Most AI Policies in New Zealand Are Not Fit for Purpose
A real assessment reveals the governance gaps most organisations don’t see.
Based on an independent evaluation aligned to ISO/IEC 42001
INDEPENDENT ASSESSMENT | ISO/IEC 42001 ALIGNED | NEW ZEALAND CONTEXT
What an AI Governance Assessment Actually Finds
When Ethos Advisory conducts an independent AI governance assessment for a New Zealand organisation, the findings are consistent — and they are rarely what leadership teams expect.
Most organisations believe they have AI governance in hand. They have issued a policy, appointed someone to oversee AI tools, or added AI to a risk register. What the assessment reveals is that these measures, while well-intentioned, typically do not constitute governance. They constitute documentation.
Real AI governance requires structured board oversight, defined accountability for AI decisions, operational controls across the AI lifecycle, alignment to recognised standards, and active risk management. When evaluated against these criteria, most New Zealand organisations score poorly.
A Real Assessment Example
The example below is drawn from an independent AI policy assessment conducted by Ethos Advisory, evaluated against ISO/IEC 42001 — the international standard for AI management systems.
Assessment score: 28 out of 100
This result indicates a high-risk AI governance position.
A score of 28/100 is not unusual. It reflects an organisation that has taken early steps — perhaps drafting a policy or issuing guidance to staff — but has not yet established the governance foundations that boards and regulators will increasingly expect.
What does a score of 28/100 mean in practice?
At this governance maturity level, organisations typically exhibit the following characteristics:
No structured board oversight of AI: AI decisions and adoption are occurring at operational level without board visibility, defined reporting lines, or governance accountability. The board cannot effectively oversee what it cannot see.
Absent or informal risk assessment: AI tools are adopted and used without formal assessment of the risks they introduce — including privacy risk under the New Zealand Privacy Act 2020, bias risk, security risk, and reputational risk from AI-generated errors.
No defined accountability for AI decisions: When an AI system produces an incorrect, biased, or harmful output, there is no defined process for identifying accountability, investigating the failure, or notifying affected parties.
No lifecycle controls: AI tools are deployed without governance over how they are monitored, reviewed, updated, or decommissioned. A tool that was low-risk at deployment may become high-risk as its use expands.
No alignment to recognised standards: The organisation has not assessed its AI practices against ISO/IEC 42001, NIST AI RMF, or applicable New Zealand regulatory guidance. This creates exposure if a regulator, auditor, or counterparty seeks evidence of governance maturity.
Why This Matters for New Zealand Boards
Directors in New Zealand have existing legal obligations under the Companies Act 1993 and sector-specific legislation to exercise oversight of organisational risk. As AI becomes a material risk factor — through its operational, legal, and reputational dimensions — boards that cannot demonstrate active AI governance oversight face increasing exposure.
The Office of the Privacy Commissioner has signalled ongoing attention to AI-related privacy risks. The New Zealand Government’s National AI Strategy emphasises responsible AI governance across both public and private sectors. International trading partners and investors are increasingly asking about AI governance maturity as part of due diligence.
The question for New Zealand boards is not whether AI governance will be expected. It is whether your organisation will be ready when it is.
Where Does Your Organisation Stand?
Most organisations significantly overestimate their AI governance maturity. The gap between what leadership believes is in place and what an independent assessment reveals is one of the most consistent findings in our work.
An Ethos Advisory AI Governance Assessment provides your board with an independent, structured view of your current position — and a clear, prioritised path to a defensible governance posture.
Related Ethos Advisory Services
Independent review of AI governance maturity aligned to ISO/IEC 42001. Designed for New Zealand boards and executive teams.
Develop a responsible, governed approach to AI adoption aligned to your organisational objectives and risk appetite.
Establish controls, oversight mechanisms, and accountability structures for responsible AI use.