VOGSY's guide to responsible AI in project-based ERP with ISO 42001

First published on September 13, 2025, updated on September 16, 2025

You’re right to be skeptical about AI.

The market is flooded with hype, promising revolution but often delivering little more than a new feature button and a host of unmanaged risks.

For our customers, ambitious professional services firms, the real questions are about value and, above all, about accountability.

How do you adopt AI to create a durable competitive advantage without exposing your firm—and your clients—to new operational, financial, and reputational threats? How do you ensure the intelligence you rely on is trustworthy, auditable, and secure?

This is the governance challenge of the next decade, and it’s why we’ve taken a deliberately different path at VOGSY.

We believe the future isn't just about being AI-powered; it's about being AI-accountable. It’s about building a framework of control and responsibility around this powerful technology before it becomes deeply embedded in your most critical business processes.

This guide is for leaders who think the same way. It cuts through the noise to explain how a formal AI Management System (AIMS), governed by the international standard ISO 42001, is the only way to move from AI experimentation to a true strategic asset.

It’s a look inside our own journey and a pragmatic framework for how you can think about yours.


Executive summary


For leaders of professional services firms, the challenge is not just about being AI-powered but about being AI-governed. This guide explains how a formal AI Management System (AIMS), governed by the international standard ISO 42001, is the only way to move from AI experimentation to a true strategic asset. It is the framework for harnessing the power of AI while maintaining absolute control.


What is an AI management system (AIMS) and why does it matter?

First, let's be clear about what an AIMS is not. It’s not a piece of software or a new dashboard. As we explain in our guide "What is an AI management system AIMS and why does it matter", it's a set of documented policies, processes, and controls for governing how AI is designed, deployed, and maintained across an organization.

Think of it as a quality management system (ISO 9001) or an information security management system (ISO 27001) for artificial intelligence. It's the organizational blueprint that ensures AI operates safely, ethically, and in alignment with your business objectives. The framework ensures a human is always in the loop and that accountability is built in, not bolted on.  

This distinction is critical for a leadership team. Adopting an "AI feature" is a tactical decision. Implementing an AIMS is a strategic one. It represents a shift from using AI ad hoc to managing it as a core business capability.

Without an AIMS, you're letting an unmanaged, unaccountable force operate inside your business. For any leader, especially in finance or operations, that’s an unacceptable risk. An AIMS turns a potential liability into a controlled, auditable, and strategic capability. It provides the structure to answer the tough questions: Who is accountable for this output? What data was used to generate this insight? How can we verify that this recommendation is unbiased?


What is ISO 42001 for Business Leaders?


ISO 42001 is the world's first certifiable standard for AI management. Think of it as the international building code for trustworthy AI. It provides a verifiable framework to ensure that AI operates safely, ethically, and in alignment with your business objectives, turning a potential liability into a controlled, auditable capability.


Demystifying ISO 42001: the global standard for AI governance

If an AIMS is the blueprint, then ISO/IEC 42001 is the international building code. Published in December 2023, it's the world's first certifiable standard for AI management systems.  

While there are other valuable resources, as we discuss in this article about standards, ISO 42001 is the only one that allows for independent, third-party certification. An accredited auditor can verify that a company's AI governance meets the highest international standard. It’s the difference between saying you're responsible and having the certificate to prove it.

The standard is built on core principles that resonate with any business leader. You can read more in our plain English guide to ISO 42001 requirements, but the key themes include:

  • Systematic Risk Management: The framework mandates a structured process to identify, assess, and mitigate risks throughout the AI lifecycle—from data bias and privacy concerns to security vulnerabilities and unintended societal impacts. This means moving from a reactive "what-if" posture to a proactive, documented risk management strategy.  

  • Leadership and Accountability: ISO 42001 requires that top management is actively involved and accountable for the AIMS. It forces the establishment of clear roles and responsibilities, ensuring that humans are always in control and that the governance of AI is a board-level concern, not just an IT project.

  • Transparency and Explainability: The standard pushes organizations to move away from "black box" solutions. It requires processes that ensure AI systems are understandable and their decisions can be explained to users and stakeholders. This is the foundation of trust and adoption.  

  • Robust Data Governance: The quality and integrity of an AI system are entirely dependent on the data it uses. ISO 42001 requires strict controls for managing data quality, ensuring relevance, and protecting privacy, giving you confidence in the accuracy of the AI's output.

For a leadership team, this isn't just about compliance; it's about control. It's about having a systematic, internationally recognized way to manage a powerful new technology and the risks that come with it.


