The tools are already inside the building
A 21-year-old man took photos from four women’s social media accounts, ran them through freely available apps, and generated explicit images that he then distributed to friends, family, and international pornography sites. He received 24 months’ intensive supervision in May 2026, making it New Zealand’s first sentence for deepfake pornography. The same month, ACT MP Laura McClure’s Deepfake Digital Harm and Exploitation Bill passed its first reading with unanimous parliamentary support.
These two events mark the point where deepfake abuse stops being a social harm story and becomes a governance question for every NZ employer. The offender’s profile is instructive: young, tech-comfortable, using mainstream tools on a personal device. That describes a significant slice of any workforce. A Tech Transparency Project investigation found dozens of “nudify” and face-swap apps available through both Apple and Google app stores that generate sexualised images from ordinary photographs within seconds, despite both platforms prohibiting sexually explicit content.
Any employee with a smartphone has access to these tools right now.
The numbers are accelerating
Netsafe recorded 667 sextortion reports in just the first three months of 2025, compared to 2,250 for the entire previous year, a 68% year-on-year rise. Victims range from children as young as nine to adults in their prime working years. In 2025, Netsafe’s chief online safety officer Sean Lyons put the shift plainly: “We used to think if you never made an image like that… that content could never be used against you. AI changes that.”
A January 2026 Classification Office survey of 1,000 NZ adults found 66% had seen extreme or potentially illegal content online, with half encountering it passively in social media feeds. Yet only 7% reported to Netsafe and 1% to Police. The reporting gap means the real scale of workplace exposure is almost certainly larger than anyone is measuring.
Voluntary codes failed before the ink dried
Elon Musk’s Grok AI, built into X, was used to generate an estimated three million sexualised images of women and girls before the UK forced a partial restriction. X had signed the Aotearoa New Zealand Code of Practice for Online Safety and Harms. It did not matter. As law academics Cassandra Mudgway and Andrew Lensen argued in January 2026, the voluntary code “does not set standards for generative AI, nor does it require risk assessments prior to implementing an AI tool”. X was technically compliant while its own product generated millions of non-consensual images.
ECPAT national director Eleanor Parkes was direct: “We’ve seen we can’t rely on goodwill here. We need enforceable standards.”
The risk runs in two directions for employers
The exposure is not hypothetical. An employee could be a victim, targeted by a colleague, a client, or someone external. The organisation’s response becomes an HR and potentially legal matter. Or an employee could be a perpetrator, using work devices, work networks, or work time. Once the bill passes, that conduct is a criminal offence. An employer with no policy, no training, and no monitoring will face hard questions about governance.
The ACC gap makes this worse. A 2025 Newsroom analysis noted that victims of image-based sexual abuse are excluded from ACC sensitive claim cover. A petition seeking that coverage was rejected. That means employees who are victimised cannot access ACC mental injury support, placing the welfare response squarely on the employer.
Justice Minister Paul Goldsmith framed the bill’s intent clearly: “We have zero tolerance for this kind of harassment of individuals, particularly women, who are clearly far more likely to be the victims.”
What to do before the law catches up
The bill is now with the Social Services Committee. It is not yet law. But the direction of travel is unanimous and the timeline is short. Organisations that wait for royal assent before updating policies are already behind.
The minimum: review acceptable use policies to explicitly cover AI image-generation tools and nudify apps on work devices. Update HR frameworks to treat deepfake creation or distribution as serious misconduct regardless of whether the target is a colleague. Build incident-response capability for when a staff member reports being targeted, including referral pathways that account for the ACC gap. Brief directors that once the bill passes, a failure to have these controls in place could be characterised as a governance failure.
In October 2025, Laura McClure noted growing concern from principals and parents about deepfake incidents in schools, with some young people attempting suicide in response. The workplace is next if it is not already there. The tools are free, the law is tightening, and the gap between what employers should be doing and what they are doing is wide enough to drive a tribunal claim through.
Sources
- 1News: Man sentenced for creating, sharing deepfake porn images (2026-05-22)
- RNZ: Deepfake bill passes first reading in Parliament (2026-05-07)
- RNZ: NZ is criminalising sexualised deepfakes – banning apps that make them should be next (2026-05-07)
- NZ Herald: Netsafe reports 68% rise in sextortion in NZ as AI deepfake threats increase (2025-05-04)
- RNZ: ‘We can’t rely on goodwill’ – NZ lags behind on battling AI creation of sexual images (2026-01-12)
- Classification Office: Online Exposure – Experiences of Extreme or Illegal Content in Aotearoa (2026-01)
- 1News: NZ makes first deepfake porn prosecution, but are we equipped for AI onslaught? (2025-10-16)
- Newsroom: Deepfake law shouldn’t make the perfect the enemy of the good (2025-10-30)