New Zealand has a talent problem, and it's becoming a security risk
Tue, 23rd Jun 2026
New Zealanders are deploying AI across their operations - financial services, healthcare, government, and more. Many are building on the same cloud platforms, the same AI models, often the same vendors. On paper, their technology stacks look remarkably similar.
And yet, their risk profiles couldn't be more different.
Not because one chose better tools than another, but because of access to very different pools of talent. In a country of five million people, the question of who you can hire matters enormously. What looks like a hiring challenge is actually something bigger. The shortage of cybersecurity and AI governance skills is shaping how safely AI can be scaled - and in a small, geographically isolated market like Aotearoa, that challenge is acute.
The shortage everyone knows about, and the details we tend to miss
By now, many of us are familiar with the headlines.
According to ISC2, the global cybersecurity workforce gap exceeded 4.7 million professionals in 2024. The World Economic Forum continues to list cyber risk among the most severe global threats, while repeatedly warning that AI adoption is outpacing the skills needed to govern it safely.
But here's the part we don't talk about enough. That shortage is not evenly distributed. And it's not evenly felt.
For New Zealand, this hits differently. NZISM compliance obligations, the Privacy Act 2020, and the GCSB's growing guidance on critical infrastructure protection all create governance demands, but the talent pool to meet them remains thin. CERT NZ has consistently flagged workforce capability as a structural vulnerability, and unlike the United States or Europe, New Zealand cannot fill the gaps quickly.
A missing cybersecurity professional in one region creates a very different kind of risk than a missing AI governance expert in another.
When AI governance turns a talent gap into a risk gap
Cybersecurity shortages are painful. But AI governance shortages are destabilising. That's because AI governance is not a single discipline. It lives at the intersection of AI engineering, data governance, cybersecurity, regulation, and ethics. It requires people who can understand how models work, how they fail, how they can be attacked, and how regulators expect them to be controlled.
The World Economic Forum Insight Report noted earlier observes that organisations expect AI risk and governance roles to grow. But most enterprises are assigning this responsibility to existing teams like security, legal, or compliance, rather than building a new team dedicated to this capability.
In New Zealand, this is the case across the board. A stretched security team at a Wellington agency or an Auckland financial institution is unlikely to have a dedicated AI governance function - yet those are precisely the organisations deploying AI at scale.
The burnout behind the gap
The pressure on those who do exist in these roles is significant. Globally, up to 70% of cybersecurity professionals report experiencing burnout, driven by relentless workloads, constant incident response, and expanding responsibility, including AI oversight, without equivalent increases in capacity.
At the same time, stability at the top is eroding. Nearly half of cybersecurity leaders were projected to change jobs, with around 25% leaving for entirely different roles due to workplace stressors.
In New Zealand, where teams are small and backfill is difficult, losing a senior security or governance professional can set an organisation back by years. Senior expertise is moving frequently. This creates a subtle but serious problem for AI governance.
When you step back and look across regions, a clear pattern emerges.
The problem isn't that organisations don't understand AI and cyber risk. And it isn't that they aren't trying hard enough to hire either. The real issue is that the skills enterprises now depend on no longer exist as a single role or in a single place.
For New Zealand specifically, geography compounds this. It's harder to draw on the same talent clusters as Sydney, London, or Singapore. Remote work has helped, but it has also meant New Zealand risks losing its best people to offshore roles offering higher salaries and greater scale.
AI governance has crossed a threshold. It has become too complex, too interdisciplinary, and too tightly bound to local regulation and data sovereignty to be solved through traditional hiring models.
So, what's the answer? The only way forward is to design for scarcity. Organisations that are driving ahead have accepted this early. They are no longer designing for talent abundance. They are designing for talent scarcity.
That means treating AI governance as a system, not a role - building oversight into processes and tools so that when individuals leave, capability remains. It means building overlapping capabilities across cybersecurity, data, legal, and risk teams, with shared ownership rather than single points of failure.
This approach doesn't eliminate the talent gap. It makes it manageable.
The organisations that thrive in AI will be those who build systems resilient enough to govern AI even when the perfect person isn't available. In a market this size, that's not a nice-to-have. It's a necessity.