. Pilots like the federal government’s rollout of Microsoft Copilot across 7,600+ staff are giving agencies hands-on experience, helping teams understand both the potential and the pitfalls. Agencies are also establishing AI sandboxes, governance councils, and cross-functional working groups to assess AI risks early and openly.

Importantly, oversight doesn’t mean inaction. Done well, AI governance is a launchpad, not a handbrake. With clear frameworks in place, governments are better positioned to keep pace with private sector innovation, without compromising public trust. As the DTA’s CEO recently put it: “We need to shift from a posture of caution to one of confident capability.”

The path forward is now clearer: rigorous but enabling rules, embedded expertise, and a shared understanding of what responsible, high-impact AI looks like in practice. Agencies that lead on these fronts won’t just mitigate risk, they’ll accelerate innovation and set the benchmark for how government can deliver faster, smarter, and fairer services.

3. Data Culture is the Next Strategic Battleground

Government has no shortage of data. But if you’ve ever tried to run an investigation across five different legacy systems, or make sense of a mix of scanned PDFs and free-text reports, you know the pain of poor integration.

We’re seeing agencies push to create a true data culture. The Australian National Audit Office emphasises that agencies which “value data as an asset” – investing in its governance, quality, and security – are far better positioned to make informed decisions and achieve outcomes. This means establishing strong data governance frameworks, and importantly, leadership commitment. Chief Data Officers (CDOs) and dedicated data governance teams are at the core of this change. In practice, this often involves setting up data stewardship roles, cataloguing what data the agency holds, and enforcing standards so that, say, five different systems can actually talk to each other. The whole-of-government Data and Digital Government Strategy calls for consistent data policies and for agencies to regularly assess their data maturity. In short, it’s about moving from a world of fragmented, “owned” information to one of shared, trusted information.

Some agencies are tackling this by building shared data environments – for instance, data lakes or warehouses that pull together information from multiple sources, so investigators and analysts can query across formerly disconnected datasets. Others are leveraging AI and analytics to trawl through unstructured data (like thousands of pages of documents or case files) to flag insights. On the governance side, performance dashboards that track data-driven outcomes are becoming more common, as is a focus on measuring ROI for data initiatives. These efforts might not sound flashy, but they matter. When data flows properly across departments and even between governments, fraud and errors are much easier to detect, and decisions are more evidence-based. The Commonwealth Fraud Prevention Centre notes that “unlocking and sharing data…can be a powerful tool to prevent, detect and respond to fraud” across programs. In fact, they urge agencies to share and match data across the Australian Government and other sectors because scammers exploit gaps between siloed systems – greater data sharing can “better find and combat these fraudsters.”. 

In the end, a modern data culture – one that prizes integration, openness (with proper privacy safeguards), and analytical talent – is becoming the foundation of integrity work.

4. Risk and Compliance Need a Systemic Upgrade

With AI in the mix, cloud services everywhere, and cyber threats rising, risk is now a whole-of-enterprise issue. Yet many agencies are still trying to stitch together fragmented compliance regimes with slow procurement cycles and outdated controls. It’s common to find one team handling IT security risk, another separately handling financial fraud risk, and yet another doing compliance checklists – all without enough coordination. This not only creates blind spots, but also slows response times when issues arise. In 2023–24, over 40% of significant audit findings in Australian government entities were IT control weaknesses, such as poor user access management, indicating that basic controls are being overlooked in siloed compliance efforts. Clearly, the status quo isn’t working.

The leaders in this space are shifting to Integrated Risk Management (IRM). That means having one coherent view of risk across the enterprise – or at least a unified strategy that connects the dots between IT risk, financial risk, operational risks, and compliance obligations. Rather than treating risks as isolated cylinders, forward-looking agencies are creating central risk committees and using enterprise risk management systems to track risks in real time.

Technology is starting to play a big role in this modern approach. Agencies are deploying automation and analytics to monitor transactions and user activities for anomalies, rather than waiting for an audit months later. For example, the Australian Taxation Office has used AI algorithms to analyse data and assess non-compliance risks in near-real time, helping it flag potential fraud or errors for early intervention. Similarly, some internal audit units are exploring AI tools that learn patterns of normal behaviour and raise red flags when something deviates (e.g. an official accessing records they shouldn’t, or an unusual spike in payments within a program). By leveraging these tools, agencies can spot suspicious activity before it snowballs into a major integrity issue. Another pillar of the new approach is “secure by design” and “compliance by design” – building systems and processes with security and compliance controls woven in from the beginning. The Australian Government’s zero-trust guidance explicitly says cybersecurity should be embedded at project planning stages and tied to budget considerations, “so that security measures are considered in modernisation projects” and not bolted on later. Embracing secure-by-design means things like default encryption, automated audit logs, least-privilege access, and user-friendly verification steps are baked into new systems, greatly reducing risk exposure from day one.

The payoff for modernising risk and compliance is big: fewer nasty surprises, more efficient use of resources (since controls can be streamlined once you eliminate overlap), and greater trust from stakeholders that the agency has its act together. In the public sector, where the stakes involve public money and public safety, that kind of resilience is invaluable.

