Third-Party AI Risk Management for New Zealand
The RBNZ has identified vendor concentration as a systemic risk in New Zealand's financial sector. A small number of AI providers serve most NZ organisations, creating shared points of failure. When your AI vendor's model changes behaviour, your customers feel it first.
We help NZ organisations evaluate, govern, and monitor third-party AI relationships with frameworks built for NZ's regulatory expectations, Privacy Act 2020 requirements, and Treaty of Waitangi obligations.
Concentration Risk Alert | RBNZ Flagging AI Vendor Dependencies Across NZ Financial Sector
NZ Faces a Unique Third-Party AI Risk Profile
New Zealand's market size means most organisations draw from the same small pool of global AI providers. This creates concentration risk, data sovereignty challenges, and governance blind spots that standard vendor management does not address.
Vendor Concentration Risk
A handful of global AI platforms serve the majority of NZ enterprises. When multiple organisations in the same sector depend on the same AI provider, a single model failure or outage becomes a systemic event. The RBNZ has explicitly identified this concentration as a risk to financial stability. Your vendor assessment needs to account for what happens when your provider is also your competitor's provider.
Data Leaves the Country by Default
Most global AI vendors process data offshore. Under the Privacy Act 2020, Information Privacy Principle 11 requires you to ensure overseas recipients provide comparable privacy protections. For Maori data, offshore processing raises additional questions about sovereignty, cultural appropriateness, and tino rangatiratanga. Standard procurement processes rarely assess these obligations.
No Exit Strategy, No Leverage
Government Procurement Rules require exit strategy provisions for critical vendors. Yet many NZ organisations adopt AI tools without planning how to leave them. When a vendor changes pricing, alters terms, or degrades service quality, the absence of exit provisions means you have no practical way to transition. The deeper the integration, the higher the cost of switching.
NZ Regulatory Expectations for Third-Party AI
Multiple NZ frameworks set expectations for how organisations govern AI vendor relationships. Together, they require a level of rigour that standard procurement and vendor management processes were not designed to deliver.
Government Procurement Rules: AI Vendor Evaluation
The Government Procurement Rules require agencies to conduct thorough vendor assessments when procuring AI systems. These rules establish evaluation criteria that go beyond traditional procurement considerations, addressing the specific risks AI systems create.
Required evaluation criteria for AI vendors:
- Supplier reputation, track record, and organisational capability for AI delivery
- Privacy and security controls appropriate to the data processed
- Data residency arrangements and offshore processing safeguards
- Supply chain dependencies and sub-contractor transparency
- Exit provisions ensuring service continuity and data return
RBNZ: Vendor Concentration and Outsourcing Risk
The RBNZ has identified vendor concentration in AI as a risk to the NZ financial system. A small number of providers serve multiple banks and insurers, meaning a failure at one vendor could affect the entire sector simultaneously. Material outsourcing arrangements involving AI require board-level oversight and ongoing monitoring.
RBNZ focus areas for AI vendors:
- Concentration risk assessment: how many NZ institutions share the same AI provider
- Board approval and ongoing oversight for material AI outsourcing arrangements
- Contingency planning for critical AI vendor failure or service disruption
Privacy Act 2020 and Treaty of Waitangi: Data in Third-Party Hands
When your AI vendor processes personal information, the Privacy Act 2020 obligations remain yours. IPP 11 sets specific requirements for overseas disclosure. For Maori data processed through vendor AI systems, Treaty of Waitangi principles create additional obligations around sovereignty, consent, and cultural appropriateness that standard vendor agreements do not address.
Privacy and Treaty requirements for vendor governance:
- IPP 11 compliance assessment for every offshore AI vendor processing NZ personal information
- Vendor assessment for Maori data handling practices aligned with Te Mana Raraunga principles
- Contractual safeguards ensuring vendor AI systems do not use your data for model training without consent
- Data residency mapping for sensitive and culturally significant data categories
What We Deliver: AI Vendor Governance for NZ
A complete AI vendor risk management programme covering the six evaluation dimensions NZ regulators expect: supplier capability, privacy and security, data residency, pricing transparency, supply chain dependencies, and exit provisions.
AI Vendor Evaluation Framework
Structured assessment methodology covering all six evaluation criteria. Includes risk-tiered questionnaires for critical, high, and standard vendors, scoring rubrics, and escalation thresholds aligned with your risk appetite.
Concentration Risk Analysis
Mapping of your AI vendor dependencies to identify single points of failure. Includes sector-level concentration assessment, shared sub-processor identification, and contingency planning for critical vendor disruption.
