Supply Chain Risk

Third-Party AI Risk Management for New Zealand

The RBNZ has identified vendor concentration as a systemic risk in New Zealand's financial sector. A small number of AI providers serve most NZ organisations, creating shared points of failure that standard vendor management does not address. When your AI vendor's model changes behaviour, your customers feel it first.

Our specialists help New Zealand businesses and government agencies evaluate, govern, and monitor third-party AI relationships with frameworks built for NZ's Privacy Act 2020 requirements, Government Procurement Rules, and Treaty of Waitangi obligations. We deliver practical solutions for risk management that your team can implement and maintain.

NZ Faces a Unique Third-Party AI Risk Profile

New Zealand's market size means most organisations draw from the same small pool of global AI providers. This creates concentration risk, data sovereignty challenges, and governance blind spots that standard vendor management does not address. Proactive oversight is essential for Aotearoa's organisations.

Vendor Concentration Risk

A handful of global AI platforms serve the majority of New Zealand enterprises. When multiple organisations in the same sector depend on the same AI provider, a single model failure or outage becomes a systemic event. The RBNZ has explicitly identified this concentration as a risk to financial stability. ANZ NZ, BNZ, Westpac NZ, ASB, and Kiwibank may share common AI infrastructure. Your vendor assessment needs to account for what happens when your provider is also your competitor's provider.

Data Leaves the Country by Default

Most global AI vendors process data offshore. Under the Privacy Act 2020, Information Privacy Principle 12 requires you to ensure overseas recipients provide comparable privacy protections before disclosing personal information outside New Zealand. For Māori data, offshore processing raises additional questions about sovereignty, cultural appropriateness, and tino rangatiratanga. These concerns are unique to Aotearoa and central to Te Tiriti o Waitangi obligations. Standard procurement processes rarely assess them.

No Exit Strategy, No Leverage

Government Procurement Rules require exit strategy provisions for critical vendors, reflecting best practice from digital.govt.nz guidance. Yet many New Zealand organisations adopt AI tools without planning how to leave them. When a vendor changes pricing, alters terms, or degrades service quality, the absence of exit provisions means you have no practical way to transition. This lack of strategic planning undermines operational resilience, a concern the RBNZ takes seriously for regulated businesses.

NZ Regulatory Expectations for Third-Party Artificial Intelligence

Multiple New Zealand frameworks set expectations for how organisations govern AI vendor relationships. Together, they require a level of rigour that standard procurement and vendor management processes were not designed to deliver. Our consultants help your team navigate this compliance landscape.

Government Procurement Rules: AI Vendor Evaluation

Mandatory for Government Agencies | Best Practice for Private Sector

The Government Procurement Rules, supported by digital.govt.nz guidance on responsible AI procurement, require agencies to conduct thorough vendor assessments when procuring AI systems. These rules establish evaluation criteria that go beyond traditional procurement considerations, addressing the specific risks AI systems create. The Public Service AI Framework reinforces these requirements with additional guidance on data traceability and exit strategies.

Required evaluation criteria for AI vendors:

  • Supplier reputation, track record, and organisational capability for AI delivery
  • Privacy and security controls appropriate to the data processed under the Privacy Act 2020
  • Data residency arrangements and offshore processing safeguards (IPP 12 compliance)
  • Supply chain dependencies and sub-contractor transparency
  • Exit provisions ensuring service continuity and data return

RBNZ: Vendor Concentration and Outsourcing Risk

BS13 Outsourcing Policy | Ongoing Supervisory Focus

The Reserve Bank of New Zealand has identified vendor concentration in AI as a risk to the NZ financial system. In its "Rise of the Machines" analysis, the RBNZ noted that a small number of providers serve multiple banks and insurers, meaning a failure at one vendor could affect the entire sector simultaneously. Material outsourcing arrangements involving AI require board-level oversight and ongoing monitoring under existing prudential expectations.

