AI risk frameworks for Aotearoa's light-touch regulatory landscape.

New Zealand has no AI-specific risk regulation. The entire burden of identifying, classifying, and managing AI risk falls on your organisation, and under the Companies Act 1993, on your directors personally. We build the risk frameworks aligned to the Privacy Act 2020, Fair Trading Act 1986, and Te Tiriti o Waitangi obligations.


Built for

Chief risk officers · Boards & directors · General counsel · Compliance leaders · Public sector AI leads
We work against: Privacy Act 2020 / Fair Trading Act 1986 / Companies Act 1993 / Te Tiriti o Waitangi / ISO/IEC 42001 / NIST AI RMF 1.0 / OECD AI Principles / Algorithm Charter

What we deliver.

Methodology

NZ AI risk taxonomy

Classification covering Privacy Act 2020 violations, Fair Trading Act breaches, Treaty of Waitangi obligation failures, Māori data sovereignty risks, and algorithmic bias against Māori and Pacific communities.

Director liability analysis

Board-ready analysis of personal liability exposure under Companies Act 1993 sections 131-138, with evidence trail showing reasonable care.

Treaty impact assessment

Evaluation of how your AI systems affect Māori communities, covering data sovereignty, cultural safety, equitable outcomes, and partnership principles.

Risk register and controls library

Pre-populated AI risk register with NZ-specific risks plus 50+ controls covering Fair Trading Act checks, Privacy Act safeguards, cultural safety reviews, and Algorithm Charter alignment.

The voluntary approach has a catch.

Light-touch regulation sounds like freedom. In practice, every AI risk decision your organisation makes is a judgement call. If that judgement turns out to be wrong, there is no prescribed standard to point to as a defence. 25% of NZ organisations say governance is the missing link in their AI strategy.

01

Personal liability

Director exposure under the Companies Act.

Section 137 of the Companies Act 1993 requires directors to exercise reasonable care, diligence, and skill. If an AI system causes harm and the board cannot demonstrate it understood and managed the risks, directors face personal liability. Most boards have no AI risk framework to rely on.

02

Constitutional obligation

Treaty obligations add unique complexity.

AI systems that process data relating to Māori and Pacific communities carry risk dimensions that do not exist anywhere else. Māori data sovereignty, cultural safety, and Treaty of Waitangi obligations create risk categories that no off-the-shelf framework addresses. Te Tiriti o Waitangi demands controls built specifically for Aotearoa.

03

Multiple statutes

Multiple laws, no unified view.

Privacy Act 2020 covers personal information. Fair Trading Act 1986 covers misleading conduct. Companies Act 1993 covers director duties. Consumer Guarantees Act covers service quality. Your AI risks sit across all of them, but no single framework connects the dots. We build the integrated risk view your organisation needs.


Built for a market without a rulebook.

Importing an overseas risk framework and bolting it onto your organisation does not work. Aotearoa's regulatory landscape is principles-based, light-touch, and shaped by obligations unique to this country.

01

NZ regulatory risk mapping

We map every AI use case against specific NZ legislation: Privacy Act 2020 information privacy principles, Fair Trading Act misleading conduct provisions, Companies Act director duties, and sector-specific obligations from the FMA or RBNZ. Every risk is tied to an actual legal obligation.

02

AI risk taxonomy for Aotearoa

A risk classification system that includes the categories generic frameworks miss: Māori data sovereignty risks, cultural safety impacts for Māori and Pacific populations, Treaty of Waitangi obligation breaches, vendor concentration risks from offshore AI providers, and algorithmic bias affecting communities already underserved.

03

Director liability assessment

We analyse your AI portfolio through the lens of Companies Act section 137 duties, identifying where directors are most exposed. The output is a clear liability map showing which AI systems carry the highest personal risk and what controls demonstrate reasonable care and diligence.

04

Controls and mitigations design

For each identified risk: Privacy Act 2020 compliance checkpoints, Fair Trading Act content review processes, cultural safety evaluation workflows, vendor dependency thresholds, and model performance boundaries. Controls are practical enough to actually implement.

05

Governance integration and reporting

We embed AI risk into your existing governance structures rather than layering on another committee. Board reporting templates translate AI risk into language directors can act on, with clear escalation triggers and decision rights tied to your organisational risk appetite.

What we deliver.

Every deliverable is built for Aotearoa's legal and cultural context. Nothing is borrowed from another jurisdiction and relabelled.

NZ AI risk taxonomy

A classification system covering Privacy Act 2020 violations, Fair Trading Act breaches, Treaty of Waitangi obligation failures, Māori data sovereignty risks, algorithmic bias against Māori and Pacific communities, and vendor concentration exposure. Delivered as a structured document and Excel file for GRC integration.