5. Trust Isn’t Soft – It’s Strategic

Last but absolutely not least: Trust. At the end of the day, trust is the currency of digital government. It’s what makes people feel safe sharing their data, believe the outcomes of investigations, and stick with public institutions through change. Far from being a “soft” issue, trust is now viewed as a strategic asset to be actively managed. In 2025, building digital trust and confidence in government services remains a critical focus. Why? After numerous high-profile data breaches and failures, citizens increasingly demand transparency, data security, and accountability from government agencies. In response, public sector organisations are “prioritising digital trust” by adopting more responsible data practices and stringent security measures. The federal government’s recent $1.8 billion cyber investment, for example, isn’t just about technology – it’s about reassuring the public that their online interactions with government are secure.

Trust gets built – or broken – in how agencies communicate and engage, especially when things go wrong. The best agencies are bringing in strategic communications experts early in the process of investigations or reforms, not as after-the-fact PR. This means when a fraud incident or a cyber breach happens, the response includes timely, transparent communication to the public and stakeholders. We’ve seen examples where swift, candid communication contained the damage of an incident, whereas silence or spin only deepened public distrust. In fact, the OECD’s trust research indicates that reliability, openness, and fairness in public services directly bolster trust in institutions.

Crucially, trust isn’t just about citizen relations – it’s also about collaboration within and across governments. Complex fraud or integrity cases rarely sit neatly in one department’s silo. They often sprawl across multiple agencies, jurisdictions, or even sectors. We now see multi-agency taskforces targeting things like transnational crime, fraud rings, or corruption, combining their powers and data. The idea is that a united front is faster and more effective. A prominent trend in Australia for 2025 is increased cross-department and cross-jurisdiction collaboration, precisely because many problems can’t be solved in isolation. For example, the states and Commonwealth have formed joint data-sharing agreements on issues from firearm licensing to child protection – recognising that if each holds a piece of the puzzle, they must trust each other enough to put it together. This extends to partnering with the private sector and NGOs as well; when appropriate, bringing in external expertise or data (say, from banks in the case of financial fraud, or telecommunications companies in the case of cyber threats) can dramatically increase the speed and scale of response. A recent analysis noted that by “cross-boundary collaboration – between agencies, private sector, nonprofits, and communities – governments can achieve far greater mission effectiveness, even on ‘wicked’ problems”. In other words, collaboration is a force-multiplier, and it hinges on trust.

Integrity at Scale Requires Alignment

Cyber, AI, data, risk, and trust are all connected. What’s clear in 2025 is that public integrity isn’t built through any single system or team. It’s built through aligned, capable organisations that treat these issues as interconnected levers of public value.

The public sector is under pressure to do more, faster, and with greater transparency. Those who modernise not just their tools but their culture, who treat integrity as a shared responsibility rather than a compliance task, will be the ones best positioned to lead.

Join us at XLR8/25 – Sydney, 23 September, Sydney Opera House

From ethical AI to data governance, the issues shaping public trust are front and center at Nuix XLR8/25. With The Hon. Victor Dominello joining our stage, you’ll hear firsthand from one of Australia’s leading voices in digital government. Secure your place among leaders driving responsible innovation:

https://www.nuix.com/xlr8-25

Special offer for PSN members - we have a limited number of guest passes available. Please contact [email protected] for more information

Sources:

1. NSW Bureau of Crime Statistics and Research – Trends and Characteristics of Cybercrime in NSW (via PS News)psnews.com.au
2. NSW Auditor-General – Compliance with the NSW Cyber Security Policy (Audit Office report)audit.nsw.gov.au
3. NSW Auditor-General – Cyber Security Insights 2025 (via GovTech Review)govtechreview.com.au
4. CIBIS News – NSW Cyber Security Audit Highlights Growing Risks (Tony Heitmeyer quote)cibis.com.au
5. ACS Information Age – “Australia’s cyber security skills gap remains pressing” (StickmanCyber analysis)computerweekly.com
6. Government News – “Embedding a zero trust cybersecurity strategy”governmentnews.com.augovernmentnews.com.au
7. The Mandarin – “Defence staff used ChatGPT thousands of times without authorisation”themandarin.com.authemandarin.com.au
8. Information Age – “Govt agencies ramp up AI but no policies in place” (ANAO audit findings)ia.acs.org.au
9. Digital.gov.au – Policy for Responsible AI in Government (2024)digital.gov.au
10. Reuters – “Australia plans AI rules on human oversight, transparency”reuters.com
11. ANAO Insights – Governance of Data (2024)anao.gov.auanao.gov.au
12. Commonwealth Fraud Prevention Centre – Use data to counter fraud guidancecounterfraud.gov.au
13. Deloitte Gov Insights – “Crossing boundaries to transform mission effectiveness”deloitte.com
14. Capgemini – “Trends in 2025: Australian Public Sector”capgemini.comcapgemini.com
15. OECD OPSI – Global Trends in Government Innovation 2024oecd-opsi.orgoecd-opsi.org