AI Policy Development for New Zealand Organisations
New Zealand has no AI-specific legislation, which means your internal policies are the primary governance mechanism for AI use. We build policy suites grounded in the Privacy Act 2020, Te Tiriti obligations, and OECD AI Principles that define the boundaries before a regulator does it for you.
With 81% of New Zealand leaders aware of AI risks but only 6% confident in their governance readiness, the gap between intent and action is where organisational exposure lives.
Why AI Policy Development Cannot Wait for NZ Legislation
New Zealand's voluntary, principles-based approach places the burden of defining acceptable AI use squarely on each organisation. Without internal policies, there is no governance.
The Voluntary Gap
New Zealand released its National AI Strategy in July 2025 and the Public Service AI Framework in February 2025, but both rely on voluntary adoption. Without mandated guardrails, organisations that lack internal policies have no documented standards for how AI should be used, procured, or governed.
Privacy Act 2020 Exposure
The 13 Information Privacy Principles already apply to every AI system that processes personal information. Principle 1 (purpose of collection), Principle 6 (access to information), and Principle 8 (accuracy) all create obligations that most organisations have not mapped to their AI tools. The Privacy Commissioner has signalled increasing scrutiny.
Te Tiriti Obligations Unaddressed
Crown agencies and organisations serving Maori communities face Treaty of Waitangi obligations that extend to AI. Data kaitiakitanga, equitable outcomes, and meaningful partnership are not optional considerations. Yet 25% of NZ leaders identify governance as the missing link in their AI programmes, and Te Tiriti compliance is rarely addressed in generic AI policies.
"The Privacy Act does not distinguish between decisions made by humans and decisions made or assisted by automated systems. The same privacy principles apply regardless of the technology used."
- Office of the Privacy Commissioner, New Zealand
AI Policy Development Suite Built for the NZ Context
Eight interconnected policies that address the specific obligations, cultural expectations, and regulatory realities facing New Zealand organisations.
AI Acceptable Use Policy
Whole-of-organisation boundaries
Sets clear parameters for every employee on which AI tools are sanctioned, what categories of data must never be entered, and when human review is mandatory. Written for the NZ workforce where 76% of leaders are prioritising AI adoption but staff guidelines lag behind.
Te Tiriti & Ethical AI Policy
Treaty-grounded principles
Operationalises OECD AI Principles and Te Tiriti o Waitangi obligations into enforceable internal standards. Addresses data kaitiakitanga, equitable algorithmic outcomes for Maori, whanau-centred impact assessment, and the partnership principle applied to AI system design and deployment.
AI Procurement & Vendor Policy
Offshore vendor risk for NZ
New Zealand organisations rely heavily on offshore AI platforms with data processed outside NZ jurisdiction. This policy covers cross-border data transfer assessments under Privacy Act Principle 12, vendor due diligence criteria, data residency requirements, and contractual protections for a small-market buyer.
AI Development & Deployment Policy
For organisations building or customising AI
Development standards covering model documentation, bias testing against NZ demographic data, deployment gates tied to risk classification, and ongoing monitoring obligations. Aligned to the Public Service AI Framework's tiered risk approach for government agencies.
AI Data Governance Policy
13 Privacy Principles mapped
Maps each of the 13 Information Privacy Principles to practical AI data handling requirements. Covers training data provenance and consent, Maori data governance protocols, accuracy obligations for AI-generated outputs, and the specific cross-border transfer restrictions under Principle 12.
AI Incident Response Policy
Breach notification and escalation
Incident classification tailored to NZ regulatory reporting requirements, including mandatory Privacy Commissioner notification for notifiable privacy breaches involving AI. Covers FMA and RBNZ notification for financial sector AI failures, investigation procedures, and post-incident improvement cycles.
Generative AI Usage Policy
ChatGPT, Copilot, Claude guardrails
Practical guidance addressing the tools NZ employees are already using. Covers which platforms are approved and under what licence terms, prohibited inputs including client data and iwi-sensitive information, output accuracy verification, and intellectual property considerations under NZ law.
AI Training & Capability Policy
Closing the awareness-to-action gap
Structured capability programme addressing the 81%/6% awareness-confidence gap identified across NZ organisations. Tiered training by role: foundational literacy for all staff, practitioner skills for active AI users, technical standards for developers, and governance literacy for boards and leadership.
Our Implementation Approach: Built for Adoption
The challenge in New Zealand is not writing policies. It is writing policies that people follow in an environment where there is no mandatory compliance framework to fall back on. Our approach centres on making governance the path of least resistance.
