Government AI Governance

The Public Service AI Framework Is Voluntary. Your Agency Still Needs to Implement It.

Digital.govt.nz released the Public Service AI Framework to guide how government agencies across Aotearoa adopt artificial intelligence responsibly. While not binding, agencies that ignore it face compliance gaps under the Privacy Act 2020, Government Procurement Rules, and Treaty of Waitangi obligations. We help your team implement the framework with practical governance, not bureaucratic overhead.

See Framework Requirements

Public Service AI Assurance Framework Dashboard

The Challenge for Government Agencies

Your agency is procuring AI tools, but the Public Service AI Framework provides principles rather than step-by-step implementation guidance. You need practical support that translates the framework's requirements into procurement criteria, governance processes, and risk assessment workflows your team can execute.

No Clear Procurement Criteria for AI

The framework says to assess AI systems for transparency, fairness, and privacy compliance. But what questions do you ask vendors? How do you evaluate their answers against the OECD AI Principles? What documentation must you require under Government Procurement Rules? Most agencies across Aotearoa are improvising their approach to AI procurement, creating inconsistency and compliance risk.

Risk Assessment Without Specialist Resources

The framework requires robust risk assessment for AI, but your agency may not have AI risk specialists on the team. Business units across your organisation are deploying tools faster than governance can assess them. You need practical assessment templates that non-technical staff can use to evaluate AI systems before procurement decisions are finalised.

Data Traceability for AI Systems

The framework emphasises data traceability as a core requirement, but what does that mean for your procurement of enterprise AI tools? Where does the data go when your team uses a chatbot for public enquiries? How do you document data flows through offshore vendors for Privacy Act 2020 compliance? What records satisfy the Privacy Commissioner if they investigate? These are practical questions that require practical answers.

Our Approach to Framework Implementation

We translate the Public Service AI Framework into practical governance tools your agency can use immediately: procurement criteria, risk assessment templates, vendor evaluation checklists, and data traceability procedures aligned with Government Procurement Rules and Privacy Act 2020 requirements.

Assess Your Current Artificial Intelligence Landscape

We inventory existing AI systems across your agency: what tools are deployed, who approved them, what data they process, whether they comply with the Privacy Act 2020, and how they align with the Algorithm Charter for Aotearoa if your agency is a signatory. We identify quick wins for compliance improvement and high-risk systems that need immediate governance attention. This assessment gives your team a complete picture of your AI footprint and the gaps the Public Service AI Framework is designed to address.

Deliverable: AI system inventory, risk register, compliance gap analysis, prioritised remediation roadmap

Develop Procurement Evaluation Criteria for AI

We create practical vendor assessment tools aligned with Government Procurement Rules, the Public Service AI Framework, and the OECD AI Principles that underpin New Zealand's National AI Strategy. This includes vendor question templates covering transparency, data handling, algorithmic fairness, and cultural considerations; scoring rubrics that enable consistent evaluation across procurement teams; and documentation requirements that satisfy both the framework and Privacy Act 2020 obligations. These integrate with your existing procurement processes rather than creating parallel workflows.

Deliverable: Vendor questionnaire templates, evaluation criteria, procurement playbook, integration with existing processes

Build Internal Risk Assessment Capability

We develop risk assessment tools tailored to your agency's context: practical templates that business units can use to evaluate AI systems before procurement. We train your team on how to identify AI-specific risks, assess severity against a tiered classification model, determine appropriate controls, and escalate decisions that require senior governance attention. This capability-building approach ensures your organisation can sustain risk assessment for AI independently within your agency's existing programme structures.

Deliverable: Risk assessment frameworks, tiered classification model, training materials, decision trees, escalation protocols

Implement Data Traceability and Compliance Protocols

We establish procedures for documenting where data goes when AI systems process it. This includes data flow mapping for every AI tool in your inventory, vendor data processing agreements aligned with Privacy Act 2020 Information Privacy Principles, records management that satisfies the Privacy Commissioner's expectations, and protocols for assessing Treaty of Waitangi obligations when AI systems process Māori data. These procedures are critical for compliance and for maintaining public trust in your agency's use of AI.

