AI Use Policy for NZ Businesses: A Board-Ready Framework for 2026
Your staff are already using AI. The question is whether your organisation has a policy that governs how they use it. A 2025 survey by the Institute of Directors (IoD) found that most New Zealand boards recognise AI as a strategic priority, yet many organisations still lack a formal AI use policy that NZ regulators and stakeholders now expect. Without one, you are relying on individual judgement to manage privacy risks, data sovereignty obligations, and ethical considerations that carry real organisational liability.
This guide provides a practical framework for building an AI use policy that aligns with New Zealand’s regulatory landscape — the Privacy Act 2020, the NZ AI Strategy, IoD governance principles, Te Tiriti o Waitangi obligations, and the international ISO 42001 standard. Whether you are a government agency, a university, or a mid-sized business, this framework gives your board and leadership team a structure they can adapt, approve, and implement.
Does New Zealand Have AI Regulation? Understanding the 2026 Landscape
New Zealand does not have AI-specific legislation. The Government’s position, outlined in the NZ AI Strategy “Investing with Confidence” released by MBIE in July 2025, is deliberately principles-based rather than prescriptive. The strategy aligns with the OECD’s AI principles — respecting rule of law, human rights, fairness, privacy, robustness, and safety — while encouraging adoption through guidance rather than compliance mandates.
This matters for your AI use policy framework in two ways:
- No AI Act equivalent exists. Unlike the EU AI Act, there is no risk-classification system or mandatory conformity assessment for AI systems in New Zealand. This gives organisations flexibility, but it also means the regulatory floor is set by existing law — primarily the Privacy Act 2020 — rather than a purpose-built AI framework.
- Voluntary guidance carries weight. Alongside the strategy, MBIE released responsible AI guidance for businesses that recommends governance practices including board oversight, AI risk registers, change controls, transparency, and explainability. While voluntary, these practices increasingly represent the standard of care that regulators and courts are likely to reference when assessing whether an organisation acted reasonably.
The practical takeaway: your AI use policy does not need to comply with an AI-specific law, but it does need to demonstrate that your organisation has thought carefully about how AI intersects with existing obligations — particularly privacy, data governance, and te Tiriti.
What an AI Use Policy Should Cover: Seven Core Components
A robust AI use policy for a New Zealand organisation should address these seven areas. Each maps to at least one regulatory or governance framework relevant in this country.
1. Scope and Definitions
Define what “AI” means within your organisation. This sounds basic, but scope creep is common. Does your policy cover only generative AI (large language models like ChatGPT, Claude, Gemini), or also predictive analytics, robotic process automation (RPA), and AI features embedded in existing software like Microsoft 365 Copilot?
Specify which staff the policy applies to — all employees, contractors, board members — and whether it covers AI used in decision-making about people (hiring, performance, customer eligibility).
2. Approved Tools and Platforms
List which AI tools are sanctioned for use, under what conditions, and at which data classification level. For example:
- Unrestricted use: AI assistants for drafting, summarisation, and research using non-sensitive data
- Restricted use: AI tools processing internal data, requiring approved enterprise platforms with appropriate security controls
- Prohibited use: Feeding personal information, classified data, or commercially sensitive material into public AI tools without explicit security and privacy assessment
Organisations handling sensitive data increasingly deploy private AI platforms where data stays within controlled infrastructure. This reduces the risk of information being retained or used by external model providers, but only if the contract and the platform configuration actually exclude retention and training; confirm both rather than assuming them from the word "private".
3. Privacy Act 2020 Compliance
The Privacy Commissioner’s guidance is explicit: organisations considering generative AI must conduct a Privacy Impact Assessment (PIA) before deployment, have senior leadership explicitly approve its use, and ensure transparency about how personal information will be handled.
Key Information Privacy Principles that intersect with AI use:
- IPP 1 (Purpose of collection): If you use AI to process personal information, the purpose must be clearly defined and lawful.
- IPP 5 (Storage and security): Personal information fed into AI tools must be protected by reasonable security safeguards. Consumer-tier AI tools that may retain prompts for model training are unlikely to meet this standard; enterprise tiers with contractual no-retention terms may, provided the setting is verified, not just advertised.
- IPP 8 (Accuracy): AI outputs used in decisions about individuals must be checked for accuracy. Hallucinated or incorrect AI-generated content that affects someone is a compliance risk.
- IPP 12 (Cross-border disclosure): If AI tools process data offshore, IPP12 obligations apply. Your policy should specify whether offshore processing is permitted and under what safeguards.
Your AI policy should require a PIA for any new AI use case involving personal information and mandate human review of AI outputs used in consequential decisions.
4. Te Tiriti o Waitangi and Māori Data Sovereignty
This is where most international AI policy templates fall short. NZ organisations — particularly in the public sector and education — have obligations under Te Tiriti that extend to how AI systems collect, process, and generate insights from data relating to Māori.
The principles of Māori data sovereignty, grounded in tino rangatiratanga and kaitiakitanga, mean that:
- Māori data requires specific governance. Data about Māori people, communities, resources, and taonga is not simply generic data. Your policy should acknowledge this distinction and establish processes for identifying and appropriately handling Māori data.
- Engagement, not assumption. AI systems trained on data that includes Māori information should involve meaningful engagement with relevant Māori communities. Karaitiana Taiuru’s framework for Māori AI and Data Governance provides practical guidance on moving from intention to implementation.
- Bias and representation. AI models can perpetuate biases that disproportionately affect Māori. Your policy should require bias assessment for AI systems used in decisions about people, with specific attention to equitable outcomes for Māori.
A practical starting point: include a section in your policy that acknowledges Te Tiriti obligations, commits to identifying Māori data within AI workflows, and establishes a consultation process for AI use cases that affect Māori communities.
5. Board Accountability and Governance Structure
The IoD’s “Director’s Guide to AI Board Governance” outlines nine principles for board oversight. The core message: AI governance cannot be delegated entirely to IT. The board holds ultimate accountability.
Your policy should define:
- Who owns AI governance. A named executive or committee responsible for AI policy, risk, and compliance decisions.
- Board reporting cadence. Regular updates on AI adoption, risk incidents, and policy compliance — quarterly at minimum.
- AI risk register. A maintained register of AI systems in use, their risk profiles, data inputs, and the controls applied to each.
- Change approval process. New AI use cases or tools require formal assessment and approval before deployment.
The IoD’s position is that directors do not need to be AI experts, but they do need enough understanding to ask the right questions and make informed decisions.
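The approved-tool tiers in section 2, the Privacy Act checks in section 3, and the AI risk register above are easier to keep honest when the register is machine-checkable rather than a spreadsheet nobody re-reads. The following is an added example (not code from the page or from any vendor named on it) of a small policy-as-code check over a register: each entry records the tool, the data classifications involved, and the controls applied, and the checker reports which policy rules the entry breaches. The tool names, classification levels, rule IDs and sample entries are all assumptions constructed for the illustration; they are not a real catalogue.

```python
"""Policy-as-code checks over an AI risk register.

Added example. The tool catalogue, classification levels, rule IDs and
sample register entries are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class DataClass(IntEnum):
    """Ordered classification levels; higher means more sensitive."""
    PUBLIC = 0        # non-sensitive data, unrestricted tier
    INTERNAL = 1      # internal data, restricted tier
    PERSONAL = 2      # personal information under the Privacy Act 2020
    CONFIDENTIAL = 3  # commercially sensitive or classified material


@dataclass(frozen=True)
class Tool:
    name: str
    max_class: DataClass   # highest classification the tool is sanctioned for
    offshore: bool         # processes data outside New Zealand (IPP 12 trigger)
    retains_prompts: bool  # provider may retain or train on submitted data


# Constructed tool catalogue (three illustrative tools, not real products).
CATALOGUE: dict[str, Tool] = {
    "public-chat": Tool("public-chat", DataClass.PUBLIC, offshore=True, retains_prompts=True),
    "enterprise-copilot": Tool("enterprise-copilot", DataClass.INTERNAL, offshore=True, retains_prompts=False),
    "nz-private-llm": Tool("nz-private-llm", DataClass.CONFIDENTIAL, offshore=False, retains_prompts=False),
}


@dataclass
class RegisterEntry:
    use_case: str
    tool: str
    data_classes: set[DataClass] = field(default_factory=set)
    consequential: bool = False        # output feeds decisions about individuals
    pia_completed: bool = False        # Privacy Impact Assessment signed off
    human_review: bool = False         # a person reviews outputs before use
    offshore_safeguards: bool = False  # contractual/technical IPP 12 protections
    maori_data: bool = False           # Maori data identified in the workflow
    maori_consultation: bool = False   # consultation process completed
    approved_by: str | None = None     # named owner who approved the use case

    @property
    def highest_class(self) -> DataClass:
        return max(self.data_classes) if self.data_classes else DataClass.PUBLIC


def check_entry(entry: RegisterEntry, catalogue: dict[str, Tool] = CATALOGUE) -> list[str]:
    """Return the rule IDs an entry violates; an empty list means compliant."""
    findings: list[str] = []
    tool = catalogue.get(entry.tool)
    if tool is None:
        # Shadow AI: the tool is not in the sanctioned list, so nothing else
        # about it can be assessed until it is profiled.
        return ["TOOL-UNAPPROVED"]
    personal = DataClass.PERSONAL in entry.data_classes
    if entry.highest_class > tool.max_class:
        findings.append("TOOL-CLASS-EXCEEDED")      # data above the tool's tier
    if personal and tool.retains_prompts:
        findings.append("IPP5-RETENTION")           # provider may keep the data
    if personal and tool.offshore and not entry.offshore_safeguards:
        findings.append("IPP12-OFFSHORE")           # cross-border without safeguards
    if personal and not entry.pia_completed:
        findings.append("PIA-MISSING")
    if entry.consequential and not entry.human_review:
        findings.append("HUMAN-REVIEW-MISSING")
    if entry.maori_data and not entry.maori_consultation:
        findings.append("MAORI-CONSULTATION-MISSING")
    if entry.approved_by is None:
        findings.append("APPROVAL-MISSING")
    return findings


def check_register(register: list[RegisterEntry]) -> dict[str, list[str]]:
    """Map each use case to its findings, for board reporting or CI gating."""
    return {e.use_case: check_entry(e) for e in register}


# Constructed sample register.
SAMPLE_REGISTER = [
    RegisterEntry("marketing-drafts", "public-chat", {DataClass.PUBLIC}, approved_by="CIO"),
    RegisterEntry("cv-screening", "public-chat", {DataClass.PERSONAL},
                  consequential=True, maori_data=True),
    RegisterEntry("contract-summaries", "nz-private-llm",
                  {DataClass.CONFIDENTIAL, DataClass.PERSONAL},
                  pia_completed=True, human_review=True,
                  approved_by="AI Governance Committee"),
    RegisterEntry("meeting-notes", "random-saas-bot", {DataClass.INTERNAL}),
]

if __name__ == "__main__":
    for use_case, findings in check_register(SAMPLE_REGISTER).items():
        print(f"{use_case}: {findings or 'compliant'}")
```

Running the sample shows the shape of the report a board would want: the CV-screening entry fails seven rules at once (wrong tool tier, retention, offshore disclosure, no PIA, no human review, no consultation, no approval), while the NZ-hosted contract summariser passes because its controls are recorded. Treat a non-empty result as a blocker in the change approval process, not as advisory output.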
6. International Standards Alignment: ISO 42001
ISO/IEC 42001, published in December 2023, is the world’s first AI management system standard. It provides a Plan-Do-Check-Act framework for governing AI development, deployment, and operation. While certification is voluntary, ISO 42001 is becoming the de facto governance standard for organisations operating in regulated markets or selling into jurisdictions with AI-specific legislation.
For NZ organisations, aligning your AI use policy with ISO 42001 provides three benefits:
- Structured risk management. The standard requires identifying and assessing AI-specific risks — bias, accuracy, security, transparency — with documented controls for each.
- International credibility. If your organisation exports services or partners with EU entities, ISO 42001 alignment is commonly cited as covering approximately 70 per cent of the documentation expected for high-risk systems under the EU AI Act. Note that ISO 42001 certification is not itself an AI Act conformity assessment; it reduces the gap rather than closing it.
- Audit readiness. The Plan-Do-Check-Act cycle means your policy is not a static document. Regular reviews, incident analysis, and improvement actions are built into the framework.
Your AI policy does not need to achieve ISO 42001 certification immediately, but structuring it to align with the standard’s requirements positions your organisation for certification when the business case warrants it.
7. Acceptable Use Guidelines for Staff
This is the most visible part of your policy — the section that staff will actually read and follow. It should be clear, specific, and practical:
- What staff can use AI for: drafting content, summarising documents, code assistance, research, brainstorming
- What requires approval: processing customer data, generating content for external publication, using AI for recruitment or performance evaluation
- What is prohibited: entering personal information into unapproved tools, using AI outputs without human review for legal, financial, or medical decisions, sharing proprietary information with public AI services
- Incident reporting: how to report AI errors, privacy concerns, or suspected misuse
Write this section in plain language. If your acceptable use guidelines require a law degree to interpret, they will not be followed.
Tailoring Your AI Policy by Sector
The right AI policy looks different depending on your sector. Here is how to adjust the emphasis.
- Education (universities, schools, polytechnics). Student data protections are paramount. Address AI use in assessment (academic integrity policies), research ethics for AI-assisted research, and the tension between encouraging AI literacy and preventing misuse. Te Tiriti obligations are typically embedded in institutional charters and should flow through to AI governance.
- Public sector (councils, government agencies). NZISM (the New Zealand Information Security Manual, published by the GCSB) requirements overlay Privacy Act obligations. Government AI use is increasingly subject to public scrutiny and OIA (Official Information Act) requests. Your policy should address transparency about AI-assisted decision-making and align with the Government’s own voluntary AI guidance.
- SMBs (small and medium businesses). Keep it proportionate. A 50-person company does not need ISO 42001 certification, but it does need clear rules about which AI tools are approved, what data can be entered, and who reviews AI outputs used in customer-facing decisions. Focus on the acceptable use guidelines and Privacy Act compliance as the minimum viable policy.
- Enterprises operating internationally. If you serve customers or partners in the EU, ISO 42001 alignment and documented AI risk assessment become competitive advantages. Your policy should address cross-jurisdictional data flows and demonstrate alignment with both NZ and international frameworks.
Moving from Template to Board Approval
An AI use policy is not a one-off project — it is a living document that needs regular review as AI capabilities and the regulatory landscape evolve.
- Start with a risk assessment. Audit which AI tools your organisation already uses (including shadow AI — tools adopted without IT approval). Understand your data flows and identify where personal or sensitive information intersects with AI.
- Draft the policy. Use the seven components above as your structure. Involve legal, IT, HR, and Māori engagement leads where appropriate.
- Conduct a Privacy Impact Assessment. The Privacy Commissioner expects this. Document the risks, the mitigations, and the residual risk your organisation accepts.
- Present to the board. Frame it in business terms: risk reduction, regulatory compliance, competitive positioning, and operational efficiency. Include the AI risk register and a recommended review schedule.
- Communicate and train. A policy only works if staff know it exists and understand it. Run training sessions, create quick-reference guides, and establish a clear channel for questions.
- Review regularly. Set a quarterly review cycle for the AI risk register and an annual review of the full policy. The NZ AI Strategy and Privacy Commissioner guidance will evolve — your policy should keep pace.
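The first step above, finding shadow AI before you write the policy, is usually a log-analysis job: web-proxy or DNS logs already record which AI services staff reach and how much they upload. The following is an added example (not code from the page or from any vendor named on it) that scans proxy log lines for known AI-service hostnames, aggregates usage per user, separates sanctioned from unsanctioned services, and escalates large uploads to unsanctioned services as possible data leakage. The log format, user names, byte counts and sanctioned list are constructed for the illustration; the hostname list is illustrative and must be maintained against the tools actually in scope.

```python
"""Shadow-AI discovery from web-proxy logs.

Added example. The log format, users, byte counts and sanctioned list are
constructed; the domain list is illustrative and needs to be kept current.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Hostname suffix -> service label. Illustrative; maintain against your own scope.
AI_SERVICE_SUFFIXES = {
    "openai.com": "ChatGPT/OpenAI API",
    "claude.ai": "Claude",
    "anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "example-ai-notes.app": "Unknown AI note-taker",  # constructed hostname
}

# Services the policy has approved (assumption for this example).
SANCTIONED = {"Microsoft Copilot"}

# Upload volume at which an unsanctioned hit is escalated (assumption).
UPLOAD_ALERT_BYTES = 100_000

# Constructed log format: "<iso-time> <user> <METHOD> <host> <bytes_out>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[\w.-]+)\s+(?P<bytes_out>\d+)$"
)


def classify_host(host: str) -> str | None:
    """Return the AI service label for a host, matching on label boundaries.

    Suffix matching is anchored at a dot so "notopenai.com" does not match
    "openai.com" while "api.openai.com" does.
    """
    host = host.lower().rstrip(".")
    for suffix, label in AI_SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def scan_proxy_log(lines) -> dict:
    """Aggregate AI-service usage per user; flag unsanctioned use and bulk uploads."""
    usage: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    alerts: list[tuple[str, str, str, int]] = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the audit
        service = classify_host(m["host"])
        if service is None:
            continue
        user, nbytes = m["user"], int(m["bytes_out"])
        usage[user][service] += nbytes
        if service not in SANCTIONED and nbytes >= UPLOAD_ALERT_BYTES:
            alerts.append((user, service, m["host"], nbytes))
    unsanctioned = {
        user: sorted(s for s in services if s not in SANCTIONED)
        for user, services in usage.items()
        if any(s not in SANCTIONED for s in services)
    }
    return {
        "usage": {u: dict(s) for u, s in usage.items()},
        "unsanctioned": unsanctioned,
        "alerts": alerts,
    }


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-09-01T09:12:03Z alice POST chat.openai.com 2048
2025-09-01T09:15:44Z alice POST copilot.microsoft.com 4096
2025-09-01T10:02:10Z bob POST api.openai.com 524288
2025-09-01T10:05:00Z bob GET notopenai.com 120
2025-09-01T10:07:19Z carol POST example-ai-notes.app 900
2025-09-01T10:08:00Z malformed line here
""".splitlines()

if __name__ == "__main__":
    report = scan_proxy_log(SAMPLE_LOG)
    for user, services in report["unsanctioned"].items():
        print(f"{user}: unsanctioned {services}")
    for user, service, host, nbytes in report["alerts"]:
        print(f"ALERT {user} sent {nbytes} bytes to {service} ({host})")
```

The per-user view tells you who to talk to and which tools need a decision (sanction, replace, or block); the alerts tell you where a data-leakage review may be needed before the policy is even drafted. Pair the scan with identity-provider sign-in logs for OAuth-connected AI apps, since browser extensions and SaaS integrations do not always show up as direct proxy traffic.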
ASI Solutions works with NZ organisations across education, government, and enterprise to implement secure AI platforms that align with these governance requirements. ASI Secure Chat provides an enterprise AI platform hosted in New Zealand, giving your organisation the technical controls — NZ data residency, access management, audit logging — that make your AI use policy enforceable rather than aspirational.
If your board is evaluating AI governance and you want to understand how NZ-hosted AI infrastructure supports your policy requirements, book a meeting with the ASI Solutions team.