AI security & governance

Your team is already using AI. Is it safe?

Most NZ businesses are already using AI tools — ChatGPT, Microsoft Copilot, Gemini — with no governance, no data handling policies, and no understanding of what data is leaving the organisation. KIS helps you get ahead of both the risks and the regulations: assessing your current AI usage against the NIST AI RMF, building practical governance aligned to ISO/IEC 42001, and preparing for the EU AI Act.

What's included

AI usage audit — what tools are in use and what data is being fed into them
Risk assessment across your AI tool landscape (NIST AI RMF)
Data classification — what should and shouldn't go into AI tools
AI acceptable use policy development for staff
EU AI Act applicability assessment — are you in scope and at what risk level?
ISO/IEC 42001 readiness assessment and gap analysis
AI governance framework design and implementation support
Board and leadership briefing on AI risk

Why now? The EU AI Act is in force since August 2024. ISO/IEC 42001 is being requested by enterprise procurement teams. Ungoverned AI tool use creates data leakage, privacy breaches, and regulatory exposure today — not in the future. (Source: EU AI Act Official Journal — eur-lex.europa.eu)

Talk to us about AI governance →

AI frameworks we work with

EU Act

EU AI Act

In force August 2024. Applies to NZ businesses whose AI systems affect EU users. Classifies AI by risk level.

ISO 42001

ISO/IEC 42001

Published December 2023. The international standard for AI management systems — the ISO 27001 equivalent for AI.

NIST AI

NIST AI RMF + GenAI profile

Practical AI risk management framework. The 2024 GenAI profile addresses risks from ChatGPT, Copilot, and similar tools.

NZ Charter

NZ Algorithm Charter

Voluntary NZ government commitment covering transparency, bias, and human oversight for algorithmic decisions.

The questions we help you answer

What you need to know about AI in your organisation.

→

What AI tools are your staff actually using right now — including the ones IT doesn't know about?

→

What customer, employee, or business data is being processed by those tools — and where is it going?

→

Does your use of AI trigger EU AI Act obligations — and if so, at what risk level?

→

What policies do you need to put in place — and how do you communicate them without creating friction?

→

How do you use AI competitively without taking on unacceptable legal or reputational risk?

→

What does your board need to know about AI risk — and how do you report on it clearly?

Who this is for

This service is right for you if any of these fit.

You don't need to be using sophisticated AI — if your staff use ChatGPT or Copilot, you have an AI governance question.

Your staff use AI tools informally

No official policy, no visibility into what's being shared with AI platforms. That's a data handling risk you need to address.

You use AI in a product or service

Recommendation engines, automated decisions, AI-generated content — all potentially in scope for the EU AI Act or ISO 42001.

You have EU users or customers

If your AI systems affect EU residents, the EU AI Act applies — regardless of where your business is based.

Enterprise clients are asking about AI governance

Security questionnaires are starting to include AI governance questions. If you can't answer them, deals stall.

Your board wants to understand AI risk

Directors are increasingly responsible for understanding and overseeing AI risk. KIS provides the briefing and the framework.

You're pursuing ISO 27001 or SOC 2

AI governance is becoming a natural extension of existing security certification. Adding ISO 42001 while in compliance mode is efficient.

How it works

Four stages from audit to governance.

AI governance isn't a one-time project — it's an ongoing programme. We build it properly from the start.

Discover

Identify what AI tools are in use — including shadow AI your IT team doesn't know about.

Assess

Evaluate risks against NIST AI RMF — data handling, privacy, bias, regulatory exposure.

Govern

Build your AI governance framework — policies, acceptable use guidelines, ISO 42001 alignment.

Monitor

Ongoing review as your AI tool landscape evolves — new tools, new regulations, new risks.

Related services

Compliance

EU AI Act, ISO 42001, and NIST AI RMF sit alongside our full compliance framework — including NIST CSF 2.0 and ISO 27001.

View service →

Virtual CISO

Your vCISO can lead AI governance as part of an integrated security and compliance programme.

View service →

Security training

AI acceptable use policies need to be communicated. We train your staff so the policy actually sticks.

View service →

Our Workflow…

Free conversation
We talk about your business, your concerns, and your goals. No sales pitch.
We scope and quote
A clear proposal arrives within two business days. Exact scope, fixed price — no surprises.
We get to work
We handle the heavy lifting. We’ll only contact you when we need something or have something to show you.
We debrief clearly
Every engagement ends with a plain-English walkthrough of findings, recommendations, and next steps.

What you need to provide…

About an hour of your time
For the initial conversation and the final debrief. We do the rest.
Access to the right people
Usually your IT contact (or you, if that’s the same person) and whoever owns the systems in scope.
Read-only access where needed
For most assessments, we only ever need read access — never admin credentials or the ability to make changes.
An honest picture of where you are
The more candid you are about your current setup, the more useful our findings will be. There’s no judgement here.

That’s genuinely it. You don’t need a dedicated IT team, a security background, or any preparation beyond booking the first call.

Not sure which service you need?

Start here.

A free 30-minute conversation. We’ll tell you honestly what your business needs — and what it doesn’t.

Book a free conversation

What others say about us…

We’d always had a family member looking after our IT, and while we trusted them completely, we hadn’t realised how much risk we were quietly carrying. KIS came in and overhauled our entire security setup, got us properly configured with multi-factor authentication, and went through our Microsoft 365 environment to make sure the right people had the right access and licensing. It wasn’t just a technical fix, it was genuine peace of mind. We now know our systems are actually secure, not just looked after by someone who means well.

Jeremy T.Owner, Auto Services

As a financial services firm, protecting client data isn’t optional. We had no formal security management framework in place and knew we needed to get serious. KIS assessed where we stood and mapped out a practical path toward NIST and ISO 27001 compliance, grounded in what was realistic for our size and structure. Their advice was prioritised and clear, and we came away with a credible roadmap and the confidence that we’re taking the right steps in the right order.

Pam K.CIO, Financial Services Firm

We were rolling out AI across the organisation and our internal IT team is great, but this was new territory. We needed someone to close the gaps fast and set us up to manage things ourselves going forward. KIS delivered on all of it. They implemented data loss prevention, a document classification scheme, and Microsoft Purview, and the uplift in our security and compliance posture has been significant. The best part? They didn’t just fix things and leave. We came out of it actually understanding the system and capable of running it ourselves.

Abby S.Compliance Officer, Telecommunications Company

We’re a small non-profit focused on young people, and like many organisations like ours, we were running largely on goodwill and volunteers. We had a website collecting significant personal information and, honestly, we hadn’t fully grasped the risk we were sitting on. KIS conducted a penetration test, walked us through every finding, and worked through remediation of all critical vulnerabilities with our budget in mind the whole time. They treated our mission as if it mattered to them too, and that made all the difference.

Elizabeth C.Senior Leader, Youth Organisation

Your team is already using AI. Is it safe?

EU AI Act

ISO/IEC 42001

NIST AI RMF + GenAI profile

NZ Algorithm Charter

What you need to know about AI in your organisation.

This service is right for you if any of these fit.

Four stages from audit to governance.

Discover

Assess

Govern

Monitor

Compliance

Virtual CISO

Security training

Our Workflow…

What you need to provide…

Not sure which service you need?

What others say about us…

KIS

Services

Company

Useful links