Alexander L. King

Minimally Viable AI Governance


AI has an image problem. We all know it. Whether you are a true believer, a skeptic, or somewhere in between, just about everyone can agree that AI systems and the companies that build them are not worthy of blind trust. This lack of faith gives rise to a growing interest in the governance of AI. It would be prudent for today’s AI startup – or really any company incorporating AI in its business – to get out ahead on governance before it is forced upon them.

ISO 42001 serves as the de facto certification standard for organizations as they look to implement AI governance. It acts as a framework for addressing the risks associated with your use of AI, assuming you have controls in place. If you don’t, it’s as good a place as any to start.

Getting ISO 42001 certified should be understood as a tool for actual risk management, not merely a checkbox. Certification is a byproduct of good security. And as security engineers we know good security starts with a threat model.

Choose any acronym you like: STRIDE, PASTA, DREAD. Pick the modeling format you can reason about. What matters is that you structure your thinking about risk. If you are struggling to think of risks specific to AI, take a look at the OWASP Top 10 for LLM Applications.

Once you have identified risks, mitigate them with the minimal set of controls. It’s easier to add more controls later than it is to take them away. You don’t need anything fancy. In fact, the SOC 2 starting seven probably gets you most of the way there. The certification process is not a live assessment of your security posture. It is paperwork. If you are running a tight program, you should already be generating a thorough enough paper trail to demonstrate your security bona fides.

Trust is a product of transparency, and the AI company that invests in transparency will differentiate itself from the competition. ISO 42001 is how. Besides, you want to sell more software, right? Playing the certification game will generate revenue for your business without fail. If you sit out, you will eventually see sales churn pile up because potential customers are not satisfied with the way you govern AI.

#ai