Digitising the VPS: Shared Platforms, AI and the Responsibilities of Technology Leaders

Why digital and AI sit at the heart of the Review

The Silver Review identifies outdated systems, high transactional volumes and fragmented service delivery as major drags on efficiency and user experience. Over 40 per cent of core departmental systems are approaching end-of-life, public servants waste time navigating bespoke platforms, and citizens face repetitive information requests and manual approvals.

​For CIOs and CTOs, this creates both urgency and opportunity: digital reform is positioned as a system‑wide priority that can unlock savings, improve service quality and free up capacity for higher‑value work, but only if executed with strong governance, risk management and cross‑functional alignment.

​The shared platforms roadmap

The Review proposes a staged, platform‑enabled shared services model led by the Department of Government Services (DGS), targeting repeatable processes across customer services, regulatory functions, corporate services and enabling infrastructure. This shifts the VPS away from departmental silos and towards standardised platforms for transactions, identity management and workflows.

​Technology leaders will need to assess which local systems and processes are ready for migration, where customisation creates unnecessary complexity, and how to sequence changes to avoid service disruption during transition. Governance will be critical to balance DGS‑led standardisation with portfolio‑specific needs and to clarify decision rights, funding responsibilities and accountability for performance.

​AI Centre of Excellence and core digital infrastructure

A proposed DGS‑led AI Centre of Excellence aims to drive safe AI adoption across the VPS, supported by investments in identity management, cloud, APIs, data standards and workforce identifiers. The Government has signalled broad support for these directions as part of its digital reform commitments.

​For CIOs and CTOs, this means reorienting local AI and data strategies toward central standards while maintaining agility for department‑specific use cases. Early focus areas will include data quality, interoperability and ensuring AI tools enhance rather than complicate existing digital estates, with clear ownership for models, data pipelines and monitoring.

​Implications for departmental CIOs and CTOs

Centralisation of repeatable services will reshape local IT operating models, architecture decisions and skills profiles. Departments will need to define clear boundaries between centrally mandated platforms and locally managed applications, while upskilling teams for platform integration, data governance and AI oversight.

​Governance over data and AI will become more distributed but tightly coordinated, requiring CIOs/CTOs to collaborate closely with policy, finance and risk functions. Local innovation will still be needed, but within centrally defined technical, security and ethical guardrails, and with new accountabilities to demonstrate traceability, explainability and effective controls over AI that influences citizen and workforce outcomes.

​Responsible and trustworthy AI in the VPS

Public sector AI demands strong governance covering ethics, transparency, privacy, fairness, human oversight and security. Emerging Australian and global frameworks emphasise risk‑based approaches, with high‑risk applications requiring formal impact assessments, explainability mechanisms and ongoing monitoring of model behaviour and data quality.

Technology leaders must ensure AI initiatives align with these principles from design through deployment, with clear accountability for model performance, data bias and decision impacts. In practice this means AI governance frameworks must be designed and implemented in ways that can be independently tested, monitored and assured, with documented controls, roles and processes that stand up to scrutiny from internal audit, regulators and the community. Cross‑functional governance, spanning CIOs, Chief Data Officers, risk teams and legal, will be essential.

​Using internal audit and targeted reviews to assure AI

Departments should integrate AI risk and control assessments into internal audit plans, covering model risk management, data quality and lineage, algorithmic bias, explainability and accountability structures. Targeted reviews can test whether AI governance frameworks are operating as intended and whether controls mitigate public‑sector‑specific risks such as citizen harm, unfair outcomes or regulatory non‑compliance.

​This reflects a wider shift from viewing AI as a purely technical risk to treating it as a component of the broader control environment, subject to the same expectation of assurance as other high‑impact systems. In regulated sectors, assurance over AI increasingly mirrors current practices for model risk, data quality and decision accountability, enabling executives and audit committees to demonstrate that AI is operating as intended and aligned with public value. Collaboration between technology, audit and risk functions will help identify assurance gaps early and provide confidence that AI is being deployed responsibly.

​Key risks in delivering digital reform

The Review’s ambitions create significant risks that CIOs/CTOs must actively manage, including:

• Over‑customisation of shared platforms, undermining standardisation benefits and increasing long‑term costs.
• ​Under‑estimating change management and business readiness, leading to adoption failures or shadow IT proliferation.
• ​Extracting savings before platforms mature, creating service gaps or workarounds that erode trust and efficiency.
• ​Cybersecurity gaps during platform transitions or AI deployments, as legacy and new environments co‑exist.
• ​Vendor lock‑in from rapid cloud/AI adoption without strategic procurement
• Indirect AI introduced via SaaS and other vendor solutions that may not be fully visible to internal teams. These require deliberate governance and assurance regarding clear ownership, visibility, and accountability.

​Structured risk assessments, staged benefits realisation and independent assurance will be critical to navigate these challenges and to demonstrate that digital reforms are both safe and sustainable.

​How Protiviti Australia can help

Protiviti understands that each VPS department faces unique digital estates, data challenges and reform timelines. That’s why we don’t prescribe uniform solutions but work collaboratively with technology leaders to strengthen governance, risk management and assurance.

• Our public sector specialists support CIOs/CTOs across digital transformation and AI assurance, including:
• Assessments of shared platform readiness and migration risk.
• Design and review of AI governance frameworks and risk/control libraries.
• Independent testing of digital risk management, cybersecurity controls and data governance.
• Assurance over benefits realisation for platform and AI initiatives.
• Targeted internal audit support for high‑risk digital and AI programs.
• Enabling implementations that are responsible by design and demonstrably well‑controlled in practice.

The team has extensive experience with state and federal agencies on platform consolidation, AI governance and transformation assurance. The focus is on helping technology leaders deliver reforms that are secure, ethical, interoperable and aligned with public value.

​What’s next in the series?

This blog has explored the Silver Review's digital and AI agenda for VPS technology leaders, emphasising the need for robust governance, risk management and assurance alongside innovation. The next two blogs in this series will examine how other leadership cohorts can respond:

Blog 3: Silver Review Implications for VPS Financial Decision Makers: Guardrails, Savings and Financial Stewardship explores how finance leaders can navigate strengthened fiscal settings, uplift financial governance and reporting, and provide assurance over savings delivery.

Blog 4: Assuring the Silver Review Reforms – The Critical Role of Risk Management and Assurance discusses how leaders, including Audit and Risk Committees and Chief Risk and Audit Officers can facilitate strategic assurance over workforce, entity, digital and change management reforms, and elevate internal audit as a key partner in safeguarding public value.

For blog 1 in the series, please visit Resetting the Victorian Public Service: What the Silver Review Means for VPS Leaders.