July 2026Case Studyiso 42001 certification

Case Study: How an AI Startup Achieved ISO 42001 + SOC 2 Dual Certification in 12 Weeks to Close a $3.5M Law Firm Contract

Case study: How Aethon AI achieved ISO 42001 and SOC 2 Type II dual certification in 12 weeks — closing a $3.5M contract with a top-20 US law firm that required proof of AI governance.

By QuickTrust EditorialUpdated 2026-02-28

Case Study: How an AI Startup Achieved ISO 42001 + SOC 2 Dual Certification in 12 Weeks to Close a $3.5M Law Firm Contract

Company: Aethon AI (Series B, $18M raised, 60 employees, HQ Boston) Product: Enterprise AI copilot for legal document review and contract analysis Certifications achieved: ISO 42001:2023 + SOC 2 Type II Timeline: 12 weeks Deal closed: $3.5M/yr with a top-20 US law firm Engineering time consumed: 22 hours total across the entire engagement

The Situation

Aethon AI had been on a tear. Their enterprise AI copilot for legal document review — built on fine-tuned large language models capable of reviewing contracts, flagging risk clauses, and generating redlines — was processing over 50,000 documents per month for a growing roster of mid-market law firms. The product-market fit was undeniable. Revenue was growing quarter over quarter. The ML engineering team of 12 was deep into training v3 of their contract analysis model, a release that would widen their lead over every competitor in the legal AI space.

SOC 2 Type I was already in progress, a standard checkbox for enterprise SaaS sales. The team had a reasonable security posture: AWS-native infrastructure, Okta for identity, encrypted data at rest and in transit. Nothing unusual for a Series B company selling into regulated verticals.

Then the Whitfield & Crane opportunity materialized.

Whitfield & Crane LLP is a top-20 US law firm. 1,200 attorneys. Offices in New York, London, and Singapore. Their Innovation Partner, David Asante, had been evaluating Aethon's platform for six months. He was enthusiastic. The pilot had gone well. Contract review accuracy exceeded the firm's benchmarks. The attorneys on the pilot team were asking when they could roll it out firm-wide. A $3.5 million annual contract was on the table — Aethon's largest deal by a factor of four.

Then the firm's General Counsel intervened.

Margaret Liu had been tracking the EU AI Act's enforcement timeline. With the Act's risk classification requirements and transparency obligations coming into sharper focus, Whitfield & Crane's risk committee had mandated that every AI vendor demonstrate governance controls before any new procurement could be approved. SOC 2 alone was not sufficient. The committee specifically required ISO 42001 — the international standard for AI management systems — or an equivalent documented AI governance framework that covered the full lifecycle of AI system development, deployment, and monitoring.

Margaret sent Aethon a vendor questionnaire. It contained 67 AI-specific governance questions. The questions were precise: How do you document training data provenance? What is your model versioning and lifecycle governance process? How do you monitor for bias in production systems? What human oversight controls exist for AI-generated outputs? How do you handle AI-specific incidents such as hallucination or data leakage? What is your process for AI risk assessment?

Aethon's team could answer 8 of the 67 questions.

The remaining 59 were not things they had never thought about — they were things they had thought about informally, discussed in Slack threads, and handled through tribal knowledge within the ML team. But none of it was documented. None of it was auditable. None of it would satisfy a General Counsel at a firm that litigates risk for a living.

CTO Raj Iyer described the moment bluntly: the product was world-class, but the governance around it was nonexistent on paper. And in enterprise sales, if it is not on paper, it does not exist.

The clock was ticking. Whitfield & Crane's vendor review cycle closed at the end of Q3. Aethon had 14 weeks.

The Challenge

Aethon faced four compounding problems, each of which would have been significant on its own. Together, they looked close to impossible.

First, ISO 42001 was terra incognita. The standard had been published by ISO in December 2023, making it barely two years old. At the time Aethon needed it, fewer than 50 organizations worldwide had achieved certification. There was no established playbook. The consulting ecosystem had not caught up. Most auditors had limited experience with the standard. The handful of AI ethics firms that understood the concepts had never actually implemented the controls end-to-end or shepherded a company through a certification audit. Reading the standard itself — with its 42 Annex A controls organized across 8 categories — was one thing. Understanding what auditors would actually look for in evidence, what "conformity" meant in practice for an ML pipeline, and how to build an AI Management System (AIMS) that would hold up to a Stage 2 audit was another thing entirely.