RBNZ focus areas for AI vendors:

  • Concentration risk assessment: how many NZ institutions share the same AI provider
  • Board approval and ongoing oversight for material AI outsourcing arrangements
  • Contingency planning for critical AI vendor failure or service disruption
  • Market distortion risks from correlated AI-driven decisions across institutions

Privacy Act 2020 and Treaty of Waitangi: Data in Third-Party Hands

Mandatory Legal Requirements | Evolving Treaty Expectations

When your AI vendor processes personal information, the Privacy Act 2020 obligations remain yours. IPP 12 sets specific requirements for overseas disclosure of personal information. For Māori data processed through vendor AI systems, Te Tiriti o Waitangi principles create additional obligations around Māori data sovereignty, consent, and cultural appropriateness that standard vendor agreements do not address. These obligations are unique to New Zealand and essential for responsible governance.

Privacy and Treaty requirements for vendor governance:

  • IPP 12 compliance assessment for every offshore AI vendor processing NZ personal information
  • Vendor assessment for Māori data handling practices aligned with Te Mana Raraunga principles
  • Contractual safeguards ensuring vendor AI systems do not use your data for model training without consent
  • Data residency mapping for sensitive and culturally significant data categories

What We Deliver: AI Vendor Governance Solutions for NZ

A complete AI vendor risk management programme covering the six evaluation dimensions NZ regulators and the OECD AI Principles expect: supplier capability, privacy and security, data residency, pricing transparency, supply chain dependencies, and exit provisions.

AI Vendor Evaluation Framework

Structured assessment methodology covering all six evaluation criteria. Includes risk-tiered questionnaires for critical, high, and standard vendors, scoring rubrics aligned with your risk appetite, and escalation thresholds. Our team builds frameworks that your procurement specialists can use independently for ongoing vendor assessments.

Concentration Risk Analysis

Mapping of your AI vendor dependencies to identify single points of failure. Includes sector-level concentration assessment, shared sub-processor identification, and contingency planning for critical vendor disruption, addressing the systemic risks the RBNZ has highlighted for New Zealand's financial sector.

Privacy and Treaty Compliance Assessment

Vendor-by-vendor assessment of Privacy Act 2020 compliance, IPP 12 obligations for offshore data processing, and Treaty of Waitangi requirements for Māori data handling. Includes specific questions for vendors about cultural data sensitivity and Māori data sovereignty practices.

Exit Strategy and Transition Planning

Exit provisions for every critical AI vendor relationship. Includes data return requirements, transition timelines, service continuity plans, and alternative vendor identification. Aligned with Government Procurement Rules for public sector organisations and best practice strategies for private sector businesses in New Zealand.

Contract Clause Library

AI-specific contract clauses covering model transparency, data usage restrictions, performance monitoring rights, breach notification, Māori data protections, and exit provisions. Ready for your legal team to incorporate into vendor agreements, supporting your organisation's growth while maintaining compliance.

Ongoing Monitoring Framework

Continuous vendor monitoring protocols that track AI model performance, data handling practices, and compliance with contractual obligations. Includes quarterly review templates, escalation procedures, and board reporting formats aligned with Companies Act 1993 directors' duties for oversight of material vendor relationships.

Our Approach to NZ Third-Party AI Risk

We build on your existing vendor management processes rather than replacing them. The goal is to add AI-specific governance layers that address the risks standard third-party risk management (TPRM) was not designed for, with New Zealand regulatory requirements and OECD AI Principles woven throughout. Our consultants work alongside your team to ensure knowledge transfer and sustainable internal capability.

Vendor AI Evaluation Process
1. AI Vendor Landscape Mapping (Weeks 1-2)

We identify every AI vendor relationship across your organisation, including embedded AI within broader platform subscriptions. Each vendor is categorised by risk tier, data sensitivity, and criticality to operations. We map concentration risk by identifying shared providers across your sector, building a complete picture that supports informed governance decisions.

