AI policy development for a voluntary regulatory landscape.
New Zealand has no AI-specific legislation. Your internal policies are the primary governance mechanism and the standard against which regulators and courts will judge your organisation. We build policy suites that translate the Privacy Act 2020, Fair Trading Act 1986, Companies Act 1993, and Te Tiriti o Waitangi obligations into enforceable controls.
What you walk away with.
Full policy suite
Customised policy suite
Six to eight AI governance policies tailored to your sector, size, and regulatory obligations, in editable format with version control protocols.
Privacy principle mapping
A detailed matrix mapping each of the 13 information privacy principles to your specific AI systems and data flows.
Te Tiriti compliance guide
For Crown agencies and public sector organisations, a standalone guide mapping Treaty of Waitangi obligations to AI governance decisions, including consultation protocols and data kaitiakitanga implementation guidance.
Regulatory horizon scanner
A monitoring framework for tracking changes from the Privacy Commissioner, FMA, RBNZ, and the evolving National AI Strategy, with triggers for policy refresh.
Why AI policy development cannot wait for NZ legislation.
New Zealand's voluntary, principles-based approach places the burden of defining acceptable AI use on each organisation. The Algorithm Charter is opt-in. The Public Service AI Framework applies to agencies, not the private sector. Without internal policies that translate these frameworks into operational controls, there is no governance. 81% of NZ leaders are aware of AI risks, yet only 6% are confident in their governance readiness.
- 01 Voluntary landscape
The voluntary gap.
The National AI Strategy (July 2025) and Public Service AI Framework both rely on voluntary adoption rather than prescriptive regulation. Without mandated guardrails, staff use generative AI tools without knowing the boundaries. Managers approve deployments without understanding their Privacy Act 2020 obligations. Directors face personal liability under the Companies Act 1993 for failures they may not even know exist.
- 02 13 principles
Privacy Act 2020 exposure.
The Privacy Act 2020's 13 information privacy principles already apply to every AI system that processes personal information. Principle 1 constrains how data can be used for model training. Principle 6 creates rights for individuals to understand algorithmic decisions about them. Principle 8 demands reliable outputs with correction mechanisms. Principle 12 restricts offshore data flows. Without policies that map these to your AI systems, you have no documented compliance defence.
- 03 Constitutional obligation
Te Tiriti obligations unaddressed.
Crown agencies and organisations serving Māori communities face Treaty of Waitangi obligations that generic policies never address. Data kaitiakitanga, tino rangatiratanga over information, equitable algorithmic outcomes, and meaningful partnership in system design reflect the constitutional fabric of Aotearoa. The Public Service AI Framework explicitly requires Crown agencies to consider Treaty obligations in AI deployment.
Eight policies built for the NZ context.
Eight interconnected policies addressing the compliance obligations, cultural expectations, and regulatory realities facing New Zealand organisations.
01
AI Acceptable Use Policy
Whole-of-organisation boundaries
Sets clear parameters for every employee on which AI tools are sanctioned, what data must never be entered, and when human review is mandatory. Covers data classification rules aligned to the 13 information privacy principles, prohibited inputs including client data and iwi-sensitive information, and human-in-the-loop requirements for decisions affecting individuals.
02
Te Tiriti & Ethical AI Policy
Treaty-grounded principles
Operationalises OECD AI Principles and Te Tiriti o Waitangi obligations into enforceable internal standards. Addresses data kaitiakitanga and the principle that Māori communities retain rangatiratanga over their data regardless of who holds it. Covers equitable algorithmic outcomes through bias testing against NZ demographic data, whānau-centred impact assessment for AI affecting Māori communities, iwi consultation protocols, and alignment with the Public Service AI Framework's Treaty requirements.
03
AI Procurement & Vendor Policy
Offshore vendor risk for NZ
Covers cross-border data transfer assessments under Privacy Act 2020 Principle 12, vendor due diligence criteria tailored to AI-specific risks including model training on customer data and sub-processor chains, data residency requirements reflecting FMA and RBNZ obligations, and contractual protections that account for the negotiating reality of a small-market buyer dealing with global platforms.
04
AI Development & Deployment Policy
For organisations building or customising AI
Development standards covering model documentation, bias testing against NZ demographic data including outcomes for Māori and Pacific populations, deployment gates tied to risk classification consistent with the OECD AI Principles, and ongoing monitoring obligations. Aligned to the Public Service AI Framework's tiered risk approach and ISO 42001 requirements.
05
AI Data Governance Policy
13 information privacy principles mapped
Maps each of the Privacy Act 2020's 13 information privacy principles to practical AI data handling requirements. Covers training data provenance and purpose limitation (Principles 1-4), access and correction rights for algorithmic decisions (Principles 6-7), accuracy obligations (Principle 8), retention limits (Principle 9), and cross-border transfer restrictions (Principle 12). Includes Māori data governance protocols for data sets that engage Treaty of Waitangi obligations.
