When old rules meet new use(r)s

By Alex Roberts, Director Enablement - AI Delivery and Enablement Division

Have you ever come across a confusing process or rule and thought – who have they written this for, because it certainly doesn’t seem to be me? In this piece I’ll explore how generative AI is bringing a much wider audience into contact with rules and processes that were never really written with them in mind — and what that means for Enablement as part of AIDE. 

Democratisation changes the audience for our rules 

Generative AI has suddenly put previously advanced IT capabilities in the hands of hundreds of millions. Regardless of whether you have an IT background or not, you can now use everyday language to realise IT outcomes that until recently were only achievable by skilled programmers. Whether it’s vibe coding(Opens in a new tab/window) (a software development practice assisted by artificial intelligence), or otherwise leveraging powerful models to do tasks previously limited to experienced and knowledgeable people, a whole bunch of people are now doing big things. 

And that means there’s whole sets of rules that were once aimed at a relatively small, specialist audience and are now hitting a much broader group. 

For instance, before GenAI, most public servants did not have to think too hard about Personally Identifiable Information (PII). With GenAI tools, such as Copilot, suddenly a lot of public servants need to be conscious of the risk of exposing PII than they were before. 

At a more general level, IT builds were limited and controlled because the skills needed and the associated costs of doing them meant that there were only a small number undertaken at a time. No agency could afford to do every IT project, and the interdependencies between different products meant there had to be careful prioritisation and deliberate thought about which to proceed with. That meant the people interested in the rules for IT production were also relatively limited. But now that many more people are suddenly able to develop IT builds with the aid of LLMs, those rules apply to a far wider audience, who may be far less familiar with how to navigate them. The need for those rules may not have changed but their relevance and scope has.

And when you have an audience who has to follow rules but is not deeply familiar with the underlying logic or the subject matter… Well, that means you either need to have really clearly written rules, really good support in the form of people/ tools that can help, or get the new people up to speed on the rules and the associated knowledge/thinking that underpins them. In many cases it might also mean revisiting those rules to see if the new context requires rethinking how things will work. All of those things are easier said than done, however. 

A new audience will have new needs and new questions 

If a policy team can now get generative AI to do advanced IT things, they’re unlikely to think about it in the way that existing IT functions do. Their needs are going to be different, and so they’re going to use it differently. A lot of innovation comes from making something available to people who previously had to rely on others, and seeing how it is applied. 

That means that a lot of the scenarios that rules are based on are unlikely to be adequate anymore. 

An illustrative example of this I think is vibe-coding. Vibe-coding offers a lot of great opportunities to explore, test and prototype. From an IT perspective it’s going to make a lot of people nervous however – there’s a lot of security unknowns and potential risks. Yet from a policy perspective, many of those issues are not necessarily material – what you want is instead to learn and to see what is possible. You might be able to use dummy data, test things with stakeholders, and just try it out. Or it might be based on public data and the risks are manageable to the context. 

Thus, you can easily have a situation where the IT rules are going to be very strict about vibe-coding solutions, whereas the actual need for it isn’t to have a secure perfect solution, but to take advantage of that speed, iteration and good-enough nature to address a previously unmet need. And so it is easy to imagine tension between these competing needs and expectations of the technology. 

Institutions respond cautiously when there’s uncertainty about rules 

But what happens when those responsible for ensuring compliance with rules are confronted by a whole bunch of new people engaging with those rules and asking difficult questions or even challenging those rules? 

A general – perhaps unfair but certainly predictive – rule of thumb for the public service is that when there’s uncertainty about how a rule should be interpreted, the incentives are to take a cautious, even conservative, approach. Most people don’t want to get in trouble for taking a more liberal view of a rule unless they’re confident. 

So when you have a set of rules being applied to circumstances that were not envisaged when the rules were developed, being managed by people who are unlikely to be confident in the subject matter (because the technology and its implications are still new), then their answers are often going to either be ‘no’ or grudging okays tied to stringent requirements. 

This isn’t a criticism – it’s simply recognising the nature of bureaucracy: most often uncertainty will mean sticking with what is known, rather than sticking your neck out for something that is messy and may lead to questions later on about what was appropriate. 

With a new technology in flux, uncertainty is unavoidable 

When you’re doing something that hasn’t been done before in your context, uncertainty is common. And when you’re doing something that hasn’t been done before in your context, and the context keeps changing (because the technology keeps changing), then you have to prioritise learning to reduce that uncertainty. 

If we take vibe-coding again, we might for instance need to work out how it can be done safely, how to use it without unrealistically raising citizen and public servant expectations, how and when it can be integrated into secure environments (and under what conditions), and what new risks it raises or how it changes existing risks. 

That might mean having to negotiate a whole bunch of different rules (and even whether new or different rules are needed), governance and IT arrangements. 

This calls for both integrity and bravery 

All of this is asking a lot of the public service and individuals. We need to make sure that we’re keeping faith with the rules – both their intent and their application – while also questioning and testing them against the new realities introduced by a technology not anticipated by most of the current iteration of those rules. We need to balance learning with compliance. 

Often that is going to require bravery – the willingness to take some risks, to engage with uncertainty, to work with situations where the rules don’t fit perfectly and there is no straightforward answer or interpretation about how they fit. 

Agentic AI will only exacerbate this further 

Agents will require very clear rules that set out what is and is not appropriate for them. What AI agents need as an audience for rule sets which may not align perfectly with what us little ol’ humans might need. 

Agentic AI is also likely to expose a lot of implicit rules and workarounds that exist and force us to make them more explicit. In many cases, human systems work because people fill in gaps with judgement, precedents and informal understanding. Agentic AI will put pressure on that ambiguity, requiring us to be much clearer about intent, boundaries, escalation points and acceptable discretion. 

The shared areas of interest for agents and us when it comes to rules will likely include: 

• Being very clear about the intent 
• Being very explicit what that intent means in practice 
• Yet leaving some flexibility recognising that the technological capabilities are changing at a fast rate, that there’s ongoing learning, and so how the intent is realised may need to change quite quickly. 

Enablement is here to help rule-makers, rule keepers, and those navigating the rules through the new 

In short – generative AI is exposing a mismatch between who many of our rules were written for and who now need to navigate them. 

AIDE is here to help with exactly this. The Enablement team is set up to help learn from those breaking new ground with generative AI. We’re looking to understand where rules and processes are unclear or confusing in the context of GenAI, or where they may no longer be fit-for-purpose. We aim deal with many of these once across the whole of the public service, rather than every agency navigating the issue on their own and potentially coming up with myriad different responses. That means working with and learning from lots of different parts of the APS. 

We’ve started work on clarifying some of the expectations around key areas (e.g. privacy and records management) and are looking at how we can work with individual agencies to surface and tackle key concerns that might be hindering their adoption journeys. We’ll be sharing more soon as we work through how to support agencies make sense of their compliance needs while also integrating this powerful new technology. 

If/when your agency encounters uncertainty about the intersection of rules and GenAI (including agentic AI), we’re keen to hear from you. We’re also keen to hear from those navigating the rules who have examples of how they may no longer fit. We want to make it easier for everyone – both rule makers and rule takers – to operate in this world of AI.