Deliverable: Data flow documentation, vendor agreement templates, record-keeping procedures, Treaty compliance protocols

Public Service AI Framework Requirements

The key governance elements your agency needs to implement from the framework, interpreted through the lens of existing legal obligations under the Privacy Act 2020, Government Procurement Rules, and Treaty of Waitangi requirements.

Traceability of Data in AI Systems

Document data sources, processing locations, and retention periods for every AI system your agency deploys. This means knowing where your data goes when your team uses an AI tool, especially when offshore vendors process New Zealand personal information. Data traceability is not just a framework recommendation. It directly supports Privacy Act 2020 compliance under Information Privacy Principles 1, 3, and 12, and helps your organisation demonstrate responsible data stewardship to the Privacy Commissioner.

Robust Risk Management for AI

Identify and assess AI-related risks before deployment, with governance that matches assessment rigour to risk level. Higher-risk systems, such as those making decisions about individuals, processing sensitive data, or operating in areas with Treaty of Waitangi implications, need more rigorous assessment and ongoing monitoring. We build practical risk assessment tools that your team can use across your organisation without requiring specialist AI expertise in every business unit.

Cross-Team Collaboration and Integrated Governance

AI procurement cannot be managed in isolation. Your governance needs to integrate with existing procurement processes under Government Procurement Rules, information security requirements, Privacy Act 2020 assessments, and Treaty of Waitangi compliance. The Public Service AI Framework expects agencies to bring together commercial, security, privacy, and business teams when evaluating AI solutions. We help organisations build these collaborative processes into their standard operating procedures.

Privacy and Security Evaluation

Every AI system needs privacy and security assessment before deployment. This means understanding how the system processes personal information, where data is stored and processed, what security controls the vendor maintains, and whether cross-border data flows comply with Privacy Act 2020 requirements. For agencies that have signed the Algorithm Charter for Aotearoa, privacy evaluation also includes transparency about how algorithms make or inform decisions that affect New Zealanders.

Treaty of Waitangi and Māori Data Considerations

Government agencies have explicit Treaty of Waitangi obligations that extend to their adoption of AI. The Public Service AI Framework sits alongside the Public Service Act 2020's requirements for agencies to maintain the spirit of the Treaty partnership. When AI systems process Māori data or make decisions affecting Māori communities, agencies must integrate Māori data governance principles into their assessment and governance. We help agencies address these obligations with practical, culturally grounded approaches.

Alignment with OECD AI Principles and National AI Strategy

New Zealand's National AI Strategy adopted the OECD AI Principles as its foundation for responsible AI governance. The Public Service AI Framework operationalises these principles for government agencies. Your implementation should demonstrate alignment with OECD requirements for transparency, accountability, robustness, and human oversight. Our governance approach maps directly to these principles, ensuring your agency can demonstrate compliance with both the national strategy and international best practice.

Integrating the Algorithm Charter for Aotearoa

The Algorithm Charter for Aotearoa New Zealand, signed by government agencies, establishes commitments to transparency, accountability, and fairness in how the public sector uses algorithms and AI. While the Public Service AI Framework provides operational guidance, the Algorithm Charter sets the principles that agencies have publicly committed to uphold. Together, they create a comprehensive governance landscape that we help agencies navigate.

For agencies that have signed the Charter, implementing the framework is not just about risk assessment. It is about delivering on public commitments to New Zealanders. The transparency requirements mean agencies must be able to explain how AI systems make or inform decisions. The fairness commitments require testing for bias, particularly against Māori and Pacific communities. The accountability provisions require clear governance structures with defined roles and escalation paths. We build frameworks that satisfy both the Charter and the Framework in an integrated approach.

Agencies that have not yet signed the Algorithm Charter can still benefit from its principles. As the Public Service AI Framework matures and becomes the de facto standard for government AI governance across Aotearoa, organisations that have already embedded these principles will be better positioned for any future mandatory requirements. Our approach is designed to be forward-looking, preparing your agency for the regulatory trajectory New Zealand is on.

Which Organisations Need Framework Implementation

Central Government Agencies

Public Service departments and ministries implementing the Public Service AI Framework alongside Government Procurement Rules for AI. We work with agencies across Wellington and throughout Aotearoa to build governance that integrates with existing compliance obligations, including Privacy Act 2020 requirements, Treaty of Waitangi obligations, and the OECD AI Principles adopted by New Zealand's National AI Strategy.