Privacy Act risk mapping

Detailed mapping of each AI system against the 13 information privacy principles. Identifies where automated processing creates compliance exposure, what notifications are required under breach reporting obligations, and where cross-border data flows raise sovereignty concerns.

Treaty impact assessment

Evaluation of how your AI systems affect Māori communities and Te Tiriti o Waitangi obligations. Covers Māori data sovereignty, cultural safety, equitable outcomes, and partnership principles. Designed for organisations in government, health, education, and financial services.

Director liability analysis

A board-ready analysis of personal liability exposure under Companies Act 1993 sections 131-138. Maps each AI system to director duties, identifies highest-risk scenarios, and provides the evidence trail directors need to demonstrate reasonable care.

Cultural safety risk evaluation

Assessment of how your AI systems affect Māori and Pacific populations specifically. Evaluates algorithmic bias, representational harm, language and cultural assumptions in training data, and equitable access to AI-driven services. A risk dimension unique to Aotearoa.

Risk register and controls library

Pre-populated AI risk register with NZ-specific risks, control mappings, and assessment fields. Includes 50+ controls covering Fair Trading Act compliance checks, Privacy Act 2020 safeguards, cultural safety reviews, vendor dependency management, and algorithmic accountability measures aligned to the Algorithm Charter.

Who needs an AI risk framework.

If your organisation is deploying AI in New Zealand and nobody has asked "what could go wrong, and who is liable?", this is where you start.

01

Financial services under FMA and RBNZ

Banks, insurers, and fund managers who need to demonstrate they are managing AI risks within their existing regulatory obligations before the Financial Markets Authority or Reserve Bank of New Zealand asks. We build compliance aligned to CoFI Act fair conduct requirements and operational resilience expectations.

02

Government and public sector

Agencies subject to the Public Service AI Framework that need to operationalise risk controls for AI systems affecting New Zealanders, with particular attention to Treaty of Waitangi obligations and algorithmic accountability under the Algorithm Charter.

03

Organisations serving Māori and Pacific communities

Health, education, and social service providers whose AI systems must account for cultural safety, Māori data sovereignty, and equitable outcomes for underserved populations.

04

Directors and board members

Directors who want documented evidence that AI risks are being managed, because under Companies Act 1993, "we did not know" is not a viable defence.

Common questions about AI risk frameworks in NZ.

What AI risks are unique to New Zealand?

Three categories stand out. First, Treaty of Waitangi obligations create risk dimensions around Māori data sovereignty, cultural safety, and equitable outcomes. Second, New Zealand's small market means heavy reliance on offshore AI vendors, creating concentration risks. Third, the absence of AI-specific regulation means your organisation bears full responsibility for defining "reasonable" risk management.

How do Treaty of Waitangi obligations affect AI risk?

Te Tiriti principles of partnership, participation, and protection apply to how AI systems collect, process, and make decisions about Māori. Risks include training data that underrepresents or misrepresents Māori, algorithms that produce inequitable outcomes for Māori and Pacific populations, and Māori data sovereignty issues when Māori data is processed offshore without appropriate governance.

What does the FMA expect regarding AI risk management?

The Financial Markets Authority expects regulated entities to manage AI risks under their existing obligations, including conduct licensing, fair dealing, and client care duties under the CoFI Act 2022. The RBNZ holds the same expectation for operational resilience. We build risk frameworks that align to these expectations and position your organisation ahead of any future formalisation.

Can directors be personally liable for AI failures?

Yes. Under sections 131-138 of the Companies Act 1993, directors must act in good faith, in the best interests of the company, and with reasonable care, diligence, and skill. If an AI system causes significant harm and the board cannot demonstrate it took reasonable steps to understand and manage those risks, individual directors face personal liability. A documented AI risk framework is the clearest evidence of due diligence.

How does this integrate with OECD AI Principles and ISO 42001?

New Zealand's National AI Strategy is built on the OECD AI Principles, and our risk frameworks align to these international standards while addressing NZ-specific requirements. For organisations pursuing ISO 42001 certification, our risk assessment methodology maps directly to Annex B control requirements. Your risk framework serves double duty: local compliance and international recognition.

How long does this take and what does the engagement look like?

Most engagements run 8 to 14 weeks: regulatory mapping and discovery (2 to 3 weeks), taxonomy and assessment design (3 to 5 weeks), controls development and Treaty impact assessment (2 to 3 weeks), and integration and delivery (1 to 3 weeks). The timeline depends on the number of AI systems in scope and the regulatory complexity of your sector.

Build your AI risk framework for New Zealand.

In a market with no prescribed AI risk framework, the organisations that build their own set the standard. Talk to us about developing a risk framework that reflects NZ law, Treaty of Waitangi obligations, and the reality of how your organisation actually uses AI.
