For some agencies, there may be a temptation to take the foot off the pedal until the next framework lands. But this should not be interpreted as a reduction in expectations. If anything, the signals coming from the NAA point in the opposite direction.

As we enter a transition period, this is not the time for agencies to slow governance activity. Understanding what information exists across the enterprise, where it sits, and whether current governance processes are fit for purpose is becoming more important, not less.

Because regardless of what replaces the Check-up, agencies will still need to demonstrate visibility, oversight and confidence in how information is managed across the organisation.

That’s why Castlepoint Systems has released a complimentary Information Management Check-up Survey to help agencies assess current capability, identify governance gaps, and maintain momentum while the NAA finalises its next strategic direction.

Download Castlepoint's free Check-up Survey and Whitepaper.

‍The conversation is shifting from compliance to enablement

For a long time, information management maturity has largely been framed through a compliance lens: retention, disposal, policy alignment, audit readiness. The Building Trust in the Public Record Strategy, originally due to end in 2025 but now extended to 2028, focuses on digital transformation, data protection, and information reuse.  

Those things still matter, but they are no longer the whole conversation. The NAA has launched its new Strategy 2025–2030: Evolving National Archives. This Strategy will push NAA to elevate information management more to the leadership level across government, and work to position information governance as a strategic enabler, which can provide value in the face of limited resources and capability.

Central and pivotal to this is Artificial Intelligence. The extended Building Trust policy states that: coordinated approaches to information management and emerging technologies, that prioritise ethical considerations through explainable systems, human oversight and data integrity, are foundational to this.  

The Policy and Strategy are all about trust and reliability. They recognise that there is scepticism in the community about the reliability of government records, and transparency of access. And that more can and must be done to safeguard records about First Nations people, and make them better available for redress actions.  

So why was Check-up paused?

There’s no (public) statement on this, but the update to the Building Trust policy notes that:  

The [policy] commenced in 2021. During that time, annual information management surveys, conducted by National Archives, have identified incremental progress in agency implementation across most of the mandatory and recommended actions attached to the policy. The policy is now extended to 31 December 2028. This enables agencies more time to fully implement policy actions and gives National Archives the opportunity to provide support to agencies at risk of not implementing the policy.

Essentially, progress has been very slow, many agencies have not achieved the targets, and likely can’t achieve them soon. Many agencies have achieved significant gains – our Castlepoint clients feature in the top cohort of respondents. But there is a wide gap between agencies who have achieved the mandatory and recommended targets and those who haven’t, and progress has almost stalled.  

The uplift in maturity across agencies only increased by half a percentage point from 2022 to 2023:

And another half a point in 2024:

Despite reducing the targets for agencies to achieve the mandatory action 14 in the Building Trust Policy from 25% to 20%, agencies still only reached 18% in 2024-2025. This means most agencies are never transferring records to the NAA, which has huge implications for future generations. The measure to achieve the Recommended actions was dropped from the 2025 performance statements: fewer than 5% of agencies had achieved them.

A pivot at this juncture makes sense. There is a ‘two-speed economy’ of compliance across government, with some very high performers, and many left behind. 98% of agencies complete the survey, so we can be confident the gap is real.  

Will NAA abandon the stragglers?

It’s not likely. The areas that agencies consistently underperform in are:

• describing information assets (metadata) (maturity score 3.41)
• use, reuse and interoperability (maturity score 3.33)
• appraising and disposing (maturity score 3.30).

None of these things stop being important under law, and they are still essential through the lens of the new NAA Strategy for its own transformation. We can’t preserve the past if we can’t appraise and sentence; we can’t understand the present if we can’t describe our data or make it interoperable; and we can’t inspire the future if we can’t use and reuse the information that government creates.  

The areas agencies generally are lagging on (transfer to archives, protecting records for their lifecycle, and being able to show evidence of business decisions) are the ones that are non-negotiable under law. The Archives Act, PGPA Act, Privacy Act, and the Protective Security Policy Framework are all big ‘sticks’ that agencies need to comply with. The Australian National Audit Office certainly won’t be pausing its assurance program in 2026 – their focus for 2025-2026 is on ethical and accountable government, measured by 'compliance with both the letter and intent of requirements’ (including records management, specifically).  

What should you do next?

