The Public Service AI Framework is voluntary. Your agency still needs to implement it.
Digital.govt.nz released the Public Service AI Framework in February 2025. While not binding, government agencies need practical guidance on risk assessment, procurement evaluation, and data traceability. We help you implement the framework without bureaucratic overhead.
The challenge
Your agency is procuring AI tools, but the Public Service AI Framework doesn't tell you exactly how to assess them. You need practical implementation guidance.
No clear procurement criteria
The framework says to assess AI systems for transparency, fairness, and privacy. But what questions do you ask vendors? How do you evaluate their answers? What documentation do you require? Most agencies are making this up as they go.
Risk assessment without resources
The framework requires robust risk management, but your agency doesn't have AI risk specialists. Business units are deploying tools faster than you can assess them. You need practical risk assessment templates that non-technical staff can actually use.
Data traceability sounds good, but how?
The framework emphasises data traceability, but what does that mean for your procurement of Microsoft Copilot? Or your customer service chatbot? Where does the data go? How do you document it? What records do you keep?
Our approach
We translate the Public Service AI Framework into practical tools your agency can actually use: procurement criteria, risk assessment templates, and vendor evaluation frameworks.
Assess your current AI landscape
We inventory existing AI systems across your agency: what tools are deployed, who approved them, what data they use, and whether they comply with Privacy Act 2020. We identify quick wins and high-risk systems that need immediate attention.
Deliverable: AI system inventory, risk register, compliance gap analysis
Develop procurement evaluation criteria
We create practical vendor assessment frameworks aligned with Government Procurement Rules and the Public Service AI Framework. This includes question templates, scoring rubrics, and documentation requirements for AI procurement decisions.
Deliverable: Vendor questionnaire templates, evaluation criteria, procurement playbook
Build risk assessment capability
We develop risk assessment templates tailored to your agency's context: simple tools that business units can use to assess AI systems before procurement. We train your teams on how to identify risks, assess severity, and determine appropriate controls.
Deliverable: Risk assessment templates, training materials, decision trees
Implement data traceability protocols
We establish procedures for documenting where data goes when AI systems process it. This includes data flow mapping, vendor data processing agreements, and records management for AI systems - critical for Privacy Act compliance and Treaty obligations.
Deliverable: Data flow documentation, vendor agreement templates, record-keeping procedures
Public Service AI Framework requirements
Key elements your agency needs to implement from the framework.
Traceability of data
Document data sources, processing locations, and retention periods for AI systems. Know where your data goes, especially when using offshore AI vendors like OpenAI, Microsoft, or Google.
Robust risk management
Identify and assess AI-related risks before deployment. Higher-risk systems need more rigorous assessment and ongoing monitoring. Your agency needs practical tools to do this.
Collaboration with security and commercial teams
AI procurement can't be done in isolation. Your framework needs to integrate with existing procurement processes, information security requirements, and privacy assessments.
Privacy and security evaluation
Every AI system needs privacy and security assessment. This means understanding how the AI processes personal information, where data is stored, and what security controls the vendor has in place.
Who this is for
Central government agencies
Public Service departments and ministries implementing the Public Service AI Framework and managing AI procurement under Government Procurement Rules.
Local government
Councils and local authorities deploying AI for service delivery, planning, or internal operations. While the framework is for central government, the principles apply equally to local government.
Crown entities
Crown agents and autonomous Crown entities procuring or developing AI systems that affect New Zealanders.
State-owned enterprises
SOEs wanting to adopt public sector AI governance best practices and demonstrate responsible AI use to stakeholders.
Frequently asked questions
Is the Public Service AI Framework mandatory for our agency?
The framework is voluntary and provides guidance rather than binding requirements. However, public sector agencies still have obligations under the Privacy Act 2020, Public Finance Act, and in some cases Treaty of Waitangi requirements. The framework helps you meet these existing obligations.
How does this relate to Privacy Act 2020 compliance?
The framework complements Privacy Act requirements. Data traceability supports Privacy Principle 3 (collection from individual), privacy evaluation criteria help you assess vendors against Principle 12 (overseas disclosure), and risk assessment identifies privacy impacts early.
Do we need to assess every AI system, even low-risk tools?
A risk-based approach is appropriate. High-risk systems making decisions about individuals need rigorous assessment. Lower-risk tools like grammar checkers need lighter-touch review. We help you build tiered assessment processes that match effort to risk.
How long does framework implementation take?
Initial implementation typically takes 8-12 weeks for procurement criteria development, risk assessment templates, and staff training. Ongoing implementation happens through your normal procurement and project approval processes.
Related services
AI Governance Consulting
Build comprehensive AI governance frameworks that integrate the Public Service AI Framework with your agency's existing governance structures.
Learn more โPrivacy Act 2020 Compliance for AI
Ensure your AI systems comply with the 13 Privacy Principles, including requirements for automated decision-making and overseas data transfers.
Learn more โAI Risk Assessment
Comprehensive risk assessment for AI systems, identifying operational, privacy, ethical, and regulatory risks before deployment.
Learn more โReady to implement the Public Service AI Framework?
Schedule a consultation to discuss your agency's AI landscape and how we can help you develop practical implementation tools that work within your existing processes.