Local Government

Councils and local authorities in Auckland, Wellington, Christchurch, and across New Zealand are deploying AI for service delivery, planning, consenting, and internal operations. While the Public Service AI Framework was developed for central government, its governance principles apply equally to local government. We help councils implement practical risk assessment and compliance approaches that account for the unique community obligations local government holds, including Treaty of Waitangi relationships with mana whenua.

Crown Entities and Statutory Bodies

Crown agents and autonomous Crown entities procuring or developing AI systems that affect New Zealanders need governance aligned with the Public Service AI Framework. These organisations operate with significant public trust and must demonstrate responsible practices through transparent, accountable AI governance. We help Crown entities build frameworks that satisfy both the Public Service AI Framework and their specific statutory obligations.

State-Owned Enterprises

State-owned enterprises seeking to adopt public sector AI governance best practices and demonstrate responsible AI use to stakeholders, ministers, and the public. As adoption accelerates across the public sector, SOEs that can demonstrate robust governance build confidence with their shareholder ministers and the communities they serve across Aotearoa.

Frequently Asked Questions

Is the Public Service AI Framework mandatory for our agency?

The framework is voluntary and provides governance guidance rather than binding requirements. However, public sector agencies still have legal obligations under the Privacy Act 2020, Public Finance Act 1989, Official Information Act 1982, and in many cases Treaty of Waitangi requirements. The framework helps your organisation meet these existing obligations in the context of AI adoption. As New Zealand's National AI Strategy matures and the OECD AI Principles become embedded in government expectations, agencies without framework-aligned governance will face growing compliance risk.

How does the framework relate to Privacy Act 2020 compliance?

The framework complements and reinforces Privacy Act 2020 requirements for AI. Data traceability supports Information Privacy Principle 3 (collection from the individual concerned) by documenting where data comes from. Privacy evaluation criteria help your team assess vendors against Information Privacy Principle 12 (overseas disclosure). Risk assessment processes identify privacy impacts early, before deployment creates compliance exposure. We integrate framework implementation with Privacy Act compliance to create a single governance approach rather than duplicating effort across your organisation.

Do we need to assess every AI system, including low-risk tools?

A risk-based approach is appropriate and aligned with the OECD AI Principles adopted by New Zealand. High-risk systems making automated decisions about individuals need rigorous assessment, ongoing monitoring, and senior governance oversight. Lower-risk tools need lighter-touch review through streamlined assessment processes. We provide tiered classification models that match assessment effort to risk level, ensuring your team applies resources where they matter most without creating unnecessary bureaucracy for low-risk tools.

How long does framework implementation take?

Initial implementation typically takes 8-12 weeks for procurement criteria development, risk assessment templates, data traceability protocols, and staff training. We work alongside your team throughout this period to ensure knowledge transfer and sustainable internal capability. Ongoing implementation then operates through your normal procurement and project approval processes, with periodic review and refinement as the Public Service AI Framework evolves and your agency's AI use matures.

How does the framework interact with the Algorithm Charter for Aotearoa?

The Algorithm Charter and the Public Service AI Framework are complementary governance instruments. The Charter establishes principles-level commitments to transparency, accountability, and fairness in algorithmic decision-making. The Framework provides operational guidance for implementing those principles when procuring and deploying AI. Agencies that have signed the Charter can use framework implementation as the mechanism for delivering on their Charter commitments. We address both instruments in an integrated approach, ensuring your agency satisfies all overlapping obligations.

What about Treaty of Waitangi obligations for AI governance?

Government agencies have explicit Treaty of Waitangi obligations under the Public Service Act 2020 that extend to their use of AI. When AI systems process Māori data or make decisions affecting Māori communities, agencies must integrate Māori data governance principles into their assessment and governance. We help agencies build Treaty-aligned governance that operates alongside framework compliance, ensuring that responsible practice in the public sector honours Aotearoa's constitutional foundations.

Ready to Implement the Public Service AI Framework?

Schedule a consultation to discuss your agency's AI landscape and how we can help you develop practical governance that works within your existing processes.