Three practice tracks, twenty-plus services. Each engagement closes with a documented evidence pack mapped to the Privacy Act 2020, Te Tiriti o Waitangi, the Public Service AI Framework, FMA and RBNZ expectations, ISO/IEC 42001, and the EU AI Act for NZ exporters.
Engagement formats
Our methodology
Most AI governance work produces a document that describes good intentions. Ours produces evidence that controls exist and are operating, in a form a regulator or your board can read on any given day.
Continuous assurance, not a point-in-time checkbox.
You cannot govern what you have not located.
Output
AI system inventory & risk classification
NIST Map · ISO 42001 Plan
Every control is mapped to the obligation it discharges, so nothing is governance for its own sake.
Output
Governance framework, policy stack & control-to-regulation matrix
NIST Govern · ISO 42001 Plan
Policy that sits in a folder is not a control. We wire it into the workflows that carry risk.
Output
Implemented controls, approval gates & a standing evidence trail
NIST Measure + Manage · ISO 42001 Do
Not an annual snapshot stale the day after sign-off, but a maintained evidence position.
Output
Assurance reports & a regulator-ready evidence pack
NIST Manage · ISO 42001 Check + Act
A documented map of every AI system in use, classified by risk tier and tied to a named accountable owner.
Controls mapped against the 13 Privacy Principles, ISO 42001, the Public Service AI Framework, and HIPC 2020 where applicable.
Governance practices that respect whakapapa, embed kaitiakitanga, and protect tangata whenua in AI outputs.
A single evidence pack a regulator, internal auditor, or external reviewer can work through end to end.
Track A
Accountability structures, AI policies, and operating models that satisfy Privacy Act 2020 principles, Companies Act 1993 director duties, and Cabinet expectations for public-sector deployers.
AI governance consulting
Programme design grounded in the Privacy Act 2020, Fair Trading Act, and Companies Act 1993 director duties, giving boards a defensible framework before regulation catches up.
AI strategy development
A strategy aligned to the National AI Strategy and OECD AI Principles, with use cases prioritised by regulatory exposure and Treaty-aligned community impact.
AI policy development
Policy text, approval workflows, and exception handling drafted for board adoption, with cultural impact considerations grounded in kaitiakitanga.
Risk framework development
AI risk categories integrated into existing risk registers, proportionate controls by risk tier, and monitoring triggers across FMA, RBNZ, and Public Service AI Framework lenses.
Board-level AI governance
Charters, oversight cadences, escalation paths, and reporting packs sized for board approval under Companies Act 1993 director-duty obligations.
Model governance
Validation, monitoring, and lifecycle controls for AI models, with RBNZ-aligned rigour applied wherever models affect credit, capital, or risk decisions.
Track B
Independent evaluation of AI systems against the 13 Privacy Principles, ISO/IEC 42001, the Public Service AI Framework, and Te Tiriti obligations, with bias testing across Māori and Pacific populations.
AI audit and assessment
End-to-end audit of AI systems, governance documentation, and operating controls, sized for internal audit or external review.
AI risk assessment
Risk registers, severity ratings, and prioritised remediation plans against the Privacy Act 2020, Fair Trading Act, and Companies Act 1993 director obligations.
AI impact assessment
Cultural, fairness, and community impact assessments for AI systems affecting Māori, Pacific, and other communities, aligned with Algorithm Charter commitments.
ISO 42001 certification
Gap analysis, AI management system design, and certification pathway through Standards New Zealand accredited bodies, structured for the NZ regulatory landscape.
Third-party AI risk
Vendor concentration analysis, foundation-model and cloud dependency mapping, and contingency planning where the RBNZ has flagged systemic risk for NZ financial services.
AI risk calculator (free)
A five-minute self-serve baseline of AI risk exposure against ISO 42001 and EU AI Act lenses, with a tailored next step for NZ deployers.
Track C
Privacy Act 2020 alignment, Treaty-aligned data practices, Public Service AI Framework readiness, sector-specific advisory, and workforce uplift on evolving FMA and RBNZ expectations.
Privacy Act 2020 compliance
Each of the 13 Information Privacy Principles mapped to your AI systems, with Privacy Impact Assessments, consent mechanisms, and IPP 12 cross-border safeguards.
Māori data governance
Te Mana Raraunga-informed principles embedded in AI governance, cultural impact assessments, and safeguards against algorithmic bias that could entrench inequities.
Public Service AI Framework implementation
Structured risk assessments, supplier due diligence, data traceability, and exit planning aligned with Government Procurement Rules and the Responsible AI Guidance for GenAI.
Healthcare AI governance
Clinical AI governance under HIPC 2020 and the Code of Health and Disability Services Consumers' Rights, with Māori and Pacific health equity protocols.
Regulatory compliance
Cross-regulator mapping across FMA, RBNZ, the Office of the Privacy Commissioner, and EU AI Act exposure for NZ exporters from August 2026.
AI literacy training
Role-based literacy curricula covering risk, fairness, privacy, and Treaty obligations, calibrated to the seniority and AI exposure of each cohort.
Leadership training
Board and executive briefings on AI risk, Companies Act 1993 director duties, and the FMA / RBNZ supervisory direction of travel.
Ongoing advisory support
Standing advisory retainer for boards, risk committees, and AI councils as regulation matures and supervisory expectations sharpen.
Every engagement starts with a structured analysis of which New Zealand laws, regulations, and voluntary frameworks apply to your AI systems. Frameworks are then built from the Aotearoa regulatory environment outward.
Phase 01
Regulatory mapping
We identify obligations under the Privacy Act 2020, Fair Trading Act, sector-specific codes including HIPC 2020 and CoFI, and Te Tiriti requirements before designing any governance.
Phase 02
Aotearoa-first design
Frameworks built from the New Zealand context outward, with Māori data sovereignty principles, National AI Strategy alignment, and the principles-based regulatory culture in mind.
Phase 03
Evidence pack and handover
Each engagement closes with a documented evidence pack a regulator, auditor, or board reviewer can work through end to end, plus a standing advisory option for what comes next.
Each sector carries distinct governance pressure. Engagements are scoped against the regulatory, prudential, and statutory frameworks that apply to your organisation.
Book a 30-minute assessment. We will map your AI systems against New Zealand regulatory requirements, identify the gaps, and recommend the track that closes them fastest, with no obligation and no sales pitch.