In force
1 Jul 2025
APRA CPS 230
Operational risk management for AI systems at APRA-regulated entities.
AI governance for regulated industries in Australia and New Zealand.
We advise banks, insurers, superannuation trustees, government agencies, and Crown entities on governance frameworks built for the specific regulators and Treaty obligations that apply on each side of the Tasman.
Built for
Boards and risk committees 路 Chief risk officers 路 Chief information officers 路 General counsel 路 Public-sector AI leads
We work against: APRA CPS 230 / ASIC REP 798 / Privacy Act 1988 / Privacy Act 2020 / Te Tiriti o Waitangi / Public Service AI Framework / ISO/IEC 42001 / EU AI Act
Three practice tracks across the AI governance lifecycle.
Engagements typically run six to twelve weeks with a defined evidence pack at close. Each track is tied to documented artefacts a regulator, auditor, or general counsel can read end to end.
- 01
Governance and strategy.
Frameworks, policies, and operating models that hold up under board, regulator, or audit scrutiny. AI strategy, AI policy, risk framework development, board-level oversight, and model governance.
- 02
Assessment and assurance.
Independent evaluation of AI systems and the governance wrapping them. AI audit, impact assessment, ISO 42001 certification, third-party AI risk, and the free AI risk calculator.
- 03
Compliance and advisory.
Ongoing alignment with Australian and New Zealand regulators. Privacy Act readiness, Treaty-aligned data practice, Public Service AI Framework, board education, and standing advisory support.
The dates governance plans have to anchor to.
Australian and New Zealand milestones, plus the international frameworks that affect both markets.
In force
Dec 2020
NZ Privacy Act 2020
The 13 Information Privacy Principles apply to AI processing personal information.
Upcoming
Aug 2026
EU AI Act
Full enforcement for AU and NZ organisations placing AI in the European market.
Upcoming
10 Dec 2026
Privacy Act ADM
Australian automated decision-making transparency requirements take effect.
Pick the region that fits your work.
The Australian and New Zealand practices share methodology and tooling, but the underlying regulators, statutes, and Treaty obligations differ. Each region has its own service catalogue.
AU
Australia practice
APRA, ASIC, OAIC, EU AI Act, ISO 42001, Voluntary AI Safety Standard.
Sydney 路 Melbourne
NZ
New Zealand practice
Privacy Act 2020, Te Tiriti, M膩ori data sovereignty, Public Service AI Framework, FMA / RBNZ.
Auckland 路 Wellington
FREE
AI risk calculator
Classify any AI system against EU AI Act, AU and NZ frameworks, ISO 42001, and NIST AI RMF in three minutes.
No login
Start with the AI Risk Calculator. Then talk to us.
The calculator gives you a baseline view of your AI risk exposure against EU AI Act, ISO 42001, AU, and NZ lenses in under five minutes. From there we can map your inventory against APRA, ASIC, the Privacy Acts, and Treaty obligations, and outline the work needed to close any gaps.