Approach
Most AI adoption does not fail on the model. It fails on the gap between the people building the tool and the people who have to answer for it. Our method exists to close that gap with evidence.
Defensible means that when someone with the power to ask says "show me", you can state your position plainly and produce the evidence behind it. A policy nobody follows is not defensible. A tool everybody uses but nobody documented is not defensible either. The gap is rarely the technology; it is the records.
The instrument
Our defensibility assessment puts fifteen controls under five questions. A control is met only when the evidence exists and could be produced on request.
Name what the tool is for, and what it is not for. An unbounded use cannot be governed, and a named person must be accountable for it.
Trace the data path. Collection limited to the purpose (APP 3), every disclosure lawful and known (APP 6), security and retention settled (APP 11). If the path runs through a vendor, the controls live in the contract.
A plausible wrong answer is the risk that matters. Failure modes described, no autonomous clinical decisions, and an incident pathway that exists before it is needed.
Judgement stays with the clinician. The tool informs; it does not decide. Review before care, staff trained on the limits, overrides logged.
A written position, an accountable signature, and a review date. This is the question that converts good intentions into a defensible position.
The output
Defensible
All fifteen controls met, with evidence. The use may proceed, with a review date set.
Conditional
The non-negotiable controls are met. Every gap is converted into a condition with a named owner and a date. A condition without an owner is not a condition; it is a gap wearing a label.
Not yet defensible
A non-negotiable control is unmet, or too many gaps remain. Saying so is the first defensible thing an organisation does; the gaps are usually fixable in weeks.
Frameworks
Every recommendation links a framework control to the underlying Australian obligation, so the governance work stands up to real scrutiny, not just a standard.
The law. The Privacy Act 1988 (Cth) and the Australian Privacy Principles, and the Notifiable Data Breaches scheme. Health information is sensitive information; the obligations follow the data.
The professions and sectors. AHPRA professional obligations, the NDIS Practice Standards, and aged-care obligations. Clinical accountability is not delegable to a tool.
The governance references. The National AI Centre's Guidance for AI Adoption (which evolves the Voluntary AI Safety Standard), ISO/IEC 42001, and the NIST AI Risk Management Framework. These are frameworks, not certificates: where formal certification is the goal, an accredited body grants it, and our role is to make you ready for it.
AI-augmented delivery
Nitivra delivers with AI assistance. That is how a principal-led practice produces evidence-heavy work in weeks rather than months, and it is governed by the same discipline we bring to clients.