Privacy and Treaty Compliance Assessment
Vendor-by-vendor assessment of Privacy Act 2020 compliance, IPP 11 obligations for offshore data processing, and Treaty of Waitangi requirements for Maori data handling. Includes specific questions for vendors about cultural data sensitivity.
Exit Strategy and Transition Planning
Exit provisions for every critical AI vendor relationship. Includes data return requirements, transition timelines, service continuity plans, and alternative vendor identification. Aligned with Government Procurement Rules for public sector organisations.
Contract Clause Library
AI-specific contract clauses covering model transparency, data usage restrictions, performance monitoring rights, breach notification, Maori data protections, and exit provisions. Ready for your legal team to incorporate into vendor agreements.
Our Approach to NZ Third-Party AI Risk
We build on your existing vendor management processes rather than replacing them. The goal is to add AI-specific governance layers that address the risks standard TPRM was not designed for, with NZ regulatory requirements woven throughout.
AI Vendor Landscape Mapping (Weeks 1-2)
We identify every AI vendor relationship across your organisation, including embedded AI within broader platform subscriptions. Each vendor is categorised by risk tier, data sensitivity, and criticality to operations. We map concentration risk by identifying shared providers across your sector.
NZ Regulatory Gap Assessment (Weeks 3-4)
We evaluate your current vendor governance against Privacy Act 2020 IPP requirements, RBNZ outsourcing expectations, FMA conduct standards, Government Procurement Rules, and Treaty obligations for Maori data. The output is a prioritised remediation roadmap with clear ownership and timelines.
Framework, Tools, and Clause Development (Weeks 5-8)
We develop your AI Vendor Risk Management Framework: evaluation questionnaires with Maori data governance sections, risk scoring methodology, contract clause library, exit strategy templates, and ongoing monitoring criteria. All tools are designed for your procurement and risk teams to use independently.
Implementation and Knowledge Transfer (Weeks 9-12)
We train your procurement and risk teams on the new framework, conduct pilot assessments of your highest-risk AI vendors, integrate the AI-specific processes into your existing TPRM programme, and prepare board papers for material AI outsourcing arrangements requiring governance sign-off.
Common Questions
Why does the RBNZ care about AI vendor concentration?
New Zealand's financial sector is served by a small number of global AI and cloud providers. When multiple banks, insurers, and fund managers depend on the same underlying AI platforms, a single provider failure could disrupt the entire sector simultaneously. The RBNZ views this as a systemic risk requiring board-level oversight, contingency planning, and ongoing monitoring of concentration levels.
How do Treaty obligations apply when a global vendor processes Maori data through their AI systems?
Treaty of Waitangi principles of partnership, participation, and protection extend to how Maori data is collected, processed, and stored by third parties. When a vendor's AI system processes data that includes whakapapa, health, or cultural information about Maori, your organisation must ensure the vendor understands and respects Maori data sovereignty. This includes assessing whether the vendor's data handling aligns with Te Mana Raraunga principles and whether appropriate consent mechanisms exist.
What does an exit strategy look like for a critical AI vendor?
A robust exit strategy covers data return and deletion obligations, transition timelines that allow operational continuity, identification of alternative providers or in-house capability, contractual provisions that prevent vendor lock-in through proprietary data formats, cost estimates for transition, and communication plans for affected stakeholders. Government agencies must include exit provisions in line with Government Procurement Rules. Private sector organisations benefit from the same discipline.
Does the Privacy Act 2020 apply to AI vendors processing data offshore?
Yes. Information Privacy Principle 11 requires agencies disclosing personal information to overseas recipients to ensure comparable privacy protections exist in the receiving jurisdiction, or to obtain explicit consent, or to put contractual safeguards in place. For AI vendors, this means assessing not just where your data is stored but where it is processed, whether it is used for model training, and whether sub-processors in other jurisdictions have access. The obligation to ensure comparable protection remains with your organisation regardless of what the vendor's standard terms say.
Related Services
AI Governance Consulting
Build comprehensive AI governance frameworks that cover both internal AI development and third-party AI use.
AI Audit and Assessment
Independent assessment of your AI governance maturity, including third-party AI risk management effectiveness.
Regulatory Compliance
Navigate overlapping AI compliance requirements across RBNZ, FMA, Privacy Act 2020, and Treaty obligations.
Take Control of Third-Party AI Risk Before Your Regulator Asks
Whether you are addressing RBNZ concentration risk concerns, ensuring Privacy Act 2020 compliance for offshore AI processing, evaluating vendor Treaty obligations for Maori data, or building exit strategies for critical AI dependencies, we help NZ organisations take control of third-party AI risk.