Second, Aethon's AI systems had been built for speed, not governance. This is not a criticism — it is the reality of every high-growth AI startup. The ML team had been laser-focused on model performance: accuracy, latency, throughput. Training data provenance was tracked informally at best. Model versioning relied on Git tags with inconsistent naming conventions. There was no formal model registry. Bias testing was ad hoc — one engineer had run fairness metrics on the contract review model six months earlier, but the results were in a Jupyter notebook that was never reviewed or integrated into any process. There was no human override mechanism in production. If the model generated an incorrect redline, the only recourse was for an attorney to ignore it. There was no feedback loop, no escalation path, no incident response procedure specific to AI failures.

Third, Aethon needed SOC 2 Type II simultaneously. Whitfield & Crane required both certifications. SOC 2 Type I was already underway, but Type II required an observation period — a window of time during which the company had to demonstrate that controls were not just designed but operating effectively. This meant that the SOC 2 observation window had to start early enough in the 14-week timeline to produce a valid Type II report by the deadline. Every week of delay in standing up SOC 2 controls compressed the observation period further.

Fourth, the ML engineering team could not be pulled off product development. Aethon's v3 contract analysis model was in active training. This release represented a step-function improvement in accuracy for complex multi-party agreements — the exact capability that would differentiate them from competitors like Kira Systems, Luminance, and Ironclad's AI features. CEO Serena Park was clear: the compliance effort could not become a drag on engineering velocity. Whatever the solution was, it had to work around the ML team's sprint cycle, not replace it.

Fourteen weeks. Two certifications. One team that could not stop shipping. A standard that almost nobody had implemented. And a $3.5 million deal on the line.

Why QuickTrust

Aethon evaluated three options in the first five days.

Option 1: AI ethics consultancy. Several boutique firms specialized in responsible AI frameworks, fairness audits, and AI governance advisory. They could help build a governance framework on paper — policies, risk assessments, ethical guidelines. But none of them had technical implementation capability. They could not deploy a model registry, build a bias monitoring pipeline, or implement human oversight controls in production code. They also had no SOC 2 capability, which meant Aethon would need a second vendor for that workstream. Most critically, their typical engagement timelines ran 6 to 9 months. That was three times longer than Aethon had.

Option 2: Big 4 firm. One of the major accounting and consulting firms had launched an ISO 42001 practice and had completed a single pilot project. Their proposal came back at $350K+, with a 20-week estimated timeline and a scope limited to advisory and gap assessment. Implementation would be Aethon's responsibility. The Big 4 firm would tell Aethon what controls were needed but would not build them. For a 60-person company with no dedicated GRC function, advisory-only was not a viable model. Aethon did not need a PowerPoint deck explaining what an AI risk assessment should contain. They needed someone to build the risk assessment, implement the controls, collect the evidence, and coordinate the audits.

Option 3: QuickTrust. QuickTrust had already done the foundational work that the other options had not. The team had mapped every one of ISO 42001's 42 Annex A controls — across all 8 categories: AI system impact assessment, AI risk management, AI system lifecycle, data governance, AI system transparency, AI system accountability, third-party and supplier management, and organizational governance. They had built implementation templates for each control. They had established relationships with the small number of accredited auditors who had completed ISO 42001 certification engagements. And they had a critical insight that changed the math: 68% of SOC 2 trust service criteria controls overlap with ISO 42001 AIMS requirements.

That overlap was the key. It meant Aethon did not need to implement two separate compliance programs. QuickTrust could build a unified control framework where a single implementation satisfied both standards simultaneously. A model registry that tracked training data, versioning, and deployment approvals satisfied ISO 42001's model lifecycle governance requirements and SOC 2's change management criteria. An IAM architecture that enforced role-based access to model training environments satisfied ISO 42001's AI system access controls and SOC 2's logical access criteria. Logging that captured model inputs, outputs, confidence scores, and version identifiers satisfied ISO 42001's transparency requirements and SOC 2's monitoring criteria.

