AI governance built for Australia and New Zealand, not retrofitted from US or UK templates.

PolyGovern is a specialist advisory firm. We work with banks, insurers, superannuation trustees, government agencies, and Crown entities on governance frameworks that hold up against the specific regulators and Treaty obligations that apply on both sides of the Tasman.

Run the free AI risk calculator

We work with

Boards and risk committees · Chief risk officers · Chief information officers · General counsel · Public-sector AI leads

We work against: APRA CPS 230 / ASIC REP 798 / Privacy Act 1988 / Privacy Act 2020 / Te Tiriti o Waitangi / Public Service AI Framework / ISO/IEC 42001 / EU AI Act

What working with us looks like.

Talk to us

Regional specificity

APRA, ASIC, OAIC, FMA, RBNZ, and the Office of the Privacy Commissioner read as named regulators in every deliverable, not as a generic compliance footnote.

Treaty-aware practice

Te Tiriti obligations and Māori data sovereignty are embedded from the start of every NZ engagement, not bolted on as a cultural review at the end.

Documented artefacts

Engagements close with the policy documents, registers, oversight charters, and evidence packs a regulator or internal auditor can read end to end.

Cross-Tasman fluency

For organisations operating in both jurisdictions, a single framework that satisfies APRA in Sydney and the Privacy Commissioner in Wellington without duplication.

Three things we believe about AI governance in ANZ.

Australia is moving toward prescriptive regulation. New Zealand is principles-led and Treaty-bound. The shared problem is that organisations are running AI in production faster than their governance can catch up.

01

ANZ frameworks need ANZ specificity.

Australia has prescriptive prudential regulators (APRA, ASIC) and a Privacy Act amendment landing in December 2026. New Zealand operates through the Privacy Act 2020, the Public Service AI Framework, and Te Tiriti obligations. One global template does not satisfy both. Our frameworks are written against the regulators and statutes that actually apply.
02

Te Tiriti is a constitutional obligation, not an add-on.

For Crown entities, organisations receiving public funding, and any deployer handling Māori data, Te Tiriti o Waitangi creates obligations that most international AI frameworks ignore. We embed Māori data sovereignty, kaitiakitanga, and tikanga from the design stage. That work is led with Māori data experts, not retrofitted as a cultural review at the end.
03

Documented evidence beats stated intent.

A regulator does not award credit for AI policies that exist only in slide decks. Engagements close with a documented AI inventory, a risk register tied to named accountable owners, controls mapped to the relevant standards, and an evidence pack a prudential reviewer, internal auditor, or external assessor can work through end to end.

Two markets, one team.

We operate on both sides of the Tasman, with offices in Sydney, Melbourne, Auckland, and Wellington. Each market is led by people who know its regulators, sectors, and cultural context.

Australia

Sydney, Melbourne

APRA CPS 230 and CPS 234 alignment for AI systems, ASIC responsible-AI expectations, OAIC and Privacy Act ADM readiness, model governance, third-party AI risk, and board-level AI oversight for ADIs, insurers, superannuation trustees, and public-sector deployers.

Explore Australia practice

New Zealand

Auckland, Wellington

Privacy Act 2020 compliance for AI systems, Te Tiriti and Māori data sovereignty integration, Public Service AI Framework implementation for government agencies, and FMA / RBNZ expectations for financial services AI.

Explore New Zealand practice

How we approach Te Tiriti o Waitangi in AI governance.

The Treaty of Waitangi creates constitutional obligations that apply to AI in Aotearoa. For Crown entities, public-sector deployers, and organisations handling Māori data, those obligations are not optional.

Māori data sovereignty

Where AI systems process Māori data, questions of mana over information, kaitiakitanga, and whakapapa apply. We integrate Māori data governance principles into every NZ framework we design, including consultation processes with Māori stakeholders, cultural impact assessment methodologies, and bias-detection protocols for indigenous populations.

Te ao Māori in AI ethics

Western ethical principles do not cover the full set of expectations that apply in Aotearoa. Whanaungatanga, manaakitanga, and tikanga inform how AI systems should be designed, deployed, and decommissioned. We embed these perspectives in collaboration with Māori data experts, not as a downstream review.

Cultural safety

AI systems used in healthcare, social services, or government must be culturally safe for Māori and Pacific communities. Generic fairness metrics do not deliver that. Cultural safety requires context-appropriate methodologies, harm assessments that look at specific populations, and mitigation strategies that survive a Treaty audit.

Partnership model

Partnership, not consultation as an afterthought. That means involving Māori data experts from the scoping stage, respecting tikanga throughout the engagement, and ensuring Treaty obligations are integrated from the start. Government agencies and organisations handling Māori data need this approach to meet their obligations under Te Tiriti.

Māori data governance practice

Want to talk to us about your governance work?

A thirty-minute conversation about how we build governance frameworks tailored to your regulatory environment, whether that is APRA / ASIC in Australia, Privacy Act and Treaty obligations in New Zealand, or both.

Or run the free risk calculator