Governance for Aotearoa

AI Governance Consulting for New Zealand Organisations

81% of New Zealanders want artificial intelligence regulation. Only 6% know what rules exist today. That 75-point awareness gap is where governance risk lives, and where we help organisations build the structures that turn ambiguity into competitive advantage.

We design governance programmes grounded in te ao Māori, aligned to the Public Service AI Framework and OECD AI Principles, and built to satisfy the FMA, RBNZ, and Office of the Privacy Commissioner before mandatory requirements arrive. Practical, not theoretical. Built for how New Zealand organisations actually operate.


Three governance gaps holding New Zealand organisations back

Aotearoa New Zealand was the last OECD country to publish a national AI strategy. That delay created a vacuum, and organisations are filling it with guesswork, borrowed overseas frameworks, or nothing at all. We see the same patterns across Auckland, Wellington, and Christchurch.

The 75% awareness gap

Most New Zealanders, and most boards, cannot name a single regulation that applies to AI. The Privacy Act 2020, Fair Trading Act 1986, and Companies Act 1993 already impose obligations on AI use. Organisations that do not realise this are already exposed. We help them understand exactly what applies and build compliance from the ground up.

Treaty of Waitangi obligations without a playbook

How does your AI system handle Māori data? Does your algorithmic decision-making respect tino rangatiratanga? Kaitiakitanga demands guardianship of data, not just compliance with it. Te Tiriti o Waitangi creates constitutional obligations that standard overseas frameworks ignore entirely. Māori data sovereignty is not a nice-to-have. It is a requirement for responsible governance in Aotearoa.

Voluntary does not mean optional

New Zealand's light-touch regulatory approach means governance is technically voluntary. But the FMA expects financial services firms to manage AI risk under existing obligations. The Privacy Commissioner enforces the 13 Information Privacy Principles. The RBNZ expects operational resilience that includes technology risk. And 25% of NZ leaders say governance is the "missing link" in their AI strategy. When regulation hardens, and the National AI Strategy signals it will, organisations with governance already in place will be ready. Those without it will be scrambling.

  • 76% of NZ leaders are prioritising AI agents in their organisations
  • 15%+ potential GDP contribution from generative AI by 2038
  • 25% of NZ leaders say governance is the "missing link" in their AI strategy
  • 42%+ CAGR growth in global AI governance services market

A governance programme built for how New Zealand actually works

We do not import governance templates from other jurisdictions and swap the regulator names. Our team builds every programme from the ground up: your regulatory context, your Treaty of Waitangi obligations, your organisational culture, your risk appetite. The result is a governance programme that drives real outcomes, not just compliance.

AI Governance Framework Development Process
1. Map the landscape

We audit every AI system, algorithm, and automated decision in your organisation. We identify who built it, who approved it, what data it touches, and whether it affects Māori communities or data. This is not a questionnaire. It is a forensic inventory that gives your board its first complete picture of AI exposure across the business.

2. Embed cultural governance

We integrate Māori data sovereignty principles and Treaty of Waitangi obligations into the governance structure from the start, not as a bolt-on appendix. This includes data classification aligned to iwi expectations, tikanga-informed impact assessments, and kaitiakitanga-based stewardship models for data that relates to tangata whenua. Māori data governance is woven through every policy and process we deliver.

3. Design the operating model

We build clear accountability structures: who owns AI risk, who signs off on new deployments, who monitors ongoing performance, and who reports to governance committees. We align these to the Public Service AI Framework for government agencies and to FMA and RBNZ expectations for financial services organisations, tailored to your sector and scale.

4. Write the policies that matter

We draft the policies your organisation needs, not the ones a generic template vendor sells. Every policy maps to specific NZ legal obligations: the 13 Information Privacy Principles under the Privacy Act 2020, Fair Trading Act 1986 requirements for AI-generated content, Companies Act 1993 director duties around emerging technology risk, and the Algorithm Charter principles for government agencies pursuing algorithmic accountability.

5. Activate and sustain

A framework that nobody uses is worse than no framework at all. We train your teams, run tabletop exercises, establish reporting rhythms, and build internal capability so governance becomes part of how your organisation operates, not a document that lives in SharePoint. We measure success by whether governance enables your teams, not whether it slows them down.

What your organisation walks away with

Every deliverable is written for New Zealand. Not adapted from an overseas template. Not a theoretical document. Practical governance your teams will use on Monday morning.

NZ-Specific Governance Framework

  • Governance committee structure with terms of reference for responsible AI oversight
  • Accountability matrix mapping AI ownership across the organisation
  • Treaty of Waitangi compliance mapping for all AI systems
  • Board-level AI risk reporting templates and dashboards aligned to NZ business practices

Policy Suite Aligned to NZ Law

  • Responsible AI Use Policy mapped to the 13 Privacy Principles under the Privacy Act 2020
  • AI Risk Classification and Triage Policy for structured risk management
  • Māori Data Governance and Sovereignty Policy reflecting Te Tiriti o Waitangi obligations
  • AI Vendor and Third-Party Due Diligence Policy for managing supply chain risk

Regulatory Readiness Package

  • Privacy Act 2020 compliance assessment for all AI systems
  • Public Service AI Framework alignment report for government agencies and suppliers
  • FMA and RBNZ expectations mapping for financial services organisations
  • OECD AI Principles alignment and gap analysis against New Zealand's National AI Strategy

Activation and Capability Building

  • 12-month phased implementation roadmap with clear milestones
  • Governance team training programme and workshop materials for staff at all levels
  • Tabletop exercise scenarios for AI incident response aligned to Privacy Commissioner breach notification requirements
  • Governance maturity scorecard with quarterly benchmarks for continuous improvement

Designed for organisations navigating New Zealand's unique AI landscape

Every sector in Aotearoa faces different AI governance pressures. We tailor our approach to match your specific compliance requirements, industry context, and objectives.

