AI Governance for Aotearoa.
Built Before the Rules Arrive.
New Zealand has no AI-specific legislation. But the Privacy Commissioner has flagged AI as a priority concern, the FMA is watching financial sector adoption, and the National AI Strategy is now in play. The voluntary window is narrowing.
PolyGovern designs governance structures for New Zealand organisations navigating the Privacy Act 2020, Treaty of Waitangi obligations, FMA and RBNZ expectations, and international standards like ISO 42001.
July 2025: National AI Strategy
NZ released its first AI strategy, signalling a shift from fully voluntary to guided governance
Of NZ organisations use AI, but only 6% have formal governance in place
New Zealanders worried about AI in decision-making (Privacy Commissioner 2025)
Using AI without clear regulatory guidance from FMA or RBNZ (FMA 2024)
The AI Governance Gap
Aotearoa was the last OECD nation to publish an AI strategy. While Australia and the EU moved to prescriptive rules, New Zealand left it to organisations to self-govern. Most have not started.
Principles Without a Playbook
The Privacy Act 2020 has 13 information privacy principles. The Fair Trading Act prohibits misleading conduct. The Companies Act demands director due diligence. All of these apply to AI systems, but none come with implementation guidance for algorithmic decision-making. Organisations are left to interpret general-purpose law for a specific technology problem.
Privacy Act compliance guideTe Tiriti and Kaitiakitanga
The Treaty of Waitangi creates obligations around Maori data sovereignty that most AI governance frameworks ignore entirely. Kaitiakitanga demands guardianship, not just compliance.
Maori data governanceRegulators Are Watching Closely
The FMA, RBNZ, and Privacy Commissioner are all monitoring AI adoption. The Public Service AI Framework sets procurement expectations for government agencies, and wider regulation is expected to follow.
Framework implementationHow We Deliver AI Governance for New Zealand
Where there is no prescriptive rulebook, you need structures that hold up to scrutiny. We design, assess, and maintain AI governance programmes for New Zealand's unique regulatory environment.
AI Governance & Strategy
Define accountability structures, draft AI policies, and create operating models that satisfy Privacy Act principles and board-level due diligence requirements under the Companies Act 1993.
Assessment & Assurance
Audit existing AI systems against the 13 Privacy Principles, assess cultural impact for Treaty obligations, and provide independent assurance ahead of regulatory tightening.
Compliance & Advisory
Navigate Privacy Act obligations, embed Treaty-aligned data practices, prepare for the Public Service AI Framework, and train your leadership on evolving NZ requirements.
AI Governance and New Zealand's Regulatory Landscape
No single AI regulator. No prescriptive checklist. Instead, overlapping obligations across privacy, consumer protection, financial conduct, and Treaty commitments. We map them into a coherent governance programme.
Privacy Act 2020
Thirteen information privacy principles govern how AI systems collect, store, use, and disclose personal information. Applies to training data, automated profiling, and algorithmic outputs affecting individuals.
In Force — 13 PrinciplesTreaty of Waitangi
Maori data sovereignty requires governance structures that respect whakapapa, embed kaitiakitanga, and ensure AI does not perpetuate bias against tangata whenua. Not optional for Crown entities or organisations receiving public funding.
Constitutional ObligationFMA, RBNZ & Public Service Framework
The Financial Markets Authority and Reserve Bank are monitoring AI in financial services. Government agencies must follow the Public Service AI Framework for GenAI procurement, traceability, and exit planning.
Active MonitoringSector-Specific AI Governance
From Auckland's financial district to Wellington's public sector and Christchurch's growing tech ecosystem, every sector faces distinct governance pressures.
New Zealand AI Governance Timeline
Key milestones in Aotearoa's evolving approach to AI oversight and the international frameworks that affect NZ organisations.
Replaced the 1993 Act. 13 information privacy principles now apply to all AI data handling.
GenAI procurement guidance for government agencies. Requires traceability, risk assessment, and exit strategies.
New Zealand's first AI strategy. Signals a shift from fully voluntary towards guided governance standards.
Full enforcement begins. NZ companies exporting AI products or serving EU customers must comply.
AI Governance Now Costs Less Than Compliance Later
The 81%-to-6% governance gap will not last. When NZ regulation catches up, organisations with frameworks already in place will adapt in weeks. Those without will be starting from zero.