Trustworthy AI in the federal administration: strengthening ethical standards

Public administration bears a particular responsibility with regard to the use of AI, as it has access to extensive data that it is required to safeguard. Furthermore, there is a risk that citizens could lose trust and show reluctance to accept administrative processes due to inadequate accountability, transparency and traceability in the use of AI systems. In the report „Artificial Intelligence in the Federal Administration“ („Künstliche Intelligenz in der Bundesverwaltung“) submitted today, the ACA examined, among other things, the guidelines for the use of AI in the Federal Administration, particularly in the Federal Chancellery, the Ministry of Finance, the former Ministry of Climate Action, the former Ministry of Civil Service and the BRZ Federal Computing Centre GmbH (limited liability company). In many cases, the ACA found that AI applications already in use lacked appropriate risk classifications and showed inadequate application of AI-specific standards. There was no complete overview of all AI applications in the Federal Government. The audit period principally covers the years 2021 to 2023.

As of June 2024, 35 AI applications and AI projects were in use in the four Federal Ministries audited. Due to the highly dynamic development of AI, its areas of application will be further expanded in the future.

For instance, the Federal Chancellery used AI for image processing, while the Ministry of Finance used AI primarily in the area of predictive analysis – a process that uses historical data to predict future events using mathematical models. In the former Ministry of Climate Action, AI was used in connection with the processing of the Klimabonus payments, and in 2024 the Ministry of Civil Service launched the AI project „Departmental chatbot for easier information retrieval“ („Ressort-Chatbot zur erleichterten Informationsbeschaffung“) in cooperation with the Ministry of Social Affairs.

In the corresponding descriptions of the applications provided by the Ministries, the ACA found that risk classifications, AI-specific certifications or standards, and consideration of the „Digital Administration and Ethics“ guidelines („Digitale Verwaltung und Ethik“) developed by the Ministry of Civil Service were often missing.

The ACA therefore recommends encouraging cooperation and promoting the development of a standard procedure in the the project planning and implementation of AI applications. Particular attention should be paid to AI-specific risk assessments, the establishment of AI-specific standards and certifications, the application of AI-specific development and life cycle models, and the implementation of trust-building principles.

Preparing for the timely implementation of the AI Act 

The EU AI Act was of utmost importance to Austria, partly due to the lack of national legislation on the use of AI. It entered into force in August 2024 and was effective immediately, although individual provisions will become applicable at different times.

The AI Act imposes extensive obligations on providers and operators of AI systems, which means that there is a need for action by all public institutions. The ACA recommends a timely preparation for the requirements of the AI Act, in particular with regard to AI competence, risk and quality management, documentation and transparency requirements, and exclusion of prohibited practices. In order to avoid duplication of processes and inconsistent risk assessments, the relevant measures should be closely coordinated. 

Demarcating the responsibilities clearly

In Austria, the Digitalisation Section of the Federal Chancellery is responsible for the national implementation plans specified in the AI Act. By August 2025, each Member State must designate at least one notifying authority – to review, notify and monitor conformity assessment bodies – and one market surveillance authority. The market surveillance authority’s responsibilities include monitoring high-risk AI systems and supervising the AI regulatory sandboxes to be set up by August 2026.

The organisational structures associated with the AI Act are complex. Therefore, provisions for nationwide coordination must be made already when designing the relevant administrative structures. For example, it would be important to clearly demarcate responsibilities.

The ACA also sees a risk of duplication of processes because, although many AI committees have been set up, no overall coordination at federal level has been established to date.

Strengthening the binding nature of the ethics guidelines

In 2023, the Ministry of Civil Service published the non-binding practical guide “Digital Administration and Ethics” to provide guidance on assessing ethical issues related to AI. The ACA recommends that these guidelines be updated and subsequenltly submitted to the Council of Ministers. The Council should work towards a decision requiring Federal Ministries to commit to complying with and implementing the principles of trustworthy AI.

Guidelines for employees on the use of AI were largely lacking

In addition to the use of internal AI applications, the audited agencies must regulate the use of freely accessible AI applications (such as ChatGPT, Google Gemini, DeepL) by employees in the course of their work. No mandatory regulations on the use of AI-based applications were issued for employees in the Federal Chancellery, in the Ministry for Climate Action, in the Ministry of Civil Service or in the Federal Computing Center (BRZ). Of the agencies reviewed, only the then Ministry of Climate Action advised its employees to disclose the use of AI applications.

Developing the competence of employees

Only the Ministry of Finance employed staff specially trained to handle AI-related matters. The ACA considers recruitment of employees with the necessary AI expertise to be central to future personnel planning in order to respond to the challenges in this area. It also recommends further intensifying the training and continuing education of staff working with AI and adapting it to the constantly changing requirements.