For AI software companies, technical capability alone is not enough. Equally important is having a robust framework for developing and operating AI in a trustworthy way.
On 26 June, QueryPie held an ISO/IEC 42001 certification awarding ceremony at its R&D Center. The certification marks a significant milestone, demonstrating that QueryPie has established a management system aligned with international standards for the responsible development and operation of AI.

[Photo: Brant Hwang, CEO of QueryPie (left) and Il-Hyeong Lee, Managing Director of LRQA Korea (right)]
At the certification awarding ceremony, LRQA congratulated QueryPie on achieving ISO/IEC 42001 certification. In a follow-up interview, QueryPie shared insights into its certification journey, experience in building AI governance, and future plans for responsible AI operations.
1. Could you briefly introduce QueryPie and its key solutions?
QueryPie is an enterprise security company established in Silicon Valley in 2016. It has developed into an integrated security and governance platform that supports security and governance across cloud infrastructure, SaaS and on-premises environments.
The Access Control Platform, officially launched in 2020 through collaboration between engineers from Kakao and Naver and experts in various fields, has grown in the areas of access control and auditing across data, infrastructure and business systems. More recently, QueryPie has added AI capabilities on top of its security foundation, helping companies maintain consistent permissions, approvals, audits and sensitive information protection while using AI tools and AI agents.
QueryPie has also launched an AI Platform, expanding its business into the AI platform space by connecting all SaaS applications, data and internal systems used by companies with AI agents, enabling practical workflow automation and AX transformation for enterprises. The AI Platform includes apps directly provided by QueryPie, such as Lingo, a real-time interpretation service, and NotePie, which helps users easily create materials using internal company data.
2. As an AI software company, what was the main reason you began considering ISO/IEC 42001 certification? We would like to understand what needs you identified from various perspectives, such as customer requirements, market trust and internal management systems.
The main reason we began considering ISO/IEC 42001 certification was that, as the AI market continues to grow rapidly, we believed that having the capability to “build AI well” is no longer enough. It has become necessary to objectively demonstrate the capability to “provide AI in a trustworthy way.”
Recently, during enterprise customers’ adoption reviews and security assessments, we have seen a rapid increase in questions about what data AI processes, which models and services are used, whether internal information and personal data are securely protected, how reliable the results are, and whether responsibility and control can be maintained when issues arise. As a result, the role of companies providing AI services has expanded beyond simply offering technology to also taking responsibility for trust and safety.
For QueryPie, ISO/IEC 42001 was the clearest way to respond to these market and customer needs. As a security company, QueryPie has already built trust in areas such as access control, auditing, monitoring and risk management. By demonstrating, through an international standard, that it has a system for responsibly managing and operating AI on top of this foundation, QueryPie believed it could provide customers with a basis for adopting AI with confidence.
Ultimately, this certification was a choice to move beyond feature-based competition and institutionalise trust.
3. Before preparing for certification, what did QueryPie determine needed to be reviewed first internally?
Before preparing for certification, the first step was to “identify” QueryPie’s current use of AI and the areas subject to management from the perspective of ISO/IEC 42001. We reviewed the scope of the AI models, services and systems we use or provide, the related business processes, stakeholders and responsible parties, as well as the risks and impact factors associated with each use case.
QueryPie was already using AI across several areas, including product development, security operations and customer service. However, until then, AI use had largely been autonomous at the department or individual level. We therefore saw the starting point as making this visible as a management target at the organisational level.
Another important point was our decision not to prepare for ISO/IEC 42001 as a separate certification system. QueryPie already operates mature management systems, including ISO/IEC 27001, 27701, 27017 and 27018, SOC 2, ISMS-P and CSA STAR. Rather than separating the new standard from our existing systems, we determined that it would be more effective to connect and expand it within a single Integrated Compliance Management Cycle.
For this reason, the first areas we reviewed were the identification of our AI inventory and the points of connection with our existing management systems.