The VOGSY journey: an end-to-end certified AI stack

At VOGSY, we made a strategic decision early on: we would not simply add an uncontrolled AI layer to our platform. Our pragmatic approach to AI fundamentally changes how we operate as a company. We build a complete, responsible AI system from the ground up, using ISO 42001 as our guide. Our certification is underway and will be completed in Q4 2025, making VOGSY the first project-based ERP governed by this standard.  

We call this our "glass box" approach. While others rush to market with opaque AI features, we are deliberately building the foundations of a responsible AI management system first. This transparency is core to our philosophy.  

This commitment extends through our entire technology stack. We are built on Google Cloud, which has also achieved ISO 42001 certification for its infrastructure and AI development platforms, including Gemini.

When you deploy VOGSY, you get an end-to-end chain of trust that is unique in the market:

From Google Cloud's foundational infrastructure to the agentic and generative AI capabilities in Google Cloud Vertex and Gemini, to the VOGSY application layer, every component is governed by the same rigorous, internationally recognized standard for responsible AI management.

For our customers, this means there are no weak links in data security in AI-powered ERP. You have verifiable assurance that the entire ecosystem handling your data and powering your insights is managed responsibly.


A note on the EU AI act: why VOGSY is not a high-risk system

With new regulations emerging, many leaders are rightly concerned about compliance. The EU AI Act, the world's first comprehensive AI law, categorizes AI systems based on risk, imposing strict obligations on those deemed "high-risk".

High-risk systems include those used in hiring, credit scoring, or critical infrastructure—areas where an AI's decision can have a significant impact on a person's life or safety.

VOGSY's AI capabilities do not fall into the high-risk category. The legislation provides clear exceptions for systems that are not the final decision-maker. According to Article 6 of the Act, an AI system is not considered high-risk if it is intended to perform a narrow procedural task, improve the result of a previously completed human activity, or perform a preparatory task.

This perfectly describes our philosophy. The "Ask VOGSY" feature is designed to find, explain, calculate, and prepare information to support your decisions.

It suggests, but the human user always decides and approves. For example, it might flag a project at risk, but the project manager decides on the course of action. It might suggest a resource for a project, but the resource manager confirms the assignment. The AI does not make autonomous decisions that materially influence outcomes without human review.  

Therefore, VOGSY is classified as a "limited-risk" system. Under the EU AI Act, the primary obligation for limited-risk systems is transparency—ensuring users know they are interacting with an AI. This is a straightforward requirement we fully support, and it means VOGSY customers can adopt our AI capabilities without the significant compliance burden and legal exposure associated with high-risk systems.


The business value: translating governance into growth

A commitment to ISO 42001 isn't just about mitigating risk; it's about creating tangible business value. VOGSY turns a defensive compliance measure into a proactive strategy for efficiency, profitability, and competitive differentiation.

For the CFO: a framework for financial control and risk mitigation

For a finance leader, AI governance is synonymous with financial stewardship. As detailed in the CFO's guide to AI risk management and governance, an ISO 42001-certified AIMS provides the auditable controls necessary to de-risk AI adoption and protect the bottom line.

  • Verifiable Risk Mitigation: Ungoverned AI can lead to costly errors in forecasting, resource allocation, or even billing. A certified AIMS ensures that the AI operates on validated data and defined business logic, protecting the integrity of your financial operations and mitigating the risk of AI-driven failures.  

  • Compliance Readiness and Cost Avoidance: Regulations like the EU AI Act create new compliance obligations. An ISO 42001-governed system is designed to align with these emerging standards, helping you avoid future penalties and legal costs. It's a proactive investment in staying ahead of the regulatory curve.

  • Enhanced Profitability and Margin Protection: The VOGSY AI Assistant provides direct tools for financial oversight. You can ask questions like, "Which of our projects has the highest and lowest profit margin right now?" or "Show me all time entries for today that are missing descriptions" to proactively identify margin erosion and revenue leakage before they impact financial statements.  

  • Auditability and Stakeholder Trust: Trust requires verification. A core principle of our AIMS is explainability. You can ask the system to show you the data and logic behind its recommendations, providing the transparency and audit trail that a finance leader requires to maintain the confidence of the board, investors, and auditors.

For the COO: a blueprint for operational excellence and predictability

For an operations leader, governance equals reliability. Our AIMS ensures that VOGSY's AI tools are robust, secure, and produce predictable results, which is the foundation of operational excellence. You can learn more here about how explainable AI drives operational efficiency for COOs.

  • Improved Project Predictability: The AI Assistant warns early about project roadblocks and budget overruns. You might ask, "What is the ripple effect if a project is delayed by 2 weeks?" and instantly see the downstream impact on other projects and resources, transforming operations from reactive firefighting to proactive management.  

