// Research / Trust, PII & Safety

ISO 42001 implementation that survives the surveillance audit.

ISO/IEC 42001:2023 is the AI management system standard buyers and procurement teams will start asking for. We're not a certification body - we run the gap assessment, implement the controls, and wire evidence collection into your pipeline so the AIMS holds up at year-two surveillance, not just on audit day one.

// What we see

Year one passes. Year two surveillance is where the AIMS breaks.

01

The policies live in SharePoint, the system lives in CI/CD

The audit passes because the documents exist. Six months later, the engineering team has shipped 40 model versions and the AIMS hasn't tracked any of them. The surveillance audit finds the gap, the nonconformity is filed, and the program restarts.

02

Annex A controls written for an ISMS, not an AI system

Most consultants port the ISO 27001 control language across and call it AIMS. The auditor opens a model card, asks where the impact assessment was triggered, and the control evidence doesn't connect. The remediation is rewriting the controls against the actual lifecycle.

03

Evidence is collected the night before the auditor arrives

Risk decisions, model cards, eval results - all manually compiled, all dated retroactively. It looks tidy and survives a casual review. It doesn't survive a competent technical auditor pulling on a thread for ten minutes.

// Case Study

We trained EasyDocs' invoice extraction model

EasyDocs is the platform provider - they ship document management software to their own customers. We trained the fine-tuned NLP model that runs inside it, auto-extracting VAT numbers, totals, and addresses from invoices and learning from every user correction. Deployed on their servers, no external dependencies.

  • 98%

    field-level extraction accuracy

  • <300ms

    inference time per invoice

  • On-prem

    deployment with no external dependencies


// What we do

Three things that decide whether the AIMS holds up.

Most ISO 42001 work fails at year-two surveillance, not year-one audit. We build for the system that operates after we leave - controls in the pipeline, evidence collected automatically, management review tied to engineering reality.

Annex A controls in the pipeline

A.6.2 impact assessments triggered by deploy events, A.7 data quality checks integrated into ingestion, A.8 lifecycle controls in CI/CD, A.9 reporting wired to your existing channels. The controls live where the work happens, not in a parallel governance system nobody reads.

Evidence automation, not folders

Model cards and datasheets generated at training time. Eval results linked to model versions and deploy gates. Audit logs of risk decisions with hash chaining. The auditor walks in, you click through dashboards mapped to Annex A control IDs - no PDFs printed the night before.
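The "hash chaining" of risk-decision audit logs mentioned above, as an added illustration that is not bards.ai's code: each decision is hashed together with the previous entry's hash, so backdating, editing or deleting an entry breaks that link and every later one, which is exactly the retroactive compilation a technical auditor pulls on. The control IDs are the ones this page names; the model name, record fields and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hypothetical sentinel standing in for the hash before the first entry


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_decision(log, control_id, model_version, decision, recorded_at=None):
    """Append one risk decision; its hash covers the previous hash and the record."""
    record = {
        "control_id": control_id,      # Annex A control ID the evidence maps to
        "model_version": model_version,
        "decision": decision,
        "recorded_at": recorded_at or datetime.now(timezone.utc).isoformat(),
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({**record, "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]


def verify_chain(log):
    """Return the index of the first entry whose hash no longer matches, else None."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if _digest(prev_hash, record) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    return None


def demo():
    # Constructed sample: decisions recorded as the deploy events happen (hypothetical model name).
    log = []
    append_decision(log, "A.6.2", "invoice-extractor-1.4.0", "impact assessment approved",
                    recorded_at="2024-03-01T09:12:00+00:00")
    append_decision(log, "A.8", "invoice-extractor-1.4.0", "deploy gate: eval thresholds met",
                    recorded_at="2024-03-01T09:40:00+00:00")
    intact = verify_chain(log)  # None: every link checks out
    # Backdating the first decision the night before the audit breaks link 0 and every later one.
    log[0]["recorded_at"] = "2023-11-15T10:00:00+00:00"
    return intact, verify_chain(log)  # (None, 0)
```

In practice the latest hash is also published somewhere the log writer cannot rewrite (a signed release note, a ticket, a separate system), so the chain anchors to a date the auditor can check independently.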

Crosswalk to AI Act and ISO 27001

ISO 42001 covers ~70% of EU AI Act technical documentation and inherits most of the ISO 27001 information-security controls. We map them once so you don't pay twice - the evidence layer feeds all three audits, the management review covers all three reporting cycles.

// Method fit

ISO 42001 isn't the right framework for every AI program.

skip it if

  • Your AI portfolio is two prompts and a vector store

    If you have one customer-facing chatbot and a RAG over your docs, ISO 42001 is overkill. A documented risk policy plus your existing ISO 27001 controls covers the surface. Come back when the AI surface area justifies a dedicated management system.

  • Your driver is the EU AI Act, not a buyer requirement

    If the procurement team isn't asking for ISO 42001 yet and your only constraint is the AI Act, run that program directly. ISO 42001 helps satisfy AI Act requirements but it's a longer path - go straight at the regulation when that's what's actually load-bearing.

  • You need the certificate this quarter

    Realistic timeline from gap assessment to a Stage-2 audit is 6-12 months. If a buyer is asking for ISO 42001 in the next 90 days, the right move is documenting your current state, scoping the AIMS narrowly, and being honest about the timeline - not racing a process that's designed to be deliberate.

use it if

ISO 42001 fits when your AI portfolio is broad enough to need a management system, your buyers or regulators are starting to ask for it, you already have ISO 27001 (or are running it in parallel), and you want a program that survives surveillance audits without restarting every two years.

// How we work

Gap assessment first. Build in the open. Hand off the evidence dashboards.

Every ISO 42001 engagement starts with a gap assessment that names which controls are real and which are theatre. From there we build inside your engineering systems - not in a parallel SharePoint tree.

01

Gap assessment and scope (week one)

We map your current state against ISO 42001 clauses 4-10 and Annex A controls. Output: a defensible scope statement, a control gap matrix with effort estimates, and a roadmap your CISO and your head of engineering both sign off on before any policy is drafted.

02

Implement controls in your systems

Annex A controls go into your model registry, your CI/CD, your eval pipeline. Evidence dashboards pull from the same sources your engineers already use. Policies get drafted to match what the systems actually do, not the other way around. Your team watches it being built, not in a Friday demo.

03

Hand off the management review cadence

We hand off the evidence dashboards, the management review pack template, the internal audit program with rotating scope, and the crosswalk to AI Act / ISO 27001. We rehearse the Stage-1 documentation review and the Stage-2 mock audit. Slack for 30 days after delivery.


// Expert insight

Most ISO 42001 work is consulting theatre - a SharePoint folder of policies that the engineering team has never read. The AIMS that survives surveillance year two is the one where Annex A controls are wired into the deploy pipeline, and evidence is generated as the work happens. We build the second one.

Michał Pogoda-Rosikoń

Co-founder @ bards.ai


// Why bards.ai

Why us, instead of a Big-Four AI governance practice.

Most ISO 42001 consulting is run by lawyers and auditors without engineering depth. The AIMS that holds up needs the engineering team to actually implement the controls. We do both sides.

AI engineering credibility, not pure compliance

We've shipped 1B+ tokens/day in production and 16+ open-source models. We know what the model registry, deploy gates, and eval pipelines look like - because we build them. The Annex A controls land in real systems, not in a deck.

Crosswalk built in

ISO 42001 covers ~70% of EU AI Act technical documentation. We map controls to the AI Act and to ISO 27001 in the same engagement so the evidence layer feeds every audit your team has to face.

Senior engineers only, no juniors

Every person on your engagement has shipped AI to production and knows what 'evidence' actually means. No ramp-up tax, no learning the standard on your dollar.

// FAQ

Common questions about ISO 42001 implementation

No. Certificates are issued by accredited certification bodies (BSI, DNV, TÜV, DEKRA, Bureau Veritas, and others). We're not a certification body and we don't audit. We do the implementation work that gets you ready, and we stand by you through the audit. We can recommend CBs we've worked with and rate their AI-domain familiarity.

From gap assessment to Stage-2 audit readiness typically runs 6-12 months end-to-end, with our engineering work concentrated in 8-12 weeks of structured delivery. The variability is mostly your scope and current maturity. Lean engagements with one product land closer to 6 months. Multi-product enterprise scopes with legacy systems take 9-12.

ISO 42001 isn't a substitute for AI Act conformity, but it covers most of the management-system and technical-documentation requirements that high-risk systems need. We build the AIMS so it produces the artifacts the AI Act expects (risk management documentation, post-market monitoring, transparency information) without duplication. Crosswalk matrix included.

Not strictly required, but ISO 27001 covers the information security baseline that ISO 42001 builds on. If you're already certified, we plug the AIMS into the existing ISMS. If not, we either run them in parallel or scope ISO 42001 narrowly enough that the security overlap is handled in-context.

Engagements start at $40K. Most ISO 42001 implementations land between $40K and $120K depending on scope, current maturity, and whether the evidence layer is greenfield. CB audit fees are separate. Fixed-fee proposal after the gap assessment - no time-and-materials surprise.

// Let's ship it

Send us your AI portfolio. We'll send back a gap.

Tell us your AI scope, your current ISO posture, and which buyers or regulators are starting to ask. We'll come back with a defensible scope statement and a roadmap to audit readiness - usually within a business day. Engagements from $40K, typically 4-8 weeks of structured engineering work.


Michał Pogoda-Rosikoń

Co-founder @ bards.ai