Agencies have a reprieve from Check-up reporting this year, but not from meeting compliance obligations. We may not see Check-up in its previous format again, and we can perhaps predict that it will be reborn as something more focused on the opportunity that is created when records are managed well. There will possibly be more of a ‘carrot’ built into the NAA governance process – but the ‘stick’ of wider government privacy and security compliance will certainly still loom large.

We can also predict that there may be more of a focus on continuous assurance and capability modelling, rather than major surveys annually, as this can have less overhead and higher effectiveness.  

So right now, agencies should be setting up their own independent self-assessment. This is explicitly what the NAA have recommended during the pause, and will also lay the foundations for a new continuous assurance system.

The areas agencies generally are lagging on (transfer to archives, protecting records for their lifecycle, and being able to show evidence of business decisions) are the ones that are non-negotiable under law. The Archives Act, PGPA Act, Privacy Act, and the Protective Security Policy Framework are all big ‘sticks’ that agencies need to comply with.  The Australian National Audit Office certainly won’t be pausing its assurance program in 2026 – with a focus for 2025-2026 on ethical and accountable government, measured by 'compliance with both the letter and intent of requirements’.  

Practical next steps

First, contact the Archives. Agencies can reach out to information.management@naa.gov.au for general and specific advice on how to maintain good practice and assurance processes in 2026.

Second, you can make use of our free tool to track your compliance with the Building Trust policy ongoing, and to benchmark your agency against all others in the last year of reporting. This tool is easy to use, and available in a simple spreadsheet so that you can socialise it and update it without needing access to the official Check-up portal.  

We have also developed a Check-up Whitepaper, explaining the obligations in more detail, and discussing areas that government have not been achieving overall. As well as these ongoing problematic gaps, we can well assume (based on the updated preface to the Building Trust Policy) that the NAA will be adding a new focus on Artificial Intelligence in the next phase of assurance.

Investing some time now to review your agency’s approach to AI for information governance – not only where you should be taking advantage of opportunities, but also considering inherent AI risks such as security, privacy, and – very importantly – explainability – will pay dividends when the assurance program reignites (and when or if the ANAO include your agency in their plans for 2027).

Download Castlepoint's free Check-up Survey and Whitepaper.

‍The role of Artificial Intelligence

Information no longer sits neatly within a single records system. It exists across collaboration platforms, cloud environments, shared drives, business applications and legacy repositories, and is often duplicated, disconnected and governed inconsistently.

That creates operational blind spots, particularly when teams are still trying to apply governance models designed for a much smaller and more contained environment. And the technology landscape is now getting more complex, not less. Agencies are rapidly increasing their use of AI, both in systems they already use that become more ‘AI enabled’ with each software update, and with the adoption of new AI-first platforms.  

As AI becomes embedded into operations and decision-making, the quality, visibility and governance of underlying information becomes significantly more important. If agencies already cannot confidently identify what information exists, where it sits, how it is classified, or whether it can be trusted, the risk profile ramps quickly and steeply.  

And at the same time, agencies are facing increasing pressure to explain how information decisions are made, especially where AI or any automation is involved.  

The bottom line

The NAA’s direction is already fairly clear, with greater emphasis to be placed on information value, reuse, discoverability, and top-down oversight. AI explainability will be expected to be baked in from the outset, not left to the last step of adoption.  

The agencies best positioned for what comes next will be the ones that already understand their information environment. The ones with visibility across the enterprise, and who are able to govern information where it lives, rather than relying on fragmented oversight or manual intervention.

Ultimately, the pause of Check-up is not a signal to slow down: it’s a signal that the model is evolving. The core obligations have not changed, the risks have not diminished, and scrutiny is only increasing as information becomes more complex, more distributed, and more critical to government outcomes. What has changed is the expectation: agencies are no longer going to be asked simply to prove compliance through an annual survey, but to demonstrate continuous visibility, control and accountability across their information environment.  

The agencies who treat this moment as an opportunity to strengthen governance, embed capability, and prepare for a more dynamic assurance model will be far better placed when the next framework lands — because in the end, the real test was never the Check-up itself, but whether you can confidently stand behind the information your organisation creates, manages, and relies on every day.

If you would like access to any of our free guides, such as the Data Minimisation Checklist or Essential Guide to Explianable AI, or to see how Castlepoint can help keep your organisation compliant, get in touch.