Dembri operates under ISO 42001-aligned AI management controls.
We operate a self-implemented AI Management System designed to the ISO/IEC 42001:2023 control framework. We are not formally certified; certification is deferred until customer scale justifies the engagement with an accredited body. This page summarises what we do anyway.
A note on language
✅ We say: “Operates under ISO 42001-aligned AI management controls”, “Implements the ISO 42001 control framework”, or “ISO 42001-ready (formal certification deferred)”.
❌ We do not say: “ISO 42001 certified” or “ISO 42001 compliant”. Only ANAB / UKAS-accredited bodies can certify. We are not yet engaged with one.
What our AI management system covers
Each row maps to a control area in ISO/IEC 42001:2023 Annex A. Full per-control documentation is maintained internally; the summary below is for partners, customers, and regulators doing due diligence.
| Annex A control | Control area | Summary |
| --- | --- | --- |
| A.2 | AI Policies | Top-level AI policy with five principles (human accountability, transparency, proportionality, reversibility, honesty over capability), decision protocols, prohibited uses, and incident response. |
| A.3 | Internal Organization | Roles and accountability defined. Asif Nagarkatti is the sole AI Accountable Owner until headcount triggers role segregation. All AI decisions flow through a documented sign-off gate. |
| A.4 / A.7 | AI Resources + Data | Complete inventory of every AI system Dembri uses internally or ships to customers (Claude, Gemini, GPT, Vibe Prospecting, Hermes, plus customer-facing document extraction, compliance assistant, and agentic monitor). Data inputs / outputs / lawful basis documented per system. |
| A.5 | AI Impact Assessments | Every AI system is impact-tiered (Low / Medium / High) and assessed for hallucination, bias, drift, data leak, prompt injection, customer over-reliance, and regulatory non-compliance. High-tier systems require mandatory human-in-the-loop. |
| A.6 | AI Lifecycle | Per-system lifecycle records cover development → pilot → production → monitoring → decommissioning. Append-only event log. High-tier systems carry mandatory rollback procedures. |
| A.8 | Information for Interested Parties | Users are told which AI processes their data, why, what data, and what control they have. Reflected in the public privacy policy, onboarding flow, and per-feature disclosures. PDPL Article 18 (automated decision-making rights) honoured across customer-facing AI features. |
| A.9 | Use of AI Systems | AI does not take any customer-facing action without explicit customer approval. The agent drafts; the customer decides; the customer submits. No automated regulatory filings without human review. |
| A.10 | Third-Party Relationships | Every AI vendor (Anthropic, Google, OpenAI, Explorium, Firecrawl) is risk-assessed annually. Data Processing Agreements signed with all primary providers. No vendor trains on Dembri customer data. |
Where this matters in practice
For customers
Dembri does not take any AI-mediated action on your behalf without explicit approval. The agent drafts the corrective document; you review it; you submit it. Every AI system carries a documented human-in-the-loop checkpoint. Read the privacy policy AI section for the user-facing version.
For partners and B2B prospects
Our AI governance documentation (8 documents covering policy, system registry, impact assessment templates, lifecycle records, vendor risk assessments, transparency disclosure, and internal audit cadence) lives at docs/compliance/iso42001/ in our codebase. Available under NDA on request.
For regulators
Asif Nagarkatti is the named accountable owner for all AI decisions at Dembri. Direct inquiries to privacy@dembri.com. We engage UAE counsel before formal regulatory response.
For investors and accelerators
Our AI governance posture meets the bar for enterprise procurement diligence and is documented to an auditable standard. We deferred formal ISO 42001 certification (engagement is AED 30-80K and 12-18 months for a small org) until customer scale makes it commercially justified. The control framework is in place today.
Related Dembri compliance posture
- UAE PDPL — Federal Decree-Law No. 45 of 2021. Dembri operates as a Controller for its own data and a Processor where contracted. DPIA and Records of Processing maintained. PDPL guide.
- NIST AI Risk Management Framework 1.0 — GOVERN / MAP / MEASURE / MANAGE functions covered by the ISO 42001 controls above. We published the first public PDPL ↔ NIST AI RMF crosswalk.
- UAE 2026 Agentic AI Framework — Dembri positions explicitly in alignment with the UAE Cabinet's April 2026 framework committing to agentic AI across 50% of federal government sectors by 2028. Agentic compliance overview.
- EU AI Act and ISO/IEC 42001 — control overlap is significant. Our internal mapping to both frameworks supports multi-jurisdictional Dembri customers.
For procurement, partnership, investor diligence, or regulator inquiries: email asif.n@dembri.com and reference this page. Full internal documentation available under NDA.
This page reflects Dembri's AI governance posture as of 2026-05-31. Reviewed quarterly. Last full internal audit scheduled 2026-08-31.