We are humbled and ecstatic to announce that Thunai has officially achieved ISO/IEC 42001:2023 certification!

This isn't just another compliance certification. ISO/IEC 42001:2023 is the world's first international standard for an Artificial Intelligence Management System (AIMS).

To get certified, we followed a rigorous Plan-Do-Check-Act (PDCA) method, making certain our AI voice and chat agents are continuously monitored for ethical and operational integrity, not just blindly deployed. 

We expected a grueling process and maybe some internal operational shifts. What happened next was a complete validation of our system architecture.

The ISO 42001 Hard Numbers: Timeline and Market Uptake

We started this process months ago, and the competition to be truly enterprise-ready was daunting! When building a business case for stakeholders, it is necessary to understand the financial and temporal commitments.

Here is what the current market condition looks like based on data from top-tier consulting firms like Deloitte, Schellman, Polimity, and Neumetric:

There is a massive execution gap in the market. While 87% of executives claim to have AI governance frameworks in place, fewer than 25% have actually operationalized them. We refused to be just theoretical.

Most businesses take 4 to 9 months to go from gap analysis to a completed certification audit, and we are glad to say Thunai was one of the few companies that fell in this category.

The Direct Reality: What the Experts Are Saying

Formal guidelines are neat, but actual application is complex.

We faced the 'Voluntary but Mandatory' paradox head-on. While ISO 42001 is technically voluntary, it is quickly becoming a de facto requirement for B2B enterprise sales.

Enterprise clients are demanding detailed AI governance documentation before signing contracts, especially if the AI impacts human beings.

Vendor management is highly difficult. We had to secure proper Data Processing Agreements (DPAs) and audit rights from massive entities like OpenAI and Anthropic, which became a major administrative delay.

But the experts agree it is worth the effort. As the AWS Security Blog notes, companies are operationalizing trustworthy, secure, and accountable AI governance throughout the full system lifecycle.

Jay Ferro at Clario echoes this, stating it future-proofs platforms against emerging AI regulations.

Actionable Breakdown of Annex A Controls in Thunai

To pass the audit, we had to master the controls in Annex A. Here is what this actually means for you when you use Thunai:

A.2 and A.5: Policies and Impacts

  • A.2 - Policies Related to AI: We have top-management approval and strict Acceptable Use Policies.
  • A.5 - Assessing AI Impacts: Before we deploy our AI Voice Agents, we conduct an Artificial Intelligence Impact Assessment (AIIA) detailing impacts on fairness, privacy, and trust.

A.6, A.7, and A.10: Life Cycle, Data, and Suppliers

  • A.6 - AI System Life Cycle: Our AI Meeting Assistants and Chat Agents are never opaque systems. We track model drift meticulously.
  • A.7 - Data for AI Systems: AI is heavily dependent on its data. We maintain Data Provenance Logs proving we test for bias.
  • A.10 - Third-Party Suppliers: We take full responsibility for risks introduced by third-party APIs through strict Supplier Security Questionnaires.

Our Phased Execution Guide and Your Next Steps

The acceptance driver is clear: nearly 80% of consumers state they are less likely to buy from companies whose AI they do not trust. Over 60% of global companies expect mandatory AI governance laws within two years.

We tackled this through a strict Phased Execution Guide:

  1. Phase 1 and 2: We conducted gap analyses and formed cross-functional AI Governance Committees.
  2. Phase 3: We drafted the three primary documents, including our Statement of Applicability.
  3. Phase 4 and 5: We executed threat modeling and activated continuous monitoring to retain evidence of our data audit trails.

The world is ready for an AI that truly works alongside you securely and ethically.

Want to see how Thunai can help improve your enterprise with AI automation that is ISO 42001 certified?

Book a free demo with our team! 

FAQs on ISO 42001-Compliant AI Software and Agents

What exactly is ISO/IEC 42001?

ISO/IEC 42001:2023 is the world's first international standard for an Artificial Intelligence Management System (AIMS). Rather than dictating how to code an AI, it concentrates strictly on governance aspects like addressing risk, transparency, bias reduction, and accountability. 

Is ISO 42001 certification mandatory?

While technically a voluntary framework, this certification is quickly becoming a de facto requirement for closing B2B enterprise sales. Enterprise clients are increasingly demanding detailed AI governance documentation before they will sign contracts. This is especially true if the AI system directly impacts human beings in sensitive areas like hiring, lending, or healthcare.

Do we have to begin completely anew if we already have ISO 27001?

No. Having an existing ISO 27001 or SOC 2 certification gives you a significant initial advantage, with an estimated 60 to 70% documentation overlap. Early-stage companies can utilize this by creating an 'AI Addendum' to their current Information Security Management System (ISMS).

What are the primary documents an auditor will ask for?

Auditors require concrete proof linking your specific risk assessments to your controls, starting with top-management approval on a clear AI Policy. You must also provide an Artificial Intelligence Impact Assessment (AIIA) report detailing potential harms to fairness, privacy, and trust before deployment. Finally, they will look for Data Provenance Logs and AI System Operating Procedures to prove your models are actively monitored.
