AI Compliance Just Got Real: What One Company's ISO 42001 Journey Teaches Us

October 9, 2025

While 73% of US executives are using AI in their organizations, only 58% have started assessing AI risks. That gap represents a massive blind spot that's about to get very expensive for unprepared organizations.

Kandji CISO Satyam Patel just shared the story of how Kandji became one of the first U.S. companies to achieve ISO 42001 certification—the new international standard for AI management systems. His account of navigating uncharted territory offers valuable insights for any organization grappling with AI governance.

Why This Standard Matters Now

ISO 42001 emerged in December 2023 to address the growing need for standardized AI governance. As organizations become increasingly reliant on AI-driven systems, the lack of structured oversight presents operational and reputational dangers—from data privacy breaches to unethical decision-making.

The standard isn't just for large enterprises. It's designed for organizations of all sizes that develop, provide, or use AI-based products and services, offering a structured framework that balances innovation with responsible AI practices.

The Strategic Investment

Kandji didn't view certification as a compliance checkbox but as a strategic investment in their AI roadmap. The benefits span multiple areas:

AI risk management: Clear guidance on identifying and assessing risks associated with AI applications, helping safeguard critical data and operations while reducing legal or reputational damage.

Governance alignment: Ensures AI practices meet legal and regulatory requirements while streamlining governance for consistent, responsible implementation.

Ethical standards: Requires evaluating societal impact and aligning AI products with ethical values, building stakeholder trust and addressing public concerns.

Reputation protection: Demonstrates commitment to responsible AI development, enhancing credibility with users, customers, and the public.

Five Hard-Won Lessons

As one of the first U.S. companies through the process, Kandji essentially built the roadmap as they went. Here's what they learned:

Start with deep understanding: Comprehensive scoping and gap assessments early in the process helped align strategy with the standard's requirements and set clear paths forward.

Overhaul risk frameworks: Certification required aligning with ISO 23894 and NIST AI risk management frameworks to effectively identify, evaluate, and manage AI-specific risks.

Develop comprehensive policies: Certification required creating AI-specific policies covering governance, acceptable use, deployment plans, impact assessments, and vendor evaluation processes.

Invest in training and auditing: Kandji updated security awareness training for developers, product managers, and users, and ran internal audits before final certification to identify potential issues.

Choose experienced partners: Integrating the new AI Management System with existing ISO 27001 Information Security Management System required auditors experienced with both frameworks.

The Compliance Reality Check

The process took several months and consumed significant resources, but the dividends are already showing: enhanced AI governance programs, improved risk management, and increased credibility with customers and partners who value ethical AI practices.

For compliance leaders, the key insight is positioning your organization as a leader in responsible AI innovation while safeguarding reputation as a trustworthy provider.

The Bigger Picture

This isn't just about checking compliance boxes. As AI regulations continue evolving and public scrutiny intensifies, organizations that get ahead of governance requirements will have significant advantages over those scrambling to catch up later.

The gap between AI adoption and AI risk assessment won't remain sustainable much longer. Organizations that treat AI governance as an afterthought are setting themselves up for costly problems.

Read Satyam's complete ISO 42001 journey