4. While preparing for ISO/IEC 42001, what did you find to be more important than expected, or what was the most challenging aspect during the preparation process?
While preparing for ISO/IEC 42001, we found that what mattered more than the level of AI technology use itself was how AI could be explained and controlled within the organisation’s formal management system.
As mentioned earlier, QueryPie was already actively using AI across several areas, including product development, security operations and customer service. At first, we thought that our capability to use AI would also be an important part of the preparation. However, during the actual preparation process, what became more important was not “how well we are using AI,” but how systematically we could explain “for what purposes and within what scope AI is being used, and how the organisation identifies and manages the risks and impacts that may arise in the process.”
The area we thought about the most was how to establish and operate the monitoring, measurement, analysis and evaluation framework under Clause 9.1. To demonstrate that the AI management system exists not only as documentation but also functions in actual operations, it was important to define what should be monitored and which indicators should be used for measurement, analysis and evaluation.
For example, in existing information security or privacy management systems, there are relatively familiar indicators, such as vulnerability remediation rates, access rights review results, security event response status and training completion rates. In contrast, for an AI management system, we determined that simple AI usage volumes or a list of models would not be sufficient to explain the risks and impacts of AI systems.
Therefore, while building on the security and compliance indicators we had already been operating, we focused on designing management indicators specific to the AI management system. For example, we reviewed monitoring areas such as the identification status of AI systems and services, whether AI risk assessments and impact analyses had been conducted, the results of reviews for high-risk use cases, the status of model and service change reviews, compliance with AI-related policies, issues identified during AI use and the status of corrective actions, as well as employee AI training and awareness-building activities.
Ultimately, the most important aspect in preparing for Clause 9.1 was to create an indicator framework that connects existing security management activities with the AI management system, while also demonstrating model selection, change management, risk and impact management, accountability and continual improvement. Through this, we focused on establishing ISO/IEC 42001 not merely as a documentation system, but as a PDCA-based management system that is measured and improved through actual operations.
5. From the perspective of a company that provides AI software, which areas did you find particularly important to manage within the AI management system? For example, please share the areas that were especially important in practice, such as responsibilities and roles, risk management, data management, security and monitoring.
The area we found most important to manage within the AI management system was “control across the entire lifecycle” of AI systems. We saw responsibilities and roles, risk management, data management, security and monitoring not as separate items, but as elements that need to be connected as one continuous flow. During the preparation process, we specifically developed the following four areas.
First, responsibilities and roles. We clearly assigned responsible parties for each stage of AI system planning, development, review, deployment, operation and change. We also established a process so that new AI features or high-risk use cases undergo a separate review before deployment.
Second, data and security. We first identified what data each AI system is connected to and whether there is any possibility of sensitive information or personal data being included. We then expanded existing security controls, such as access permissions, logs, API integrations and vulnerability management, in line with the characteristics of AI systems. QueryPie’s experience in controlling access to databases, servers and Kubernetes through its ACP (PAM) product was directly applied in this area.
Third, risk and impact assessment. We conducted risk assessments and impact analyses for each AI use case, and designed separate levels of control for cases classified as high risk.
Fourth, monitoring. We operated indicators that allow us to continuously measure and review areas such as the identification status of AI systems and services, the status of model and service change reviews, the results of high-risk use case reviews, and compliance with AI-related policies.
Ultimately, for a company that provides AI software, what matters is not only the performance of its features, but also its ability to deliver those features in a trustworthy way. QueryPie designed its approach so that security and AI governance operate as one connected flow by combining its existing security and compliance framework with an AI management system based on ISO/IEC 42001.
6. For companies or organisations considering ISO/IEC 42001 certification, what do you think they should check first in the early stages of preparation?
For organisations considering ISO/IEC 42001, we recommend checking the following three areas first in the early stages.
