The AI frontier is moving fast. Claude, Gemini, GPT-4o, and their successors are not arriving gradually — they are already inside your business, whether or not you know it. Your staff are using AI tools to draft emails, summarise contracts, and analyse customer data. That is good news for productivity. It is also a governance problem you probably have not solved yet.

For IT leads, CEOs, CIOs, and startup founders in New Zealand, the question is no longer whether to build IT governance. It is whether you build it deliberately — or let events force you into it.

  • 74%: NZ business leaders admit their organisation lacks an AI plan (NSP Research, 2025)
  • $7.8M: Lost to cybercrime in NZ in Q1 2025 alone — up 14.7% from the prior quarter (NCSC Q1 2025 Report)
  • 68%: NZ SMEs with no immediate plans for AI evaluation or investment (NZ AI Strategy, MBIE 2025)
⚠ The shadow AI problem
IBM's 2025 Cost of a Data Breach Report found that organisations with high levels of shadow AI — staff using AI tools without oversight — faced an average of $670,000 more per breach than those with low or no shadow AI usage. This is the governance gap that frontier models are now making very expensive.

What IT Governance Actually Means for an SME

Strip away the enterprise jargon and IT governance comes down to four questions your organisation must be able to answer:

Who decides?
  • In practice: One named person owns IT risk and AI tool decisions — not "the IT team" collectively
What are the rules?
  • In practice: Clear policies on data access, acceptable AI use, and password standards — written down and communicated
How do we know it's working?
  • In practice: Basic monitoring: who has access to what, whether backups run, whether unusual logins are flagged
Does IT serve the business?
  • In practice: Technology spending and risk decisions are aligned with what the organisation actually needs to grow

For a small organisation, answering these four questions concisely — and reviewing those answers once a year — is the entirety of IT governance. A framework such as those described below simply gives you the structure for doing so consistently.

The NZ Regulatory Landscape You Must Know

New Zealand has not introduced AI-specific legislation yet. The government's stated position is a light-touch, principles-based approach — meaning your existing legal obligations under current law already apply to how you use AI and manage your IT.[1]

Privacy Act 2020
  • Requires: Mandatory breach notification to OPC within 72 hours; personal data must be secured and used only for the purpose it was collected — including AI training data
  • Applies to SMEs: Must
NZ AI Strategy 2025 (MBIE)
  • Requires: Voluntary guidance for businesses on responsible AI adoption; OECD AI Principles adopted by Cabinet (June 2024)
  • Applies to SMEs: Should
Public Service AI Framework (Feb 2025)
  • Requires: Mandatory for government agencies; sets the standard the private sector will increasingly be benchmarked against by procurement teams
  • Applies to SMEs: Should
Algorithm Charter for Aotearoa NZ
  • Requires: Required for public sector algorithmic decisions — transparency, human oversight, and Māori data sovereignty considerations
  • Applies to SMEs: If public sector
RBNZ / FMA Expectations
  • Requires: Regulated financial entities must manage AI risk within existing governance, risk, and compliance arrangements
  • Applies to SMEs: If regulated
Consumer Guarantees Act 1993 / Fair Trading Act 1986
  • Requires: AI-generated outputs used in customer-facing decisions (pricing, recommendations) must still meet consumer protection standards
  • Applies to SMEs: Must
📌 Key point on AI and the Privacy Act
If your organisation is using customer data to train or prompt an AI model, Privacy Principle 10 applies — personal information must not be used for a purpose other than the one for which it was collected. This should be a standard checkpoint in any AI tool adoption process.

The Right Framework for Your Starting Point

Two frameworks are the most practical starting points for NZ SMEs. Used together, they cover both governance accountability and security operations.

NIST Cybersecurity Framework 2.0 — Start Here

The NIST CSF is free, non-prescriptive, and globally recognised. Version 2.0 (released 2024) added a sixth function — Govern — which now sits above Identify, Protect, Detect, Respond, and Recover. For SMEs, this is your entry point: assign accountability before you work through anything else.

COBIT Core Model — For Governance Structure

Published by ISACA, the COBIT Core Model addresses how IT decisions are made and how IT aligns with business strategy. Where NIST CSF gives you security controls, COBIT gives you the governance structure around them. For leadership teams unsure who owns IT risk, COBIT's accountability model is the clearest starting point available.

🤖 Add This for AI: ISO/IEC 42001:2023
The ISO/IEC 42001 standard (AI Management System) was released in 2023 and is the only internationally recognised framework specifically for AI governance. It integrates directly with ISO 27001. For NZ SMEs adopting AI tools, even a lightweight self-assessment against ISO 42001 gives you a defensible governance position and a head start if you ever pursue formal certification.

What Not to Do

01 · Don't attempt a full enterprise framework first

ISO 27001 is a multi-year effort even for experienced teams. Starting there before your basics are in place stalls momentum and leaves you more exposed, not less.

02 · Don't hand governance entirely to your MSP

Your managed service provider can implement controls. Under the Privacy Act 2020, accountability for data handling sits with your organisation — not your vendor.

03 · Don't let AI tool adoption happen without a policy

If there is no clear rule on which AI tools staff can use and with what data, shadow AI fills the gap immediately — at a cost your organisation did not budget for.

04 · Don't treat governance as a one-time project

Governance is not a deliverable. It is an ongoing practice. Reviewing it once a year and after every significant technology change is the minimum viable cadence.

A 90-Day Starting Plan

The goal is not perfection — it is having something real in place that you can build on. Here is a grounded sequence.

Days 1–30 · Identify
  • List every system, device, and cloud service in use
  • Map all personal information your org holds and where it lives
  • Identify who has admin access to each system
  • Assign one named IT governance owner internally
  • Audit which AI tools staff are already using
Days 31–60 · Protect
  • Enable MFA on every system that supports it
  • Confirm tested backups exist and are stored off-site or in a separate cloud account
  • Remove access for staff who have left
  • Draft a one-page Acceptable AI Use policy
  • Brief your team on phishing — use a real recent NZ example
Days 61–90 · Respond
  • Write a one-page incident response plan — who to call, what to do first
  • Test your backup restoration (not just that it exists)
  • Complete a Privacy Impact Assessment for your riskiest data process
  • Register with NCSC's free Phishing Disruption Service
  • Schedule an annual governance review date
✅ Free NZ resource
The NCSC's Phishing Disruption Service (PDS) is free for all NZ organisations. Forward suspicious links to phishpond@ops.cert.govt.nz. The NCSC analyses them and blocks verified threats across its network — protecting every organisation that participates.[4]

References

  1. Buddle Findlay. (2025). Government releases New Zealand's first AI strategy. buddlefindlay.com
  2. NSP Research. (2025). Fastest Technology Adoption Has the Slowest Governance Response. blog.nsp.co.nz
  3. MBIE. (2025). New Zealand's Strategy for Artificial Intelligence: Investing with Confidence. mbie.govt.nz
  4. NCSC / CERT NZ. (2025). Q1 2025 Cyber Security Insights Report. cert.govt.nz
  5. digital.govt.nz. (2025). Public Service AI Framework. digital.govt.nz
  6. IBM Security. (2025). Cost of a Data Breach Report 2025. ibm.com/security
  7. Microsoft NZ / Nemko Digital. (2025). New Zealand AI Strategy 2025 Analysis. digital.nemko.com
  8. ISACA. (2024). COBIT Core Model. isaca.org
  9. NIST. (2024). Cybersecurity Framework 2.0. nist.gov
  10. ISO/IEC 42001:2023. Artificial Intelligence Management System Standard. iso.org