Back to Insights
AI & Delivery 6 min readFebruary 2026

What ISO 42001 Actually Means for a Software Agency

ISO 42001 is the world's first international standard for AI management systems. Published in December 2023, it sets out requirements for organisations that develop, provide, or use AI systems — covering governance, risk management, transparency, and accountability.

Most of the commentary around ISO 42001 focuses on large enterprises and AI product companies. What does it mean for a bespoke software agency that uses AI as part of its delivery process?

Why we pursued it

We started using AI-assisted development tools seriously in 2023 — not as a gimmick, but because the productivity gains were real and significant. We were generating code faster, catching bugs earlier, and running more thorough QA processes than we could with purely manual approaches.

But we noticed something: clients were starting to ask questions. "Is AI being used on my project?" "How do you ensure quality when AI writes code?" "What happens to the data I share with you?"

These were fair questions. And we didn't have a formal, auditable answer to them. ISO 42001 gave us a framework to build one.

What the certification actually required

The certification process required us to document and formalise several things we were already doing informally, and to introduce new controls where gaps existed:

  • AI use policy: A formal policy defining which AI tools are approved for use, in which contexts, and with what data handling requirements.
  • Risk assessment: For each AI-assisted process, we assess the risk of errors, bias, or data leakage — and document mitigating controls.
  • Human review requirements: All AI-generated code goes through mandatory human review before it enters a client codebase. The standard requires this to be documented and auditable.
  • Transparency to clients: Clients are informed when and how AI is used in their project. This is now a standard part of our project kick-off process.
  • Continuous improvement: We track AI-related incidents (errors, unexpected outputs, quality issues) and review them quarterly.

What it means for clients

In practical terms, ISO 42001 certification means that when you work with Bitcube, you can ask exactly how AI is being used on your project and get a documented, auditable answer. It means the AI tools we use have been assessed for data security. It means every AI-generated output has been reviewed by a human engineer before it reaches your codebase.

It doesn't mean we don't use AI. We do, extensively. It means we use it responsibly — with governance, accountability, and transparency built in.

The broader picture

We believe ISO 42001 will become a standard expectation for software agencies within the next three to five years — particularly for clients in regulated industries like healthcare, finance, and government. Getting certified now puts us ahead of that curve, and it means the governance infrastructure is already in place when clients need it.

If you're evaluating software agencies and AI governance matters to your organisation, we're happy to walk you through our AI management system in detail. Get in touch.

Bitcube Team

Bespoke software development agency — London, Cape Town, Bloemfontein, Pirot

Have a project in mind?

We'd like to hear about it. No obligation, no sales script.

Talk to us