A published AI policy is not the same as AI governance

Many organisations have now published an AI policy. That is a meaningful step. Putting something on paper signals intent and sets baseline expectations for staff.

But a policy is not a governance framework. It needs one around it to have effect. AI governance in New Zealand is still maturing.

Ethos Advisory recently ran its AI governance review against a publicly available AI policy published by a New Zealand territorial authority. The findings illustrate a gap that appears consistently across sectors.

What the policy did well

The policy functions as a staff usage guide. It sets baseline expectations for how AI tools should be used, addresses accountability for accuracy, and references relevant privacy principles. That is where the policy begins.

Where the gaps are

A governance framework requires more than usage guidance. It requires accountability structures, risk processes, and compliance obligations to be clearly assigned and operationalised.

The policy reviewed did not address executive accountability for AI governance. No individual or role is assigned responsibility for oversight of AI use across the organisation. There is no requirement to assess AI tools before deployment or to review them once in use. Vendors are acknowledged but never evaluated for privacy, security, or ethical risk. Privacy Impact Assessments are not required before an AI tool handles personal information.

Two further gaps carry specific legal and partnership weight. The Privacy Act 2020, as amended by the Privacy Amendment Act 2025 and in force from 1 May 2026, requires organisations to take reasonable steps to notify individuals when their personal information is collected indirectly and shared with an AI tool. The policy is silent on this obligation. The policy also contains no recognition of Te Tiriti obligations or Māori data sovereignty principles. For a territorial authority with obligations to Māori communities, that is a significant gap.

What the scores showed

The review assessed the policy against four frameworks: ISO/IEC 42001, the NIST AI Risk Management Framework, the NZ Privacy Act 2020, and Māori Data Sovereignty principles as reflected in He Waka Hiringa. No framework scored above 50 out of 100. The lowest score was 25, against the Māori Data Sovereignty framework. These results suggest there is meaningful work still to do.

Why this matters beyond one organisation

This organisation is not unusual. In every engagement Ethos Advisory has completed to date, a published AI policy and a functioning AI governance framework have been different things. The gap between them is where the legal exposure, the reputational risk, and the accountability questions sit.

If your organisation has published an AI policy, the useful question is not whether the policy exists. It is whether the governance framework around it does.

If you would like to understand where your organisation stands, you can start a conversation at ethosadvisory.co.nz.
