By Michael, Tier 1 Consulting
Published: July 2026
AI can help a professional services firm draft, research, summarise and analyse. It can also expose confidential information, produce convincing errors or influence a decision that no one has properly checked.
For law firms and boutique consulting firms, the immediate question is not whether to pursue a certification. It is whether the firm knows which AI tools are being used, what information enters them, who checks the output and who is accountable when something goes wrong.
ISO/IEC 42001 provides a formal management-system framework for answering those questions. Smaller firms can also apply its core ideas without beginning a certification project.
ISO/IEC 42001:2023 is the international standard for an artificial intelligence management system, commonly called an AIMS. ISO and IEC published it in December 2023 for organisations that develop, provide or use AI-based products and services.
Like other management-system standards, it requires more than a policy. It establishes a repeatable system for leadership, objectives, risk assessment, controls, defined responsibilities, monitoring, internal review and continual improvement. It addresses both the risks and opportunities created by AI.
The standard can support independent certification, but certification is not the only reason to use it. Its structure can help a firm govern AI consistently and produce evidence for clients, insurers, auditors and leadership.
Staff may paste client material, meeting notes, contracts, source files or personal information into an AI service without understanding how the provider stores or uses it. A paid licence does not automatically make every use appropriate. The firm needs approved tools and clear data rules.
Generative AI can produce fluent content that is incomplete or wrong. A qualified person should review important output against reliable sources before it informs legal advice, client deliverables, financial decisions or security changes.
Using a commercial AI product can involve collecting, using or disclosing personal information. The Office of the Australian Information Commissioner recommends a privacy-by-design approach when selecting and deploying these products. A privacy assessment may be needed for higher-risk uses.
AI features can appear inside software the firm already uses. Supplier review should cover the service terms, data locations, retention, model training, security, subcontractors, incident notification, deletion and administrative controls.
If no one owns AI decisions, informal use becomes the default. The firm should name who approves tools and use cases, who accepts risk, who monitors use and who can suspend a system.
A small firm can establish useful governance without building an enterprise-sized program.
Record approved, trial and prohibited tools. For each use case, note the owner, purpose, users, information involved, supplier, risk rating, required review and approval status. Include AI functions embedded in existing software.
Tell staff what they may and may not enter into each approved tool. Address client confidential information, personal information, privileged material, credentials, security data and contractual restrictions. Use technical controls where available rather than relying only on a policy.
Define which outputs need checking, who is qualified to check them and what evidence must be retained. Higher-impact decisions need stronger review and a way for a person to pause, override or reject the AI output.
Review the provider before approval and again when important terms, models, features or data practices change. A tool approved for public marketing copy is not automatically approved for client matters.
Give staff a simple way to report accidental disclosure, harmful output or unexpected system behaviour. Connect AI incidents to the firm's privacy, cyber incident and client-notification processes.
Generic awareness is not enough. Show staff how the rules apply to drafting, transcription, research, coding, document review and client deliverables. Partners and managers need to model the same behaviour expected from staff.
Review the register, exceptions, incidents, supplier changes and control effectiveness. Retire tools that no longer meet the firm's requirements.
The Australian Government's Guidance for AI Adoption sets out six essential practices for responsible AI governance. Its foundations guidance is designed for organisations starting with lower-risk uses, while separate implementation guidance addresses more complex and higher-risk use.
That guidance and ISO 42001 are not substitutes for the law. Existing privacy, consumer, employment, professional, intellectual-property and contractual obligations can apply to AI use. Obtain legal advice for the firm's circumstances and check current regulator guidance before relying on an AI system for a high-impact purpose.
A structured ISO 42001 program may be useful when:
A small firm using a limited number of low-risk productivity tools may not need certification. It still needs an inventory, data rules, supplier review, human oversight, incident handling and clear accountability.
The EU AI Act uses a risk-based model and can be relevant beyond Europe in some circumstances. An Australian firm that provides or deploys AI systems connected with the EU market should obtain advice on whether the Act applies and which role it performs under the legislation. ISO 42001 can support disciplined governance, but adopting the standard does not by itself prove compliance with the Act.
Start by finding the AI already in use. Approve or suspend each tool based on its purpose, information and risk. Put the data rules and human review points in writing. Then decide whether the firm needs a practical internal baseline, formal ISO 42001 alignment or a certification pathway.
Talk to us about safe AI and AI governance
Tier 1 Consulting helps Australian law firms and boutique consulting firms use AI safely and build practical AI governance. Learn more about our safe AI and AI governance service.