Across New Zealand, the AI conversation is shifting. It is no longer just “should we turn on Copilot.” It is “what should we actually do, and how do we do it safely while getting real impact.”
That is where AI governance comes in.
Before completing my ISO/IEC 42001 Lead Implementer certification through GAICC, I saw governance the way a lot of people do: necessary, but easy to mistake for a compliance tick box or a brake on progress. What this certification reinforced is the opposite. Done well, governance is what lets organisations move faster, with confidence.
Governance is an enabler, not a barrier
Most leaders I work with already have the appetite for AI. Teams are experimenting, often well ahead of any formal guardrails. The risk is not a lack of ambition or willingness. It is moving fast without clarity on what is acceptable, what is not, and why.
Even simple guardrails change that. Once people know where the lines are, they stop hesitating and start building.
Start with the basics, not the full framework
A pattern I keep seeing is that organisations delay any governance because they think it has to be comprehensive from day one, or they have no clue where to start. It does not have to be that way.
The first step is usually a clear, simple policy paired with the why behind it, so it reads as enablement rather than restriction. That is often where I start.
Practical and scalable by design
What I appreciate about ISO/IEC 42001 is that it does not demand full certification on day one. It is a structured framework you can implement at the level your organisation is actually at, whether you are just getting started or formalising practices you already have in place.
Naming AI-specific risks, explicitly
Traditional governance frameworks were not built with AI’s particular failure modes in mind: bias, lack of explainability, unintended outputs. Most teams are not ignoring these risks on purpose. They simply do not know what to look for yet.
This is where the AI System Impact Assessment earns its place. It forces a pause. How is this AI system actually being used? What could go wrong? And who is affected if it does? In a field this new, that structured pause matters more than experience alone.
Where this leaves me with clients
Since completing this certification, I am having sharper, more confident conversations with clients about risk, grounded in an internationally recognised framework rather than instinct alone.
My answer to “is AI governance necessary” has not changed: yes. AI brings real opportunity, but real risk too. Governance is what lets organisations capture the upside while protecting their people, their customers, and the communities they serve.
These are exactly the conversations I have with New Zealand organisations day to day. If you are thinking through your own AI governance approach, or trying to formalise practices you already have running informally, I would welcome the chance to talk — find me at Nodero.
And if you are thinking about doing the course: do it.
Stacey Greaney is a GAICC-certified ISO/IEC 42001 Lead Implementer based in New Zealand, where she helps organisations use AI safely, responsibly, and with real impact through Nodero.

