AI Governance & ISO 42001

Practical AI oversight for organizations adopting AI faster than their governance can keep up. ISO 42001 readiness, NIST AI RMF alignment, and program design run by senior advisors.

AI Moved Faster Than Your Governance

AI went from pilot to production inside a year at most companies. Governance did not move at the same speed. Customers are asking how you oversee AI. Regulators are moving on AI. Boards want to know who owns it and what the exposure is.

JBW Group provides senior-led AI governance advisory. Not a policy template and a slide deck. A working program grounded in ISO 42001, NIST AI RMF, and the regulations actually affecting your industry. Every engagement runs through an advisor with 20+ years in compliance and security leadership.

We serve organizations that are deploying AI internally, embedding AI in their products, or buying AI-enabled vendor services, and that need a defensible answer when someone asks how any of it is governed.

When Companies Engage Us

AI Governance Is Suddenly a Leadership Problem

We are typically engaged when AI adoption has outpaced oversight, and someone with authority is now asking for answers.

Board or CEO asking for a written AI governance position and a named owner

Enterprise customers adding AI oversight questions to security reviews and vendor assessments

EU AI Act, state AI regulations, or sector-specific AI rules now in scope for your business

AI features shipped in your product without governance, privacy review, or risk documentation

Preparing for ISO 42001 certification or fielding a customer request for equivalent assurance

AI vendor inventory, model usage, and data exposure with no single source of truth

What We Deliver

AI Oversight That Stands Up to Customers, Regulators, and the Board

Every engagement is scoped to the organization’s actual AI footprint, industry, and risk profile. Nothing off the shelf.

AI Governance Program Design

Policies, roles, escalation paths, and an accountable owner. Built to answer the question, “Who governs AI here, and how?” in one paragraph.

ISO 42001 Readiness

Gap analysis and implementation roadmap against ISO/IEC 42001, the AI management system standard. Leveraging your existing ISO 27001 controls where they apply.

NIST AI RMF Alignment

Mapping your AI initiatives to Govern, Map, Measure, and Manage functions of the NIST AI Risk Management Framework. Useful when customers ask for NIST alignment, not certification.

AI Risk Assessment

Structured evaluation of internal AI use, embedded AI features, and AI-enabled vendors. Covers bias, explainability, data leakage, regulatory exposure, and model lifecycle.

AI Vendor & Model Inventory

A single source of truth for where AI lives in your stack. What it touches, who owns it, what data flows through it, and which contracts govern it.

Board & Customer Reporting

Plain-language reporting for leadership, board committees, and enterprise customer security reviews. Defensible, proportionate, and short enough to read.

Frameworks We Work Across

The AI Governance Landscape in Plain Language

AI governance is not one framework. It is an overlapping set of standards, regulations, and customer expectations. We help you build a program that satisfies the ones that actually apply.

ISO/IEC 42001

The international AI management system standard. Certifiable. Most directly comparable to ISO 27001 in structure. The leading signal that an organization has formalized AI oversight.

NIST AI Risk Management Framework

Voluntary US framework. Not certifiable but increasingly cited in federal contracts, enterprise vendor reviews, and state-level AI rules. Complements ISO 42001.

EU AI Act

Regulation with staged obligations based on AI system risk classification. Applies to providers and deployers with EU market exposure. Enforcement is phased through the decade.

ISO/IEC 23894

Guidance on AI-specific risk management. Non-certifiable. Useful as implementation guidance alongside ISO 42001.

Sector and State AI Rules

Colorado AI Act, New York City automated employment decision rules, HIPAA and FTC positions on AI, sector-specific supervisory guidance. Scope depends on your industry and footprint.

Intersections With ISO 27001 and ISO 27701

Most AI governance controls live on top of existing information security and privacy foundations. If you are already ISO 27001 or 27701 certified, a material portion of ISO 42001 readiness is reusable.

Engagement Model

Three Ways to Start

Most clients begin with the readiness assessment to get a clear baseline before committing to a broader program.

AI Governance Readiness Assessment

A structured entry-point engagement. Inventories AI in your organization, maps it against ISO 42001 and NIST AI RMF, and delivers a prioritized roadmap. Typically 4 to 6 weeks.

Fixed-scope project

ISO 42001 Implementation

End-to-end implementation of an AI management system certifiable against ISO 42001. Builds on the readiness assessment. Scoped to your AI footprint, industry, and existing ISO certifications.

Program engagement

Ongoing AI Oversight Retainer

Quarterly reviews, board reporting, vendor and model re-assessments, regulatory monitoring, and customer security review support. For organizations that have the program and need sustained oversight.

Monthly retainer

FAQs

Common Questions About AI Governance and ISO 42001

Do we need ISO 42001 certification, or is a NIST AI RMF alignment enough?

It depends on what is being asked of you. Enterprise customers increasingly accept NIST AI RMF alignment as sufficient assurance. ISO 42001 is the stronger signal and is certifiable, which matters when a customer contract or RFP specifically requires independent certification. We help you decide based on the actual buyer and regulatory pressure on your business, not on what sells more consulting hours.

We are already ISO 27001 certified. How much of 42001 do we get for free?

A material portion. ISO 42001 shares the Annex SL management system structure with ISO 27001, so clause-level controls around leadership, context, planning, operation, performance evaluation, and improvement carry over. The AI-specific content (AI risk assessment, AI lifecycle, impact assessment, and vendor AI oversight) is net new. A readiness assessment scopes the exact reusable surface against your current ISMS.

Does the EU AI Act apply to us if we are a US company?

It can. The Act applies to providers and deployers of AI systems used in the EU market, including US companies whose AI output is used in the EU. The in-scope determination depends on product, distribution, and customer base. We do the scoping as part of the readiness assessment instead of assuming.

How do you handle AI vendors and embedded AI in third-party tools?

We build an AI vendor inventory as part of the readiness assessment. It covers embedded AI features in the tools you already use, AI-enabled vendor services, and internal AI deployments. Each entry ties to data flows, contractual terms, and a risk classification. The same inventory feeds board reporting and customer security reviews.

Can you train our team to own this after the engagement?

Yes. That is the default, not an upsell. Every engagement is built to hand off. We document decisions, train your AI governance owner, and leave you self-sufficient. Retainer engagements exist for clients who want sustained oversight, not for clients who were never taught how to run it.

How long does ISO 42001 implementation take?

It varies with AI footprint and existing certifications. A company already ISO 27001 certified with a small, well-understood AI footprint can reach 42001 readiness in a few months. A company with embedded AI across multiple products, no existing ISMS, and new regulatory exposure should expect longer. The readiness assessment produces a scoped timeline before any implementation commitment.

Get Ahead of the AI Governance Question

A readiness assessment is the shortest path to a defensible answer when the board, a customer, or a regulator asks how you govern AI.