AI governance consulting for New Zealand organisations.
81% of New Zealanders want artificial intelligence regulation. Only 6% know what rules exist today. We design governance programmes grounded in te ao Māori, aligned to the Public Service AI Framework and OECD AI Principles, and built to satisfy the FMA, RBNZ, and Office of the Privacy Commissioner.
What your organisation walks away with.
NZ-specific governance framework
Committee structure, accountability matrix, and board-level AI risk reporting templates designed for how New Zealand organisations actually operate.
Policy suite aligned to NZ law
Responsible AI Use, Risk Classification, AI Vendor Due Diligence, and Māori Data Sovereignty policies mapped to the 13 information privacy principles.
Treaty-aware practice
Governance practices that respect whakapapa, embed kaitiakitanga, and protect tangata whenua in AI outputs.
Regulatory readiness pack
Privacy Act assessment, Public Service AI Framework alignment, and FMA / RBNZ mapping a regulator or auditor can work through end to end.
Three governance gaps holding New Zealand organisations back.
Aotearoa New Zealand was the last OECD country to publish a national AI strategy. That delay created a vacuum, and organisations across Auckland, Wellington, and Christchurch are filling it with guesswork, borrowed overseas frameworks, or nothing at all.
- 01 75-point gap
The awareness gap.
Most New Zealanders, and most boards, cannot name a single regulation that applies to AI. The Privacy Act 2020, Fair Trading Act 1986, and Companies Act 1993 already impose obligations on AI use. Organisations that do not realise this are already exposed.
- 02 Constitutional obligation
Treaty of Waitangi obligations without a playbook.
How does your AI system handle Māori data? Does your algorithmic decision-making respect tino rangatiratanga? Kaitiakitanga demands guardianship of data, not only compliance with it. Te Tiriti o Waitangi creates constitutional obligations that standard overseas frameworks ignore. Māori data sovereignty is a requirement for responsible governance in Aotearoa, not a nice-to-have.
- 03 Active monitoring
Voluntary does not mean optional.
The FMA expects financial services firms to manage AI risk under existing obligations. The Privacy Commissioner enforces the 13 information privacy principles. The RBNZ expects operational resilience that includes technology risk. 25% of NZ leaders say governance is the missing link in their AI strategy. When regulation hardens, and the National AI Strategy signals it will, organisations with governance already in place will be ready.
A governance programme built for how New Zealand actually works.
We do not import governance templates from other jurisdictions and swap the regulator names. Every programme is built from the ground up around your regulatory context, your Treaty of Waitangi obligations, your organisational culture, and your risk appetite.
01
Map the landscape
A forensic inventory of every AI system, algorithm, and automated decision in your organisation. Who built it, who approved it, what data it touches, and whether it affects Māori communities or data. The board's first complete picture of AI exposure.
02
Embed cultural governance
Māori data sovereignty principles and Treaty of Waitangi obligations integrated into the governance structure from the start, not as a bolt-on appendix. Data classification aligned to iwi expectations, tikanga-informed impact assessments, and kaitiakitanga-based stewardship models for data relating to tangata whenua.
03
Design the operating model
Clear accountability structures covering who owns AI risk, who signs off on new deployments, who monitors ongoing performance, and who reports to governance committees. Aligned to the Public Service AI Framework for government agencies and to FMA and RBNZ expectations for financial services.
04
Write the policies that matter
Policies drafted to NZ-specific obligations, not generic templates. Each one maps to the 13 information privacy principles under the Privacy Act 2020, Fair Trading Act 1986 requirements for AI-generated content, Companies Act 1993 director duties, and the Algorithm Charter principles for government agencies.
05
Activate and sustain
Team training, tabletop exercises, reporting rhythms, and internal capability building so governance becomes part of how your organisation operates. A framework nobody uses is worse than no framework at all.
What your organisation walks away with.
Every deliverable is written for New Zealand. Not adapted from an overseas template, not a theoretical document. Practical governance your teams will use on Monday morning.
NZ-specific governance framework
Governance committee structure with terms of reference. Accountability matrix mapping AI ownership. Treaty of Waitangi compliance mapping for all AI systems. Board-level AI risk reporting templates and dashboards aligned to NZ business practices.
Policy suite aligned to NZ law
Responsible AI Use Policy mapped to the 13 Privacy Principles. AI Risk Classification and Triage Policy. Māori Data Governance and Sovereignty Policy reflecting Te Tiriti o Waitangi obligations. AI Vendor and Third-Party Due Diligence Policy.
Regulatory readiness package
Privacy Act 2020 compliance assessment for all AI systems. Public Service AI Framework alignment report for government agencies and suppliers. FMA and RBNZ expectations mapping for financial services. OECD AI Principles alignment and gap analysis against New Zealand's National AI Strategy.
Activation and capability building
12-month phased implementation roadmap with clear milestones. Governance team training programme and workshop materials. Tabletop exercise scenarios for AI incident response aligned to Privacy Commissioner breach notification requirements. Governance maturity scorecard with quarterly benchmarks.