Government agencies and public service

Central and local government bodies, from Te Whatu Ora to Auckland Council and Wellington City Council, implementing the Public Service AI Framework and managing AI procurement under Cabinet expectations. We help agencies operationalise the Algorithm Charter and build algorithmic accountability into decision-making.

Financial services under FMA and RBNZ oversight

Banks like ANZ NZ, BNZ, ASB, Westpac NZ, and Kiwibank deploying AI for credit decisions, fraud detection, and customer service, where the Financial Markets Authority and Reserve Bank of New Zealand expect governance proportionate to risk. We build compliance aligned to CoFI Act obligations and operational resilience requirements.

Organisations handling Māori data

Any organisation, public or private, that collects, processes, or makes decisions using data relating to Māori communities, iwi, hapū, or whānau. Treaty of Waitangi obligations demand Māori data governance that goes beyond standard privacy compliance. We ensure your AI practices respect data sovereignty and kaitiakitanga principles.

Healthcare organisations under HIPC

Hospitals, DHBs, Te Whatu Ora, and health tech organisations deploying AI for diagnostics, clinical decisions, or patient management. Waitemata Healthcare found international frameworks inappropriate for the NZ context. We deliver governance built for the Health Information Privacy Code 2020 and Code of Health and Disability Services Consumers' Rights.

Businesses preparing for mandatory regulation

Forward-thinking New Zealand organisations that recognise voluntary frameworks are a stepping stone, not a destination. Build governance now and avoid the scramble when rules harden. Proactive governance is a competitive advantage that supports sustainable growth.


Why New Zealand needs its own AI governance approach

Importing an Australian or European framework and swapping the regulator names does not work. Aotearoa New Zealand has distinct regulatory, cultural, and constitutional requirements that demand a purpose-built approach.

Light-touch regulation requires self-governance

Unlike jurisdictions with prescriptive AI rules, New Zealand relies on voluntary frameworks and existing legislation. That means organisations bear the full responsibility for defining what "reasonable" AI governance looks like. We give organisations the structure and confidence to lead in this environment.

Te Tiriti is a constitutional obligation

The Treaty of Waitangi creates requirements around partnership, participation, and protection that no other jurisdiction shares. AI systems affecting Māori communities need governance that addresses Māori data sovereignty, cultural safety, and equitable outcomes, not just privacy compliance. We embed these obligations into every framework we build.

OECD Principles need local interpretation

New Zealand's National AI Strategy is built on the OECD AI Principles, but translating those high-level principles into operational governance for a Christchurch manufacturer or a Wellington government agency requires deep knowledge of local context. We bridge the gap between international standards and NZ-specific implementation.

Questions New Zealand organisations ask us

NZ has no mandatory AI laws. Why invest in governance now?

Because existing laws already apply. The Privacy Act 2020 regulates how AI systems collect and use personal information. The Fair Trading Act 1986 prohibits misleading conduct, including by AI. The Companies Act 1993 requires directors to act with reasonable care, which increasingly includes oversight of AI risk. The National AI Strategy signals that regulation will tighten. Organisations that build governance now will be ready. Those that wait will be scrambling when compliance becomes mandatory.

How do you integrate Treaty of Waitangi obligations into an AI governance framework?

We start with the principle of kaitiakitanga (guardianship). We classify data that relates to Māori communities, iwi, hapū, or whānau and build specific governance controls around it: who can access it, how AI systems can use it, what consultation is required before automated decisions affect tangata whenua, and how Māori data sovereignty principles are enforced through your technology stack. This is not a section in an appendix. It is woven through every policy and process.

Our agency needs to implement the Public Service AI Framework. Where do we start?

The Public Service AI Framework (February 2025) sets expectations for how government agencies procure, deploy, and govern artificial intelligence. We map your current AI systems against the Framework's requirements, identify gaps in algorithmic accountability, and build an implementation plan that satisfies Cabinet expectations. For most agencies, the starting point is an AI inventory, because you cannot govern what you cannot see. We also help operationalise the Algorithm Charter principles across your decision-making systems.

What does the FMA expect from financial services firms using artificial intelligence?

The Financial Markets Authority has not published prescriptive AI rules, but it expects licensed entities to manage material risks, and AI is increasingly material. Under the CoFI Act 2022, fair conduct obligations extend to how you use AI in customer-facing decisions. The RBNZ expects operational resilience that includes technology risk management. We build controls that map directly to these expectations so you can demonstrate due diligence when regulators ask.

Can we use this framework to align with international standards like ISO 42001?

Yes. We design governance programmes that satisfy New Zealand requirements while maintaining alignment with ISO/IEC 42001, OECD AI Principles, and the NIST AI Risk Management Framework. If your organisation operates across borders or wants international certification, the governance programme we build serves as the foundation. Callaghan Innovation supports ISO 42001 adoption in New Zealand, and our programmes are structured to be certification-ready from day one.

How long does this take and what does the engagement look like?

A typical governance programme runs 10-14 weeks across five phases: landscape mapping, cultural governance design, operating model development, policy drafting, and activation. Government agencies often run phased engagements aligned to procurement cycles and budget approvals. We tailor the timeline to your organisation's pace and capacity. The result is a governance capability your teams actually use, not just a compliance document.

Start Your AI Governance Consulting Engagement

The organisations that build AI governance now, before mandatory rules arrive, will move faster, face less disruption, and earn more trust. Start with a conversation about where your organisation stands today and what comes next.
