Governing AI in the Software Delivery Pipeline
Strategic Context
Across NSW, multiple policy and risk signals are converging on the same executive reality: AI is being used in day-to-day engineering, security and delivery workflows faster than governance models can keep up. The NSW AI Assessment Framework, evolving privacy expectations around automated decision-making, and the state’s cyber priorities collectively raise the stakes on provable controls — not just intent — when AI touches code, deployment decisions, and service outcomes. For leaders accountable for citizen-facing services, the question is no longer “are we using AI?”, but whether the organisation can evidence control, auditability, and compliance across the delivery chain, without slowing delivery or fragmenting the platform further.
Key discussion points:
Define what “governed AI in the pipeline” actually means: Establish the minimum control set leaders should expect across source, build, deploy and operations when AI is involved.
Protect sovereignty and accountability (data, model, audit chain): Clarify how to maintain demonstrable oversight of data access, model behaviour, and decision trails in secure environments.
Operationalise compliance without killing delivery: Identify practical patterns that enable engineering teams to move fast and meet regulatory/cyber expectations (guardrails, not theatre).
Make platform decisions that reduce risk at scale: Explore where consolidation, standardisation, and agentic controls reduce exposure and improve assurance across teams.