New Zealand | A New Regulatory Landscape Is Taking Shape

Join our community of 1,000+ IT professionals, and receive tech tips and updates once a week.

A New Regulatory Landscape Is Taking Shape

New Zealand | A New Regulatory Landscape Is Taking Shape

The regulatory environment for artificial intelligence is evolving faster than most enterprise compliance frameworks can absorb. Technology and security leaders who are waiting for the dust to settle before acting are already behind. The organisations that will navigate this landscape well are those building governance structures today – structures flexible enough to adapt as regulations mature. 

The Major Frameworks You Need to Know 

EU AI Act 

The European Union’s AI Act is the world’s first comprehensive AI regulation, and its reach extends well beyond Europe. Any organisation serving EU customers or operating with EU-based employees must understand it. 

The Act classifies AI systems by risk: 

  • Unacceptable risk (prohibited): social scoring, AI using subliminal, manipulative, or deceptive techniques to distort behaviour causing significant harm, or AI that exploits vulnerabilities such as age, disability, or socioeconomic status to distort behaviour, real-time remote biometric identification in public spaces (prohibited in principle, with narrow law enforcement exceptions under strict conditions)
  • High risk (heavily regulated): AI used in employment decisions, credit scoring, critical infrastructure, law enforcement
  • Limited risk: chatbots and systems that must disclose their AI nature
  • Minimal risk: most AI applications, with light-touch obligations 

For most enterprise AI deployments – HR tools, customer service automation, procurement AI – the high-risk category is where CISOs need to focus. High-risk systems require conformity assessments, technical documentation, human oversight mechanisms, and registration in a central EU database. 

NIST AI Risk Management Framework (AI RMF) 

The US National Institute of Standards and Technology released the AI RMF in 2023 as a voluntary framework for managing AI risks. While not legally binding, it is beginning to be referenced in some government procurement contexts and sector-specific guidance in the US. 

The AI RMF organises around four functions: Govern, Map, Measure, Manage. CISOs should pay particular attention to the Govern function, which addresses organisational policies, accountability structures, and culture – the foundations that everything else rests on. 

ISO/IEC 42001 

The ISO 42001 standard establishes requirements for an AI Management System (AIMS) - the AI equivalent of ISO 27001 for information security. It provides a certifiable framework that organisations can use to demonstrate responsible AI management to customers, regulators, and partners. 

For CISOs who have implemented ISO 27001, ISO 42001 will feel familiar. It follows the same high-level structure (HLS), making integration with existing management systems straightforward. 

What Governance Structures Do You Actually Need? 

Regulation sets the floor. Good governance aims higher. 

AI Inventory and Risk Classification 

You cannot govern what you cannot see. The foundation of any AI governance programme is a comprehensive inventory of AI systems: every model, every AI-assisted workflow, every automated decision system operating in your environment. 

For each system, document: 

  • The intended use case and the actual use (these often diverge) 
  • The data it accesses and the outputs it produces 
  • The risk classification under relevant frameworks 
  • The owner and accountable executive 

Accountability Chains 

The EU AI Act, ISO 42001, and the NIST AI RMF all emphasise accountability. Someone must be responsible for each AI system – its safety, its performance, its compliance. In practice, this means: 

  • A designated AI Owner for each system (typically a business unit leader)
  • A Technical Accountability Lead (often from IT or data science)
  • Executive sponsorship at the CISO or CTO level for high-risk systems 

Policies You Need to Write Now 

If you do not have these policies, you are not ready for an AI audit: 

  1. AI Acceptable Use Policy - what employees can and cannot use AI for 
  2. AI Procurement Policy - what due diligence is required before adopting a new AI tool 
  3. AI Incident Response Procedure - how you respond when an AI system causes harm or behaves unexpectedly 
  4. AI Data Usage Policy - what data can be sent to AI systems (including third-party AI APIs) 
  5. AI Transparency Policy - when and how you disclose AI use to customers and regulators 

Audit and Monitoring 

Governance without monitoring is theatre. Your AI governance programme needs: 

  • Regular algorithmic audits for high-risk systems – at minimum annually, ideally on a rolling basis 
  • Performance monitoring for drift and degradation 
  • Incident logging - every AI-related near-miss, failure, or complaint must be captured 
  • Third-party AI vendor assessments - your AI providers must meet your governance standards, not just your own internal tools 

The CISO’s Role in AI Governance 

AI governance is not a compliance team problem that occasionally touches security. It is a security problem that requires compliance expertise. 

CISOs bring exactly what AI governance needs: a risk-based mindset, experience with complex regulatory environments, and the authority to enforce standards across business units. 

The most effective AI governance programmes place the CISO in a central coordinating role – not as a blocker, but as the architect of a framework that lets the business use AI at speed without stumbling into regulatory, reputational, or security risk. 

The Competitive Advantage of Getting This Right 

Organisations that build robust AI governance frameworks gain something beyond compliance: they gain trust. Trust from customers who need to know their data is handled responsibly. Trust from regulators who see a mature organisation. Trust from partners who are making their own AI governance decisions. 

Insentra works with CISOs and technology leaders to design AI governance frameworks that satisfy regulatory requirements without slowing the business down. Contact us to understand where your current posture stands and what a mature programme looks like.  

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

New Zealand | A New Regulatory Landscape Is Taking Shape

Insentra maintains ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certifications

We are proud to announce that Insentra has successfully maintained its ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certifications