Driving ISO 42001 certification in AI-powered healthcare with Eleos
Managing risk for AI-powered behavioral health.
I’m thrilled to announce that Eleos is ISO/IEC 42001:2023 certified!
A leading AI-powered platform for behavioral health, Eleos slashes administrative burdens and powers provider efficiency. But when handling sensitive protected health information (PHI), securing data and maintaining patient trust is absolutely critical.
Already ISO 27001 certified—and with a SOC 2 + HITRUST attestation—Eleos runs a tight privacy and security ship under Raz Karmi, Chief Information Security Officer. Due to the intricacies of AI—and the risks it poses if left ungoverned—he wanted to build a fully certified Artificial Intelligence Management System. He also needed to avoid common pitfalls while pursuing a relatively new compliance certification so he could focus on high-leverage strategic goals, not waste time on minutiae.
That’s where StackAware came in.
Assessing models, systems, risks, and impacts
Step 1 of our engagement was a thorough inventory of all assets in use. Because Eleos uses a range of model approaches and tech partners, understanding the entire risk landscape was critical. With that done, we then:
Evaluated models for data quality, provenance, and undesired bias.
Mapped ISO 42001 requirements to Eleos’ AI systems and products.
For those processing PHI, we analyzed their societal and individual impacts.
Logged risks where there were opportunities for improvement.
Building a solid foundation of governance
Using their existing Information Security Management System (ISMS) as a starting point, we then crafted actionable:
AI-related policies and procedures
Updates to existing compliance documentation
Tech stack-specific governance training to educate employees
Raising the bar with an AI governance standard
With the right scaffolding in place, StackAware and Eleos could then map out the right AI-specific controls from ISO 42001’s Annex A. We also built an AI governance standard against which we could evaluate all systems and models to confirm they met company requirements and risk tolerances.
This involved a detailed look into each asset's:
Intended use and risk profiles
Observability, logging, and monitoring
Data sensitivities and retention policies
“StackAware’s approach to ISO 42001 certification made things incredibly easy for me and the Eleos team. They focused on building a lean management system that addresses real threats to our AI operations, not just on creating compliance documentation. This let our team prioritize what matters most: delivering secure and effective AI-powered behavioral healthcare.”
- Raz Karmi, Chief Information Security Officer, Eleos
Managing risk and achieving compliance
At the end of the engagement, StackAware had delivered to Eleos:
An effective and streamlined AIMS that could be easily integrated into business operations. Rather than a paperwork-heavy checkbox exercise, Eleos runs a lean management system focused on addressing risks and improving AI effectiveness.
Clear and effective data and AI model governance. With realistic standards and procedures in place, fast-moving internal teams can develop and deploy AI in a repeatable and controlled manner.
Proactive risk assessment and incident response. Through actionable recommendations, StackAware gave Eleos a clear roadmap to deal with any residual risk. At the same time, the company was prepared for the worst with an agile incident response procedure.
Driving value with AI governance
By partnering with StackAware, Eleos was able to achieve ISO 42001 certification without being distracted from its core mission: improving behavioral healthcare. As Raz noted, “Working with StackAware gets me out of the weeds so I can focus on our customers and guide our strategy.”
For us, success means enabling customers to build and scale innovative solutions while creating trust and avoiding breaches and potential legal penalties.
Are you a security, compliance, or technology leader in AI-powered healthcare looking to:
Manage risk?
Strengthen customer trust?
Avoid regulatory scrutiny and fines?
StackAware delivers customized, white-glove ISO 42001 readiness. So please: