The New Zealand public sector is quietly standardising on Microsoft Copilot as its default artificial intelligence tool for 2025 and 2026—not because of a formal mandate or rigorous evaluation, but because agencies already hold Microsoft 365 licenses. This procurement-driven default is raising urgent questions about vendor lock-in, competitive fairness, and the government’s own AI governance principles.

Multiple government sources have confirmed that dozens of agencies are activating Copilot for Microsoft 365 as a natural extension of their existing enterprise agreements. The logic seems straightforward: when you’ve already bought the enterprise suite, adding Copilot at an additional cost per user appears cheaper and simpler than procuring a separate AI platform. But this incremental decision, repeated across the public sector, effectively turns procurement convenience into de facto technology policy.

The shadow procurement process works like this: an agency’s existing Microsoft licensing agreement, often negotiated centrally by the Department of Internal Affairs, already covers core productivity tools. Activating Copilot is a transactional add-on that falls below the threshold requiring a new open tender. With the New Zealand government spending over NZ$500 million annually on ICT, the aggregate effect is massive—and quietly locks in Microsoft as the government’s AI operating system.

Vendor Lock-in by Default

Technology procurement rules require public agencies to consider value for money, open competition, and long-term sustainability. Yet the Copilot rollout sidesteps these principles. By treating Copilot as an extension of Office 365 rather than a distinct AI platform, agencies avoid comparing it with alternatives like Google Gemini for Workspace, Amazon Q Business, or a sovereign AI solution built on open-source models.

This pattern is not new. Governments worldwide have stumbled into de facto standardisation on Microsoft for email and office suites. But AI raises the stakes. Copilot is not just another feature; it deeply integrates with Microsoft Graph, ingesting an agency’s entire document, email, and collaboration ecosystem. Once workflows and automations are trained on Copilot’s proprietary framework, switching costs become astronomical. The government will not just be using Copilot—it will be architecturally dependent on it.

Critics point out that the “easy button” for Copilot masks long-term risks. A 2024 report from the New Zealand Productivity Commission warned about government IT procurement concentrating market power. “When an incumbent leverages an existing contract to extend into new services without competition, innovation stagnates and prices rise,” the report noted. Copilot’s expansion follows exactly that playbook.

Data Sovereignty in the Cloud

New Zealand government data is classified in tiers: unclassified, in-confidence, sensitive, and restricted. Microsoft’s Azure data centres in Australia handle most government workloads, but Copilot’s processing pipeline sends prompts and context to global servers. While Microsoft has committed to storing New Zealand customer data within its Australia region under certain conditions, Copilot’s use of large language model inference may still involve transient processing outside the region.

The Government Chief Digital Officer (GCDO) has stated that all public service agencies must comply with the Protective Security Requirements and the New Zealand Information Security Manual. Yet no overarching cloud impact assessment has been published specifically for Copilot’s AI features. Agencies are adopting the tool individually, with varying levels of risk assessment. One IT manager at a large ministry, speaking on condition of anonymity, said, “We were told Copilot was just a feature add-on, so our existing cloud risk assessment covered it. Nobody asked if the AI processing changed the data sovereignty profile.”

Privacy concerns are equally pressing. Copilot can surface sensitive information from SharePoint sites, Teams messages, and emails unless permissions are meticulously configured. A misconfigured SharePoint library could allow Copilot to summarise board papers marked “in-confidence” and present them to unauthorised staff. Microsoft’s own documentation advises that organisations must secure their data estates before enabling Copilot, yet few agencies have completed such audits.

Government AI Guidelines vs Reality

The NZ government’s Algorithm Charter for Aotearoa New Zealand, launched in 2020, commits signatories to transparency, fairness, and human oversight in automated decisions. More recently, the Digital Government Strategy and the Responsible AI framework require agencies to conduct algorithmic impact assessments and maintain a register of AI use cases. Copilot deployment appears to be proceeding without systematic compliance with these guidelines.

A scan of the public Algorithm Charter register reveals no entry for Microsoft Copilot across any government department. When asked, several agencies indicated they considered Copilot a productivity aid rather than algorithmic decision-making, thus exempt from the Charter. But legal experts disagree. Dr. Tom Barraclough, director of the Artificial Intelligence Law Institute, argues: “When an AI tool synthesises information, drafts official advice, or summarises potentially erroneous data, it is influencing decisions. That squarely falls under the Charter’s definition of an operational algorithm.”

This gap between policy and practice could expose the government to judicial review or public trust damage. The Privacy Commissioner has signalled interest in examining how agencies are using generative AI. “Any use of AI that affects individuals’ information needs to be transparent and fair. We expect agencies to be proactive about assessing privacy impacts,” a spokesperson said.

Squeezing Out Local Innovation

New Zealand has a small but growing AI sector. Companies like Nyriad, Soul Machines, and UneeQ have developed niche AI capabilities. But when the government defaults to Copilot, it signals that local startups cannot compete for public sector AI business. The Ministry of Business, Innovation and Employment (MBIE) has innovation procurement programmes designed to help startups win government contracts, yet Copilot’s bundling bypasses these entirely.

“It’s the elephant in the room,” said Sarah Grant, an AI policy researcher at Wellington’s code4nz meetup. “Government preaches supporting local tech, but its default behaviour entrenches a foreign hyperscaler. How can a Kiwi AI startup get a pilot when every ministry can just flip a switch on Copilot?”

Some agencies are exploring alternatives. The Ministry of Education has trialled Google’s AI tools, and the Ministry of Social Development is testing open-source models for internal data analysis. But these projects are isolated and face bureaucratic resistance. The default remains Copilot.

International Context

The UK and European Union have taken stronger stances. The UK’s Central Digital and Data Office published an AI procurement guidebook that explicitly warns against vendor lock-in and recommends multi-cloud strategies. The EU AI Act mandates specific transparency and risk management requirements that will apply to government AI use by 2026. New Zealand, which often aligns with European regulatory approaches, has not yet enacted equivalent legislation.

Australia’s Digital Transformation Agency, by contrast, has adopted Copilot in a pilot but with clear guardrails: limited users, mandatory risk assessments, and a public review after six months. New Zealand lacks even that level of central oversight. Cabinet agreed to a “spend to save” approach in Budget 2024, allowing agencies to fund technology improvements from baseline savings, which has accelerated uncoordinated Copilot purchases.

The Path Forward

Procurement officials acknowledge the issue but feel trapped. The All-of-Government Microsoft agreement runs until 2026, and renegotiating it to carve out AI services would be complex. A senior procurement advisor, who requested anonymity, admitted, “We know we should be tendering AI separately, but the business areas want it now. Telling a minister they can’t use Copilot while it’s available in the current contract is a hard conversation.”

Yet there are signs of pushback. In April 2025, the Public Service Association (PSA) raised concerns about job displacement and work intensification from AI tools. The PSA is negotiating a Collective Agreement clause requiring any algorithmic tool that affects work to be co-designed with staff and assessed for workplace impacts. This could slow Copilot adoption in some agencies.

A more strategic approach would require Cabinet to issue a government-wide directive on AI procurement. That could mandate competitive neutrality for AI services, separate risk assessments for generative AI, and a central register of AI tools in use. It could also require agencies to test at least two alternatives before committing to Copilot, preserving the principle of contestability.

Some experts suggest the government should invest in a shared sovereign AI infrastructure, rather than allowing each agency to buy Copilot ad hoc. A national GPU cluster could run open-source models, ensuring data remains in-country and costs are controlled. Such a model already exists in Singapore and Estonia. Without that shift, New Zealand risks repeating the mistakes of past IT outsourcing—locking in a single vendor for a generation of AI-enabled public services.

For now, the default Copilot rollout continues. The outcome is a classic tale of procurement driving policy: the tail wagging the dog. The consequences will be felt for years, not just in IT budgets but in the very fabric of how the government makes decisions and serves citizens.