Third-party AI risk management built for NZ's concentrated vendor market.

The RBNZ has identified vendor concentration as a systemic risk in New Zealand's financial sector. A small number of AI providers serve most NZ organisations, creating shared points of failure that standard vendor management does not address. When your AI vendor's model changes behaviour, your customers feel it first.

NZ requirements

Built for

  • FMA / RBNZ regulated firms
  • Crown entities
  • Procurement and risk teams
  • General counsel
  • Government suppliers
Mapped against: Privacy Act 2020 (IPP 11 / IPP 12) / RBNZ BS13 Outsourcing / Government Procurement Rules / Te Tiriti o Waitangi / Te Mana Raraunga / OECD AI Principles

Vendor evaluation framework

Structured methodology with risk-tiered questionnaires, scoring rubrics aligned with your risk appetite, and escalation thresholds. Built for your procurement team to use independently.

Concentration risk analysis

Mapping of your AI vendor dependencies, sector-level concentration assessment, shared sub-processor identification, and contingency planning for critical vendor disruption.

Treaty-aware data review

Vendor-by-vendor assessment of Privacy Act 2020 compliance, IPP 12 obligations for offshore data, and Te Tiriti requirements for Māori data handling aligned with Te Mana Raraunga.

Exit strategy and clause library

Data return requirements, transition timelines, service continuity plans, and AI-specific contract clauses ready for your legal team to incorporate.

Aotearoa's third-party AI risk profile is unique.

New Zealand's market size means most organisations draw from the same small pool of global AI providers. That creates concentration risk, data sovereignty challenges, and governance blind spots that standard vendor management does not address.

  01
    Concentration risk

    The RBNZ has flagged shared AI dependencies as a systemic risk.

    A handful of global AI platforms serve the majority of New Zealand enterprises. When multiple organisations in the same sector depend on the same AI provider, a single model failure or outage becomes a systemic event. ANZ NZ, BNZ, Westpac NZ, ASB, and Kiwibank may share common AI infrastructure. Your vendor assessment needs to account for what happens when your provider is also your competitor's provider.

  02
    Sovereignty

    Data leaves the country by default.

    Most global AI vendors process data offshore. Under the Privacy Act 2020, Information Privacy Principle 12 requires you to be satisfied that an overseas recipient is subject to comparable privacy safeguards (or that another IPP 12 exception applies) before disclosing personal information outside New Zealand. For Māori data, offshore processing raises additional questions about sovereignty, cultural appropriateness, and tino rangatiratanga. These concerns are unique to Aotearoa and central to Te Tiriti o Waitangi obligations.

  03
    Exit strategy

    No exit strategy, no leverage.

    Government Procurement Rules require exit strategy provisions for critical vendors, reflecting best practice from digital.govt.nz guidance. Yet many New Zealand organisations adopt AI tools without planning how to leave them. When a vendor changes pricing, alters terms, or degrades service quality, the absence of exit provisions means you have no practical way to transition. This undermines operational resilience, a concern the RBNZ takes seriously for regulated businesses.

NZ regulatory expectations.

Multiple frameworks set expectations for how organisations govern AI vendor relationships. Together they require a level of rigour that standard procurement processes were not designed to deliver.

Framework

Government Procurement Rules

MANDATORY · GOVERNMENT

Supported by digital.govt.nz guidance on responsible AI procurement, the rules require agencies to conduct thorough vendor assessments. The Public Service AI Framework reinforces these requirements with additional guidance on data traceability and exit strategies.

  • Supplier reputation and capability
  • Privacy and security under Privacy Act 2020
  • Data residency and IPP 12 compliance
  • Supply chain transparency
  • Exit provisions for service continuity

Framework

RBNZ BS13 outsourcing

PRUDENTIAL · ONGOING

The Reserve Bank of New Zealand has identified vendor concentration in AI as a risk to the NZ financial system. In its "Rise of the Machines" analysis, the RBNZ noted that a small number of providers serve multiple banks and insurers. Material outsourcing arrangements involving AI require board-level oversight under existing prudential expectations.

  • Concentration risk assessment
  • Board approval for material AI outsourcing
  • Contingency planning for vendor failure
  • Market distortion from correlated decisions

Framework

Privacy Act 2020 and Te Tiriti

MANDATORY · EVOLVING

When your AI vendor processes personal information, Privacy Act 2020 obligations remain yours. IPP 12 sets requirements for overseas disclosure. For Māori data processed through vendor AI systems, Te Tiriti o Waitangi principles create additional obligations around Māori data sovereignty, consent, and cultural appropriateness that standard vendor agreements do not address.

  • IPP 12 compliance for every offshore vendor
  • Vendor assessment aligned with Te Mana Raraunga
  • Contract bar on unconsented training use
  • Data residency for culturally significant data

Vendor governance, end to end.

A complete AI vendor risk management programme covering the six evaluation dimensions NZ regulators and the OECD AI Principles expect.

01

AI vendor evaluation framework.

Risk-tiered questionnaires for critical, high, and standard vendors, with scoring rubrics aligned to your risk appetite and escalation thresholds your team can run independently.

02

Concentration risk analysis.

Vendor dependency mapping to identify single points of failure, sector-level concentration assessment, shared sub-processor identification, and contingency planning addressing the systemic risks the RBNZ highlighted.

03

Privacy and Treaty compliance assessment.

