The Trust Stack Enterprise AI Will Actually Need

Malcolm Leeming is CEO of Filtered Technologies. Filtered is ISO 27001, Cyber Essentials and FuturePlus IMPACT certified, and is on the path to Cyber Essentials Plus.

Most enterprise AI vendors you meet this year are asking for something significant: access to your people’s learning content, your skills data, your workflow and, increasingly, the decisions your employees make inside that workflow.

No sensible buyer grants access on the strength of a demo. Enterprises have procurement, legal and infosec precisely because the default answer to that request is not yes. Vendors win the business by passing through those gates – security questionnaires, ISO 27001, DPAs, pen tests, and the rest.

The problem is not that the gates are too low. It is that they were built for a different category of vendor. Existing infosec and privacy frameworks are well-designed for SaaS that processes your data. They are less well-designed for AI vendors that retrieve against licensed third-party content, enforce per-provider rights policies, and create new potential leak paths through retrieval-augmented generation, shared embeddings and cross-tenant model use. These are AI-specific risks that AI-specific commitments need to answer.

The best vendors in this wave will extend the existing trust stack, not short-circuit it. Most have not done that work yet. They are asking buyers to assume that passing ISO 27001 covers the AI-specific questions too. For a two-year pilot that assumption might hold. For the kind of integration enterprise AI is starting to demand – wired into Copilot, into Teams, into the LMS, into the skills graph – it will not.

So what does a real trust stack look like? In my view, three layers.

Layer 1: Information security; ISO 27001 and Cyber Essentials

These are not differentiators at the top end of enterprise software, but they are a useful diagnostic. A vendor without ISO 27001 is telling you, implicitly, that they have not yet invested in the information security management substrate that comes before features. The path to ISO 27001 is not glamorous. It does not ship a roadmap item. It is a year of policies, access controls, audits, supplier management, incident response, and continuous improvement. Some AI-native companies have not done it yet because it feels like tax. It is not tax. It is the minimum legible commitment that a vendor understands they are operating inside the enterprise risk perimeter, not outside it.

Cyber Essentials is the UK government-backed scheme, narrower in scope than ISO 27001: it certifies that five baseline technical controls are in place (boundary firewalls, secure configuration, user access control, malware protection and patch management). The basic tier is a self-assessment verified by a certification body; Cyber Essentials Plus adds independent hands-on testing of those controls. In UK public-sector and regulated procurement it is often a hard floor.

If an enterprise AI vendor pitching to you does not have both, the right question is not “Why not?” The right question is “What else have you skipped?”

Layer 2: impact and governance; externally certified, not self-declared

ESG has had a rough few years, and some of the scepticism is earned. Self-declared impact statements, marketing pages titled “Our Values” and logo-badged commitments to net zero are correctly discounted by sophisticated readers.

What is not discounted is an externally verifiable impact certification. FuturePlus, which assesses companies against the United Nations Sustainable Development Goals across environmental, social, economic and governance dimensions, is one such programme in the UK. Certification is graded, independently assessed, and renewable. It is not a statement; it is an audit.

In enterprise AI this matters more than it used to, because buyers’ ESG committees look at the supply chain. An AI vendor without a credible impact credential does not fail procurement outright, but it costs extra sales cycles, adding time to ESG sign-off and inviting questions that an independently verified credential would have pre-empted. An independently certified credential short-circuits that friction. It also quietly filters for a company that has decided the substrate questions matter enough to invest in them.

Layer 3: content-specific rights and containment – the layer the category does not yet have

This is the layer where most AI-native vendors have nothing at all, because the category has not yet demanded it and the existing certifications do not cover it.

ISO 27001 tells a buyer that a vendor manages the security of the data it holds. It does not tell them the vendor can enforce per-object rights policies across a licensed provider catalogue. It does not tell them that provider content is not used to train foundation models. It does not tell them that embeddings are isolated per tenant. It does not tell them that retrieval is bound to user and role entitlements, with provenance and an audit trail for every answer.

These questions are specific to AI-era retrieval over licensed content. They are the questions that content providers are about to start asking every platform they engage with. They are also the questions enterprise buyers will ask once the first leak of licensed learning content into a general AI answer causes a contract review.

At Filtered we are working toward a content-specific trust framework that we expect to publish and have independently audited, covering entitlement-bound retrieval, no raw corpus exposure, provider policy enforcement at runtime, and no model training or cross-client contamination. ISO/IEC 42001, the international AI management system standard published in 2023, gives us the substrate; our work extends it for the specific rights and content questions that AI-era retrieval over licensed content creates. It sits on top of ISO 27001 and Cyber Essentials, not as a replacement for them. It is our answer to the trust questions that the existing certifications do not yet reach.

At Filtered, we use your content to generate answers safely, without exposing raw data; we enforce permissions in real time, and we never train on your data or mix it with other customers’ data.
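The commitments in this layer (tenant-isolated embeddings, per-object provider policy, entitlement-bound retrieval with provenance and audit) describe a concrete retrieval design. The following is an added example written for this edit, not Filtered’s code, that puts a naive shared index beside an entitlement-aware one so the leak path is visible. The chunk ids, tenants, providers, roles and three-dimensional embeddings are constructed, and the data model (a `Chunk` carrying `tenant_id`, `provider`, `allowed_roles` and `provenance`) is an assumption, not a description of any product.

```python
"""Entitlement-bound retrieval over a licensed content catalogue.
Added example, not Filtered's code; data model and all sample data are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Chunk:
    chunk_id: str
    tenant_id: str                 # index partition; never searched across tenants
    provider: str                  # licensed content provider
    allowed_roles: FrozenSet[str]  # provider policy: roles entitled to see this object
    provenance: str                # citation returned with any answer built on it
    embedding: Tuple[float, ...]   # constructed toy vector, not a real model output


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: FrozenSet[str]


@dataclass
class AuditEvent:
    user_id: str
    tenant_id: str
    query: str
    returned: List[str]   # provenance of every chunk handed to the model
    denied: List[str]     # chunk ids withheld by provider policy


def cosine(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class NaiveStore:
    """One shared index, no policy check: ranks every chunk for every caller."""
    def __init__(self, chunks: List[Chunk]):
        self.chunks = list(chunks)

    def search(self, qvec: Tuple[float, ...], k: int = 3) -> List[Chunk]:
        return sorted(self.chunks, key=lambda c: -cosine(qvec, c.embedding))[:k]


class EntitledStore:
    """Tenant-partitioned index with provider policy applied before ranking."""
    def __init__(self, chunks: List[Chunk]):
        self.by_tenant: Dict[str, List[Chunk]] = {}
        for c in chunks:
            self.by_tenant.setdefault(c.tenant_id, []).append(c)
        self.audit: List[AuditEvent] = []

    def search(self, who: Principal, query: str, qvec: Tuple[float, ...],
               k: int = 3, min_score: float = 0.5) -> List[Chunk]:
        # 1. Tenant isolation: other tenants' chunks are never candidates.
        candidates = self.by_tenant.get(who.tenant_id, [])
        # 2. Provider policy, applied *before* similarity ranking so a
        #    near-miss can never surface a chunk the caller is not entitled to.
        permitted = [c for c in candidates if c.allowed_roles & who.roles]
        denied = [c.chunk_id for c in candidates if not (c.allowed_roles & who.roles)]
        scored = sorted(((cosine(qvec, c.embedding), c) for c in permitted),
                        key=lambda sc: -sc[0])
        hits = [c for s, c in scored if s >= min_score][:k]
        # 3. Provenance and audit: record exactly what reached the model and what was withheld.
        self.audit.append(AuditEvent(who.user_id, who.tenant_id, query,
                                     [c.provenance for c in hits], denied))
        return hits


# Constructed catalogue: two tenants, two providers, toy 3-d embeddings.
CATALOGUE = [
    Chunk("c1", "acme", "PubCo", frozenset({"leadership"}),
          "PubCo/negotiation-masterclass/module-4", (1.0, 0.0, 0.0)),
    Chunk("c2", "acme", "OpenLearn", frozenset({"all-staff"}),
          "OpenLearn/negotiation-intro/lesson-1", (0.9, 0.3, 0.0)),
    Chunk("c3", "globex", "PubCo", frozenset({"all-staff"}),
          "PubCo/negotiation-masterclass/module-4", (1.0, 0.1, 0.0)),
    Chunk("c4", "acme", "OpenLearn", frozenset({"all-staff"}),
          "OpenLearn/python-basics/lesson-2", (0.0, 0.0, 1.0)),
]
QUERY_VEC = (1.0, 0.0, 0.0)   # constructed query embedding for "negotiation tactics"


def demo() -> Dict[str, List[str]]:
    """Run one query through both stores; return the chunk ids each exposes."""
    engineer = Principal("u1", "acme", frozenset({"all-staff", "engineer"}))
    leader = Principal("u2", "acme", frozenset({"all-staff", "leadership"}))
    naive, entitled = NaiveStore(CATALOGUE), EntitledStore(CATALOGUE)
    return {
        "naive": [c.chunk_id for c in naive.search(QUERY_VEC)],
        "engineer": [c.chunk_id for c in entitled.search(engineer, "negotiation tactics", QUERY_VEC)],
        "leader": [c.chunk_id for c in entitled.search(leader, "negotiation tactics", QUERY_VEC)],
        "denied_for_engineer": entitled.audit[0].denied,
    }


if __name__ == "__main__":
    print(demo())
```

The naive store returns the Globex-licensed chunk (`c3`) and the leadership-only chunk (`c1`) to an Acme engineer, which is exactly the cross-tenant and rights leak the section describes. The entitled store filters by tenant and by provider policy before ranking, not after, which matters because post-filtering a top-k list can still let a withheld object influence which permitted results are shown, and because a score threshold is needed so that the filter does not simply pad the context with irrelevant permitted chunks.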

Why this matters commercially

Enterprise buyers are making multi-year commitments to AI infrastructure. The cost of getting the trust substrate wrong is not necessarily a breach, though it could be. It is the cost of choosing a vendor who cannot be trusted with the next layer of data, the next surface, or the next integration and having to rip-and-replace later, at a moment when every other system you own is mid-migration.

A trust stack lets a buyer make a different decision. It lets them say, ‘I can commit to this vendor for a decade of integration, because the commitments are audited, named and externally legible.’ It lets procurement move faster, not slower, because the diligence answers are documented.

Providers care about this for the same reasons. A learning content provider considering whether to let a platform index and atomise their content needs contractual comfort on exactly these dimensions: entitlement, rights, containment, no training on our corpus, and no cross-client contamination. A platform that arrives at the conversation with ISO 27001, a credible ESG credential and a content-specific containment standard has a materially easier conversation than one that arrives with none of the three.

What I would encourage

You should not have to trust an AI vendor on their word. You should be able to check. The best vendors in this category will make checking easy – externally audited, named, and independently verifiable. Everyone else is asking you to move at their pace instead of yours.

At Filtered we have been putting in the cycles that could otherwise have gone to features: ISO 27001 and Cyber Essentials for the security baseline, FuturePlus certification for the impact and governance layer, and, next, a content-specific trust framework we will publish and have independently audited. The cycles are well spent. Buyers and providers are telling us they are.

If you are evaluating an enterprise AI vendor and you are being asked to trust them on velocity alone, ask for the stack.

YOUR ENTERPRISE AI PROGRAMME NEEDS THIS INFRASTRUCTURE.

See how Filtered Intelligence connects your content, skills data and learning systems in a walkthrough built around your stack.