Designed for organisations operating in Aotearoa's unique AI landscape.
Every sector faces different AI governance pressures. We tailor our approach to match your specific compliance requirements, industry context, and objectives.
Government agencies and public service
Central and local government bodies, from Te Whatu Ora to Auckland Council and Wellington City Council, implementing the Public Service AI Framework and managing AI procurement under Cabinet expectations. We help agencies operationalise the Algorithm Charter and build algorithmic accountability into decision-making.
Financial services under FMA and RBNZ oversight
Banks like ANZ NZ, BNZ, ASB, Westpac NZ, and Kiwibank deploying AI for credit decisions, fraud detection, and customer service, where the Financial Markets Authority and Reserve Bank of New Zealand expect governance proportionate to risk. We build compliance aligned to CoFI Act obligations and operational resilience requirements.
Organisations handling Māori data
Any organisation, public or private, that collects, processes, or makes decisions using data relating to Māori communities, iwi, hapū, or whānau. Treaty of Waitangi obligations demand Māori data governance that goes beyond standard privacy compliance.
Healthcare organisations under HIPC
Hospitals, DHBs, Te Whatu Ora, and health tech organisations deploying AI for diagnostics, clinical decisions, or patient management. We deliver governance built for the Health Information Privacy Code 2020 and Code of Health and Disability Services Consumers' Rights.
Businesses preparing for mandatory regulation
Forward-thinking New Zealand organisations that recognise voluntary frameworks are a stepping stone, not a destination. Build governance now and avoid the scramble when rules harden.
Why New Zealand needs its own AI governance approach.
Importing an Australian or European framework and swapping the regulator names does not work. Aotearoa New Zealand has distinct regulatory, cultural, and constitutional requirements that demand a purpose-built approach.
Light-touch regulation requires self-governance
Unlike jurisdictions with prescriptive AI rules, New Zealand relies on voluntary frameworks and existing legislation. Organisations bear the full responsibility for defining what "reasonable" AI governance looks like. We give organisations the structure and confidence to lead in this environment.
Te Tiriti is a constitutional obligation
The Treaty of Waitangi creates requirements around partnership, participation, and protection that no other jurisdiction shares. AI systems affecting Māori communities need governance that addresses Māori data sovereignty, cultural safety, and equitable outcomes, not just privacy compliance.
OECD principles need local interpretation
New Zealand's National AI Strategy is built on the OECD AI Principles, but translating those high-level principles into operational governance for a Christchurch manufacturer or a Wellington government agency requires deep knowledge of local context.
Questions New Zealand organisations ask us.
NZ has no mandatory AI laws. Why invest in governance now?
Because existing laws already apply. The Privacy Act 2020 regulates how AI systems collect and use personal information. The Fair Trading Act 1986 prohibits misleading conduct, including by AI. The Companies Act 1993 requires directors to act with reasonable care, which increasingly includes oversight of AI risk. The National AI Strategy signals that regulation will tighten.
How do you integrate Treaty of Waitangi obligations into a governance framework?
We start with the principle of kaitiakitanga. We classify data relating to Māori communities, iwi, hapū, or whānau and build specific governance controls around it: who can access it, how AI systems can use it, what consultation is required before automated decisions affect tangata whenua, and how Māori data sovereignty principles are enforced through your technology stack.
Our agency needs to implement the Public Service AI Framework. Where do we start?
The Public Service AI Framework (February 2025) sets expectations for how government agencies procure, deploy, and govern artificial intelligence. We map your current AI systems against the Framework's requirements, identify gaps in algorithmic accountability, and build an implementation plan that satisfies Cabinet expectations. The starting point is an AI inventory: you cannot govern what you cannot see.
What does the FMA expect from financial services firms using AI?
The Financial Markets Authority has not published prescriptive AI rules, but it expects licensed entities to manage material risks, and AI is increasingly material. Under the CoFI Act 2022, fair conduct obligations extend to how you use AI in customer-facing decisions. The RBNZ expects operational resilience that includes technology risk management. We build controls that map directly to these expectations.
Can we use this framework to align with international standards like ISO 42001?
Yes. We design governance programmes that satisfy New Zealand requirements while maintaining alignment with ISO/IEC 42001, OECD AI Principles, and the NIST AI Risk Management Framework. Callaghan Innovation supports ISO 42001 adoption in New Zealand, and our programmes are structured to be certification-ready from day one.
How long does this take and what does the engagement look like?
A typical governance programme runs 10 to 14 weeks across five phases: landscape mapping, cultural governance design, operating model development, policy drafting, and activation. Government engagements run in phases aligned to procurement cycles and budget approvals.
Start with the AI Risk Calculator. Then talk to us.
The calculator gives you a baseline view of your AI risk exposure against ISO 42001 and EU AI Act lenses in under five minutes. From there we can map your governance against the Privacy Act 2020, Te Tiriti obligations, and FMA / RBNZ expectations.