Vendor-by-vendor assessment of Privacy Act 2020 compliance, IPP 12 obligations for offshore processing, and Te Tiriti requirements for Māori data, with specific questions on cultural data sensitivity.

04

Exit strategy and transition planning.

Exit provisions for every critical AI vendor: data return requirements, transition timelines, service continuity plans, and alternative vendor identification. Aligned with Government Procurement Rules.

05

Contract clause library.

AI-specific contract clauses covering model transparency, data usage restrictions, performance monitoring rights, breach notification, Māori data protections, and exit provisions, ready for legal to incorporate.

06

Ongoing monitoring framework.

Continuous vendor monitoring tracking AI model performance, data handling, and contractual compliance. Includes quarterly review templates, escalation procedures, and board reporting formats aligned with Companies Act 1993 director duties.

How the engagement runs.

We build on your existing vendor management processes rather than replacing them. AI-specific governance layers address the risks standard TPRM was not designed for, with NZ regulatory requirements and OECD AI Principles woven throughout.

  01

    AI vendor landscape mapping

    WEEKS 1-2

    We identify every AI vendor relationship across your organisation, including embedded AI within broader platform subscriptions. Each vendor is categorised by risk tier, data sensitivity, and criticality. We map concentration risk by identifying shared providers across your sector.

  02

    NZ regulatory gap assessment

    WEEKS 3-4

    We evaluate current vendor governance against Privacy Act 2020 IPP requirements, RBNZ outsourcing expectations, FMA conduct standards, Government Procurement Rules, Te Tiriti obligations for Māori data governance, and OECD AI Principles. Output: a prioritised remediation roadmap with clear ownership and timelines.

  03

    Framework, tools, and clause development

    WEEKS 5-8

    We develop your AI Vendor Risk Management Framework: evaluation questionnaires with Māori data governance sections, risk scoring methodology, contract clause library, exit strategy templates, and ongoing monitoring criteria. All tools are designed for your procurement and governance teams to use independently.

  04

    Implementation and knowledge transfer

    WEEKS 9-12

    We train your procurement and risk teams on the new framework, conduct pilot assessments of your highest-risk AI vendors, integrate the AI-specific processes into your existing TPRM programme, and prepare board papers for material AI outsourcing arrangements requiring governance sign-off.

Common questions.

Why does the RBNZ care about AI vendor concentration?

New Zealand's financial sector is served by a small number of global AI and cloud providers. When multiple banks, insurers, and fund managers depend on the same underlying AI platforms, a single provider failure could disrupt the entire sector simultaneously. The RBNZ views this as a systemic risk requiring board-level oversight, contingency planning, and ongoing monitoring of concentration levels. This concern was highlighted in the RBNZ's financial stability analysis and reflects the reality of New Zealand's compact financial market.

How do Te Tiriti o Waitangi obligations apply when a global vendor processes Māori data through their AI systems?

Te Tiriti o Waitangi principles of partnership, participation, and protection extend to how Māori data is collected, processed, and stored by third parties. When a vendor's AI system processes data that includes whakapapa, health, or cultural information about Māori, your organisation must ensure the vendor understands and respects Māori data sovereignty. This includes assessing whether the vendor's data handling aligns with Te Mana Raraunga principles and whether appropriate consent mechanisms exist. This layer of cultural consideration in vendor governance is specific to Aotearoa New Zealand; overseas vendors' standard terms will not have been written with it in mind.

What does an exit strategy look like for a critical AI vendor?

A defensible exit strategy covers data return and deletion obligations, transition timelines that allow operational continuity, identification of alternative providers or in-house capability, contractual provisions that prevent vendor lock-in through proprietary data formats, cost estimates for transition, and communication plans for affected stakeholders. Government agencies must include exit provisions in line with Government Procurement Rules and digital.govt.nz guidance. Private sector organisations benefit from the same discipline as part of their broader risk management strategies.

Does the Privacy Act 2020 apply to AI vendors processing data offshore?

Yes. Information Privacy Principle 12 governs disclosure of personal information outside New Zealand. Before disclosing to an overseas recipient, the disclosing agency must reasonably believe the recipient is subject to comparable privacy safeguards (for example, comparable privacy law, a prescribed binding scheme, or contractual safeguards the agency has put in place), or the individual must have authorised the disclosure after being expressly informed that the recipient may not be required to protect the information in a comparable way. For AI vendors, this means assessing not just where your data is stored but where it is processed, whether it is used for model training, and whether sub-processors in other jurisdictions have access. The obligation to ensure comparable protection remains with your New Zealand organisation regardless of what the vendor's standard terms say.

How does your approach align with the OECD AI Principles?

New Zealand's National AI Strategy adopted the OECD AI Principles as its foundation, including transparency, accountability, and robustness requirements. Our vendor assessment frameworks incorporate these principles directly: we evaluate vendor transparency about how their models work, establish accountability mechanisms for vendor AI failures, and assess the robustness of vendor systems against operational disruption. This alignment ensures your vendor governance supports New Zealand's broader strategies for responsible AI adoption.

Take control of third-party AI risk before your regulator asks.

Whether you are addressing RBNZ concentration risk, ensuring Privacy Act 2020 compliance for offshore AI processing, evaluating vendor Te Tiriti obligations for Māori data, or building exit strategies for critical AI dependencies, our specialists help NZ organisations take control with practical solutions.