QuickTrust's proposal: 12 weeks, both certifications, full implementation — not just advisory. Engineering time required from Aethon's ML team: estimated at under 30 hours across the entire engagement.

Raj Iyer approved the engagement within 48 hours.

Week-by-Week Implementation

Weeks 1-2: AI Management System Scoping and Gap Assessment

The engagement started with a comprehensive inventory of Aethon's AI systems. QuickTrust mapped every model in production and development: three production models (contract review, risk clause flagging, and redline generation) and two models in active development (the v3 contract analysis model and a new summarization model). Each system was profiled for its intended purpose, data inputs, output types, downstream consumers, and risk classification under both ISO 42001 and the EU AI Act's risk taxonomy.

The gap assessment was structured against ISO 42001's Annex A controls — 42 controls organized into 8 categories. QuickTrust evaluated Aethon's current state for each control on a maturity scale and identified the critical gaps: no formal AI risk assessment process existed; there was no model registry beyond informal Git tags; training data governance was absent — no data lineage tracking, no PII detection in training sets, no consent verification for data sources; bias monitoring had never been systematically implemented; there was no human oversight mechanism that would allow attorneys to override AI outputs and feed corrections back into the system; and there was no AI-specific incident response procedure.

In parallel, QuickTrust launched the SOC 2 gap assessment. This is where the 68% overlap thesis was validated in practice. Of the SOC 2 trust service criteria that Aethon needed to satisfy, roughly two-thirds mapped directly to ISO 42001 controls that QuickTrust was already planning to implement. This meant the SOC 2 workstream was not a separate project — it was an incremental layer on top of the AIMS implementation.

The AIMS scope was formally established to cover all production AI systems and the development pipeline that fed them. CTO Raj Iyer and VP Engineering Dr. Amara Osei attended a 3-hour AIMS briefing where QuickTrust walked through the standard's structure, the audit process, and what evidence the auditor would require. This was the single largest block of executive time required during the entire engagement.

By the end of Week 2, Aethon had a complete gap assessment, a prioritized implementation roadmap, and a shared understanding of exactly what "done" looked like for both certifications.

Weeks 3-5: AI Governance Framework and Policy Pack

With the gaps identified, QuickTrust moved into framework and policy development — the documentary foundation that ISO 42001 auditors evaluate first.

The AI risk assessment framework was the centerpiece. QuickTrust built a comprehensive risk register that identified 23 AI-specific risks relevant to Aethon's systems. These were not abstract theoretical risks — they were concrete, operationally grounded threats that an auditor (and a law firm General Counsel) would recognize immediately:

  • Hallucination: The contract review model generating plausible but factually incorrect clause interpretations, leading to missed risk in a legal agreement.
  • Bias in contract interpretation: Systematic differences in how the model handles contracts from different jurisdictions, client sizes, or industry sectors — potentially disadvantaging certain client populations.
  • Data leakage of privileged information: Client documents processed by the model containing attorney-client privileged material, with risks around training data contamination, unauthorized access, or inadvertent exposure.
  • Prompt injection: Adversarial inputs in contract text designed to manipulate model behavior — a particularly acute risk when processing third-party documents.
  • Model drift: Gradual degradation in model accuracy as the distribution of incoming contracts shifts over time.
  • Unauthorized model access: Insufficient access controls allowing non-authorized personnel to modify production models or access training data.

Each of the 23 risks received a documented treatment plan: risk rating (likelihood and impact), existing mitigations, residual risk, and planned controls.

QuickTrust then drafted the full policy suite. Eight policies were AI-specific, mapped directly to ISO 42001 requirements:

  1. AI Development Lifecycle Policy — governing how models move from research through development, validation, deployment, and retirement.
  2. Training Data Governance Policy — establishing requirements for data sourcing, lineage tracking, PII handling, consent, and data quality.
  3. Model Monitoring and Evaluation Policy — defining ongoing performance monitoring, drift detection, and periodic re-evaluation requirements.
  4. Human Oversight Policy — specifying when and how human review is required, how overrides are handled, and how feedback is incorporated.
  5. AI Incident Response Policy — defining what constitutes an AI incident (distinct from a security incident), escalation paths, and post-incident review.
  6. AI Ethics Policy — establishing principles for fairness, transparency, and accountability in Aethon's AI systems.
  7. Third-Party AI Component Policy — governing the use of foundation models, open-source ML libraries, and third-party APIs within Aethon's systems.
  8. AI Transparency Policy — defining what information is disclosed to customers about how AI systems work, their limitations, and their confidence levels.

