AI governance for NZ technology companies selling to government, enterprise, and the EU.
We work with SaaS providers, AI startups, and tech consultancies on the governance evidence that wins NZ government tenders under the Public Service AI Framework, satisfies enterprise procurement, and meets ISO 42001 and EU AI Act expectations.
What your business walks away with.
Enterprise governance documentation pack
AI governance policy suite, model cards, customer-facing transparency documentation, and a procurement-questionnaire response library.
Privacy Act compliance for AI products
Privacy Impact Assessments per AI feature, cross-border transfer documentation, and consent and transparency notices for end users.
ISO 42001 readiness assessment
Gap analysis against ISO 42001, AI management system design, risk treatment plans, and a certification pathway through Standards New Zealand.
Government tender evidence
Public Service AI Framework alignment, data traceability, exit strategy, and Treaty-aware cultural impact documentation.
Four governance gaps stalling NZ tech deals.
Your AI product works. But governance is the gap between a good product and a signed contract. New Zealand's voluntary, principles-based approach gave many tech companies no domestic requirement to build governance early, and the bill is now arriving.
- 01: Active
Government tenders now require governance evidence.
The Public Service AI Framework released in February 2025 set procurement expectations around risk assessment, data traceability, supplier evaluation, exit strategies, Te Tiriti o Waitangi obligations, and Māori data governance. Without documented governance, your tender response carries a visible gap.
Public Service AI Framework readiness
- 02: Aug 2026
EU AI Act reaches NZ tech exporters.
The Act applies extraterritorially to any NZ company with EU users or customers. High-risk classification triggers conformity assessment, technical documentation, post-market monitoring, and registration. Penalties scale to global turnover, not just EU revenue. Full enforcement begins August 2026.
Map your EU AI Act obligations
- 03: Enterprise standard
ISO 42001 becoming the procurement default.
Enterprise procurement teams increasingly require formal AI management system assurance. ISO/IEC 42001 certification, or demonstrable alignment, has moved from differentiator to expected. Few NZ tech companies hold certification today, which gives early movers a measurable advantage.
ISO 42001 certification pathway
- 04: In force
Privacy Act 2020 across every AI feature.
The 13 Privacy Principles apply to every AI feature processing personal information. Purpose limitation constrains how customer data is used for model training. IPP 12's cross-border restrictions affect where models can be hosted. Mandatory breach notification applies to AI-related privacy incidents within 72 hours.
Privacy Act compliance for AI features
The PolyGovern tracks that apply to NZ tech.
Three practice tracks scaled from startup through scaleup, each tied to deliverables sales teams can hand to procurement.
Track A
Product-embedded governance
Model cards, bias detection inside CI/CD, data lineage, explainability features, and audit trails that satisfy your customers' own compliance teams.
Track B
Certification and assurance
ISO 42001 readiness, AI risk assessment, third-party AI risk programmes, and a sales-ready evidence pack for enterprise procurement and government tenders.
Track C
Compliance and market entry
Privacy Act 2020 alignment, EU AI Act roadmap, Public Service AI Framework evidence, Māori data governance for government-facing products, and team training.
Built for Auckland's tech hub and beyond.
From SaaS providers in Wynyard Quarter to startups in GridAKL, Wellington's govtech scene, and Christchurch's innovation precinct, the challenge is the same: governance that keeps pace with product without slowing it down.
SaaS providers
B2B platforms adding AI features that need Privacy Act 2020 compliance and ISO 42001 alignment to move upmarket into enterprise accounts.
AI and ML startups
Companies where AI is the core product. Governance evidence is now part of investor due diligence and enterprise procurement under the EU AI Act and ISO 42001.
Tech consultancies and digital agencies
Building AI solutions for clients in regulated sectors. Governance practice directly affects your clients' Privacy Act 2020, FMA, RBNZ, and Public Service AI Framework exposure.
Questions NZ tech founders ask first.
We are a 20-person startup. Is governance realistic at our stage?
Yes. Early-stage governance is lighter than expected. A startup does not need the same framework as a bank. We typically begin with Privacy Act 2020 compliance for the AI product, a basic ethics policy, and documentation that satisfies enterprise procurement. Most startups complete the initial framework in four to six weeks alongside normal product development.
How does ISO 42001 certification help us win deals?
ISO 42001 is the international standard for AI management systems. Enterprise procurement teams recognise it as third-party validation that practices meet a defined benchmark. Certification, or documented alignment, can be the factor that moves you past shortlisting. Few NZ tech companies hold the certification, so early movers gain measurable differentiation.
How does the Privacy Act 2020 apply to our SaaS AI features?
If your AI features process personal information, the 13 Privacy Principles apply. Key areas for SaaS include purpose limitation (can you use customer data to train your models?), accuracy, disclosure when AI is making decisions about people, and IPP 12 cross-border transfers when models are hosted offshore.
What do NZ government agencies look for in AI vendor governance?
The Public Service AI Framework (February 2025) sets the procurement bar. Agencies evaluate vendors on risk assessment documentation, data traceability, exit strategies, security practices, and cultural considerations including Te Tiriti o Waitangi obligations and Māori data governance.
We are expanding to the EU. What does the AI Act mean for us?
The EU AI Act applies extraterritorially. The first step is risk classification: most B2B SaaS AI features fall into limited or minimal risk, but HR decisions, credit scoring, and biometric systems qualify as high-risk. High-risk compliance applies from August 2026. We build a roadmap specific to your EU market entry plan.
Turn governance into your next signed contract.
Book a 30-minute assessment. We will map your AI product against Privacy Act 2020 requirements, ISO 42001 readiness, Public Service AI Framework alignment, and EU AI Act exposure, then build a practical plan to close the gaps.