Phase 01
2-3 wks
Baseline assessment
We map your AI systems, current governance, sector regulators, Privacy Act 2020 status, and Treaty considerations. Strengths and gaps identified.
Ongoing AI governance advisory for Aotearoa's shifting rulebook.
The National AI Strategy landed in July 2025. The Public Service AI Framework arrived in February 2025. The Privacy Commissioner is interpreting the Privacy Act 2020 for algorithmic decision-making. The FMA and RBNZ are sharpening expectations for AI in regulated sectors.
We provide the ongoing advisory that keeps your compliance posture current as guidance becomes obligation, so your business can pursue innovation with confidence.
Built for
FMA / RBNZ regulated entities · Government agencies · Crown entities · Enterprise compliance teams
We track: Privacy Act 2020 / Public Service AI Framework / National AI Strategy / FMA / RBNZ / CoFI Act 2022 / Te Mana Raraunga developments / EU AI Act / ISO/IEC 42001:2023
Governing AI in a landscape still taking shape.
Unlike jurisdictions with settled regulations, organisations in Aotearoa face a moving target. The rules are being written now through Privacy Commissioner guidance, FMA conduct signals, RBNZ prudential expectations, and National AI Strategy milestones. Continuous advisory makes the difference between readiness and exposure.
- 01Trajectory
Voluntary today, mandatory tomorrow.
The NZ Government's voluntary principles, underpinned by the OECD AI Principles, are the foundation for what comes next. The Algorithm Charter, the National AI Strategy's implementation roadmap, and the Privacy Commissioner's increasingly detailed guidance on automated decision-making all point toward formalisation. When mandatory requirements arrive, organisations that prepared early adapt in weeks. Those that waited face months of costly remediation.
- 02Multiple regulators
No single playbook across regulators.
The FMA is developing conduct expectations for AI in financial services, with particular scrutiny of algorithmic advice and automated credit decisions. The RBNZ is examining AI risk through prudential supervision, asking how model risk and operational resilience apply to machine learning systems. The Privacy Commissioner is interpreting the Privacy Act 2020 for AI contexts. Each regulator moves at its own pace with its own enforcement priorities.
- 03Constitutional obligation
Treaty obligations continue to evolve.
Te Tiriti o Waitangi obligations in the AI context are developing through case law, government policy, and tikanga-based frameworks grounded in kaitiakitanga and tino rangatiratanga. Te Mana Raraunga continues to advance Māori data sovereignty principles. What constituted adequate Māori data governance in 2024 may not meet the standard being set in 2026. Ongoing advisory ensures your governance keeps pace.
Continuous advisory beats periodic projects.
Point-in-time projects produce a snapshot. The regulatory landscape moves around it. A retainer keeps the framework current as guidance evolves.
Periodic engagements
Point-in-time snapshots
- Framework is outdated within months as NZ guidance evolves.
- Privacy Commissioner guidance missed between engagements.
- No one monitoring FMA or RBNZ position development.
- Treaty obligation developments go untracked.
- New consultant each engagement rebuilds organisational context.
- Scramble to respond when mandatory rules arrive.
Continuous advisory
Evolves with the landscape
- Quarterly NZ regulatory briefings on every AI development.
- Proactive alerts when regulators signal new positions.
- Treaty obligation tracking as case law and policy develop.
- A dedicated team that knows your systems, sector, and needs.
- Predictable monthly investment you can plan around.
- Ready to pivot when voluntary guidance becomes mandatory.
What your advisory programme covers.
Built for the NZ regulatory environment. Every deliverable maps to a real governance need your organisation faces as AI rules take shape across Aotearoa.
Track A
Quarterly regulatory briefings
Every quarter, a structured briefing covering every material AI development in New Zealand. National AI Strategy milestones, Privacy Commissioner positions on automated decision-making, FMA conduct expectations, RBNZ prudential signals, Public Service AI Framework changes, OECD AI Principles developments, and Treaty of Waitangi-related Māori data governance developments. Each briefing concludes with prioritised action items tailored to your posture.
Track B
On-demand expert guidance
Direct access to the same team that knows your systems, sector, and governance setup. New AI tool evaluation against Privacy Act 2020 requirements. Treaty of Waitangi obligations for a specific data set. Vendor assessment including cross-border data transfer risks under IPP 12. Fair Trading Act 1986 implications for AI-generated consumer-facing content. Board reporting support when directors need clarity. Most queries answered within 48 hours.
Track C
Board and executive reporting
Quarterly governance summaries prepared for board consumption by advisors who understand both the AI landscape and NZ director duties under the Companies Act 1993. Risk posture updates, regulatory horizon scanning, progress against maturity targets, and emerging compliance obligations from the Privacy Commissioner, FMA, and RBNZ. Treaty status included where relevant. Board-ready language so you can demonstrate the informed oversight that sections 131 through 138 require.
