Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Insights on data, AI & business. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

Selling AI Tools to NZ Government: A Practical Guide
Blog AI

Selling AI Tools to NZ Government: A Practical Guide

How Kiwi AI vendors can win public sector work under the NZ Privacy Act 2020 and procurement rules, without falling into the common traps.

Sam McKay

Selling AI Tools to NZ Government: A Practical Guide

If you are building an AI product in Auckland, Wellington, or Christchurch and wondering how to actually sell into a government department, this one is for you. The opportunity is real but the procurement and privacy rules trip up a lot of smart teams. I will walk you through what we see working for NZ-based vendors right now, and where the landmines sit.

Let me ground this in numbers first. A typical pilot with a small NZ agency (think 50 to 200 staff) tends to land somewhere between NZD $25,000 and NZD $80,000 depending on scope. A multi-year rollout with a Tier 1 or Tier 2 agency (Ministry, large DHB-equivalent, or Department) we typically see starting around NZD $250,000 and reaching seven figures once integration is counted. Those figures are approximate, by the way. Dollar conversions from USD benchmarks are rough, and any large deal depends heavily on data migration and support tiers.

The good news is the procurement pipeline is genuinely active. The Government Chief Digital Officer (GCDO) has been funding pilots through the digital government partnership, and agencies like the Department of Internal Affairs, ACC, and MSD are running active AI experiments. Agencies have statutory obligations to modernise, and most are under pressure to demonstrate measurable service improvement, not just shiny demos.

What NZ Agencies Actually Buy

Here is the pattern we see across the agencies our NZ vendor clients sell into. The buy is rarely “an AI tool.” It is almost always one of four things.

The first is a back-office automation layer. Invoice processing, claims triage, eligibility checks, and document classification. For example, a vendor we know replaced a manual review queue at a government call centre with a classification model and dropped average handling time by roughly 40 percent (their number, not mine, and worth pressure-testing).

The second is a frontline productivity tool. Copilot-style assistants for caseworkers, summarisation of long case notes, draft reply suggestions in inboxes. These are politically safe because they assist a human rather than make a decision.

The third is an analytics layer. Dashboards, anomaly detection on benefit claims, fraud signals, and procurement spend patterns. NZ has been quite open about wanting better analytics in social services, particularly where existing BI (built on tools that integrate with Xero for back-office reconciliation in some agencies) reaches its limit.

The fourth is a citizen-facing layer. Chatbots for high-volume queries, eligibility pre-checks, document upload helpers. These come with the most scrutiny and the longest procurement cycles. If you are pitching into this layer you should expect six to twelve months of evaluation, not the six to twelve weeks you might see in private sector.

The Procurement Reality You Need to Know

NZ Government procurement runs primarily through the Government Electronic Tender Service (GETS). You register as a supplier, you respond to Requests for Proposals (RFPs) or Requests for Information (RFIs), and you wait. There is no fast lane for AI specifically, although some agencies now run innovation sandboxes that can short-circuit parts of the process.

The key things we coach vendors on. First, the All-of-Government (AoG) panels matter. Being on a relevant ICT panel (such as the Solutions panel run through the Department of Internal Affairs) is often a prerequisite to even being considered for Tier 1 work. If you are not on a panel yet, that should be a parallel workstream to your sales effort, not a later optimisation.

Second, security clearances slow things down. Vendors and sometimes their staff need to be able to handle classified or sensitive data. The Protective Security Requirements framework is the bible here. Industry estimates suggest baseline security accreditations add three to six months to first revenue for most new vendors. Plan around it.

Third, references carry enormous weight. A two-paragraph reference from a small NZ council or NGO is often more valuable than the slickest demo deck in the world. If you do not have government references yet, look at the NZ startup ecosystem grants from Callaghan Innovation or the Innovative Procurement programmes where you can build a reference cheaply.

NZ Privacy Act 2020 Is Not Optional Compliance

This is where a lot of overseas-origin AI vendors fall down. They walk in with a generic SaaS Data Processing Addendum drafted for GDPR and wonder why the procurement team pauses the deal.

The Privacy Act 2020 has 13 Information Privacy Principles (IPPs) and you need to be able to speak fluently about each one in the context of your product. Let me flag the ones that bite hardest for AI tools.

IPP 1 is the purpose of collection. If your model is trained on data collected for one purpose and you want to use it for another, you have a problem. Be clear about training data provenance.

IPP 3 covers notification. When personal information flows through your system, the agency must be able to tell the data subject what is happening with it. Your system architecture needs to support that disclosure, not just technically but in plain English artefacts the agency can hand on.

IPP 5 covers storage and security. Where does the data live, who can access it, what is the encryption posture, what is the breach notification SLA? If you are using offshore infrastructure (AWS US-East, Azure in Singapore, etc.), this is where you need to be ready to discuss cross-border data flows.

IPP 12 is the one that catches most overseas vendors off guard. It deals specifically with disclosure of personal information outside New Zealand. The default position is that the agency remains accountable for the information even when it leaves NZ on a server in another country. If your architecture involves offshore model inference or training, you need to demonstrate that the receiving jurisdiction provides comparable safeguards, or that you have robust contractual and technical measures in place. There is no single mechanical rule, and the Privacy Commissioner’s guidance has evolved. Verify with your lawyer what the current expectation looks like for your specific architecture.

IPP 13 is about unique identifiers, which can matter if your system uses IRD numbers, passport numbers, or similar identifiers to link records. Many AI systems try to do exactly this. Make sure you have a lawful basis and a clear retention policy.

