Most organisations know they need an AI policy. Far fewer know what one should actually say. New Zealand’s Government Chief Digital Officer (GCDO) has quietly addressed that gap for the public sector with the release of a Use of Artificial Intelligence policy template — a ready-made, adaptable document published as part of the Public Service AI Toolkit on digital.govt.nz.
It is an unglamorous artefact: a downloadable Word file. But it may prove to be one of the more consequential pieces of New Zealand’s AI governance programme, because it converts high-level principles into something an agency can adopt on a Tuesday afternoon.
From frameworks to forms
New Zealand’s approach to public sector AI has been deliberately layered. At the top sits the National AI Strategy, launched in July 2025. Beneath it, the Public Service AI Framework sets a vision — adopting AI responsibly to modernise public services — and articulates five principles drawn from the OECD’s values-based AI principles: inclusive and sustainable development, human-centred values, transparency and explainability, safety and security, and accountability. Crucially, the Framework does not simply import the OECD wholesale: it situates AI adoption within the Crown’s obligations under Te Tiriti o Waitangi, directing agencies to consider Māori perspectives that treat data as taonga — a treasure to be protected — and to engage with concepts such as tapu and noa when deciding how information may be collected, combined and used. Any agency adapting the policy template is therefore adapting it into a context where Māori data governance is not an optional appendix but part of what “responsible” means.
Frameworks, however, do not run agencies. Policies do. The AI policy template is the connective tissue between the two. It sets out the approach, principles and responsibilities an agency needs to use AI safely and responsibly in the workplace, and it is explicitly designed to be read alongside the Public Service AI Framework and the Responsible AI Guidance for the Public Service.
Nor is it abstract. The core mechanic running through the template — and through individual agency adoptions of it — is a hard line between unapproved public generative AI and approved enterprise AI. Pasting client information, draft policy advice or anything sensitive into a free consumer chatbot sits on one side of that line; using tools that have passed through formal assessment, including a Privacy Impact Assessment, sits on the other. That single distinction does more day-to-day governance work than any principles statement, because it answers the question staff actually ask: can I use this tool for this task?
The template’s provenance matters. Rather than being drafted in the abstract, it reflects best practice from mature New Zealand agencies and their international counterparts. In other words, it codifies what the agencies furthest along the AI adoption curve are already doing, and makes that available to everyone else — including smaller agencies that lack the legal, privacy and technology resources to draft such a policy from scratch.
Why a template, and not a rule
The choice of instrument is telling. Cabinet has committed New Zealand to a light-touch, proportionate and risk-based approach to AI regulation, preferring existing legal mechanisms — the Privacy Act, the Official Information Act, the Public Records Act, the Bill of Rights Act and others — over a standalone AI statute. The Public Service AI Framework itself is encouraged rather than binding.
A policy template fits this philosophy neatly. It does not compel; it lowers the cost of doing the right thing. An agency that adopts and adapts the template gets a defensible governance baseline aligned with the OECD principles and the wider New Zealand policy context, without waiting for legislation that may never come. This is regulation by convenience: make good practice easier than improvisation, and most organisations will take the path of least resistance.
The risk, of course, is that convenience curdles into compliance theatre. A template that can be adopted on a Tuesday afternoon can also be downloaded, re-badged with an agency logo, filed on the intranet and never thought about again — a policy in name that changes no real-world behaviour. Copy-paste compliance is arguably worse than no policy at all, because it manufactures the appearance of governance while leaving practice untouched. The template is a floor, not a finish line; it is only as good as the training, monitoring and enforcement culture built around it.
There is a coordination benefit too. If dozens of agencies start from the same document, their AI policies will share a common vocabulary and structure. That makes cross-agency assurance, audit and comparison far more tractable than a landscape of bespoke policies, each with its own definitions of what counts as “AI” and who is accountable when it goes wrong.
What organisations outside government should take from it
Although written for public service agencies, the template holds three lessons for any organisation grappling with AI governance.
First, anchor policy to principles that outlive the technology. The five Framework principles are technology-agnostic; they apply as readily to a classification algorithm as to a frontier generative model. Policies drafted around specific tools date quickly. Policies drafted around accountability, transparency and human-centred values do not.
Second, assign responsibilities, not just aspirations. The template’s stated purpose includes setting out responsibilities — who approves AI use, who monitors it, who answers for outcomes. Many corporate AI policies fail precisely here, offering values statements with no owner. The GCDO’s Framework is blunt that governance exists to support transparency and human accountability, and a policy that names accountable roles is worth ten that merely gesture at ethics.
Third, treat policy as one layer in a stack. New Zealand pairs the template with records management guidance for AI, GenAI-specific responsible use guidance, and a six-pillar work programme spanning governance, guardrails, capability, innovation, social licence and international engagement. The records layer deserves particular attention from outside observers. Under guidance flowing from the Public Records Act, agencies are expected to treat AI interactions as public records where they inform decisions or service delivery: that can mean retaining the prompts staff entered, capturing the outputs a system produced, and documenting the human edits made before anything was acted on or sent. If a chatbot output influences how a member of the public is treated, there should be a paper trail. For any organisation — public or private — this reframes AI use from an ephemeral productivity habit into an auditable business process. A policy document alone changes little; embedded in training, assurance and record-keeping practices like these, it changes behaviour.
The quiet significance
It is easy to overlook a template amid the noise of AI summits and draft legislation elsewhere in the world. But public trust in government AI use will not be won by strategies; it will be won by thousands of small, consistent decisions inside agencies — what staff may paste into a chatbot, when a human must review an output, how an automated decision is documented and explained.
The AI policy template, published in April 2025 — months before the National AI Strategy landed in July of that year — is the instrument designed to shape exactly those decisions. The sequencing is itself revealing: the GCDO laid down operational infrastructure before the headline strategy arrived, so that agencies had somewhere practical to stand the moment the strategy asked them to move. For agencies, the message is simple: the starting point has been written for you. The remaining work — adapting it honestly to your context, resourcing it, and enforcing it — is where responsible AI actually happens.
The template is available as a free download from the Public Service AI Toolkit at digital.govt.nz.