Ontra has earned certification to ISO 42001, the world’s first international standard for managing AI.
AI is now embedded in the workflows private markets firms rely on every day — contract review, fund obligation tracking, due diligence, and reporting. Legal, compliance, and operations leaders increasingly need to know how their AI providers govern the systems behind those workflows.
Learn more about what ISO 42001 is, why it matters for private markets, and how Ontra earned ISO 42001 certification.
What is ISO 42001?
ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within an organization. It was published in December 2023 by the International Organization for Standardization (ISO), making it the first global management system standard dedicated specifically to AI.
Where SOC 2 evaluates how effectively a company protects customer data and ISO 27001 establishes the framework for a company’s information security program, ISO 42001 fills the equivalent role for AI. Rather than mandating specific technical approaches, it establishes a structured governance framework for the design, deployment, monitoring, and maintenance of AI systems throughout their lifecycle.
Why ISO 42001 matters for private markets
AI provider risk is no longer a niche IT concern; it is a procurement question. Financial services firms are starting to incorporate ISO 42001 requirements into vendor security questionnaires, which means private markets firms are increasingly being asked to show that their AI providers meet a recognized governance standard.
The standard also complements existing security commitments rather than replacing them. ISO 42001 extends governance into areas that traditional security frameworks do not fully address: bias, transparency, accountability, and the ethical and operational risks specific to AI systems. For firms already evaluating vendors against SOC 2 and ISO 27001, ISO 42001 closes a gap that has become harder to ignore as AI appears across more steps of the fund lifecycle.
Independent certification gives the standard weight. The audit is conducted by an accredited third-party certification body, which means the result reflects verified practice rather than self-attestation. For LPs, regulators, and internal risk committees asking sharper questions about AI, that distinction matters.
The ISO 42001 certification process
The ISO 42001 certification process involves a two-stage audit conducted by an accredited certification body. Stage 1 reviews documentation and the design of the AI management system. Stage 2 evaluates operational effectiveness: whether the controls described on paper are actually working in practice. The resulting certification is valid for three years and is maintained through annual surveillance audits, so the commitment continues well past the initial sign-off.
To earn certification, Ontra had to demonstrate that its AI management system addresses the full set of areas the standard covers:
- Governance and accountability: Leadership commitment, defined roles, and oversight structures for AI.
- Risk management: Identifying, assessing, and mitigating AI-specific risks, including bias, discrimination, and unintended outcomes.
- AI system lifecycle controls: How AI is designed, developed, deployed, monitored, and decommissioned.
- Data governance: How training and operational data is sourced, handled, and protected.
- Human oversight: Ensuring AI decisions remain explainable and reviewable.
- Continuous improvement: Internal audits, performance evaluation, and corrective action processes.
Auditors do not accept policy documents alone. Every clause must be backed by concrete evidence — logs, records, risk assessments, and documented oversight — demonstrating that the governance system works the way it is described.
What this means for Ontra’s customers
For Ontra customers, ISO 42001 certification provides an independently audited answer to a question that is becoming standard in AI provider diligence: how does your AI provider manage AI risk?
The certification confirms that the way Ontra governs AI — from how systems are built to how they are monitored over time — has been examined and verified by an accredited third party. It also signals that AI governance is treated as a continuing discipline at Ontra, not a one-time milestone. Annual surveillance audits keep the practice accountable year over year.
Ontra’s continuing commitment to security and trust
ISO 42001 joins a broader set of commitments private markets firms can verify when evaluating Ontra: SOC 2 Type II, ISO 27001 certification, robust encryption, and the commitment that customer data is never used to train models. Together, these form a security and privacy posture purpose-built for the firms that trust Ontra with mission-critical work.