Twelve additional SOC 2 policies were drafted in parallel, with significant reuse of common elements — access control, incident response, change management, risk assessment, and vendor management policies all drew from shared foundations with the AIMS policies.

QuickTrust simultaneously built the model registry — a structured, auditable record of every model in Aethon's inventory. The registry captured training data sources, preprocessing steps, hyperparameters, evaluation metrics (accuracy, precision, recall, F1 by task type), deployment approvals, version history, and current production status. This was not a document — it was a living system that would be maintained going forward.

Training data governance was implemented at the same time: data lineage tracking from source documents through preprocessing, tokenization, and model training; PII detection scanning on all training datasets; and consent verification for every data source used in model training.

By the end of Week 5, Aethon had a complete documentary framework: 20 policies, a populated risk register, and a model registry. The foundation was set for technical implementation.

Weeks 5-8: Technical Control Implementation

This was the heaviest implementation phase, and the period where QuickTrust's engineering capability — rather than advisory capability — made the difference.

Model governance infrastructure was built first. QuickTrust deployed MLflow as the centralized model registry, replacing the informal Git tag system that had been Aethon's de facto versioning mechanism. MLflow provided experiment tracking (every training run recorded with hyperparameters, metrics, and artifacts), model versioning (immutable version identifiers with full lineage), and a model staging workflow (models progressed through "Staging," "Production," and "Archived" stages with explicit approval gates).

On top of MLflow, QuickTrust implemented a model approval workflow: every deployment to production required sign-off from both the ML team lead and a legal domain expert. This dual-approval mechanism ensured that model changes were evaluated for both technical performance and domain appropriateness — a control that ISO 42001 auditors specifically look for.

The human oversight dashboard was a critical build. QuickTrust worked with Aethon's frontend team (4 hours of their time) to create an interface where attorneys using the platform could flag any AI-generated redline as incorrect, irrelevant, or potentially harmful. Every flag was logged, categorized, and routed to a review queue. Patterns in flags triggered automatic model retraining reviews. This was not just a governance checkbox — it was a genuine product improvement that made Aethon's platform more trustworthy for end users.

Bias monitoring was implemented as a systematic, automated process. QuickTrust deployed statistical parity testing on the contract review model's clause classifications, sliced across three dimensions: jurisdiction type (US state law vs. UK law vs. EU law vs. Singapore law), client company size (SMB vs. mid-market vs. enterprise), and industry sector (technology vs. healthcare vs. financial services vs. manufacturing). Any statistically significant divergence in classification accuracy across these dimensions triggered an alert and investigation. The monitoring ran on a weekly batch cycle against production inference logs.

Confidence scoring was integrated into the inference pipeline. Every model output was tagged with a confidence score. Outputs below a 0.85 confidence threshold were automatically escalated to human review — the attorney would see the AI's suggestion but with an explicit flag indicating lower confidence. This mechanism directly addressed the hallucination risk identified in the risk assessment and gave auditors a concrete, measurable control to evaluate.

Data governance controls were implemented in parallel. Training data lineage was tracked in a data catalog built on AWS Glue Data Catalog, providing a queryable record of every dataset's origin, transformations, and usage in model training. A PII detection pipeline using Amazon Comprehend scanned all pre-training data, flagging and quarantining any records containing personally identifiable information that had not been appropriately anonymized. Data retention and deletion controls were enforced for client documents: auto-purge after processing with a 30-day retention window, after which documents were permanently deleted from all storage systems including backups.

Prompt injection detection was deployed as an input sanitization layer sitting before all model inference endpoints. The layer used pattern matching and a lightweight classifier to detect adversarial inputs in contract text — attempts to manipulate model behavior through carefully crafted text strings embedded in documents.

