Is Your Organisation Ready to Use AI Safely? Here’s What You Need to Know

Most New Zealand businesses are already using AI – whether they know it or not.

Staff are pasting client emails into ChatGPT to draft replies. Someone in finance is using Copilot to summarise contracts. A manager is feeding customer data into an AI tool they found online. It’s happening right now, in businesses of every size, with no policy, no oversight, and no clear understanding of what’s actually happening to that information.

That’s not a criticism – AI tools are genuinely useful, and it makes sense that people are reaching for them. The problem is that most organisations are adopting AI faster than they’re governing it. And that gap between use and governance is where the real risk lives.

This article breaks down the key safety risks of implementing AI in your organisation, what good AI governance actually looks like in practice, and how to start getting ahead of both the risks and the regulations – without overcomplicating things.


Why AI Safety Isn’t Just an IT Problem

When people hear “AI security,” they often picture science fiction: rogue systems or sophisticated hacking. The real risks are much more ordinary – and much more immediate.

The most common AI-related security issues we see in New Zealand organisations right now are:

Data leaving the building without anyone noticing. When a staff member copies sensitive information into an AI tool, that data may be processed on overseas servers, retained by the AI provider, and used to train future models. Exactly what happens depends on the tool and the plan: consumer tiers and enterprise agreements for the same product often have very different retention and training terms, and staff rarely check which one they are on. Customer records, financial data, internal strategy documents – all of it can end up somewhere you never intended.

No policies, so no accountability. If your organisation hasn’t told staff what they can and can’t put into AI tools, you can’t hold anyone responsible when something goes wrong. And without a policy, “something going wrong” is only a matter of time.

Privacy Act exposure. New Zealand’s Privacy Act 2020 requires organisations to take reasonable steps to protect personal information (Information Privacy Principle 5), and it restricts disclosing personal information to overseas agencies unless comparable safeguards apply (IPP 12). Feeding personal data into an overseas third-party AI tool without understanding how it is handled can breach both, and it is a privacy risk that regulators are paying increasing attention to.

Regulatory requirements you may not know apply to you. The EU AI Act entered into force on 1 August 2024, with its obligations phased in over the following years. It reaches providers and deployers outside the EU where the output of their AI system is used in the EU. So a business based entirely in New Zealand that serves EU customers, employs EU staff, or ships a digital product used in the EU may already have obligations under it. Many NZ businesses are surprised to learn this applies to them.

Reputational risk from AI-generated decisions. Automated or AI-assisted decisions that turn out to be biased, incorrect, or unexplainable can cause significant reputational damage – particularly in sectors like finance, HR, or healthcare.

None of these risks require sophisticated attackers or complex technical failures. They’re mostly the result of well-meaning people using powerful tools without the right guardrails.


What Good AI Governance Actually Looks Like

“AI governance” can sound abstract, but in practice it comes down to a handful of concrete things.

Knowing what AI tools your organisation is actually using. This sounds simple, but it’s often the hardest step. Most organisations have significant “shadow AI” – tools being used by staff that IT and leadership don’t know about. An AI usage audit is the starting point for any serious governance programme.

Understanding what data is going into those tools. Once you know what tools are in use, the next question is what data is being fed into them. Are staff sharing customer information? Internal financial data? HR records? Each of those carries different risk profiles and compliance implications.

Having a clear, practical policy. An AI acceptable use policy doesn’t need to be long or complicated. It needs to tell staff clearly: what tools are approved, what information can and can’t go into them, and what to do if they’re unsure. A policy that sits in a drawer doesn’t help anyone – it needs to be communicated and understood.

Classifying your data. Not all information carries the same risk. A data classification scheme helps staff understand what’s sensitive and what’s not, so they can make better decisions about what to share with AI tools and what to keep internal.

Aligning with recognised frameworks. The international frameworks for AI governance – NIST AI RMF, ISO/IEC 42001, and the EU AI Act – give organisations a structured way to manage AI risk. They’re not designed to be bureaucratic exercises; they’re practical tools for making sure your AI use is responsible, defensible, and compliant.

Ongoing monitoring. AI governance isn’t a one-time project. The tools your staff use will change. New regulations will emerge. Your AI governance programme needs to evolve with them.
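The first two steps above, finding out which AI tools are in use and how much data is going into them, usually start with the logs you already have. The script below is an added example (it is not code from this article or from KIS) of a first-pass audit over web-proxy logs: it matches requests against a list of known AI service domains, separates approved tools from unapproved ones, and sums the bytes sent in successful uploads as a rough measure of data leaving. The log line format, the domain list and the approved-tool list are assumptions to adapt to your own proxy and policy, and the sample log lines are constructed, not real traffic.

```python
"""Shadow AI discovery over web-proxy logs (added example).

Assumes a forward proxy that writes one request per line as:
    <ISO timestamp> <user> <method> <host> <bytes_sent> <status>
The field order, the AI_DOMAINS list and APPROVED_TOOLS are assumptions
for this example; the sample log is constructed.
"""
import re
from dataclasses import dataclass, field

# Illustrative hostnames of common generative-AI services (assumed list).
# In practice, feed this from your proxy's URL categories or your own inventory.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "OpenAI",
    "copilot.microsoft.com": "Microsoft Copilot",
    "claude.ai": "Claude",
    "anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
}

# Tools approved under the (assumed) AI acceptable use policy.
APPROVED_TOOLS = {"Microsoft Copilot"}

# Constructed sample log lines, including one malformed line.
SAMPLE_LOG = """\
2025-03-04T09:12:31Z alice POST chatgpt.com 18432 200
2025-03-04T09:13:02Z alice GET chatgpt.com 512 200
2025-03-04T09:20:45Z bob POST copilot.microsoft.com 4096 200
2025-03-04T10:01:10Z carol GET www.example.com 300 200
2025-03-04T10:05:59Z carol POST api.anthropic.com 2048 200
2025-03-04T10:06:30Z dave POST claude.ai 65536 200
2025-03-04T10:07:00Z dave POST claude.ai 1024 403
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_sent>\d+) (?P<status>\d{3})$"
)


@dataclass
class ToolUsage:
    approved: bool
    users: set = field(default_factory=set)
    requests: int = 0     # successful requests (status < 400)
    blocked: int = 0      # requests the proxy or service refused (status >= 400)
    bytes_out: int = 0    # request bytes on successful POST/PUT/PATCH


def classify_host(host: str):
    """Map a hostname to a known AI tool by exact or parent-domain match."""
    host = host.lower().rstrip(".")
    for domain, tool in AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None


def audit(log_text: str) -> dict:
    """Aggregate AI-tool usage per tool; unknown hosts are ignored."""
    usage = {}
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # keep a count so parser gaps are visible
            continue
        tool = classify_host(m["host"])
        if tool is None:
            continue
        rec = usage.setdefault(tool, ToolUsage(approved=tool in APPROVED_TOOLS))
        rec.users.add(m["user"])
        if int(m["status"]) >= 400:
            rec.blocked += 1      # attempted, but no data reached the service
            continue
        rec.requests += 1
        if m["method"] in ("POST", "PUT", "PATCH"):
            rec.bytes_out += int(m["bytes_sent"])
    return {"tools": usage, "skipped_lines": skipped}


def unapproved_summary(log_text: str) -> list:
    """(tool, distinct users, bytes uploaded) for unapproved tools, largest first."""
    tools = audit(log_text)["tools"]
    rows = [(name, len(u.users), u.bytes_out)
            for name, u in tools.items() if not u.approved]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for name, users, bytes_out in unapproved_summary(SAMPLE_LOG):
        print(f"{name:15} users={users} bytes_uploaded={bytes_out}")
```

The byte count is only a proxy: TLS-inspecting proxies see request sizes, not content, so this tells you who is sending a lot to which tool, not what they sent. That is still the right starting point for the conversations the next paragraphs describe, and a blocked attempt (the 403 above) is worth following up as a policy question even though no data left.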


The Frameworks You Need to Know

If you’re implementing AI in your organisation, four frameworks are particularly relevant for New Zealand businesses right now.

NIST AI RMF (and the 2024 GenAI Profile). Developed by the US National Institute of Standards and Technology, the AI Risk Management Framework provides a practical structure for identifying, assessing, and managing AI risk. The 2024 Generative AI Profile addresses risks specifically from tools like ChatGPT and Microsoft Copilot – the tools most organisations are actually using. It’s voluntary, but it’s one of the most useful practical guides available.

ISO/IEC 42001. Published in December 2023, ISO 42001 is the international standard for AI management systems – essentially the ISO 27001 equivalent for AI. Enterprise procurement teams are increasingly asking vendors and partners to demonstrate ISO 42001 alignment. If you’re pursuing ISO 27001 certification, adding ISO 42001 at the same time is efficient and increasingly expected.

EU AI Act. In force since 1 August 2024, with obligations phased in over the following years, the EU AI Act classifies AI systems by risk level and imposes obligations based on that classification. Critically, it applies to providers and deployers outside the EU where the output of their AI system is used in the EU – regardless of where the organisation is based. If you have EU customers, EU employees, or if your digital products reach EU users, the Act may already apply to you.

NZ Algorithm Charter. Written for government agencies, New Zealand’s Algorithm Charter for Aotearoa New Zealand sets out voluntary commitments for automated and algorithmic decision-making around transparency, human oversight, and bias prevention. It isn’t mandatory for private organisations, but it’s a useful reference for responsible AI use in a New Zealand context, particularly if you supply or work with the public sector.


A Risk Assessment Is Where to Start

If your organisation is using AI tools – or planning to – the most important first step is understanding where your risks actually are.

A structured AI risk assessment will:

  • Identify what AI tools are in use across your organisation (including shadow AI that IT doesn’t know about)
  • Map what data is being processed by those tools and where it goes
  • Assess your exposure under the EU AI Act, NZ Privacy Act, and other relevant regulations
  • Identify gaps in your current policies and controls
  • Give you a prioritised roadmap for closing those gaps

This isn’t about finding reasons to block AI use. It’s about making sure your organisation can use AI confidently – with clear visibility into the risks and the controls to manage them.

At KIS, our risk assessment service gives you a clear, honest picture of your current position, assessed against NIST CSF 2.0 and ISO 27001 controls. For organisations specifically focused on AI, our AI security and governance service includes a full AI usage audit, risk assessment against the NIST AI RMF, data classification, policy development, and EU AI Act applicability assessment.


Compliance: Which Framework Do You Actually Need?

One of the most common questions we get is: “Which framework should we be aiming for?”

The honest answer is: it depends on your organisation, your sector, and your risk profile. Sometimes the answer is “none of them yet” – if you’re a small business just starting to think about AI governance, there are simpler steps to take before you commit to a formal certification programme.

KIS covers 17 compliance frameworks, including NIST CSF 2.0, ISO 27001, ISO/IEC 42001, the EU AI Act, NIST AI RMF, GDPR, and the NZ Privacy Act 2020. We’ll tell you honestly which ones are worth pursuing for where your business is right now – and which ones aren’t worth the investment yet.

If you’re already pursuing ISO 27001 and your organisation uses AI tools, adding ISO 42001 to your programme is a natural and efficient extension. If you have EU-facing products or services, understanding your EU AI Act obligations is urgent. If you’re just getting started, a risk assessment and a clear AI acceptable use policy may be the most valuable steps you can take right now.

Our compliance service is designed to give you a practical path forward – not a certification for its own sake.


What About the People Using AI Every Day?

All the governance frameworks and policies in the world don’t help if your staff don’t understand them.

AI security training isn’t about making people afraid of AI tools – it’s about making sure they understand what’s at stake when they use them, and what responsible use looks like in practice. That means knowing what data is sensitive, understanding the basics of how AI tools handle information, and knowing who to ask when they’re unsure.

If your organisation rolls out AI tools without accompanying staff training, you’re creating risk. If your AI acceptable use policy exists but hasn’t been communicated clearly, it won’t change behaviour. Our security training service includes role-specific modules that make this practical – not just a compliance checkbox.


The Bottom Line

AI is genuinely useful. Most New Zealand organisations are right to be exploring and using it. But using AI without governance is like leaving your front door unlocked because the neighbourhood feels safe – it might be fine, but the risk is real, and the consequences of getting it wrong can be significant.

The good news is that getting on top of AI governance doesn’t have to be complicated or expensive. For most organisations, the first steps are simple: understand what tools your staff are using, put a clear policy in place, and get a proper picture of your risk exposure.

That’s exactly what KIS helps with – in plain English, without the jargon, and without overselling what you need.


Ready to find out where your organisation stands?

Book a free 30-minute conversation with KIS →

We’ll talk through your current AI use, your concerns, and what steps make sense for your organisation right now. No sales pitch – just straight answers.


KIS (Kelevra Information Systems) is a New Zealand-owned cybersecurity firm helping NZ and Australian businesses stay secure – in plain English, no jargon. Learn more about us →