PrivSec Consulting

AI in NZ's public sector

9/3/2025

 
Artificial Intelligence in New Zealand’s Public Sector 
The release of New Zealand's Strategy for Artificial Intelligence (AI) in July of 2025 showed that 67% of larger New Zealand businesses are "utilising some form of AI". It therefore comes as no surprise that the New Zealand Government is looking to the public sector to lead by example through the responsible use and adoption of AI across government. So, what is AI? What are the benefits? And what does the safe adoption of AI look like?

What is Artificial Intelligence? 
Put simply, AI is the use of computer systems to complete tasks similarly to the way a real human would, including recognising patterns, understanding language, cross-examining, and making predictions. At its core, AI is about enabling machines to learn from data and improve over time, and while the consequences of AI usage are heavily debated, many Kiwis believe that the adoption of AI solutions is a requirement to remain competitive as a nation.

Public Service AI Framework 
To support New Zealand’s public sector in adopting AI, Digital Government have released The New Zealand Public Service AI Framework, which looks to provide guidance on the safe implementation of AI technologies. The framework highlights that AI is not a one-size-fits-all technology and that agencies must ensure AI solutions are adopted on a case-by-case basis, with careful consideration of data sources, intended outcomes, and societal implications. The Framework proposes 5 key principles that should be considered when evaluating AI initiatives or developing AI solutions, policies, guiderails, and training programmes:
  1. Inclusive, sustainable development. 
  2. Human-centred values. 
  3. Transparency and explainability. 
  4. Safety and security. 
  5. Accountability. 

Examples of AI Integrations 
While every context is different, below are some case studies PrivSec has recently been involved in. 

Weekly Email Summaries 
To reduce the time staff spent collating information for weekly communications, one of our clients decided to start using an AI writing assistant to automatically generate email summaries based on internal reports and updates. Through targeted consultations, workshops and the preparation of a risk memo, PrivSec ensured that: 
  • Executive staff were reassured that sensitive data was handled securely, with appropriate safeguards around information processing and storage. 
  • The safe adoption of the solution enabled staff to work more efficiently, cutting preparation time from hours to minutes. 
  • The business gained clear guidance on establishing acceptable use, ensuring the tool supported productivity without compromising risk. 
As the AI assistant was just the latest addition to a larger suite of services that the client was already consuming, and had already undergone the Certification and Accreditation (C&A) process, the risk memo approach provided good value for money while ensuring due processes were followed.

Customer Chatbot Pilot 
To improve customer engagement and lessen the workload for frontline staff, another client decided to deploy an AI Chatbot utilising AWS Bedrock as a pilot project. The chatbot was trained to handle common queries and provide 24/7 assistance which freed up staff for complex interactions. PrivSec ensured that: 
  • The deployment was aligned with security and privacy best practices, ensuring sensitive data was not exposed. 
  • Leadership had clear oversight of AI risks, owing to structured assessment and ongoing monitoring. 
  • Integration of AI assets did not expose the existing resources to unintended or unacceptable risk. 
  • Potential misuses of the Chatbot were tested and prevented. 
  • Customers received fast and accurate responses while ensuring that customer data was processed securely.
Since this project was considered high profile and a potential showcase for future uses across the sector, a comprehensive C&A was required. Efficiencies were, however, gained by consuming existing C&As for supporting infrastructure, and a Controls Validation Audit was only completed for areas that were specific to the AI Chatbot. During the penetration test with AI, focus was given to AI-specific scenarios to ensure that the risks of prompt injections, context manipulation or confabulation attacks were addressed.
 
PrivSec’s High-Level Approach to Responsible AI Adoption 
PrivSec has worked and will continue to work with clients to help with their adoption of AI. The four key principles that PrivSec follows to ensure that clients experience the benefits of adopting AI technologies and solutions, while prioritising privacy, security, and compliance, are:
  1. Discover – Identify the business challenge that the project intends to solve, and how AI solutions would be integrated. 
  2. Assess – Evaluate the risks, including data privacy, ethical considerations, and security posture, through an AI-specific lens.
  3. Validate – Align with client C&A policy and process requirements to assess the security of AI solutions using modern testing techniques to ensure they meet compliance, governance, and performance requirements. 
  4. Recommend – Provide clear and actionable guidance on safe adoption and ongoing monitoring.

Final thoughts 

AI is not going anywhere, and we cannot just hide under a rock regarding its use. While AI brings both opportunities and risks, it is the responsibility of New Zealand’s public sector to drive innovation, improve services, and set the example that New Zealand’s priority is the ethical and secure use of AI.
If you are looking to adopt AI solutions or technologies, whether from in-house development or integration of well-established products, or you just want to chat with security and privacy professionals that understand AI, please reach out to us at [email protected]. 
 
References: 
  • New Zealand’s Strategy for Artificial Intelligence: https://www.mbie.govt.nz/assets/new-zealands-strategy-for-artificial-intelligence.pdf  
  • Public Service AI Framework: https://www.digital.govt.nz/standards-and-guidance/technology-and-architecture/artificial-intelligence/public-service-artificial-intelligence-framework  
 
Author: Quinn Simmons 

