AI impact assessment built for Aotearoa's legal and cultural context.

New Zealand has no mandated AI impact assessment regime. The Privacy Act 2020, the Companies Act 1993, and the Code of Health and Disability Services Consumers' Rights all create liability for AI-driven decisions. Organisations get into trouble when they mistake the absence of a specific AI law for the absence of legal exposure.

Built for

Crown entities · Te Whatu Ora providers · Boards and directors · Financial services firms · Local government
Assessed against: Privacy Act 2020 / Health Information Privacy Code 2020 / Companies Act 1993 / Te Tiriti o Waitangi / Code of Health and Disability Services Consumers' Rights / OECD AI Principles

What you receive.

Our assessment process

Cultural safety assessment

Disparate impact analysis across NZ ethnic populations, Māori and Pacific outcome testing aligned with Māori data sovereignty, and recommendations for culturally appropriate AI governance.

Te Tiriti impact review

Assessment against partnership, protection, and participation principles, Māori data governance evaluation using Te Mana Raraunga principles, and a remediation plan for identified gaps.

Legal liability report

Privacy Act 2020 and HIPC analysis per system, Companies Act 1993 director duty risk assessment, and vendor contract gap analysis for offshore AI providers.

Ongoing monitoring framework

AI performance monitoring templates, escalation paths, cultural safety review cycles aligned with Treaty obligations, and accountability assignment per system.

International frameworks were not built for Aotearoa.

Most AI risk frameworks originate from the EU, UK, or North America. They assume different population structures, different legal traditions, and different cultural obligations. Applying them directly to New Zealand creates blind spots that put organisations and communities at risk. Waitemata Healthcare discovered this when international AI frameworks proved inappropriate for their clinical context.

  1. No mandate, real liability

    The absence of specific regulation is not the absence of consequence.

    New Zealand does not mandate AI impact assessments. The Privacy Act 2020, Consumer Guarantees Act, Fair Trading Act 1986, and Companies Act 1993 all apply to AI-driven decisions. Directors cannot claim ignorance of AI harms as a defence. The FMA and RBNZ expect regulated entities to manage these risks under existing obligations.

  2. Cultural safety gap

    Imported fairness metrics distort outcomes for Māori and Pacific peoples.

    AI systems trained on international datasets produce discriminatory outcomes for Māori and Pacific populations. Healthcare triage algorithms, credit scoring models, and recruitment tools all carry this risk. Standard fairness metrics do not account for the specific equity obligations New Zealand organisations hold under Te Tiriti o Waitangi and the OECD AI Principles commitment to inclusive growth.

  3. Vendor questions

    Procurement contracts rarely answer the hard questions.

    What happens to personal data if your AI vendor is acquired or goes bankrupt? Who is accountable when a system fails? Are conflicts of interest between your AI provider and your organisation documented? Who monitors performance after deployment? The RBNZ has flagged vendor concentration risk as a concern for financial stability. Our assessments answer these questions.

  4. Off-the-shelf gaps

    What standard assessments miss in New Zealand.

    Te Tiriti obligations around AI impacts on Māori communities have no international equivalent. Cultural safety for Māori and Pacific populations requires bias testing calibrated for Aotearoa's demographic mix. Healthcare AI sits inside the Health Information Privacy Code 2020. Directors face personal exposure for AI harms under Companies Act 1993 duties. Māori data sovereignty raises kaitiakitanga obligations that have no analogue in international standards.

Methodology built for Aotearoa.

We do not adapt international templates. Our NZ methodology was built from the ground up, aligned with OECD AI Principles and Te Tiriti o Waitangi. AI operating in Aotearoa must be assessed against Aotearoa's legal landscape, population needs, and cultural obligations.

Phase 01: Scoping and context mapping (1-2 weeks)

We identify every AI system in scope, map the populations they affect, and document the legal and cultural obligations that apply. Stakeholder interviews cover leadership, operations, and where relevant, iwi or community liaison. We define which NZ-specific standards apply, from the Privacy Act 2020 through to Māori data sovereignty.

Phase 02: Technical and cultural assessment (2-6 weeks)

Parallel workstreams assess technical performance and cultural safety. Bias testing uses NZ demographic benchmarks. Privacy Act 2020 and HIPC compliance is evaluated. Te Tiriti impact is reviewed. Third-party vendor arrangements are tested for contractual and data protection gaps. For financial services, alignment with FMA conduct and RBNZ operational resilience requirements is included.

Phase 03: Findings and liability mapping (1-2 weeks)

Our specialists consolidate findings into a structured report that maps each risk to its legal basis: Privacy Act provision, Companies Act duty, Treaty principle, or consumer rights obligation. Risks are rated by severity and likelihood. Recommendations include specific remediation steps with accountability owners. Findings align with OECD AI Principles to provide internationally recognised benchmarks.