SOC 2 technical controls were implemented on the same timeline, leveraging the 68% overlap:

  • Identity and Access Management: AWS IAM Identity Center federated with Okta, with role-based access controls separating model training access, inference endpoint access, and training data access into distinct permission sets. ML engineers could not access production inference logs. Customer success staff could not access training infrastructure.
  • Encryption: AWS KMS managed encryption keys for model artifacts and training data at rest. TLS 1.3 was enforced on all API endpoints. Encryption in transit covered every data path — client documents, model inputs, model outputs, and inter-service communication.
  • Logging and Monitoring: AWS CloudTrail captured all API calls to AWS services. CloudWatch provided infrastructure and application monitoring. Custom model inference logging — built by QuickTrust — captured every AI decision with the input hash, full output, confidence score, model version, and timestamp. This inference log was the single most important evidence artifact for both ISO 42001 transparency requirements and SOC 2 monitoring criteria.
  • Application Security: Semgrep and Gitleaks were integrated into the CI/CD pipeline for static application security testing and secrets detection. Snyk was deployed for dependency scanning, catching known vulnerabilities in Python packages and ML libraries before they reached production.

The total engineering time from Aethon's ML team across this entire phase: 22 hours. That included model architecture discussions (so QuickTrust understood the systems well enough to implement controls correctly), access provisioning for QuickTrust's engineers, and validation of bias testing results. Twenty-two hours across 12 people over 4 weeks. Less than one hour per engineer per week.

Weeks 9-10: Internal Audit and Evidence Collection

Before subjecting Aethon to an external certification audit, QuickTrust conducted a full internal audit against the combined ISO 42001 and SOC 2 control set. This is where gaps are caught and fixed — far better to find issues internally than to have an auditor document them as nonconformities.

The internal audit covered every control in the AIMS scope and every SOC 2 trust service criterion. QuickTrust's auditors reviewed documentation, tested controls operationally, examined evidence artifacts, and interviewed key personnel (Raj Iyer, Dr. Amara Osei, and two senior ML engineers).

Three minor findings emerged in the AI governance domain:

  1. Model registry gap: Two legacy models — early versions of the contract review model that were still technically deployed in a non-production environment — had not been added to the MLflow registry. They were running in a staging environment used for regression testing but had never been formally registered. QuickTrust registered both models with full metadata within one day.

  2. Training data lineage incompleteness: The v1 contract review model, trained 18 months earlier, had incomplete training data lineage. The original training dataset had been assembled before any data governance process existed, and some source records could not be fully traced. QuickTrust documented the known lineage, flagged the gaps, and established a remediation plan (the v1 model was scheduled for retirement when v3 launched, which resolved the issue permanently).

  3. Bias monitoring thresholds: The bias monitoring system was operational and producing results, but the thresholds for what constituted a "statistically significant divergence" triggering investigation had not been formally documented in the Model Monitoring and Evaluation Policy. QuickTrust updated the policy with explicit threshold definitions (based on standard statistical parity metrics with a 5% divergence trigger) within two days.

All three findings were remediated within 4 days. None required architectural changes or significant engineering effort.

Evidence collection was the other major activity in this phase. ISO 42001 and SOC 2 auditors require documentary evidence that controls exist, are implemented, and are operating effectively. QuickTrust collected and organized over 420 evidence artifacts: policies, procedures, risk assessments, model registry exports, training data lineage records, bias monitoring reports, access control configurations, encryption settings, log samples, incident response test results, and management review minutes.

A formal management review was conducted with CEO Serena Park, CTO Raj Iyer, and VP Engineering Dr. Amara Osei. The review covered the AIMS scope, risk assessment results, control implementation status, internal audit findings, and certification readiness. This management review is a specific ISO 42001 requirement — it demonstrates that senior leadership is engaged with and accountable for the AI management system.

Weeks 11-12: Certification Audits

The final two weeks were devoted to external certification audits for both standards.

