AI SaaS
Enterprise buyers were asking about model access, training-data lineage and sub-processors - and asking for ISO 27001. The controls half-existed; the evidence to prove them did not.
ISO 27001 does not certify model behaviour or AI ethics - but it is the framework enterprise procurement gates on, and it maps directly onto the governance questions buyers were actually asking: who can access data and models, what sub-processors touch data, and whether controls operate. The gap was evidence, not intent.
Finding 01
The LLM vendor processed customer data but never appeared in the sub-processor list buyers asked for.
Finding 02
Broad access to data pipelines and model endpoints with no periodic review or approval trail.
Finding 03
Logs containing customer inputs were kept longer than the data-processing agreement allowed, with no retention control.
Finding 04
No record of what data trained or fine-tuned models - the first thing a regulated buyer's data team probes.
Finding 05
Security answers claimed controls that had no operating evidence behind them.
The company could answer the enterprise security reviews with evidence, and used ISO 27001 readiness as the frame that unlocked procurement - without pretending ISO covers model bias or the EU AI Act, which we were explicit it does not.
ISO 27001 does not cover model behaviour or AI bias - but it answers the governance questions enterprise buyers actually gate on: access, sub-processors, data handling and evidence that controls operate. The framework is the key that opens procurement; the evidence is what turns it.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.