“We think about this as a triangle. We (Nebuly) have the knowledge about the company and our proprietary AI systems, Fairly.ai has been very helpful in providing structure in terms of how to prepare for the audit, and AssuranceLab in conducting the audit itself.”

Julien Roux
CASE STUDY

How ISO 42001 is changing the game for AI-first companies.

With the increased adoption of AI across the globe, Nebuly knew that achieving ISO 42001 certification was integral to its continued commitment to security.

INTRODUCTION TO NEBULY
Based in the United States and Italy, Nebuly is a plug-and-play user analytics platform for generative AI chatbots.

Nebuly’s User Intelligence platform improves user engagement with GenAI chatbots by uncovering the nuances hidden in conversational AI interactions. It extracts insights from the 99% of conversations in which users only implicitly express their needs and preferences, and turns them into actionable recommendations for increasing user satisfaction.

INTRODUCING ISO 42001 COMPLIANCE AND SAFEGUARDING AI DEVELOPMENT

Nebuly maintains a strong commitment to security and compliance, holding both an ISO 27001 certification and a SOC 2 attestation, and wanted to remain at the cutting edge of compliance for its AI-first product. Because Nebuly operates in regions with evolving regulatory landscapes, it was no surprise when customers started asking about responsible AI and the EU AI Act. This led Nebuly to investigate ISO/IEC 42001, the standard for AI management systems. “Customers started asking about EU AI Act compliance, we looked into how to approach it, and we identified ISO 42001 as the practical solution we needed,” said Julien.

GETTING AUDIT-READY

Having already gone through ISO 27001 and SOC 2 audits, Julien and the team understood the work required in “preparing for the audit, and that an external partner would be needed.” With a newer standard, however, the Nebuly team needed a partner who already had experience in the space.

Enter Fairly.ai. Fairly.ai provides automated testing of AI products across dimensions such as fairness, privacy, and security, which helps companies that want to adopt responsible AI practices.

“We moved earlier than most companies (Q4 2024), and there were not many companies working on ISO 42001 back then. When I researched, I could see Fairly.ai shaped the space and had real experience,” said Julien.
 
Fairly.ai’s role was instrumental in getting the Nebuly team not only audit-ready but also implementing the findings from the ISO 42001 audit.

“I'd like to praise Hassan and Fairly.ai, because they've been instrumental in making this happen. They have been very helpful in providing the structure on how to prepare for the ISO 42001 audit.”

“There was a lot of teamwork and Nebuly's documentation was probably some of the most thorough that we've actually used so far for a company that was in the stages of preparing for an ISO 42001 audit.” Hassan Patel, Director of Global AI Compliance Engineering, Fairly.ai

ISO 42001 AUDIT PROCESS

With audit readiness underway, Nebuly began looking for an audit firm to complete the audit itself. Nebuly had been working with AssuranceLab for its ISO 27001 and SOC 2 audits, so adding ISO 42001 to the mix was a no-brainer for the team.

“We’re a startup, we need to move fast, and when we were looking at ISO 27001 and SOC 2, we felt that AssuranceLab’s process aligned with those values. Since we work with big companies, it’s important that we have a reputable auditor. After having a good experience with the other standards and a good relationship with the team, we thought this was the best way to get ISO 42001 off the ground,” said Julien.

The collaboration and communication between the three teams had an added layer of complexity, with Nebuly’s AI team based in Italy, Fairly.ai in Canada, and AssuranceLab in Australia. Because the audit process was spread out over time, the three companies could collaborate in a way that worked for everyone. AssuranceLab’s responsive communication meant that whenever an issue arose, it was resolved quickly. This agile, remote approach meant the time zones did not affect the experience or the result.

“Nebuly was prepared for their audit, and they did a great job in ensuring that the requirements for ISO 42001 had been implemented.” Kayleen Sto Domingo, Consultant at AssuranceLab.
 
“ISO 42001 is a fairly new standard, but it sticks to the classic ISO management system playbook with a specific focus on AI ethics, governance, and controls. Nebuly being ISO 27001 certified already and their leadership team’s clear commitment to responsible AI meant they were more than ready to jump into these audits - and they nailed it!” Jack Holmes, Senior Consultant at AssuranceLab.

ADDING ISO 42001 TO THE COMPLIANCE STACK

Although it only recently achieved ISO 42001 certification, Nebuly has ensured that its AI development processes and documentation remain thorough and in line with the ISO 42001 standard. “This includes formalising meetings that have always been part of our AI development process, having a structured approach to AI solutions regarding risk assessments, and third parties,” said Diego Fiori, Co-founder and CTO at Nebuly.
 
From a customer perspective, Nebuly is receiving positive feedback for already holding ISO 42001 certification, particularly in risk-averse sectors such as financial services. This shows that, whilst AI compliance is a new area, it is something customers already value.
 
A future goal for Nebuly is to use its ISO 42001 certification to speed up responses to customer AI questionnaires. Whilst the certification already answers some of those questions, most enterprises still use their own questionnaire format. As the topic of AI evolves and becomes more widely understood, organisations are expected to keep expanding their due diligence questionnaires so that they capture AI activities and risks.

RECOMMENDATIONS FOR OTHER AI COMPANIES

Having completed their ISO 42001 and other frameworks with AssuranceLab and Fairly.ai, Julien shared that he would “Definitely (recommend you) from my perspective. We had a great experience with both of you guys. I mentioned Fairly.ai has been instrumental in preparing us for the audit, and AssuranceLab comes with years of experience in the software certification space.”
 
Julien also shared his advice for companies starting ISO 42001: “Be ready to invest some time, even if your AI system is not complex. There are a lot of nuances to be aware of, and that is where Fairly.ai can help.”

LOOKING TO THE FUTURE FOR NEBULY

Now that Nebuly has a solid compliance stack (SOC 2, ISO 27001 and ISO 42001), the team turns to maintaining compliance year-round, with the support of partners like Fairly.ai and AssuranceLab. Nebuly also plans to continue its growth and expand its presence in regulated sectors such as banking, insurance and healthcare.

If you would like to experience the AssuranceLab difference yourself, contact our team: info@assurancelab.com.au 