Charles Benedi1
Tera Explorer

Having the correct AI Conversations

As we move through 2026, the global momentum behind Generative AI (GenAI) and the use of Large Language Models (LLMs) is building fast. However, within the Australian Federal Government, the reception of Now Assist and Agentic AI has been marked by a unique brand of "conservative curiosity." As a CMA, I have been pondering this question: "The tech is ready, so what are we missing?" I believe that the answer isn't a lack of features; it is a fundamental gap in Sovereignty, Accountability, and Data Readiness.

Data sovereignty and data security
In Government, "Cloud AI" is often synonymous with "Data Leakage." There is some fear that by enabling GenAI and LLMs, sensitive department or agency data, for example Personally Identifiable Information (PII), could be used to train a global model or be processed in a jurisdiction outside the reach of the Australian Privacy Act.

From a ServiceNow AI platform and Now LLM perspective, we need to articulate that ServiceNow’s AI architecture is "Sovereign-Ready." Unlike general-purpose LLMs, ServiceNow uses Domain-Specific Models (for ITSM, HR, CRM, etc.) that are hosted within the same secure infrastructure as the instance itself. For departments/agencies on the ServiceNow Protected Platform (SPP), this means the AI stays within the IRAP-assessed boundary. We aren't just selling "Chatbots"; we are selling a secure, private intelligence layer.

The AI Control Tower

I’ve just attended an AI Activation Workshop in Canberra in June 2026, and whilst the workshop was intended for Sales and Pre-sales partner teams, I found that it was useful to see a live demo of the AI Control Tower (AICT) from a security point of view. The session on AICT was run by a ServiceNow GRC/IRM specialist and focused on how AICT supports the governance and implementation of AI assets within an organisation, and how it supports the risk and security assessment process before any AI model (Now LLM, GPT, Gemini, Claude, etc.) is implemented.


Federal government context

ServiceNow has already positioned the ServiceNow Protected Platform (SPP) for Australian government workloads, with references to IRAP alignment and in-country handling for PROTECTED-level use cases. That broader assurance story is important because AICT is only part of the picture; the underlying hosting, tenant controls, support model, and data residency arrangements also need to meet federal security and sovereignty expectations.

There is still one issue, though: on the Commercial instances, AI is still being processed offshore (i.e. Japan). Although processing is performed ‘in memory’, data is still ‘leaving Australia’ – this is what the security team of one of my clients responded. I envisage that ServiceNow will look at building infrastructure onshore for AI processing, similar to the SPP platform infrastructure.

AI governance support

The government policy for responsible AI requires agencies to maintain accountable officials, internal use case registers, impact assessments, staff training, and lifecycle oversight of AI use cases. AICT aligns well with those expectations because it provides a central control point to register AI assets, manage approvals, track risks, monitor ongoing compliance, and keep evidence in one place instead of across spreadsheets and email trails. That makes it particularly useful for demonstrating continuous governance rather than one-off approval at go-live.

 

The AI Control Tower (AICT) helps agencies meet government compliance standards by acting as a central control point to register AI assets, manage approvals, track risks, and monitor ongoing compliance. By allowing agencies to keep compliance evidence in one place rather than relying on scattered spreadsheets and email trails, AICT is highly effective for demonstrating continuous governance over the entire lifecycle of an AI use case, rather than just a one-off approval at launch.

Additionally, AICT helps departments/agencies by:

  • Supporting mandatory risk and security assessments before any AI model (such as Now LLM, GPT, Gemini, or Claude) is implemented in the organisation.
  • Aligning directly with government policies for responsible AI, which require agencies to maintain internal use case registers, conduct impact assessments, designate accountable officials, and ensure lifecycle oversight.
  • Integrating as part of a broader assurance story where its governance capabilities work alongside underlying hosting, tenant controls, and data residency arrangements to meet strict federal security and sovereignty expectations, such as IRAP alignment.

 

In conclusion, while Australian Federal Government departments/agencies have understandably approached AI adoption with "conservative curiosity" due to concerns surrounding data sovereignty, data leakage, and offshore processing, the combination of ServiceNow's protected architecture and the AI Control Tower (AICT) can provide a secure path forward. By utilising Domain-Specific Models within the IRAP-assessed ServiceNow Protected Platform (SPP), I believe that ServiceNow is working to provide departments/agencies with assurance that their sensitive data remains within secure, sovereign boundaries.