In 2025, the Queensland Audit Office (QAO) published a critical review of how Queensland Government entities manage the ethical risks of artificial intelligence. The report identified significant gaps in governance, transparency, and data protection — noting that the pace of AI adoption across government was rapidly outrunning the frameworks designed to control it.

Simultaneously, the Queensland Government Enterprise Architecture (QGEA) mandated a strict new Artificial intelligence governance policy, requiring agencies to implement robust controls over AI usage across their entire technology estate.

"Without appropriate ethical risk management frameworks in place, government entities are exposed to significant risks, including privacy breaches, biased decision-making, and the erosion of public trust in government services."
— Queensland Audit Office, Strengthening ethical risk management of artificial intelligence systems (2025)

These are not theoretical risks. They are the direct consequences of deploying AI without adequate governance — consequences that expose Queensland citizens to harm and expose departmental leaders to regulatory and reputational damage.

The governance gap identified by the QAO must be closed immediately to comply with QGEA mandates. Songlines Control® was built specifically to close that gap. This paper maps the QAO's key findings to the specific capabilities Songlines Control provides, and explains what those capabilities mean in practice for departmental CIOs, CISOs, and digital leaders.

What the QAO Found: Structural Governance Failures

The QAO's review highlighted several interconnected structural governance failures across Queensland Government entities. These can be grouped into three primary gaps.

Gap 1: No Visibility, No Inventory

The QAO found that many government entities could not readily identify all AI systems operating within their department. A lack of a centralised AI inventory meant that senior leadership did not have clear visibility of their AI use, making it impossible to assess or manage the associated risks.

"Entities cannot effectively manage the risks of AI if they do not know where and how it is being used across their organisation."
— QAO Report

Without a complete, real-time inventory of every AI model in use — including third-party models — it is impossible to govern what you cannot see. For departmental leaders, this is not merely an operational inconvenience; it is a failure to meet the transparency requirements of the QGEA AI Governance Policy.

| QAO Concern | Songlines Control® Response | Departmental Impact |
| --- | --- | --- |
| No AI inventory or dispersed model registers | Centralised model and provider registry with real-time status, sovereignty flags, and viability classification | Compliance teams can produce a complete AI asset register for the QAO within minutes, not weeks |
| Leadership lacks visibility of AI use | Executive dashboard with request volumes, cost, and policy events by model — updated in real time | Departmental CIOs can view the status of organisational AI governance in an instant, ensuring they are meeting QGEA mandates |
| Models missing from registers | Every request automatically attributed to a registered model; unregistered models cannot route through the platform | Eliminates the risk of shadow AI — models deployed without governance oversight — which is the single most common cause of the governance gap the QAO identified |

Gap 2: Governance Lagging Deployment

The QAO noted instances where entities deployed AI systems without conducting thorough ethical risk assessments prior to implementation. This "deploy first, govern later" approach exposes government services to significant ethical and operational risks, and directly contravenes the QGEA AI Governance Policy's requirement for pre-deployment risk assessment.

The governance gap described by the QAO — where AI is deployed before governance frameworks are in place — is structurally impossible in a Songlines Control® deployment. The platform enforces a policy-first architecture: AI requests are evaluated against the department's governance policies before they are routed to any model. A request that would violate a policy is blocked, modified, or escalated for human review — it does not reach the model.

| Policy Type | What It Does | Departmental Impact |
| --- | --- | --- |
| PII Detection | Detects embedded personally identifiable information and prevents sensitive citizen data from being sent to any AI model without authorisation | Ensures compliance with the Information Privacy Act 2009 (Qld) and protects against data breaches before they occur |
| Sovereignty Policy | Ensures regulated data does not leave Australian data residency — enforced at the infrastructure layer, not the application layer | Satisfies QGEA data sovereignty requirements without relying on developer compliance or manual policy adherence |
| Approval-Required Policy | Mandates human review and sign-off for AI requests in designated high-risk use cases | Provides the "human in the loop" oversight that the QAO explicitly requires for citizen-impacting decisions |

Gap 3: Insufficient Transparency and Contestability

The QAO found that transparency — the ability for citizens to know AI was being used and to challenge its outputs — was "relatively immature" across government entities. Few entities had documented requirements about disclosure of AI use to citizens, and contestability arrangements were often absent.

"Citizens must be informed when AI is used in decision-making processes that affect them, and they must have a clear pathway to contest those decisions."
— QAO Report

Songlines Control® shifts this dynamic by making transparency and contestability mechanisms technical rather than procedural. The platform's immutable audit trail records, for every AI request: the timestamp, request ID, model used, workflow attribution, user attribution, token counts, cost, latency, status, policy decision (allowed, blocked, modified, or escalated), and IP address. Records are cryptographically signed and cannot be altered after the fact.

| QAO Concern | Songlines Control® Response | Departmental Impact |
| --- | --- | --- |
| No disclosure arrangements for AI use | Immutable audit log records every citizen-impacting AI request with cryptographic signing | Provides the documented evidence base for citizen disclosure obligations — every interaction is traceable, timestamped, and exportable |
| No contestability arrangements | Complete request-level audit trail with exportable CSV and PDF compliance reports | If a citizen contests an AI-influenced decision, the department can produce a complete, tamper-proof record of exactly what the AI did and why |
| Algorithmic bias not tested | Anomaly detection monitoring with alert history and severity classification | Ongoing monitoring for unexpected model outputs — the "monitoring process" that the QAO found absent in its review |

Procurement: Ready for Queensland Government

Songlines Control® is designed to be easily procured and deployed by Queensland Government entities. We understand that lengthy tender processes delay critical governance implementations, which is why we have ensured the platform is available through existing government procurement channels.

To see how Songlines Control® can close the AI governance gaps in your department, contact us to request a tailored architecture session with our Queensland Government team.
