Back

AI governance in investigations: The question behind the question

Jason Chase | Chief Technology Officer | Comtrac

Jul 15, 2026

4

Min Read

There's a question I know is on a lot of your minds right now. Not "is this useful," most teams have already answered that one. The real question is: can I actually get this past our AI governance requirements? 

Fair question. And a hard one right now, because the goalposts are moving fast. 

As CTO at Comtrac, I oversee the AI systems behind our platform, so this is the question I spend most of my time answering, in one form or another, for the agencies we work with. 

The gap between confidence and comfort 

Australians are, broadly, more comfortable with government AI than most of the OECD. The 2025 OECD Trust Survey found Australia scores above the OECD average on six separate measures of confidence in government AI use, and trust in public institutions overall hit a record high of 51% in 2025, up from 38% in 2021. 

But look closer and the comfort is conditional. On the specific questions that matter to anyone running an investigations platform, the numbers are far more guarded: only 38% of Australians are confident government will protect personal information when using AI, 39% believe human oversight will be maintained, and 40% think government will be transparent about how AI is used. 

That's the gap our AI features are designed to close. Not "AI is popular so let's ship it" — "people will only accept this if oversight, privacy and transparency are demonstrably built in." 

The regulatory picture isn't static, and it isn't optional 

If your organisation is still treating AI governance as a future problem, the timeline has already moved past you. 

The National Framework for the Assurance of Artificial Intelligence in Government was agreed by all federal, state and territory governments in June 2024, giving Australia a nationally consistent, principles-based approach to AI assurance in the public sector. Each jurisdiction then operationalises it differently.  

At the Commonwealth level, the timeline has real teeth. Since 15 June 2026, every non-corporate Commonwealth entity has been required to maintain a register of in-scope AI use cases with a named accountable owner, and all 94 mandatory agencies have already published public AI transparency statements. The next wave lands in December 2026: mandatory AI Impact Assessments, staff training, oversight processes and incident reporting all come into force. If your organisation is working through its own AI Impact Assessment ahead of that deadline, you are not early. You are on schedule with the rest of the sector. 

Why certifications matter more than marketing claims 

Anyone can say "we take AI governance seriously." Fewer can point to independent, audited proof of it. That distinction matters more than it used to: Deloitte's State of Generative AI in the Enterprise research found that while 87% of executives claim their organisation has an AI governance framework, fewer than 25% have actually operationalised it end to end. Paper policies are common. Working ones are not. 

This is the gap ISO/IEC 42001 exists to close. Published in December 2023, it's the first international certifiable standard for an AI management system, covering risk management, human oversight, transparency and lifecycle accountability for AI. Because it shares the same high-level structure as ISO/IEC 27001, organisations that already hold information security certification are generally positioned to implement it faster than those starting from nothing, since much of the governance scaffolding is already in place. 

Comtrac holds ISO/IEC 27001 certification today, and we're progressing towards ISO/IEC 42001 on that same foundation. We've also self-assessed against multiple state AI assurance frameworks and put the AI layer through active security testing: prompt handling, model behaviour under adversarial conditions, and downstream output risk. 

What actually matters to the teams we work with 

Strip away the acronyms, and two things tend to decide whether an agency will trust an AI-assisted investigations tool. 

The AI is decision-support only. Every output has to be reviewed and accepted by a human before it touches a case file. This isn't a caveat. Given only 39% of Australians currently believe government will maintain human oversight of AI, it's the single most important design decision we've made. 

Your data stays yours, and stays here. Nothing entered into Comtrac is used to train underlying models. It's held in a private Azure tenancy, hosted and processed in Australia. 

The bottom line 

Every framework, deadline and certification covered above exists because trust in these systems has to be earned in public, not assumed in private. Agencies will be judged on it. Vendors will be judged on it. And the organisations that treat governance as core design, rather than paperwork bolted on after the fact, will be the ones still operating in this space in five years' time. 

That's the standard we've built Comtrac's AI features against, and it's the standard we think the rest of this sector should be held to as well.  

Book a demo today to see how Comtrac can help law enforcement and regulatory agencies with streamlining investigations and digital briefs of evidence. 

Jason Chase is an experienced technology leader with deep expertise in designing, delivering, and supporting software solutions for government and private sector organisations. He combines deep technical expertise with a strong focus on innovation, usability and helping customers achieve better investigation outcomes.