Independent AI audit and assessment for New Zealand organisations.
New Zealand has no prescribed AI audit requirements. When something goes wrong, the only question is whether your organisation did enough. We map every gap between what your AI systems actually do and what the Privacy Act 2020, FMA guidance, RBNZ expectations, Te Tiriti o Waitangi obligations, and international standards demand.
What you walk away with.
Audit findings report
Findings with evidence, severity classification, and root cause analysis. Written for boards, audit committees, and regulatory correspondence.
Privacy Act 2020 gap analysis
A principle-by-principle assessment against each of the 13 information privacy principles, with specific remediation actions.
Te Tiriti compliance assessment
Evaluation of Māori data governance, cultural impact considerations, and alignment with kaitiakitanga and Māori data sovereignty expectations.
Prioritised action plan
A ranked list of remediation actions sorted by risk reduction impact, with ownership suggestions, effort estimates, and recommended sequencing.
Voluntary regulation, real exposure.
New Zealand's light-touch approach to AI regulation shifts the entire burden onto your organisation. Without the right controls, the exposure is unquantified, and the cost of catching up after a regulator asks is materially higher than building the framework first.
- 01 Public expectation
Expectation has outrun the law.
81% of New Zealanders want AI regulation, yet only 6% know what actually exists. The gap between public expectation and current law creates reputational and legal exposure that most organisations have not quantified.
- 02 Active monitoring
Regulators are already watching.
The FMA surveyed AI use across banking, insurance, asset management, and financial advice in 2024. 9 out of 10 financial firms are already using AI. The RBNZ expects entities to manage AI risks under existing obligations. Voluntary does not mean invisible.
- 03 Constitutional obligation
Te Tiriti obligations demand more.
AI systems that process data about Māori communities carry responsibilities rooted in kaitiakitanga and te ao Māori that international frameworks were not designed to address. Waitemata Healthcare found global AI standards inappropriate for the Aotearoa context. Te Tiriti o Waitangi compliance requires purpose-built assessment grounded in Māori data governance principles.
- 04 Principles without playbook
You set the standard.
Without AI-specific legislation, NZ organisations must apply existing laws to new technology. The Privacy Act 2020, Fair Trading Act 1986, Companies Act 1993, and CoFI Act 2022 all have implications for AI, but none spell out exactly what compliant looks like. We map your AI systems against every applicable obligation, flag what falls short, and give you a defensible compliance position when regulators come asking.
Three ways to scope the audit.
Every organisation is at a different stage of its AI journey. Pick the audit depth that matches your immediate need, then expand as priorities evolve.
Option A
Privacy Act deep dive
3-4 WEEKS
A focused review of how your AI systems handle personal information against each of the 13 information privacy principles. Covers automated decision-making transparency, cross-border data flows, and individual access rights.
- 13-principle compliance mapping
- Privacy Commissioner guidance alignment
- Mandatory breach notification readiness
Option B
Full governance audit
6-8 WEEKS · RECOMMENDED
A comprehensive examination of your entire AI governance posture: strategy, policies, risk management controls, monitoring, reporting, cultural considerations, and regulatory alignment. Scored against NZ and international benchmarks including OECD AI Principles and the Algorithm Charter.
- Complete AI inventory and risk classification
- Treaty compliance and cultural impact
- Multi-law obligation mapping
- Maturity scoring with NZ sector benchmarks
Option C
Single system review
4-6 WEEKS PER SYSTEM
A detailed examination of one specific AI system: how it was built, what data it uses, who it affects, whether its controls work, and how it performs against fairness and bias standards relevant to the NZ population.
- Model lineage and documentation audit
- Bias testing across NZ demographic groups
- Human oversight and override verification
How the audit works.
Principles-based, culturally informed, and built to produce findings that hold weight with the FMA, RBNZ, Office of the Privacy Commissioner, and your board alike.
- 01
Discovery and mapping
We catalogue every AI system in your organisation, including tools teams adopted without formal approval. Shadow AI is where most blind spots live. We map each system to the data it touches, the decisions it influences, and the people it affects.
- 02
Obligation analysis
We walk through each applicable obligation: the 13 privacy principles, Fair Trading Act consumer protection provisions, Companies Act 1993 director duties, CoFI Act fair conduct requirements, and Treaty responsibilities. For each one we assess whether your current practices satisfy it.