First, it is important to understand the “perspective” of the standard. ISO/IEC 42001 is not a certification that evaluates the performance of AI technology or security features. It is a management system standard that looks at the purposes and scope for which an organisation uses AI, and how it identifies, manages and improves the related risks and impacts. Therefore, rather than starting by creating specific documents or controls, it is important to first understand the structure of the management system required by the standard.
Second, the scope of application should be clearly defined. The preparation required will vary significantly depending on whether the scope covers AI use across the entire organisation, a specific AI service or product, or even the use of AI for internal business operations. If the scope is unclear, the identification of AI systems, risk assessment, definition of responsibilities and monitoring design can all become unstable.
Third, stakeholders should be identified. AI systems are not only a matter for development teams. They affect product, security, privacy, legal, compliance, operations and sales teams, as well as customers and users. Understanding their requirements, expectations and concerns at an early stage helps ensure consistency when designing controls later.
In practical terms, we recommend starting with the “AI inventory” before drafting documentation. This means creating a list of the AI systems and services the organisation uses and provides. Only once this list is in place can the scope, risks, responsibilities and monitoring approach be properly defined.
7. Could you share why QueryPie chose LRQA when selecting a certification body?
The main reason QueryPie chose LRQA was that we saw LRQA as an organisation with the expertise to understand and assess not only a single certification, but also multiple security, privacy and cloud compliance frameworks in an integrated way.
QueryPie operates a range of security, privacy and cloud compliance frameworks. Therefore, when selecting a certification body, it was important for us to consider not only whether the organisation could assess ISO/IEC 42001, but also whether it could understand how the AI management system connects with our existing certifications.
LRQA is a global assurance provider offering certification, verification, assessment and training services across a wide range of areas, including quality, information security, cloud security, sustainability, supply chain and cybersecurity. In particular, LRQA has experience in information security and cloud security areas, including ISO/IEC 27001 and CSA STAR, which made it a strong fit for the integrated compliance management framework QueryPie is pursuing. We therefore believed that, throughout the ISO/IEC 42001 certification process, LRQA would be able to assess the connection between our existing security, privacy and cloud management systems and our AI management system.
We were also impressed by the expertise and approach of LRQA’s auditors during the audit process. Rather than simply checking whether requirements were met based on a checklist, the auditors used their expertise to review how QueryPie’s existing management systems and its AI management system based on ISO/IEC 42001 were connected and operating together.
Their approach to understanding our organisation and systems, as well as their balanced communication, was another important reason why we chose LRQA.
8. Finally, following this certification, could you share how QueryPie plans to further develop its AI governance and responsible AI operations framework?
For QueryPie, this ISO/IEC 42001 certification is not the destination, but the starting point. Achieving certification has helped establish the AI management system as part of QueryPie’s processes. However, we see responsible AI operations as an area that must continue to evolve, as AI technology and the ways in which it is used are constantly changing. Going forward, we will focus on continuously operating and developing our AI management system based on a PDCA cycle that measures and improves it through actual operations.
The first area we will focus on is expanding the scope of management. QueryPie’s use of AI is rapidly expanding across its products and business operations, and new AI features and AI applications are being released continuously. Whenever new AI systems and use cases emerge, we will further strengthen the process of identifying and assessing them so that they can be naturally incorporated into the AI management system.
We also plan to continue enhancing the level of monitoring and accountability. We will develop our current activities, such as AI risk assessments, reviews of high-risk use cases, and model and service change management, into more sophisticated indicators. This will enable us to explain and respond to the risks and impacts of AI systems more quickly and objectively. At the same time, we will continue to monitor changes in AI-related regulations and standards that are rapidly taking shape both in Korea and globally, reflect them in our management system, and further embed AI literacy and a culture of responsible AI use among our employees.
Ultimately, what QueryPie aims to build is confidence among customers that, by working with QueryPie, they can adopt and operate AI in a safer and more trustworthy way. Building on this certification, we will continue to mature our responsible AI operations framework step by step.
