Activitee for Your Industry

Every regulated sector has its own compliance blind spots, identity risks, and AI governance gaps. Activitee was built to close them — with controls mapped to your frameworks, not ours.

Activitee for ClimateTech

Renewable energy, smart grids, carbon markets, DER management, and climate-data analytics

The problem

Energy companies are deploying AI agents across grid dispatch, carbon verification, and demand forecasting — but most lack governance over how these agents access SCADA systems, sensor networks, and operational technology. A misconfigured AI model adjusting grid load or falsifying carbon credits doesn't just create compliance risk — it creates physical safety risk. AESCSF, SOCI/CIRMP, IEC 62443, and the emerging NIST SP 1800-2 all require documented controls over automated systems, but none of the existing compliance tools understand the intersection of OT identity, AI autonomy, and climate-specific regulation.

Compliance Engine

  • Pre-built AESCSF, SOCI/CIRMP, IEC 62443, and Essential Eight assessment templates with energy-specific control mapping
  • Continuous compliance scoring across NERC CIP, NIST SP 1800-2, and ISO 27019 — updated as regulations evolve
  • Evidence vault capturing every policy change, access review, and control attestation for AEMO and state regulator audits
AESCSFSOCI/CIRMPIEC 62443Essential EightNERC CIP

Privacy

  • Manage smart meter data as personal information under the Privacy Act — consent, retention, and subject access requests for household energy data
  • Track EV charging data, solar generation profiles, and demand response participation as privacy-sensitive assets
  • Automated DPIA for AI systems that process consumer energy consumption patterns
Privacy ActGDPRCDR (Energy)

Resilience

  • Recovery readiness scoring for SCADA systems, grid management platforms, and carbon registries
  • Drift detection on OT backup configurations — alert when backup schedules for critical control systems change
  • Business impact modelling for grid outage scenarios tied to recovery time objectives
SOCI CIRMPNERC CIP-009ISO 22301

TrustLens

  • DER Agent Registry — govern every AI agent dispatching solar inverters, wind turbines, and battery systems through the RARD lifecycle
  • Bounded Autonomy Policy Engine — set hard limits on what a grid-dispatch AI can do (e.g., never shed load above 50MW without human approval)
  • IoT Compliance Register with firmware attestation, calibration tracking, and data provenance chain for every sensor feeding AI decisions
  • AI-BOM (Bill of Materials) for energy AI systems — track which models, datasets, and APIs drive grid decisions
AESCSFIEC 62443NIST AI RMFISO 42001

Activitee for Critical Infrastructure

Water, transport, telecommunications, ports, and national security assets

The problem

Critical infrastructure entities under Australia's SOCI Act face mandatory Cyber Incident Reporting (within 12 hours for critical incidents), CIRMP obligations, and positive security obligations — but most operate with legacy OT environments where identity governance barely exists. Service accounts run SCADA systems with passwords that haven't changed in a decade. Vendor engineers VPN in with shared credentials. AI is being introduced for predictive maintenance and anomaly detection, but nobody has mapped which AI agents can reach which operational systems, or what happens when a model drifts. When the Home Affairs auditor asks for your CIRMP evidence, your team is scrambling through spreadsheets.

Compliance Engine

  • SOCI/CIRMP assessment with all 4 hazard categories mapped: cyber, supply chain, personnel, physical
  • Cyber Incident Reporting templates pre-aligned to CISC reporting requirements and 12/72-hour deadlines
  • Essential Eight maturity model with continuous scoring — track your journey from Maturity Level 0 to 3
  • Cross-map to ISM (Information Security Manual) for government-connected infrastructure
SOCI ActCIRMPEssential EightISMPSPF

Privacy

  • Manage public-facing data collected by critical infrastructure (e.g., passenger data in transport, customer data in telcos) under the Privacy Act and NDB scheme
  • Track data flows between OT and IT environments — know where personal data crosses network boundaries
  • Automated NDB breach assessment when AI systems processing personal data are compromised
Privacy ActNDB SchemeTelecom Act

Resilience

  • 8-dimension recovery readiness scoring for each critical system — Business Impact, Backup Compliance, Encryption, Immutability, Geo-Redundancy, RTO, RPO, Tested Restores
  • CIRMP-aligned recovery planning: model the impact of losing each critical system and validate your recovery capability
  • Continuous drift detection: alert when backup configurations for SCADA, historian, or control systems change unexpectedly
SOCI CIRMPISO 22301NIST CSF RC

TrustLens

  • Non-Human Identity Compliance Mapping — govern every service account, API key, and automated credential across OT and IT
  • Shadow AI Discovery finds unapproved AI tools being used by operations staff — ChatGPT in control rooms, Copilot on engineering laptops
  • External Identity Governance — manage every vendor, contractor, and government agency with access to your critical systems
  • Prompt Injection Defence for AI agents connected to operational systems — prevent adversarial inputs reaching SCADA-adjacent AI
SOCIEssential EightNIST AI RMFISM