  • Increased Operational Efficiency: The system streamlines and automates routine workflows, reducing administrative friction. Simple queries like "Copy my timesheet of last week" or "Show me everyone who is planned for more than 40 hours next week" save cumulative hours across the organization, freeing up your team for high-value, billable work.  

  • Enhanced Resource Utilization: An intelligent system provides a more precise, real-time understanding of project health and resource allocation. It can spot risky setups, like a junior resource on a high-complexity project, before they become delivery issues, ensuring optimal deployment of your most valuable asset: your people.  

  • Process Integrity and Trust: An ISO 42001-governed system guarantees that the AI operates according to defined, auditable business rules. This gives the COO confidence that the insights and suggestions are reliable and that core operational processes are followed consistently and correctly.  

For the entire business: a durable competitive advantage

In a market wary of AI hype vs. practical application, verifiable trust is the ultimate competitive differentiator.

Proving your commitment to responsible AI builds client confidence, wins deals, and protects your brand.


How it works in practice: the "Ask VOGSY" experience

Our approach to the user experience is built on simplicity and pragmatism. The user interacts with the AI through a single, integrated panel: "Ask VOGSY". In the near future, this interaction will also be possible via other tools such as Slack or WhatsApp.

We are building all the instructions for a wide variety of prompts, and you can see a range of examples in our guide about use cases for the VOGSY AI Assistant. Here are a few that we are thinking of that illustrate the power of this integrated approach:

  • For strategic oversight: "Summarize all active projects, open invoices, and new opportunities for this client. Are there any red flags I need to know about?"

  • For operational control: "Show me all projects where a junior resource is planned on a high-complexity project without a senior resource."

  • For financial health: "What is the total year-to-date revenue and overall profitability for this account?"

The underlying AIMS is what makes this simple interface so powerful. It ensures these answers are secure, explainable, and based only on the data your users are authorized to see.

The system respects all existing user permissions within VOGSY. If a user doesn't have access to financial data, they can't get it by asking the AI Assistant.


From a Single Source of Truth to Intelligence


The promise of ERP has been a "single source of truth." That is no longer enough. The goal now is to have a single source of intelligence. But that intelligence must be trustworthy, secure, and explainable. A certifiable AI framework is the only path to achieving this, providing a competitive advantage and corporate peace of mind.


Conclusion: built-in responsible AI governance for VOGSY customers

The promise of ERP has been a "single source of truth." That's no longer enough. In an increasingly complex world, data is only as valuable as the intelligence you can derive from it. The goal now is to have a single source of intelligence.  

But that intelligence must be trustworthy, governed, secure, and explainable.

Adopting a framework for responsible AI is the only path forward for ambitious leaders looking to build enduring, competitive firms. With VOGSY, you get this built in and ready to go. It's how you harness the power of AI while maintaining absolute control from day one.

This is the foundation we are building at VOGSY. We invite you to join us on the journey.





Frequently asked questions

What is ISO 42001 in simple terms?
 

ISO 42001 is the world's first international standard for AI Management Systems. Think of it as a quality management standard (ISO 9001), but specifically designed to ensure that artificial intelligence is developed, deployed, and managed in a safe, responsible, and ethical way.

 
Why is an "AI Management System" (AIMS) so important?
 

An AIMS is a framework of policies and controls that provides structure and accountability for AI. It's what turns AI from a potentially unmanaged risk into a controlled, auditable, and strategic asset for your business. Without an AIMS, you let an unaccountable force operate inside your critical processes.

 
Is VOGSY's AI considered "high-risk" under the EU AI Act?
 

No. Based on a thorough analysis, VOGSY's AI capabilities are classified as a "limited-risk" system. This is because the AI is designed to support and prepare information for human decision-makers, not to make autonomous decisions that materially impact individuals. The human user always decides and approves.

 
How does a commitment to responsible AI benefit my firm's bottom line?
 

It delivers value in three key ways: by mitigating ungoverned AI's financial and operational risks, improving efficiency and project predictability, and creating a durable competitive advantage. Proving your commitment to responsible AI builds the client trust that wins deals.

 
What does it mean that VOGSY is built on an end-to-end certified stack?
 

This means that the entire ecosystem handling your data is governed by the same high standard. VOGSY is pursuing ISO 42001 certification for its application, which is built on Google Cloud, which has already achieved ISO 42001 certification for its infrastructure, agent development tools that VOGSY uses, and Gemini, which VOGSY uses for generative AI. This creates a seamless, verifiable chain of trust from the foundation to the feature.

 

Leo Koster

Founder
With 35+ years of ERP and PSA experience and hundreds of client engagements under his belt, Leo is the visionary leader of VOGSY. His strengths include sharing knowledge through an 'opinionated' software platform and co-creating new features.