The APS AI accountable officer mandate is doing what compliance deadlines tend to do. It is pulling the attention of senior APS executives toward the document that has to exist (the internal register, the named accountable officer for each AI use case) and away from the question that decides whether the document will hold. By 15 June 2026 every agency in scope must nominate accountable officers for each AI use case and maintain an internal register (DTA, 2026). The full set of requirements lands in December (DTA, 2026), alongside Privacy Act 2024 transparency obligations for automated decision-making (IAPP, 2025).
In Brief
- The June 2026 mandate requires every APS agency to nominate an accountable officer for each AI use case. The register is the easy part.
- Assigning a name satisfies the compliance requirement. Establishing accountability requires a diagnosis of the conditions the named officer actually operates under.
- Fewer than 20% of organisations have formal governance for non-human identities, which means most agencies will name officers for systems they cannot fully see.
- The diagnostic precedes the assignment: does the named person have the information, authority, and operating headroom to be accountable for what this use case does?
- Privacy Act transparency obligations take effect in December 2026, six months after the register is due. The register is built before its real test arrives.
Most agencies will produce a register on time. It will list use cases, name officers, and meet the requirement on its face. What the register cannot do, by itself, is establish accountability. The gap is where the next twelve months of board, ministerial, and audit attention will land.
The register is not accountability
Compliance is a discrete act: a name is entered against a use case, the register is published internally, and the requirement is met. Accountability is a structural condition. It exists when the named person can see what the system is doing, has the authority to change it, and has enough operating headroom to act before the consequence becomes irreversible. The two get conflated routinely, because compliance produces a visible artefact and the structural condition does not.
An agency that conflates them satisfies the mandate while remaining exposed to exactly the risks the mandate was designed to address. The exposure is not non-compliance. It is the appearance of accountability without the conditions that make it real, and that pattern is harder to detect from inside the agency than from outside it. The register itself becomes the evidence cited when the question is asked.
Three operating boundaries shape the gap between assignment and accountability
This is not a values problem or a capability problem. AI use cases tend to be assembled across three operating boundaries that the existing accountability machinery was not designed to span. One sits between the people who specify the use case and the people who maintain the underlying model. Another sits between the model and the data systems it draws on, which often live in different teams under different governance regimes. The last sits between the moment the system makes a decision and the moment a human becomes aware of it.
Each boundary is well governed in isolation. None of them is governed end-to-end. The Governance Institute of Australia reported in January 2026 that fewer than 20% of organisations have formal governance processes for non-human identities, meaning the service accounts, agent identities, and machine credentials through which AI systems actually act (Governance Institute of Australia, 2026). An officer named in the register inherits accountability for a system whose behaviour is shaped at points the agency does not have a single line of sight on. Naming the officer does not change that condition; it allocates the consequence of it.
The cost of the gap shows up at the next cycle of attention
Once the register is read as a compliance artefact rather than an accountability mechanism, the question is no longer who to name. It is what conditions need to be in place before the name carries weight. A name entered before those conditions are established does not create accountability. It creates an officer answerable for outcomes they were never positioned to influence.
The cost shows up at the next cycle of attention, not the first. The first ANAO inquiry, the first Senate Estimates question, the first incident review will not test whether the register exists. They will test whether the named officer could explain what the system was doing at the moment a particular decision was made, whether they had a mechanism to intervene before the decision propagated, and whether the agency’s records support the explanation.
Privacy Act transparency obligations take effect in December 2026 (IAPP, 2025), six months after the register is due. The register is being written before the conditions it will be measured against are fully in force.
The diagnostic that precedes the assignment
Before a name belongs in the register, three questions are worth resolving inside the agency. They are not steps and they are not a checklist. They are the diagnostic that converts a name into accountability.
The first is what the named officer can actually see. Not what the agency has theoretically documented, but what the officer, on the day they are named, can observe about the system’s behaviour, the data it draws on, and the decisions it produces. Where the answer is less than is needed to be accountable, that is the gap the assignment is sitting on top of.
The second is what the named officer can change. Authority over a use case is rarely held in a single place. The model team can change the model, the data team can change the inputs, the business owner sets the rules of engagement, and procurement controls the contract. The officer holds the accountability. The question is which of those levers they can pull without escalating, and which they cannot pull at all. The honest answer, written down, is the boundary of the role.
The third is the time the named officer has before the consequence becomes irreversible. AI systems compress the interval between a decision being made and the decision having effect. Where that interval is shorter than the time it takes the officer to be notified, review, and act, the role cannot hold. The question is not whether the system is fast. It is whether the human accountability is fast enough to meet it.
These three questions do not produce a different name. They produce a different register. One that names the conditions under which the accountability is real, the levers the officer can pull, and the gaps the agency has chosen to carry. A register that contains that information is doing the work the mandate was designed to do. A register that contains only names is doing the work the mandate appears to ask for.
The executive who runs that diagnostic before assignment is not slowing the compliance work. They are completing it. Agencies that arrive at June with a register in which every named officer can answer those three questions will arrive at the December obligations, and the audits that follow, with the answer in hand.
The question on the next agenda is not who goes in the register. It is what the agency knows about the conditions the named officer will be accountable for once they are in it.
What this means for senior leaders
- Treat the diagnostic that precedes the register as the accountability mechanism. The register records what the diagnostic produced.
- Before nominating an APS AI accountable officer, document what the officer can see, what they can change, and the time they have before the consequence is irreversible.
- Test the register against the audit question that will be asked after an incident, not the compliance question asked before June.
- Use the six months to December as the window to correct structural weaknesses without external visibility.
References
- Digital Transformation Agency. (2026, January). <a href=”https://www.dta.gov.au/articles/ai-policy-update-strengthening-responsible-use-across-government”>AI policy update: strengthening responsible use across government</a>. Australian Government.
- Governance Institute of Australia. (2026, January). <a href=”https://www.governanceinstitute.com.au/news_media/ai-governance-in-2026-from-experimentation-to-maturity/”>AI governance in 2026: from experimentation to maturity</a>.
- International Association of Privacy Professionals. (2025, November). <a href=”https://iapp.org/resources/article/global-ai-governance-australia”>Global AI governance: Australia</a>.