Phase 04: Governance implementation support (1-2 weeks)

We present findings to boards and leadership teams, establish ongoing monitoring frameworks, and transfer the knowledge your organisation needs to maintain AI accountability independently. This includes templates for ongoing cultural safety review and Treaty compliance monitoring.

Sector-specific impact assessment.

Different sectors face different AI risks. Every assessment is tailored to the regulatory obligations, population impacts, and operational realities of your industry.

Financial services

Banks, insurers, and KiwiSaver providers using AI for credit decisions, claims processing, or customer advice face scrutiny from both the FMA and RBNZ. We evaluate algorithmic fairness in lending and insurance pricing, compliance with the Conduct of Financial Institutions Act 2022, and vendor concentration risks identified by regulators.

Healthcare

Healthcare organisations including Te Whatu Ora face unique assessment requirements. We evaluate AI systems against the Health Information Privacy Code 2020, the Code of Health and Disability Services Consumers' Rights, and the cultural safety obligations of serving Māori and Pacific patients. Drawing on the Waitemata Healthcare governance model, we deliver context-appropriate assessment for clinical AI that international frameworks cannot provide.

Government and public sector

Crown agencies and local government bodies such as Auckland Council and Wellington City Council must align with the Public Service AI Framework and the Algorithm Charter. We assess AI systems against these frameworks alongside Te Tiriti obligations, Government Procurement Rules compliance, and the transparency commitments that the New Zealand public expects.

Technology and mid-market

SaaS companies and technology businesses in Auckland's tech hub face assessment needs driven by customer requirements, international compliance including the EU AI Act for those selling into Europe, and ISO 42001 certification pathways supported by Callaghan Innovation.

Frequently asked questions.

If there is no mandatory AI assessment in New Zealand, why should we do one?

Because the liability exists even without a specific AI law. The Privacy Act 2020 applies to AI systems that process personal information. The Companies Act 1993 creates director duties that extend to AI governance. The Code of Health and Disability Services Consumers' Rights applies to AI in healthcare. The FMA and RBNZ expect regulated entities to manage technology risks under existing obligations. Conducting an assessment proactively is significantly cheaper than responding to a Privacy Commissioner investigation or defending a director liability claim.

How is a cultural safety assessment different from standard bias testing?

Standard bias testing typically checks for disparate outcomes across broad demographic categories using international benchmarks. Cultural safety assessment goes further: it tests against NZ-specific population groups, evaluates outcomes against Te Tiriti o Waitangi principles, assesses whether Māori data sovereignty is respected, and examines whether AI decision-making accounts for the cultural context of the communities it affects. The distinction matters because an AI system can pass generic bias testing while still producing inequitable outcomes for Māori and Pacific populations in Aotearoa.

What if our AI vendor is based overseas?

This creates additional assessment considerations. The Privacy Act 2020 restricts cross-border data transfers. We evaluate vendor contracts for data protection adequacy, assess what happens to your data if the vendor is acquired or ceases operations, identify conflicts of interest, and determine whether your organisation retains meaningful control over AI systems hosted offshore. The RBNZ has specifically identified reliance on a small number of providers as a risk to financial stability.

Do directors really face personal liability for AI harms?

Under the Companies Act 1993, directors must act with reasonable care, diligence, and skill. If a board has no visibility over the AI systems operating in the organisation (no risk register, no impact assessment, no monitoring framework) and those systems cause harm, the lack of governance itself becomes the liability exposure. Our assessment establishes the governance baseline New Zealand directors need. As AI governance becomes mainstream practice, the standard of what constitutes reasonable oversight will only increase.

How long does an NZ-context assessment take?

Typically 4 to 10 weeks depending on scope. A focused assessment of a single high-risk AI system, such as a healthcare triage tool used by Te Whatu Ora, takes 4 to 6 weeks. A comprehensive assessment across an organisation's full AI portfolio, including cultural safety analysis and vendor reviews, takes 8 to 10 weeks. We scope based on your risk profile, the populations your systems serve, and which legal obligations apply.

What ongoing responsibilities remain after the assessment?

AI systems are not static. Models drift, vendor arrangements change, and populations evolve. Our assessment includes an ongoing monitoring framework that defines who is responsible for continued oversight, what triggers a reassessment, and how cultural safety is maintained over time. We build the capability for your organisation to sustain accountability without permanent reliance on external assessors.

Related services.

Impact assessment is one part of a broader governance picture. These services pick up where it ends.

Request an AI impact assessment for your organisation.

An independent assessment built for the New Zealand context gives you clarity on legal exposure, cultural safety, and governance gaps before they become complaints, investigations, or front-page stories. No-obligation initial consultation. Fixed-price engagements. NZ-context methodology.