NZ Regulatory and Standards Alignment
- Privacy Act 2020 - all 13 Information Privacy Principles
- Te Tiriti o Waitangi and data kaitiakitanga principles
- Public Service AI Framework (February 2025)
- Fair Trading Act and Consumer Guarantees Act
- OECD AI Principles and ISO/IEC 42001:2023
Landscape Mapping
We audit your existing AI footprint, including shadow AI usage, and map applicable obligations under the Privacy Act, sector-specific regulators, and any Te Tiriti requirements. This produces a clear picture of what your policies must address.
Collaborative Drafting
We work alongside your legal, privacy, IT, and HR teams to draft policies that reflect how your organisation actually operates. For Crown agencies, this phase includes consultation on Treaty-aligned language and Maori data governance provisions.
Stakeholder Review
Structured review cycles with governance committees, board risk subcommittees, and where appropriate, iwi or community stakeholders. We facilitate sign-off rather than leaving your team to coordinate approvals across multiple parties.
Adoption and Embedding
We produce communication kits, manager talking points, and staff quick-reference guides in plain language. Policies are embedded into existing workflows rather than sitting in a SharePoint folder. Training materials are tailored to NZ workplace culture.
Review Cycle Design
We establish a structured review cadence with triggers linked to regulatory changes, Privacy Commissioner guidance updates, and shifts in the NZ AI landscape. Policies are living documents that evolve as the environment matures.
What You Receive
A complete governance package, not a set of templates.
Customised Policy Suite
6-8 policies tailored to your sector, size, and regulatory obligations. Delivered in editable format with version control protocols so your team can maintain and update them independently.
Privacy Principle Mapping
A detailed matrix mapping each of the 13 Information Privacy Principles to your specific AI systems and data flows. This becomes your reference document for Privacy Commissioner engagement.
Staff Communication Kit
Plain-language summaries, one-page quick-reference cards, and manager briefing packs designed for NZ workplace culture. Policies are only effective when people understand them.
Te Tiriti Compliance Guide
For Crown agencies and public sector organisations: a standalone guide mapping Treaty obligations to AI governance decisions, including consultation protocols and data kaitiakitanga implementation guidance.
Governance Committee Charter
Terms of reference for an AI governance committee or risk subcommittee, including membership, meeting cadence, decision authority, and reporting lines appropriate for NZ board structures.
Regulatory Horizon Scanner
A structured monitoring framework for tracking changes from the Privacy Commissioner, FMA, RBNZ, and the evolving National AI Strategy. Includes review triggers so policies are updated when the landscape shifts.
Frequently Asked Questions
If there is no AI-specific law in NZ, why do we need AI policies?
Because existing laws already apply. The Privacy Act 2020, Fair Trading Act, Companies Act 1993 director duties, and sector regulations from FMA and RBNZ all create obligations that extend to AI systems. Without policies that map these obligations to your AI usage, you have no documented governance and no defence if something goes wrong. The absence of AI-specific law makes internal policies more important, not less.
How do you handle Te Tiriti obligations in commercial organisations?
Treaty obligations are most direct for Crown agencies and public sector organisations, but commercial entities working with Maori communities, processing Maori data, or delivering services that impact Maori also benefit from Te Tiriti-aligned policies. We tailor the scope based on your organisation's relationship with Maori stakeholders and the nature of your AI use cases.
Our team is small. Do we really need eight separate policies?
Not necessarily. For smaller organisations, we consolidate the suite into fewer, broader documents that cover the same ground without the overhead. A mid-sized NZ organisation might start with three core policies - acceptable use, data governance, and incident response - and expand as AI maturity grows. We right-size the suite to your organisation.
How do the policies address offshore AI platforms like ChatGPT and Microsoft Copilot?
Most AI tools used by NZ organisations process data in overseas jurisdictions. Our policies specifically address cross-border data transfers under Privacy Act Principle 12, contractual protections for data processed offshore, and practical controls for staff using cloud-based AI tools where data may leave NZ. This is a critical gap in most generic AI policies.
Related Services
AI Governance Consulting
End-to-end governance programme design including operating models, committee structures, and accountability frameworks for NZ organisations.
Risk Framework Development
AI risk taxonomies and assessment methodologies built for NZ's principles-based regulatory environment.
AI Audit and Assessment
Independent assessment of your current AI governance maturity against Privacy Act, Treaty, and sector-specific requirements.
Start AI Policy Development Before the Regulator Demands It
In a voluntary landscape, proactive policy development demonstrates governance maturity and positions your organisation ahead of whatever regulatory requirements emerge. Start the conversation about your policy needs.