Who’s in charge of your AI? Governance and accountability under New Zealand’s Responsible AI Guidance

AI adoption in New Zealand businesses is accelerating, but a familiar question keeps surfacing in boardrooms: when an AI system makes a call that goes wrong, who is accountable? The Ministry of Business, Innovation and Employment’s Responsible AI Guidance answers this bluntly. Responsible AI starts with governance, and governance means clear, cross-business lines of oversight and accountability that everyone can point to.

This article unpacks the “Governance and accountability” pillar of MBIE’s guidance and what it means in practice for New Zealand organisations of any size.

Governance is a team sport, not a job title

MBIE’s guidance is realistic about resourcing. Most New Zealand businesses cannot afford a dedicated Chief AI Officer, and the guidance doesn’t ask for one. AI governance responsibilities may only be a portion of someone’s role. What matters is that the right perspectives are at the table.

The guidance suggests drawing on people with responsibility or expertise across strategic leadership and ethics, security, data and AI governance, technology and data science, legal and compliance, privacy, HR and training, and communications. In a ten-person firm, that might be three people wearing several hats each. In a larger organisation, it might be a formal working group with senior sponsorship.

In Aotearoa, that mix of perspectives has a distinctly local dimension. Responsible AI adoption here must take into account tikanga, mātauranga Māori and Māori data sovereignty — so understanding cultural risk and culturally appropriate data governance belongs at the governance table alongside legal, technical and commercial expertise. For businesses whose AI systems touch data about Māori individuals or communities, this is not an optional extra; it is part of what “the right perspectives” means.

The point of assembling this mix is alignment. AI decisions made in isolation — a marketing team quietly adopting a generative AI tool, a developer trialling a new model on customer data — are where risk accumulates. Governance structures exist to bring those decisions into the open, share information strategically, and support consistent decision-making through overarching oversight mechanisms and clear AI policies.

One of the simplest and most valuable steps the guidance recommends is also the most overlooked: document who is in charge of what, so everybody knows their role. If you cannot name the person accountable for a given AI system in your business, that is your first governance gap.

The law already applies to your AI

A persistent myth in New Zealand is that AI operates in a regulatory vacuum because we have no AI-specific statute. MBIE’s guidance dismantles this by cataloguing the existing laws that already reach AI use, including:

  • Commerce Act 1986 — AI systems must not restrict competition, including through algorithmic pricing collusion
  • Fair Trading Act 1986 — outputs and uses of AI tools must not amount to misleading or deceptive conduct
  • Privacy Act 2020 — obligations for handling personal information apply whether it flows through a spreadsheet or a large language model, and any business handling personal information must have a privacy officer
  • Human Rights Act 1993 and Bill of Rights Act 1990 — AI-informed decisions must not discriminate on protected grounds
  • Companies Act 1993 — directors’ duties of due care and diligence extend to decisions about AI adoption
  • Consumer Guarantees Act, Contract and Commercial Law Act, intellectual property law and media law — each with its own points of contact with AI systems, from ownership of AI outputs to obligations around harmful digital communications

A quick win hiding in that list: if your business handles personal information, you almost certainly have a privacy officer already. Rather than building AI oversight from scratch, expand that person’s remit to audit how AI tools are ingesting and processing customer data. It is the fastest way to put an accountable human between your customers’ information and your AI systems.

MBIE case study: the accidental cartel

Three companies dominating the smart thermostat market each independently adopt the same third-party AI pricing tool. The tool pools their non-public pricing data and recommends uniform prices. Six months later, prices across all three brands are rising in lockstep, competition has evaporated, and the Commerce Commission is investigating potential cartel conduct under section 30 of the Commerce Act 1986 — a criminal offence carrying substantial penalties and potential imprisonment.

No one at the three companies ever spoke to each other. The algorithm did the colluding for them. The lesson: “the algorithm did it” is not a legal defence.

The broader point of the scenario is that legal exposure from AI is not hypothetical or futuristic. It sits inside statutes that have been on the books for decades.

For businesses operating internationally, the picture is broader again — and closer to home than many realise. The EU AI Act is now in force and has extraterritorial reach: if a New Zealand company offers AI-enabled products or services to users in the EU, or its AI outputs are used there, it can be legally bound by the Act despite having no European office. Other jurisdictions are following suit, and international standards such as ISO/IEC 42001 (Artificial Intelligence Management Systems) are becoming reference points for demonstrating good practice to overseas customers and regulators alike.

Risk management: start early, repeat often

The guidance frames AI risk management as a continuous cycle across the AI life cycle rather than a one-off assessment: identify risks, assess their severity and likelihood, manage them according to your risk tolerance, record mitigations and responsibilities, and review continuously as systems and contexts change.

Common AI risks the guidance highlights include compromise of personal or confidential information through security vulnerabilities, unfair treatment of people affected by biased AI systems or human over-reliance on them, lack of transparency with customers about AI use, and — specific to generative AI — decisions made on the basis of hallucinated outputs.

Practical tips from the guidance worth adopting immediately: maintain a living risk inventory; prefer prevention over cure for foreseeable risks; communicate risks and mitigations to relevant teams and third-party providers; publish usage policies (particularly for generative AI) so staff know the organisation’s stance and rules; watch for new risks created by fixing old ones, since reducing bias can sometimes reduce accuracy; and build contingency, business continuity and exit plans so you can phase out an AI system safely if you need to. The guidance also points businesses to the MIT AI Risk Repository, the Stats NZ Algorithm Impact Assessment toolkit and Business.govt.nz’s risk management resources as starting points.

If it isn’t documented, it didn’t happen

The final element of the governance pillar is recordkeeping. Documentation is what turns good intentions into demonstrable accountability — it lets you show where and how decisions were made, respond to customer queries about AI use, and comply with audits. The guidance highlights AI model cards as a useful tool for recording a system’s purpose, data sources, training approach, performance metrics and known biases, whether you build systems or buy them. MBIE also publishes a recordkeeping checklist as part of the guidance.

What to do this quarter

For most New Zealand businesses, acting on this pillar of the guidance comes down to five moves:

  • Name accountable owners for every AI system in use — and write it down so everybody knows their role.
  • Expand your privacy officer’s remit to cover how AI tools are ingesting and processing personal information. It’s the fastest governance win available.
  • Map your AI uses against the legislation above, including any extraterritorial exposure such as the EU AI Act, involving legal advice where needed.
  • Stand up a simple, repeatable risk process with a living risk inventory, reviewed as systems and contexts change.
  • Start documenting before you scale, not after — model cards, usage policies and decision records that show how and why choices were made.

Governance is not the glamorous end of AI adoption, but it is the part that determines whether AI becomes an asset or a liability. The businesses that get it right will be the ones that can look customers, regulators and their own boards in the eye and explain exactly how their AI works, who oversees it, and what happens when something goes wrong.


This article is based on the Ministry of Business, Innovation and Employment’s Responsible Artificial Intelligence Guidance for Businesses. It is general commentary and not legal advice; seek professional advice on your specific obligations.