Activitee for HealthTech

Hospitals, diagnostics, clinical AI, telehealth, health insurance, and pharmaceutical

The problem

Healthcare AI is moving faster than governance. AI-assisted diagnostics, clinical decision support, and automated claims processing handle Protected Health Information at scale — but most healthcare organisations can't answer basic questions: Which AI models access patient data? Who approved them? When was the last access review? What happens when a clinical AI misdiagnoses? Staff are pasting Medicare numbers into ChatGPT. Locum doctors retain EMR access months after their contracts end. Medical device firmware updates silently change the data feeding diagnostic AI. The Privacy Act's A$50M penalty, TGA's SaMD classification, and My Health Records Act obligations make this the highest-stakes AI governance challenge in any sector.

Compliance Engine

  • Pre-built HIPAA, TGA SaMD, My Health Records Act, and NSQHS Standards assessment templates
  • FDA 21 CFR Part 820 controls for AI-as-a-medical-device with continuous monitoring
  • CPS 234 mapping for health insurers regulated by APRA (Medibank, nib, BUPA)
  • Audit evidence packages auto-generated for TGA, OAIC, and state health department reviews
HIPAATGA SaMDMy Health RecordsCPS 234FDA 21 CFR 820

Privacy

  • PHI-specific DPIA templates covering clinical AI, diagnostic imaging AI, and patient-facing chatbots
  • Medicare number, IHI, and clinical data tracked as high-sensitivity assets with retention and disposal controls
  • Automated NDB assessment for healthcare breaches — calculates severity based on data types exposed and patient count
  • Patient consent management for AI-assisted diagnoses: which patients consented to AI screening?
Privacy Act APP 6My Health Records Act S59HIPAA 164.312

Resilience

  • Recovery readiness for clinical systems: EMR, PACS imaging, pathology, pharmacy — with clinical safety impact modelling
  • Track backup compliance for My Health Records obligations — ensure patient records can be restored within regulatory timeframes
  • Immutability verification for clinical audit logs — prove that diagnostic records haven't been tampered with
HIPAA BRNSQHS 1.4ISO 22301

TrustLens

  • Clinical AI Agent Registry — register every diagnostic AI, decision support tool, and claims processor with TGA classification and risk tier
  • Decision Explainability for clinical AI — generate human-readable explanations of why the AI reached a diagnosis, mapped to GDPR Article 22
  • IoT Compliance for medical devices — calibration tracking, firmware attestation, and data provenance chain from sensor to clinical report
  • AI Incident Response playbook for clinical safety events — detect, contain, recall, and report to TGA within regulatory deadlines
  • Shadow AI Discovery catches staff pasting patient data into personal AI tools — with PHI-specific detection patterns
TGA SaMDNIST AI RMFISO 42001GDPR Art 22

Activitee for Banking & Finance

Banks, insurers, wealth management, payments, and fintech

The problem

Australian financial institutions under APRA supervision face CPS 234, CPG 234, CPS 230 (operational resilience), and the incoming Financial Accountability Regime — all of which now touch AI systems. Credit assessment AI, fraud detection models, and customer-facing chatbots make decisions that affect consumers' financial lives, yet most institutions can't demonstrate to APRA how these AI systems are governed. ASIC's RG 209 requires responsible lending, but nobody has mapped which AI models influence credit decisions or whether those models have drifted since their last review. Vendor service principals have admin access to core banking with no expiry date. AML/CTF obligations require transaction monitoring, but the AI doing the monitoring has never been attested.

Compliance Engine

  • CPS 234, CPG 234, CPS 230, and DORA assessment templates with APRA-specific evidence requirements
  • AML/CTF Act compliance mapping for AI-powered transaction monitoring — prove to AUSTRAC that your AI is governed
  • SOC 2, ISO 27001, and PCI DSS continuous compliance for payment infrastructure
  • ASIC RG 209 responsible lending controls mapped to credit assessment AI
CPS 234CPS 230AML/CTFDORASOC 2PCI DSS

Privacy

  • Consumer Credit Code and Privacy Act APP 6 controls for AI-driven credit decisions — which data is used, how long it's retained, who can access it
  • CDR (Open Banking) data management — track which third-party fintech apps access customer data and under what consent
  • Automated breach notification assessment aligned to APRA reporting timelines and OAIC NDB scheme
Privacy ActCDRNDBCredit Code

Resilience

  • CPS 230 operational resilience: recovery readiness scoring for critical banking services (payments, lending, treasury)
  • Tolerance impact testing — model the business and regulatory impact of losing each critical system against defined tolerance levels
  • Continuous backup compliance verification for APRA-regulated data with immutability and encryption checks
CPS 230DORA Art 11ISO 22301

