AI Governance NZ

Put the policy in place before your team adopts the tools.

AI governance that NZ businesses can actually use starts with clear rules for acceptable use, data handling, human oversight, vendor assessment and incident response. Changeable helps organisations make AI adoption safe, defensible and aligned with the Privacy Act 2020 without slowing useful experimentation.

  • Approved tools and acceptable use
  • Clear data boundaries
  • Human review and accountability
  • Vendor and incident controls

AI governance controls

Governance requirements

  • 01 Approved use: define permitted tools, tasks and users
  • 02 Data boundaries: separate open, internal and restricted information
  • 03 Human oversight: name who reviews consequential AI output
  • 04 Response and review: assess vendors, incidents and ongoing compliance

Governance position

Policy status: AI use is visible, controlled and defensible

Staff understand what is permitted, sensitive data is protected and accountability remains with people.

  • Use: approved and understood
  • Risk: managed and documented

Governance evidence

  • Current AI use and shadow AI reviewed
  • Privacy, data and vendor controls documented
  • Human oversight and incident ownership assigned

Changeable principle: AI can generate and assist. People remain accountable for the decision.

The immediate risk

Your team is already using AI. The question is whether you know about it.

In many New Zealand businesses, staff are already using unapproved AI tools to draft emails, analyse spreadsheets or summarise meetings. The intent is practical, but personal information, client records and commercially sensitive data may be entering systems the organisation has never assessed.

This is shadow AI. It creates legal, operational and reputational exposure because the business cannot see, measure or defend unmanaged use. A practical AI governance framework brings that activity into the open and sets safe boundaries before adoption expands.

Personal information is entering unapproved tools

Customer complaints, HR information, financial records and meeting notes may be uploaded to third-party AI services without a documented purpose, approval or security assessment.

The Privacy Act applies even though it does not name AI

The Privacy Act 2020 requires lawful collection, reasonable security safeguards and limits on using personal information beyond its original purpose.

Public expectations are moving faster than most policies

The Privacy Commissioner’s 2026 annual survey found that 67% of New Zealanders are concerned about how government and business AI systems handle personal data. Clear governance is now part of maintaining trust.

What practical AI governance NZ businesses need

Most SMEs do not need a 50-page policy. They need clear, enforceable rules that staff can understand and leaders can defend.

Acceptable use policy

Define approved AI tools, permitted tasks, authorised users and the types of information that must never be entered without specific approval.

Data boundaries

Classify information as open, internal or restricted so staff know what can be processed freely, what requires an approved tool and what needs a specific controlled workflow.

Human oversight

Require a named person to review AI-generated content, analysis, contractual language or decisions before consequential outputs reach a customer, client or external audience.

Vendor and tool assessment

Confirm where data is processed, whether inputs are retained or used for training, which sub-processors are involved and whether suitable contractual protections exist.

Incident response

Define how staff report unauthorised data entry, harmful outputs or vendor breaches, who assesses the impact and when privacy notification may be required.

Ownership and staff guidance

Assign an accountable owner, communicate the rules, train staff on real examples and review the framework as tools, risks and business use cases change.

How to build the governance framework

A focused implementation sequence turns unmanaged AI activity into clear policy, controlled adoption and practical accountability.

Phase 01

Discover current AI use

Find out which tools staff are using, what information they enter, which workflows depend on AI and where shadow AI is already creating exposure.

  • Staff and leadership discovery
  • Current tool and account inventory
  • Data and workflow use mapping
  • Immediate risk identification

Phase 02

Define acceptable use and data rules

Set clear boundaries for approved tools, permitted tasks and the treatment of open, internal and restricted information.

  • Approved tool register
  • Acceptable and prohibited use
  • Three-tier data classification
  • Exceptions and approval pathways

Phase 03

Establish oversight and vendor controls

Determine which outputs require human review and assess vendor hosting, retention, model training, contractual terms and incident commitments.

  • Human review requirements
  • Decision ownership and escalation
  • Vendor privacy and security review
  • Data processing agreement checks

Phase 04

Implement, train and respond

Publish the policy, train staff using practical scenarios and establish the process for reporting, assessing and documenting AI-related incidents.

  • Policy rollout and staff guidance
  • Named governance and incident owners
  • Privacy breach assessment process
  • Review schedule and policy updates

Governance outputs

An AI policy your team can follow and your leaders can defend.

The goal is not to prevent AI use. It is to make AI use visible, controlled and aligned with New Zealand privacy obligations, business risk and customer expectations.

  • Current AI use and shadow AI risk assessment
  • Approved AI tool and use-case register
  • Acceptable use policy with clear prohibited activities
  • Open, internal and restricted data classification rules
  • Human oversight, approval and accountability requirements
  • Vendor assessment and AI incident response process

Why policy comes first

Governance makes useful AI adoption easier, not slower.

Introducing rules after teams have embedded unapproved tools is harder and feels restrictive. Establishing the framework first gives people safe boundaries and lets the organisation adopt valuable AI with confidence.

Prevent unmanaged habits from becoming business dependencies

Early governance stops sensitive workflows being built around personal accounts, free-tier tools or services the organisation cannot control.

Give staff confidence about what they can use

A clear policy removes uncertainty. Staff can use approved AI tools for appropriate work without guessing where the privacy and data boundaries sit.

Respond clearly to clients, auditors and regulators

Documented controls help the business explain which tools it uses, how personal information is protected and who remains accountable for AI-assisted decisions.

Manage incidents before they become crises

The Privacy Act breach process requires timely assessment. Defined reporting and ownership enable a measured response when data or outputs create harm.

Questions

Questions about AI governance NZ?

Common questions New Zealand organisations should address before approving AI tools or allowing sensitive business information to enter them.

What is AI governance?

AI governance is the set of policies, roles, controls and review processes an organisation uses to manage how AI tools are selected, used, monitored and held accountable.

Why do NZ businesses need an AI governance policy?

NZ businesses need an AI governance policy to manage privacy, security, data handling, human oversight, vendor and reputational risks while giving staff clear boundaries for responsible AI use.

Does the Privacy Act 2020 apply to AI tools?

Yes. Although the Act does not name AI, its privacy principles apply when AI tools collect, store, disclose, secure or use personal information. Businesses remain responsible for how personal information is handled.

What is shadow AI?

Shadow AI is the use of AI tools by staff without organisational approval, visibility or assessment. It commonly involves personal accounts, free-tier services or sensitive information entered into tools the business has not reviewed.

What should an acceptable AI use policy include?

It should identify approved tools and users, permitted and prohibited activities, data boundaries, human review requirements, vendor approval rules, incident reporting and the person accountable for governance.

Can employees enter client or personal data into ChatGPT?

Not unless the organisation has assessed and approved the specific tool, account type and workflow for that information. Personal, client, financial and commercially sensitive information should otherwise be treated as restricted.

How long does it take to establish practical AI governance?

A focused SME framework can often be developed through one or two working sessions followed by policy drafting, leadership approval and staff rollout. More complex or regulated organisations may require deeper assessment.

Can Changeable help us build and implement the policy?

Yes. Changeable can assess current AI use, identify shadow AI and privacy gaps, create a practical governance framework, review tools and vendors, train staff and connect governance with your wider AI strategy.

Ready to put governance in place before AI use expands?

Start by mapping what your team is already doing, where sensitive information may be exposed and which rules are needed now. We will help you build a practical AI governance framework your business can implement quickly.