One practical pattern. A vendor I worked with recently narrowed their initial pitch to a smaller agency data set that was already confirmed non-personal or de-identified under the agency’s framework. They got a faster pilot this way because the privacy review was simpler, then used the reference to expand. Smart move for vendors without a security-cleared production environment.

Practical Pricing and Commercial Model

Pricing models we see working in NZ public sector. Per-seat licensing works for frontline productivity tools where you have a headcount you can count (a department with 300 caseworkers for example). Per-transaction or per-decision pricing works for back-office automation where there is a clear volume metric (each invoice processed, each claim triaged). Outcome-based pricing is appealing to agencies but operationally hard, and audit trails for the outcome claim tend to require more reporting than smaller vendors can absorb.

On the dollar side. Per-seat pricing for AI productivity tools at this segment ranges roughly NZD $25 to NZD $80 per user per month depending on the model tier. Per-transaction pricing for document processing typically runs NZD $0.20 to NZD $2.00 per item depending on complexity and human-in-the-loop involvement. If you are quoting in USD remember the rough conversion is NZD 1.65 per USD, but verify with your finance lead because current rates can vary. And if you are pitching to an Australian state or federal agency on the same platform capability, AUD is roughly 1.55 per USD for a quick sense check.

A commercial tip that comes up again and again. Agencies want to see a clear exit and data portability story. Who owns the fine-tuned model weights if you train on their data? What happens to the prompts and embeddings when the contract ends? Can they export the full interaction log? Have crisp answers on day one. Vendors who fudge this in the procurement Q&A often get quietly deselected.

Building a Profile That Agencies Will Trust

If you are a startup founder reading this and wondering whether you can win this work, the answer is yes, but you have to do the unglamorous bits. Get on the ICT panel early. Get a security accreditation (even baseline PSR compliance carries weight). Ship at least one public reference case, even if it is a council, a polytechnic, or an NGO funded by government.

Hire or contract someone who has been on the other side of the table. A former agency product owner or procurement lead can compress your cycle time massively. We see founders underinvest in this and then wonder why proposals take six months to land. The honest answer is usually that they wrote the proposal without understanding how the evaluation panel scores.

Keep case studies grounded in outcomes the agency values. Cost-to-serve reduction, processing time, error rates, customer satisfaction. Avoid vague language about transformation and modernisation. Agencies have heard it for fifteen years. They want a number.

Watch the regulatory tail. The Privacy Act review has been a moving target for several years now, and the Office of the Privacy Commissioner has signalled tighter guidance on automated decision-making. If your tool produces or materially influences a decision affecting an individual (particularly in social services, justice, or immigration contexts), expect additional scrutiny. Verify with your lawyer the current expectations around human review and explainability. The detail on what counts as meaningful human review continues to evolve.

A Realistic 12-Month Sequence

If you are starting from scratch, here is a realistic sequencing we walk NZ vendors through.

Months one to three. Foundations. Privacy Act gap analysis on your product, basic security posture review, panel applications started, one or two warm conversations with potential agency champions. You might also explore the Digital Public Goods opportunities or the GCDO innovation network.

Months four to six. First referenceable work. Pilot with a smaller entity, ideally with a non-sensitive data set, contract signed, baseline metrics captured. This is where Founders often try to jump to a Ministry and stall.

Months seven to nine. Second reference and panel admission. Push for a slightly larger engagement, ideally a Tier 2 agency or a multi-department shared service. Lock in your panel slot.

Months ten to twelve. First Tier 1 attempt. With two references and panel status you can credibly respond to a Tier 1 RFP. Plan for a long cycle. Expect to lose your first one. That is normal and the references you build responding are valuable in their own right.

Where We Come In

Most of the work we do with NZ AI vendors sits in months one through six of that sequence. Pricing model design for public sector, privacy posture review, RFP response support, and the unglamorous panel application work. We have also worked alongside Australian vendors chasing NZ government work, where the Privacy Act 2020 and the Australian Privacy Principles overlap but are not the same. If you are building any kind of AI capability that touches personal information, getting the privacy and security posture right before you respond to your first RFP is worth roughly six months of cycle time later.

Two neighbouring points worth flagging for the cross-Tasman crowd. ASIC’s Regulatory Guide 265 applies if your AI touches financial advice or credit decisions in Australia, and APRA CPS 234 applies if you want to sell into an APRA-regulated entity. AHPRA codes matter if you are touching health information. None of these are blockers, but they each shift the procurement conversation. Verify with your lawyer and your compliance lead how your specific capability maps.

There is also a softer point that I notice consistently. NZ agencies tend to value relationships and local presence more than equivalent Australian buyers. A vendor who flies up for a workshop, knows the local policy context, and treats the procurement team like long-term partners tends to do better than a slicker overseas vendor pitching the same underlying technology. Build the relationship muscle. It is one of the few genuine advantages a Kiwi vendor has.

Next Step

If you are seriously pursuing NZ public sector work with an AI product, the single highest-value 60 minutes you can spend is a structured review of where you are against the typical buyer checklist. Privacy posture, security posture, panel eligibility, reference trajectory, pricing model fit. We call it the Omni Audit.

Enterprise DNA works with NZ and AU businesses on this challenge. Book a 60-min Omni Audit — https://calendly.com/sam-mckay/discovery-call?utm_source=edna-landing&utm_medium=blog&utm_campaign=nzau