Is your tech vendor AI Certified?

I have been looking at ISO certification for tech vendors that implemented AI in their products and I wonder how many of these will actually get the ISO 42001 certification in the future.

At first glance, the basics are quite similar to the ISO 27001 certification you already want to see from your vendor: a similar structure based on risk assessments, governance, lifecycle controls, internal audits, etc.

But the biggest difference, I think, is that most tech vendors rely on external models like ChatGPT and Claude. Your vendor does not control these models, and they update faster than you can amend your responsible AI use policy.

On paper, that makes this a harder certification to maintain than traditional ISO certifications, because scope creep and underlying model changes (or even changes to the model's TOS/privacy policy) can unravel what was certified six months ago.

Sure, the basic hygiene of the vendor is what matters most:
• Documented AI risk assessment process
• Governance structure with defined accountability
• Lifecycle controls (design, deploy, monitor, improve)
• Change management (including model updates)
• Internal audit and continual improvement

But still, it will be difficult for them to keep their certification up to date whilst relying on third-party models.

To be clear, they do not need to redo the full certification audit every time a model updates. They run their internal change control, re-assess risks, re-validate, and document them. The certification stays intact as long as their governance process handles the changes properly. But will that be doable in practice considering how fast the models change?

And before you ask: no, Anthropic being ISO 42001 certified does not flow down to vendors building on top of Claude. Just like AWS being ISO 27001 certified does not make every company hosting on AWS automatically certified. Your vendor still needs to certify their own processes, and still needs to re-validate every time the underlying model changes.

Right now, not many vendors have it. Zendesk is one of the first CX companies to achieve it, and even they had to exclude recent acquisitions from the certification scope.

The expectation is that this becomes the new ISO 27001, meaning companies will start asking their tech vendors for this certification in the same way they ask for security certifications today. Microsoft already mandates it for AI systems in sensitive use cases through their supplier assessment program.

Will you ask this of your tech vendor?