- 03
Cultural impact review
We assess how your AI systems interact with Māori data, communities, and cultural values grounded in te ao Māori. This includes evaluating Māori data governance practices, consent mechanisms aligned with kaitiakitanga, and whether algorithmic outputs risk disproportionate impact on tangata whenua and Pacific peoples.
- 04
Controls and evidence testing
We verify that governance controls work in practice, not just on paper: approval processes, human oversight mechanisms, monitoring dashboards, and incident escalation paths. We test whether each of them functions when it matters.
- 05
Gap scoring and prioritisation
Every finding gets a severity score based on regulatory exposure, reputational risk, and remediation complexity. We rank gaps so your team can focus resources where they will reduce the most risk fastest, turning audit findings into an actionable plan.
- 06
Reporting and defence strategy
You receive a full audit report, an executive briefing, and a prioritised remediation plan. The report is structured to serve as evidence of proactive governance if the FMA, RBNZ, or Privacy Commissioner ever requests it.
Signs you need this audit.
If any of these describe your organisation, the gaps in your AI governance are likely larger than you think.
You cannot list every AI tool your organisation uses.
Teams adopt AI tools faster than governance can keep up. If your AI inventory is incomplete or non-existent, your exposure is unknown.
Your board has asked about AI risk and you could not answer precisely.
25% of NZ leaders say governance is the missing link in their AI strategy. Directors need evidence-based answers, not reassurances.
You operate in a sector the FMA or RBNZ supervises.
With 9 out of 10 NZ financial firms already using AI, regulators are building their understanding of industry practice. An audit positions you ahead of that curve.
Your AI systems process data about Māori or Pacific communities.
Te Tiriti o Waitangi obligations and Māori data governance principles create responsibilities that standard frameworks do not address. A culturally informed audit grounded in kaitiakitanga closes that gap.
You are scaling AI usage and want to do it responsibly.
76% of NZ leaders are prioritising AI agents. Scaling without a governance baseline is how organisations end up in reactive crisis mode instead of proactive management.
You deliver public services or government contracts.
The Public Service AI Framework sets clear expectations for government AI use. If you serve the public sector, alignment with this framework is becoming a baseline requirement.
Common questions about AI audits in NZ.
What triggers the need for an AI audit in New Zealand?
There is no mandatory artificial intelligence audit requirement in NZ law. The triggers are practical, not regulatory: your organisation is deploying AI at scale, a board or audit committee wants assurance, you are entering a sector supervised by the FMA or RBNZ, you handle Māori or community data subject to Māori data governance principles, or you want a defensible compliance position before regulation catches up. With Gen AI projected to contribute 15%+ to NZ GDP by 2038, the organisations that build governance now will be the ones trusted to lead.
How do Te Tiriti o Waitangi obligations factor into an AI audit?
Te Tiriti creates obligations around partnership, participation, and protection that directly affect how AI systems should handle Māori data and serve Māori communities. Our audit assesses whether your AI practices align with data sovereignty expectations, whether algorithmic outputs risk disproportionate impact, and whether governance structures include appropriate cultural oversight. This is not a box-ticking exercise. It reflects principles of kaitiakitanga that are fundamental to responsible AI in Aotearoa.
What does the FMA expect from organisations using AI?
The FMA's 2024 research covered AI use across asset management, banking, financial advice, and insurance. While the FMA has not issued prescriptive AI rules, it expects firms to manage AI risks under their existing licence obligations, including fair conduct, customer outcomes, and operational resilience. The RBNZ holds the same expectation. Our audit maps your practices against what these regulators look for during supervisory reviews.
We already have a privacy programme. Is that enough?
A privacy programme covers personal information handling, but AI introduces risks that privacy frameworks alone do not address: algorithmic bias, explainability of automated decisions, model drift, shadow AI adoption, and cultural impact. An AI audit assesses the full governance picture, with Privacy Act 2020 compliance as one critical component of a broader review.
Can we use the audit results if a regulator contacts us?
Yes, and that is one of the primary reasons organisations commission an audit. Our reports are structured to demonstrate proactive governance effort. If the FMA, RBNZ, or Office of the Privacy Commissioner requests evidence of your AI governance posture, the audit findings, gap analysis, and remediation plan serve as documented proof that your organisation took responsible steps.
After the audit.
An audit tells you where the gaps are. These services close them.
Book your AI audit and assessment.
Get an independent, NZ-specific AI audit that covers Privacy Act 2020 compliance, Te Tiriti o Waitangi obligations, FMA and RBNZ expectations, and international best practice. Know exactly where your organisation stands and what to fix first.