ISO 42001 Stage 1 audit (document review) was conducted first. The auditor reviewed Aethon's AIMS documentation: the AI management system scope, AI risk assessment, AI policies, model registry, and management review records. The Stage 1 audit evaluates whether the documentary foundation is sufficient to proceed to a Stage 2 audit. Aethon passed with zero major findings. The auditor noted the comprehensiveness of the AI risk assessment and the clear mapping between identified risks and implemented controls.

ISO 42001 Stage 2 audit (operational evidence review) followed immediately. This was a 2-day on-site engagement where the auditor evaluated whether the controls documented in Stage 1 were actually implemented and operating in practice. The auditor examined the MLflow model registry, observed the model approval workflow, reviewed bias monitoring outputs, tested the human oversight dashboard, examined training data lineage records, and interviewed Aethon personnel about AI incident response procedures.

The result: zero nonconformities. The auditor specifically praised two elements of Aethon's AIMS. First, the human oversight mechanism — the ability for attorneys to flag and override AI outputs, with flags feeding back into model improvement processes — was cited as a best practice that exceeded the standard's requirements. Second, the bias monitoring framework, with its multi-dimensional fairness testing across jurisdictions, client sizes, and industry sectors, was noted as one of the most thorough implementations the auditor had seen.

SOC 2 Type II required an observation period — a window during which controls must be demonstrably operating. QuickTrust had planned for this from Day 1, beginning the observation period in Week 4 when core controls were stood up. By Week 12, the 8-week observation window had completed. The SOC 2 auditor reviewed the full observation period evidence: access logs, change management records, monitoring alerts, incident response tests, and security scanning results. The opinion was clean and unqualified — no exceptions, no qualifications.

Both certificates were issued before the end of Week 12. Two weeks ahead of Whitfield & Crane's vendor review deadline.

The Results

The numbers tell the story.

  • ISO 42001:2023 certificate issued in Week 12 — Aethon became one of fewer than 50 companies worldwide to achieve this certification.
  • SOC 2 Type II report issued in Week 12 — clean, unqualified opinion with zero exceptions.
  • Total internal ML engineering time: 22 hours across the entire 12-week engagement. Less than two sprint days for the entire team.
  • ISO 42001 Annex A controls implemented: 42 out of 42, covering all 8 control categories.
  • SOC 2 controls implemented: 31 controls, with 68% directly reused from the AIMS implementation.
  • AI-specific risks assessed: 23 risks with documented treatment plans, residual risk ratings, and mapped controls.
  • Policies created: 20 total — 8 AI-specific policies for ISO 42001 and 12 SOC 2 policies, with shared foundations reducing redundancy.
  • Evidence artifacts: 420+ items collected, organized, and presented to auditors.

The deal closed. Whitfield & Crane LLP signed the $3.5M annual contract. Margaret Liu, the General Counsel whose 67-question questionnaire had started the entire journey, personally noted that Aethon was "the first AI vendor that could prove their systems were auditable." David Asante, the Innovation Partner, began firm-wide rollout within 30 days of contract signing.

The pipeline expanded. Five additional law firms — representing a combined $4.2M in annual contract value — that had paused procurement discussions due to AI governance concerns re-engaged after learning about Aethon's ISO 42001 certification. The certificate was not just a compliance artifact; it was a sales asset.

The competitive moat deepened. Every competitor in the legal AI space — Kira Systems, Luminance, Ironclad's AI features, and a half-dozen smaller startups — lacked ISO 42001 certification. For enterprise law firms with AI governance requirements on their vendor questionnaires, Aethon was the only option that could satisfy the checkbox. In a market where product differentiation is narrowing, governance differentiation became Aethon's most durable advantage.

"We were building AI for lawyers. Lawyers care about risk. The fact that we couldn't demonstrate governance of our own AI systems was becoming an existential sales problem. ISO 42001 didn't just close the Whitfield deal — it made us the only legal AI vendor that enterprises can buy with confidence."

Serena Park, CEO, Aethon AI

"I expected ISO 42001 to be a nightmare — a brand-new standard with no playbook. QuickTrust had already mapped it. They told us which of our existing practices counted, what was missing, and then implemented the gaps. My ML engineers spent 22 hours across 12 weeks. That's less than two sprint days."

