An AI-first company that saw ISO-42001 implementation as a brake
The client describes itself as an "AI-first company". It is re-designing its entire business model around AI capabilities, and its new core offering would not exist without AI. When we first raised AI governance aligned with ISO/IEC 42001, the reaction was skeptical, and the priorities were stated plainly: keep building, and run a more aggressive go-to-market.
Reframing: governance as an accelerant, not a brake
The task was to show that a lightweight, ISO/IEC 42001-aligned governance baseline - with no certification - implemented now would support those two priorities rather than compete with them. Two arguments carried the case.
1. It surfaces failure modes and risks faster while you build
- We created a digital, visual document of all processes, identifying and showing where AI is used in those processes, by whom, how and why.
- This fed into their first AI & systems register, which in turn partly informed an integrated risk register covering AI × Privacy × Information Security.
- Working on the integrated risk register made it obvious that they were missing a few critical controls they now needed to address retroactively.
For an AI-first company, AI risk is business risk. You don’t want to accumulate it.
2. It helps you scale better and sell faster
- It is easier to scale on defined processes and controls than on ungoverned, poor ones.
- More importantly: for educated B2B buyers, the security and AI-assurance questionnaire is starting to appear in procurement, particularly in regulated industries.
So we went looking for the client’s peers and compiled a list of ISO/IEC 42001-certified organisations. In all transparency, they were very few — and the research did not surface ISO 42001-aligned-but-not-certified organisations either. The signal is clear: it is still rare enough to be a differentiator.
If you market or position yourself as an AI-first company, providing assurance around the responsible use and governance of your AI systems is not an optional consideration. It is part of your offer.
The engagement: a two-phased approach
We structured the work in two phases. First, we set the baseline: a clear, evidenced picture of where AI lives in the organisation, what is to be governed or not, where the gaps are, and what fixing them will involve.
01 · Setting the baseline with the organisation’s AI Footprint Map
The goal was for the business to know exactly where AI lives in their organisation, what’s theirs to govern, where the gaps are, and what fixing them will involve.
| What Was Delivered | What It Included |
|---|---|
| AI-footprint process map | A visual document capturing all processes, identifying and showing where AI is used in those processes, by whom, how and why. |
| AI & systems register | The operational inventory and single source of truth of the organisation’s AI assets. Referenced in organisational policies (e.g. the list of authorised AI tools in the AI policy). |
| Supply-chain role determination | Clarify which roles (AI producer, AI deployer, AI customer, AI subject) our client serves in the supply chain, to target controls that are actually relevant to them. |
| Draft build scope + fixed-price proposal | An evidence-based, fixed-price plan to take the findings of the first phase and implement actionable, compliant and auditable AI governance controls. |
02 · Implementing core foundations: AI Governance Build (aligned with ISO/IEC 42001)
Put the controls, records, and evidence in place so our client can answer their buyers’ AI-assurance questions and prove their organisation governs AI safely and responsibly.
| What We Delivered | What It Included |
|---|---|
| Integrated risk register (AI × Privacy × InfoSec) | One register that covers AI, privacy and security risk so our client stops unknowingly stockpiling business risk. |
| Controls implementation | Implementation of the risk treatment plan and key controls. |
| Completed AI-CAIQ self-assessment | Self assessment AI-assurance questionnaire, with real evidence for the controls. |
The takeaway
A lightweight, ISO/IEC 42001 baseline did not slow the build or the go-to-market motion. It de-risked both by surfacing missing critical controls before they became incidents, and turning AI assurance into a sales asset in a competitive market where it is still rare enough to stand out. For a company whose offering would not exist without AI, governing that AI is not overhead. It is part of the product.