2. NZ Regulatory Gap Assessment (Weeks 3-4)

We evaluate your current vendor governance against Privacy Act 2020 IPP requirements, RBNZ outsourcing expectations, FMA conduct standards, Government Procurement Rules, Treaty of Waitangi obligations for Māori data governance, and OECD AI Principles. The output is a prioritised remediation roadmap with clear ownership and timelines for your team.

3. Framework, Tools, and Clause Development (Weeks 5-8)

We develop your AI Vendor Risk Management Framework: evaluation questionnaires with Māori data governance sections, risk scoring methodology, contract clause library, exit strategy templates, and ongoing monitoring criteria. All tools are designed for your procurement and governance teams to use independently.

4. Implementation and Knowledge Transfer (Weeks 9-12)

We train your procurement and risk teams on the new framework, conduct pilot assessments of your highest-risk AI vendors, integrate the AI-specific processes into your existing TPRM programme, and prepare board papers for material AI outsourcing arrangements requiring governance sign-off. Our specialists ensure your team has the capability to maintain the programme independently.

Common Questions

Why does the RBNZ care about AI vendor concentration?

New Zealand's financial sector is served by a small number of global AI and cloud providers. When multiple banks, insurers, and fund managers depend on the same underlying AI platforms, a single provider failure could disrupt the entire sector simultaneously. The RBNZ views this as a systemic risk requiring board-level oversight, contingency planning, and ongoing monitoring of concentration levels. This concern was highlighted in the RBNZ's financial stability analysis and reflects the reality of New Zealand's compact financial market.

How do Treaty of Waitangi obligations apply when a global vendor processes Māori data through their AI systems?

Te Tiriti o Waitangi principles of partnership, participation, and protection extend to how Māori data is collected, processed, and stored by third parties. When a vendor's AI system processes data that includes whakapapa, health, or cultural information about Māori, your organisation must ensure the vendor understands and respects Māori data sovereignty. This includes assessing whether the vendor's data handling aligns with Te Mana Raraunga principles and whether appropriate consent mechanisms exist. No other jurisdiction requires this level of cultural consideration in vendor governance. It is unique to Aotearoa New Zealand.

What does an exit strategy look like for a critical AI vendor?

A robust exit strategy covers data return and deletion obligations, transition timelines that allow operational continuity, identification of alternative providers or in-house capability, contractual provisions that prevent vendor lock-in through proprietary data formats, cost estimates for transition, and communication plans for affected stakeholders. Government agencies must include exit provisions in line with Government Procurement Rules and digital.govt.nz guidance. Private sector organisations benefit from the same discipline as part of their broader risk management strategies.

Does the Privacy Act 2020 apply to AI vendors processing data offshore?

Yes. Information Privacy Principle 12 requires organisations disclosing personal information to overseas recipients to ensure comparable privacy protections exist in the receiving jurisdiction, or to obtain the individual's express authorisation, or to put contractual safeguards in place. For AI vendors, this means assessing not just where your data is stored but where it is processed, whether it is used for model training, and whether sub-processors in other jurisdictions have access. The obligation to ensure comparable protection remains with your New Zealand organisation regardless of what the vendor's standard terms say.

How does your approach align with the OECD AI Principles?

New Zealand's National AI Strategy adopted the OECD AI Principles as its foundation, including transparency, accountability, and robustness requirements. Our vendor assessment frameworks incorporate these principles directly: we evaluate vendor transparency about how their models work, establish accountability mechanisms for vendor AI failures, and assess the robustness of vendor systems against operational disruption. This alignment ensures your vendor governance supports New Zealand's broader strategies for responsible AI adoption.

Take Control of Third-Party AI Risk Before Your Regulator Asks

Whether you are addressing RBNZ concentration risk concerns, ensuring Privacy Act 2020 compliance for offshore AI processing, evaluating vendor Treaty of Waitangi obligations for Māori data governance, or building exit strategies for critical AI dependencies, our specialists help New Zealand organisations take control of third-party AI risk with practical solutions.