AI governance built for Aotearoa's regulators and Te Tiriti obligations.

We advise New Zealand banks, insurers, government agencies, and Crown entities on AI governance under the Privacy Act 2020, Te Tiriti o Waitangi, FMA / RBNZ expectations, and the Public Service AI Framework.

Built for

Boards & risk committees / Chief risk officers / Chief information officers / General counsel / Public-sector AI leads
We work against: Privacy Act 2020 / Te Tiriti o Waitangi / Public Service AI Framework / FMA / RBNZ guidance / ISO/IEC 42001 / EU AI Act / NIST AI RMF

What you walk away with.

Full engagement methodology

AI inventory & risk register

A documented map of every AI system in use, classified by risk tier and tied to a named accountable owner.

Mapped controls

Controls mapped against the 13 Privacy Principles, ISO 42001, and the Public Service AI Framework where applicable.

Treaty-aware practice

Governance practices that respect whakapapa, embed kaitiakitanga, and protect tangata whenua in AI outputs.

Audit-ready evidence pack

A single evidence pack a regulator, internal auditor, or external reviewer can work through end to end.

The milestones shaping Aotearoa's AI rulebook.

Domestic milestones and the international frameworks that affect New Zealand organisations.

In force

Dec 2020

Privacy Act 2020

Replaced the 1993 Act. The 13 information privacy principles apply to all AI data handling.

Active

Feb 2025

Public Service AI Framework

GenAI procurement guidance for government agencies. Traceability, risk assessment, and exit strategies.

Published

Jul 2025

National AI Strategy

New Zealand's first national AI strategy. Signals a shift from fully voluntary to guided governance.

Upcoming

Aug 2026

EU AI Act

Full enforcement. NZ companies serving EU customers must comply.

No AI-specific law. The obligations are already in place.

Aotearoa was the last OECD nation to publish a national AI strategy. Existing law still applies, and the cost of catching up after a regulator asks is materially higher than building the framework first.

  1. In force

    Principles without a playbook.

    The Privacy Act 2020 sets 13 information privacy principles. The Fair Trading Act prohibits misleading conduct. The Companies Act 1993 requires director due diligence. All of them apply to AI systems, but none comes with implementation guidance for algorithmic decision-making.

    Privacy Act compliance guide
  2. Constitutional obligation

    Te Tiriti and kaitiakitanga.

    Te Tiriti o Waitangi creates obligations around Māori data sovereignty that most AI governance frameworks ignore. Kaitiakitanga calls for guardianship, not only compliance. Crown entities, organisations receiving public funding, and any deployer working with Māori data need governance that respects whakapapa and protects against AI systems that perpetuate bias against tangata whenua.

    Māori data governance
  3. Active monitoring

    Regulators are already watching.

    The FMA, RBNZ, and Office of the Privacy Commissioner are each monitoring AI adoption in their respective remits. The Public Service AI Framework sets procurement, traceability, and exit-planning expectations for government agencies using generative AI. Wider regulation is expected to follow the National AI Strategy.

    Public Service AI Framework
  4. Aug 2026

    International frameworks reach NZ exporters.

    The EU AI Act applies to any New Zealand organisation placing AI on the European market, with full enforcement from August 2026. ISO/IEC 42001 certification is becoming the de facto international benchmark for AI management systems and is increasingly required by enterprise procurement teams.

    Regulatory compliance overview

How we deliver AI governance for Aotearoa.

Three practice tracks, each tied to documented artefacts. Structures that hold up where there is no prescriptive rulebook.

Track A

Governance & strategy

Accountability structures, AI policies, and operating models that satisfy Privacy Act principles and board-level due diligence under the Companies Act 1993.

Track B

Assessment & assurance

Independent evaluation of AI systems against the 13 Privacy Principles, cultural impact for Te Tiriti obligations, and assurance ahead of regulatory tightening.

Track C

Compliance & advisory

Privacy Act obligations, Treaty-aligned data practices, Public Service AI Framework readiness, and leadership education on evolving expectations.

Sector-specific governance work.

From Auckland's financial district to Wellington's public service and Christchurch's technology sector, every industry faces distinct governance pressures.

Start with the AI Risk Calculator. Then talk to us.

The calculator gives you a baseline view of your AI risk exposure against ISO 42001 and EU AI Act lenses in under five minutes. From there we can map your governance against the Privacy Act 2020, Te Tiriti obligations, and FMA / RBNZ expectations.
