Trigger: AI may access citizen data or support administrative decisions.

Government AI Evidence Passport

Public-sector AI must be
accountable before access.

Evidence, access boundaries, and audit trails for policy RAG assistants, citizen chatbots, and administrative decision-support tools.

Citizen data boundaryPublic vs internal document gateAudit trail requiredNo legal approval claimed
Policy Navigator RAGPublic Data Only
Public docs onlyInternal memos excluded
Retrieval grounding> 0.78 confirmed
Audit trailAll queries logged
Citizen data in scopeNone — advisory only
RAG GroundingPrivacyHuman Oversight

Document Boundary Active

Public publications only · Internal memos: excluded

Sensitive context

Why public-sector AI faces unique accountability requirements.

Government and public-sector AI systems operate in a context of democratic accountability, public trust, and citizen data obligations. AI influencing public services — from benefits processing to citizen information to internal policy work — carries heightened scrutiny because the affected population is often the entire public.

Data categories in scope

Citizen identity and benefit data
Internal policy and legal memos
Public consultation and feedback data
Administrative decision records
Cross-department data sharing

People affected

Citizens seeking public servicesBenefits claimantsVulnerable individuals interacting with governmentStaff using internal AI toolsPublic accessing government information

Risk scenarios

What typically goes wrong.

Specific failure modes seen in this sensitive context — without structured evidence.

A policy RAG assistant is trained on internal legal memos alongside public documents.

No document boundary. Internal privileged content accessible via retrieval. Public and internal data not separated. No Retrieval Grounding Evidence.

A citizen chatbot provides benefit eligibility guidance that conflicts with legislation.

No faithfulness Signal Receipts. No human escalation gate. Citizens act on incorrect guidance. No audit trail to reconstruct the error.

An administrative triage AI prioritises casework without human oversight.

No human review gate in Passport. Automated decision-making under GDPR Art. 22 not addressed. Challenge and appeal path unclear.

A cross-departmental AI system accesses citizen data from multiple registers.

No data gateway evidence. Legal basis for cross-department sharing not structured. DPO cannot confirm lawfulness of shared access.

Scope

What needs a Passport.

Citizen-facing chatbots and information assistants
Policy and legislation RAG assistants
Administrative decision-support and triage AI
Internal document search and knowledge tools
Benefits and case management AI systems
Public-service workflow automation agents
Cross-department data sharing AI platforms

Stakeholder workflow

From trigger to access decision.

1

Trigger

AI system in scope

2

Evidence Request

Passport initiated

3

Review

DPO · CISO · Specialist

4

Decision

Access condition set

5

Monitor

Tide sweeps · Renewal

Senior Responsible Owner

A public-facing AI system is being procured or deployed.

Require Passport before go-live. Human oversight conditions and audit trail must be explicitly documented.

DPO

Citizen data or cross-department data sharing is involved.

Confirm legal basis, data sharing agreements, and GDPR Art. 22 status. Block clearance until confirmed.

Digital / Technology Lead

A policy RAG assistant is being built over internal and external documents.

Configure document boundary. Require Retrieval Grounding Evidence before deployment.

Access decisions

Context Visa conditions.

The access decisions that apply in this sensitive context — and the evidence conditions that produce them.

Public Data Only
  • RAG retrieval limited to published public documents only
  • No internal memos, legal advice, or unpublished policy in scope
  • Document boundary verified and logged
Review Needed
  • Public/internal document boundary not configured
  • Citizen data processing not confirmed as lawful
  • Audit trail not active
Human Review Required
  • AI influences individual citizen access to services or benefits
  • Human caseworker must review before decision recorded
  • GDPR Art. 22 automated decision-making conditions addressed
Blocked
  • Internal privileged documents accessible via public-facing retrieval
  • Citizen data shared cross-department without legal gateway
  • No audit trail — reconstructing decisions impossible

Measurement

Evidence families we can structure.

The measurable evidence categories relevant to this context and the evidence signals they produce.

Document & RAG Boundary

Evidence of document scope, retrieval faithfulness, and separation between public and internal content.

Audit Trail

Immutable logging of AI decisions, inputs, and outputs enabling reconstruction for accountability or appeal.

Privacy & Legal Basis

Citizen data legal basis, data sharing agreements, and cross-department transfer evidence.

Human Oversight

Evidence that AI outputs affecting individual citizens are reviewed by qualified human staff before action.

Access Control

Policy-as-code governing which roles can invoke AI systems and which document categories are in scope.

Explainability

Where AI influences triage or decisions, feature importance evidence for accountability and appeal.

PrivacyExplainabilityRAG GroundingHuman Oversight

Honest scope

What remains not assessable.

AffectLog does not overclaim. These items require external expertise, regulatory process, or long-term study.

Public law or administrative law compliance

Legal compliance with public law, judicial review exposure, and statutory duty assessment requires legal expertise — not technical evidence tooling.

Instead: Engage government legal service or external public law counsel for legal framework review.

Parliamentary or regulatory approval for AI use

Parliamentary accountability and regulatory authorisation are political and legal processes — outside scope of an evidence platform.

Instead: Follow internal governance frameworks, ministerial approvals, and relevant Cabinet Office AI guidance.

Example

Sample Passport for this context.

AI Evidence PassportCleared with Limits

Policy Navigator RAG

Internal policy and legislation assistant · Central Government

Evidence72%
Expiry31 Dec 2026
Raw data exportoff
ALP-2026-GOV-P5N3

Access conditions

Public documents only — internal memos excluded from retrieval scope
No citizen personal data in RAG context
Retrieval Grounding Evaluation: faithfulness > 0.78 confirmed
Audit trail active for all queries
Human policy owner review required before external publication
GDPR Art. 22 automated decision-making does not apply — advisory only

What we will not overclaim

AffectLog provides technical and operational evidence for public-sector AI access decisions. We do not provide legal sign-off, regulatory approval, parliamentary clearance, or public law advice. We show what evidence exists, what boundaries are configured, and what review is required.

Common questions

Questions this context raises.

We have a government cyber security framework review — that covers AI.

Cyber security frameworks address infrastructure risk. AffectLog addresses AI-specific evidence: document boundaries, RAG grounding, citizen data legal basis, human oversight gates, and audit trails — distinct from infrastructure security.

Our RAG system only uses published government documents.

Published documents is an access condition — not evidence. AffectLog structures the technical evidence that the boundary is enforced: which documents are in scope, Retrieval Grounding Evaluation scores, and that internal memos have not been ingested.

Get started

Build accountable public-sector AI
before it reaches citizen services.

Map your public-sector AI portfolio, establish document boundaries, confirm audit trails, and structure evidence for procurement and DPO review — before any citizen-facing system goes live.

AffectLog provides technical and operational evidence. Not legal advice, public law compliance, or regulatory approval.