Track D
Policy & framework maintenance
As NZ AI guidance evolves, policies need to keep pace. The Privacy Act 2020's interpretation for AI contexts is being refined by the Privacy Commissioner. The National AI Strategy may introduce new expectations. OECD AI Principles continue to develop internationally and flow through to NZ policy settings. Annual review, policy updates for new regulatory expectations, gap analyses against emerging compliance requirements.
Track E
Team capability building
Annual governance training tailored to the NZ regulatory context. Workshops covering Māori data sovereignty and kaitiakitanga, Privacy Act 2020 obligations for AI-driven decision-making, Government Procurement Rules for AI products, or FMA and RBNZ expectations for your sector. Executive briefings when significant developments emerge, such as a new Privacy Commissioner position paper or a National AI Strategy milestone.
Track F
Incident response guidance
When an AI system produces unexpected outcomes, the clock starts immediately. We help you assess governance implications, determine whether mandatory Privacy Commissioner notification is triggered under the Privacy Act 2020's notifiable breach regime, evaluate Treaty of Waitangi impacts where Māori data governance is engaged, and consider FMA or RBNZ reporting obligations for regulated businesses. Expert support when the stakes are highest, from a team that already understands your systems.
How the engagement works.
A repeating cycle, anchored by a baseline assessment and refreshed annually.
Phase 02
Quarterly
Regulatory cycles
Each quarter opens with a briefing covering all NZ AI developments. What changed, what it means for you, prioritised action items.
Phase 03
48 hrs
Responsive support
Between cycles, direct access for ad-hoc questions. New procurement, board prep, policy interpretation, Treaty guidance, incident response.
Phase 04
Annual
Governance review
Year-end review of governance maturity, framework and policy updates, recalibration against current Privacy Commissioner, FMA, and RBNZ requirements.
Who this is for.
Continuous advisory works for organisations with an existing governance footprint. If you are starting from scratch, build the foundation first.
Start with foundational consulting01
FMA or RBNZ-regulated entities deploying or evaluating AI.
02
Government agencies aligning with the Public Service AI Framework.
03
Organisations processing Māori data with Treaty obligations to uphold.
04
Enterprises with established governance that needs continuous maintenance.
05
Compliance teams without dedicated AI governance resource.
Common questions.
What NZ-specific developments do you track?
Every material AI governance development affecting New Zealand organisations. National AI Strategy milestones and any legislative activity that flows from it. Public Service AI Framework updates. Privacy Commissioner guidance, enforcement actions, and evolving interpretation of the Privacy Act 2020 for automated decision-making. FMA expectations for AI in financial services. RBNZ positions on AI in prudential supervision. Treaty of Waitangi developments relevant to Māori data governance. Fair Trading Act 1986 implications for AI-generated content. Relevant international developments including EU AI Act implementation, OECD AI Principles evolution, and ISO/IEC 42001:2023 adoption.
How do you handle Treaty of Waitangi obligations as they evolve?
Treaty obligations in the AI context develop through multiple channels: case law that tests Crown obligations in digital contexts, government policy that extends Treaty principles to technology deployment, and frameworks like Te Mana Raraunga that advance Māori data sovereignty at a practical level. We track these developments and advise on implications for your governance. Quarterly briefings include a dedicated Treaty and Māori data sovereignty section, and on-demand guidance is available when specific decisions engage Te Tiriti obligations.
What happens when voluntary NZ guidance becomes mandatory regulation?
This transition is exactly why continuous advisory exists. The trajectory in Aotearoa is clear: the National AI Strategy, the Public Service AI Framework, and the Privacy Commissioner's increasingly detailed guidance all point toward formalisation of what is currently voluntary. We monitor every policy signal that indicates movement toward mandatory requirements, including consultation papers, ministerial statements, regulatory speeches, and international precedents like the EU AI Act. When the shift happens, organisations on advisory already have governance aligned to the voluntary OECD AI Principles, so the transition to mandatory compliance is an update rather than a rebuild.
Can advisory support our government procurement and AI evaluation processes?
Yes. Government procurement of AI products and services involves compliance considerations spanning multiple regulatory frameworks. We provide guidance on evaluating vendors against Government Procurement Rules and the Public Service AI Framework's supplier criteria. We help your team assess suppliers for Privacy Act 2020 compliance, particularly around cross-border data transfers under IPP 12 and the accuracy obligations of IPP 8. We also evaluate data residency risks, model hosting arrangements, and supply chain dependencies. Vendor tools are checked against your Treaty of Waitangi obligations for Māori data governance, including data sovereignty and exit strategies that protect rangatiratanga over information.
NZ AI governance rules are being written now. Keep pace.
A short call walks through what is included, how the quarterly cycle works, and whether your governance maturity is ready for ongoing support. From Privacy Act 2020 compliance to Treaty obligations, from FMA and RBNZ expectations to National AI Strategy implementation.