Raj Iyer, CTO, Aethon AI

Key Lessons

Five takeaways from Aethon's experience that apply to any AI company facing governance requirements.

ISO 42001 is new but not impossible. The standard was published in December 2023, and the ecosystem is still maturing. But companies that already have SOC 2 controls in place have a 68% head start. The overlap between SOC 2 trust service criteria and ISO 42001 AIMS requirements is substantial — access controls, change management, monitoring, risk assessment, and incident response all have direct parallels. The AI-specific controls that ISO 42001 adds (model registry, bias monitoring, human oversight, training data governance, AI risk assessment) are incremental, not a complete rebuild.

AI governance is becoming a sales requirement, not just a regulatory checkbox. Whitfield & Crane did not ask about ISO 42001 because a regulator forced them to. They asked because their risk committee — composed of lawyers who assess risk professionally — concluded that AI vendors without governance controls represented unacceptable risk. This pattern is accelerating across regulated industries. Law firms, healthcare systems, financial institutions, and government agencies are all adding AI governance questions to their vendor assessments. Companies that cannot answer those questions are losing deals today.

The EU AI Act is creating urgency even for US-based companies. Aethon is headquartered in Boston. Their primary market is US law firms. But Whitfield & Crane has offices in London and Singapore, which means their AI vendors are subject to EU AI Act obligations through the firm's European operations. The Act's enforcement timeline was the specific trigger for Margaret Liu's intervention. Any AI company selling to multinational enterprises — or to enterprises whose clients are multinational — needs to assume that EU AI Act compliance will be on the procurement questionnaire.

Three controls matter most to auditors: model registry, human oversight, and bias monitoring. During Aethon's Stage 2 audit, the auditor spent the most time on these three areas. A model registry demonstrates that the organization knows what AI systems it operates, how they were built, and how they are maintained — this is the foundation of AI governance. Human oversight controls demonstrate that AI systems have appropriate guardrails and that humans remain in the loop for consequential decisions. Bias monitoring demonstrates that the organization is actively measuring and managing fairness risks. Companies preparing for ISO 42001 should prioritize these three controls above all others.

First-mover advantage is real and compounding. Being among the first 50 companies worldwide with ISO 42001 certification gave Aethon a competitive advantage that is difficult and time-consuming to replicate. Competitors who start the certification process today will need 3 to 6 months to achieve it — during which time Aethon is closing deals they cannot compete for. And with each new law firm that requires ISO 42001, the advantage compounds. The cost of waiting is not just the certification timeline; it is the pipeline that leaks while competitors have a credential you lack.

What's Next for Aethon

Aethon is not treating ISO 42001 as a one-time certification exercise. The AI Management System that QuickTrust built is now a core part of their operations and their go-to-market strategy.

The company is building their AI governance framework into a customer-facing trust center — a public-facing portal where prospective and existing clients can review Aethon's AI governance policies, audit certifications, bias monitoring summaries, and model transparency documentation. For law firms conducting due diligence, the trust center will answer the 67-question questionnaire before it is even sent.

Aethon is also preparing for EU AI Act conformity assessment, using their ISO 42001 AIMS as the foundation. The AI Management System's risk assessment framework, model lifecycle governance, and transparency controls map directly to the EU AI Act's requirements for high-risk AI systems. The work that QuickTrust implemented for ISO 42001 is not just a certificate on the wall — it is the operational infrastructure that will support regulatory compliance across jurisdictions for years to come.

Get ISO 42001 Certified Before Your Competitors

QuickTrust has already mapped the standard. Our engineers implement your AI Management System, build your governance framework, and coordinate certification — so your ML team stays focused on the product.

Start your AI governance sprint → quicktrustapp.com

Ready to get SOC 2 certified?

Our engineers implement controls, prepare evidence, and coordinate your SOC 2 audit.

Get SOC 2 Ready

Related Articles

June 2026

ISO 42001: The AI Governance Certification Every AI/ML Company Will Need by 2027

July 2026

SOC 2 for AI Companies: Special Considerations for LLM, ML, and Data-Intensive Startups

September 2026

Case Study: How a Fintech Startup Achieved SOC 2 + PCI DSS + ISO 27001 Triple Certification in 14 Weeks