🤖 AI Summary
From January to June 2025 the author designed and drove an organization-wide AI Governance program at Zendesk that was externally audited in July 2025 and led to ISO 42001 certification—making Zendesk one of the first customer‑experience companies to earn that credential. The program leaned on the NIST AI Risk Management Framework (Govern, Map, Measure, Manage) as its backbone (the author argues NIST alignment gets you ~90% of the way to ISO 42001 and also maps well to the EU AI Act), while using existing GRC structures and ISO 27001 certification as practical accelerants. Critical operational moves were securing senior executive sponsorship, scoping what “AI” covers, assembling cross‑domain stakeholders (security, legal, product, engineering), and embedding continuous incident management and training.
Technically, the implementation mixed qualitative "AI impact" assessments (structured questionnaires/FactSheets) for the Map function with targeted quantitative measures for the highest‑priority risks, and recommended IBM's AI Risk Atlas as an industry‑practical risk taxonomy (in preference to overly granular or security‑only lists such as those from MIT, MITRE, and OWASP). For evaluating third‑party AI vendors, the Cloud Security Alliance's AI‑CAIQ questionnaire is suggested. Key takeaways for the AI/ML community: ISO 42001 is a certifiable way to externally validate governance, pragmatic reuse of existing controls speeds certification, quantitative measurement remains the hardest part, and mature AI Governance is rapidly becoming a market and regulatory differentiator for B2B AI offerings.