Approach

Defensible is a standard, not a feeling.

Most AI adoption does not fail on the model. It fails on the gap between the people building the tool and the people who have to answer for it. Our method exists to close that gap with evidence.

Defensible means that when someone with the power to ask says "show me", you can state your position plainly and produce the evidence behind it. A policy nobody follows is not defensible. A tool everybody uses but nobody documented is not defensible either. The gap is rarely the technology; it is the records.

The instrument

Five questions every AI use must answer.

Our defensibility assessment puts fifteen controls under five questions. A control is met only when the evidence exists and could be produced on request.

01

Is the intended use clearly defined and bounded?

Name what the tool is for, and what it is not for. An unbounded use cannot be governed, and a named person must be accountable for it.

02

Does the data handling satisfy the Australian Privacy Principles?

Trace the data path. Collection limited to the purpose (APP 3), every disclosure lawful and known (APP 6), security and retention settled (APP 11). If the path runs through a vendor, the controls live in the contract.

03

Are the risks of model error understood and mitigated?

A plausible wrong answer is the risk that matters. Failure modes described, no autonomous clinical decisions, and an incident pathway that exists before it is needed.

04

Can a qualified person review and override every output?

Judgement stays with the clinician. The tool informs; it does not decide. Review before care, staff trained on the limits, overrides logged.

05

Is the decision recorded so it survives an audit?

A written position, an accountable signature, and a review date. This is the question that converts good intentions into a defensible position.

The output

Three positions. Computed, not chosen.

Defensible

The use meets the standard

All fifteen controls met, with evidence. The use may proceed, with a review date set.

Conditional

Proceed with named conditions

The non-negotiable controls are met. Every gap is converted into a condition with a named owner and a date. A condition without an owner is not a condition; it is a gap wearing a label.

Not yet defensible

Do not rely on it yet

A non-negotiable control is unmet, or too many gaps remain. Saying so is the first defensible thing an organisation does; the gaps are usually fixable in weeks.

Frameworks

Anchored to the instruments you already answer to.

Every recommendation links a framework control to the underlying Australian obligation, so the governance work stands up to real scrutiny, not just a standard.

The law. The Privacy Act 1988 (Cth) and the Australian Privacy Principles, and the Notifiable Data Breaches scheme. Health information is sensitive information; the obligations follow the data.

The professions and sectors. AHPRA professional obligations, the NDIS Practice Standards, and aged-care obligations. Clinical accountability is not delegable to a tool.

The governance references. The National AI Centre's Guidance for AI Adoption (which evolves the Voluntary AI Safety Standard), ISO/IEC 42001, and the NIST AI Risk Management Framework. These are frameworks, not certificates: where formal certification is the goal, an accredited body grants it, and our role is to make you ready for it.

AI-augmented delivery

We practise what we advise.

Nitivra delivers with AI assistance. That is how a principal-led practice produces evidence-heavy work in weeks rather than months, and it is governed by the same discipline we bring to clients.

  • A named accountable human signs every deliverable. The output is reasoned work, not model output with a logo.
  • No client or sensitive data leaves a privacy-safe, local environment. The founder runs his own analysis models on his own hardware.
  • AI does the legwork. The framework, the judgement, and the accountability are the founder's.

Next step

Put one tool through the five questions.