06
AI Incident Response Policy
Breach notification and escalation
Incident classification tailored to NZ regulatory reporting. Covers mandatory Privacy Commissioner notification under the Privacy Act 2020's breach regime, FMA and RBNZ notification procedures for financial sector failures, Treaty of Waitangi impact assessment for incidents affecting Māori communities, and post-incident improvement cycles.
07
Generative AI Usage Policy
ChatGPT, Copilot, Claude guardrails
Practical governance for the AI tools NZ employees are already using. Covers approved platforms and licence terms, prohibited inputs including client data and iwi-sensitive information, output accuracy verification to mitigate hallucination risks, intellectual property considerations under the Copyright Act, and Fair Trading Act 1986 obligations for consumer-facing AI-generated content.
08
AI Training & Capability Policy
Closing the awareness-to-action gap
Tiered training by role: foundational AI literacy for all staff covering Privacy Act 2020 basics, practitioner skills for active users including sector-specific compliance from the FMA and RBNZ, technical standards for developers aligned to OECD AI Principles and ISO 42001, and governance literacy for boards covering Companies Act 1993 director duties and Treaty of Waitangi obligations.
Implementation approach. Built for adoption.
The challenge in New Zealand is not writing policies. It is writing policies that people follow when there is no mandatory AI compliance framework to fall back on. We make governance the path of least resistance.
01
Landscape mapping
We audit your existing AI footprint, including shadow AI, and map applicable compliance obligations under the Privacy Act 2020, sector-specific regulators (FMA, RBNZ), the Fair Trading Act 1986, Companies Act 1993 director duties, and any Treaty of Waitangi requirements. We then assess your current policy posture against the OECD AI Principles and identify gaps.
02
Collaborative drafting
We work alongside your legal, privacy, IT, and HR teams to draft policies that reflect how your organisation actually operates. For Crown agencies, this includes Treaty of Waitangi-aligned language and Public Service AI Framework alignment. For regulated entities, we embed FMA and RBNZ conduct expectations.
03
Stakeholder review
Structured review cycles with governance committees, board risk subcommittees, and where appropriate, iwi or community stakeholders. We facilitate sign-off rather than leaving your team to coordinate approvals across multiple parties.
04
Adoption and embedding
We produce communication kits, manager talking points, and staff quick-reference guides in plain language. Policies are embedded into existing workflows rather than sitting in a SharePoint folder.
05
Review cycle design
We establish a structured review cadence with triggers linked to regulatory changes, Privacy Commissioner guidance updates, and shifts in the NZ AI landscape. Policies are living documents that evolve as the environment matures.
Frequently asked questions.
If there is no AI-specific law in NZ, why do we need AI policies?
Because existing laws already apply. The Privacy Act 2020 governs every AI system that processes personal information. The Fair Trading Act 1986 prohibits misleading conduct regardless of whether a human or an algorithm generates it. The Companies Act 1993 creates personal liability for directors who fail to exercise reasonable oversight. The Human Rights Act 1993 prohibits algorithmic discrimination. The absence of AI-specific law makes internal policies more important, not less.
How do you handle Te Tiriti obligations in commercial organisations?
Treaty of Waitangi obligations are most direct for Crown agencies, where the Public Service AI Framework explicitly requires Te Tiriti considerations in AI deployment. Commercial entities working with Māori communities or processing Māori data also benefit from Te Tiriti-aligned policies. We tailor the scope based on your organisation's relationship with Māori stakeholders and the nature of your AI use cases.
Our team is small. Do we really need eight separate policies?
Not necessarily. For smaller organisations with fewer AI systems, we consolidate the suite into fewer, broader documents that cover the same compliance ground. A mid-sized NZ organisation might start with three core policies (acceptable use, data governance, and incident response) and expand as maturity grows.
How do the policies address offshore AI platforms like ChatGPT and Microsoft Copilot?
Most AI tools used by NZ organisations process data in overseas jurisdictions, creating compliance obligations under the Privacy Act 2020 that generic policies do not address. Our policies cover cross-border data transfers under Principle 12, contractual protections for data processed offshore, practical controls for staff using cloud-based tools where data may leave NZ, and due diligence procedures for evaluating vendor hosting and sub-processors.
Start AI policy development before the regulator demands it.
In New Zealand's voluntary landscape, proactive policy development demonstrates governance maturity and positions your organisation ahead of whatever requirements emerge from the National AI Strategy, the Privacy Commissioner's evolving guidance, and FMA and RBNZ scrutiny.