TrustLens

  • AI Supply Chain SBOM for every credit, fraud, and AML model — track model provenance, training data, and upstream changes
  • Decision Explainability for credit AI — generate CPS 234-compliant audit trails explaining why the AI approved or denied each application
  • External Identity Governance for vendor service principals with admin access to core banking — flag orphaned accounts, enforce expiry
  • Access Relationship Graph mapping every identity → permission → resource path to sensitive financial data
CPS 234NIST AI RMFISO 42001FINRA 2210

Activitee for Education

Universities, schools, EdTech platforms, and student information systems

The problem

Educational institutions face a perfect storm: students and staff are adopting AI faster than any other sector, but governance structures haven't caught up. Students use ChatGPT for assignments. Lecturers use Copilot to generate assessments. Research teams deploy custom AI models on student data. Meanwhile, most universities can't answer: Which AI tools have access to student records? Are they compliant with the Student Identifiers Act, the Children's eSafety requirements, or ESOS Act obligations for international students? Student information systems hold data on minors — and the Privacy Act's APP 6 restrictions on children's data apply differently to AI processing. When a student asks "what data do you hold on me?", most institutions can't produce a complete answer because AI systems aren't in the data map.

Compliance Engine

  • ESOS Act, Student Identifiers Act, and TEQSA standards mapped to AI governance controls
  • Essential Eight and ISM compliance for universities connected to AARNet and government research networks
  • AI-specific policy templates for academic integrity, assessment generation, and research data governance
ESOSTEQSAEssential EightISM

Privacy

  • Student data classified as Children's Data with enhanced APP 6 protections — consent, collection limitation, and data minimisation
  • DSAR handling for students requesting "what data does the university hold on me" — including AI-processed data
  • International student data governed under ESOS Act cross-border data transfer requirements
Privacy Act APP 6/8ESOSCOPPA

Resilience

  • Recovery readiness for Student Information Systems, LMS platforms, and research data stores
  • Academic record immutability — prove that examination results and academic transcripts haven't been altered
TEQSAISO 22301

TrustLens

  • Shadow AI Discovery across campus networks — find every ChatGPT, Claude, Gemini, and Copilot instance accessing student data
  • AI Agent Registry for institutional AI: plagiarism detectors, automated grading, student support chatbots, research AI
  • Compliance Firewall ensuring no AI tool can access student records without approved policies and consent
NIST AI RMFISO 42001eSafety

Activitee for Government & Defence

Federal, state, and local government agencies, defence industry, and public sector

The problem

Government agencies operate under the strictest identity and information governance requirements in any sector — ISM, PSPF, Essential Eight, and the ASD Top 4 — yet AI adoption is accelerating across citizen services, policy analysis, and intelligence. The Australian Government's Guidelines for the Responsible Use of AI (GfAA) require agencies to document AI risk assessments, but most departments lack tooling to enforce these guidelines consistently. Contractors rotate through agencies with security clearances that aren't always revoked on project completion. Legacy systems share service accounts across departments. When Parliament asks "how is your department governing AI?", most agencies produce a policy document, not operational evidence.

Compliance Engine

  • ISM (Information Security Manual) control assessment with PROTECTED and SECRET classification support
  • Essential Eight maturity model with ASD-aligned continuous scoring — automated patching, MFA, application control tracking
  • PSPF (Protective Security Policy Framework) governance, information, personnel, and physical security assessments
  • GfAA (Guidelines for AI) compliance — structured AI risk assessment framework for government agencies
ISMPSPFEssential EightGfAAASD Top 4

Privacy

  • Australian Privacy Principles (APP) compliance for citizen data processed by AI systems — consent, purpose limitation, cross-border restrictions
  • FOI-ready data inventory — when a Freedom of Information request covers AI-processed data, know exactly what exists and where
  • Automated privacy impact assessments for AI systems handling citizen data under the Privacy (Australian Government Agencies) Governance Code
Privacy ActFOI ActAPP Code

Resilience

  • PSPF-aligned recovery controls for information classified at OFFICIAL:Sensitive and above
  • Recovery testing evidence for parliamentary and audit office reviews — prove systems can be restored within defined timeframes
PSPFISMISO 22301

TrustLens

  • Government AI Agent Registry aligned to GfAA — register, assess, approve, and monitor every AI system in the agency
  • Contractor and security clearance identity governance — track every external identity from onboarding to clearance expiry to decommission
  • Decision Explainability for AI-assisted policy and citizen service decisions — required under administrative law
  • Shadow AI Discovery across government networks — find personal AI use on agency devices and networks
GfAANIST AI RMFISMISO 42001

Not sure where to start?

Book a 30-minute walkthrough. We'll walk through your specific challenges, identify your highest-risk AI agents, and show you exactly how Activitee closes each one.

Book a Walkthrough
1
A
Ace
Activitee Security Assistant
Hey there! 👋 I'm Ace, your Activitee security assistant. I can help with IAM, compliance frameworks, data privacy, and platform questions. What can I help you with?
Just now
Share info Powered by Activitee