Building customer trust in the age of AI

AI adoption has quietly rewritten every vendor questionnaire. Buyers who used to ask about encryption now also ask about model choice, prompt retention, training-data exclusion and human oversight. The vendors who answer clearly earn a trust premium; the vendors who dodge lose deals they don't even know were open.

Michael McCarroll 18 min read Updated June 2026

Why AI changed the trust conversation

Before 2023, most trust questions concerned data at rest, data in transit and access control. AI added a new class: data-in-use with a probabilistic component. A single prompt can cross borders, hit an external model, produce a hallucinated output, and appear in an internal audit report as if it were fact. Every enterprise buyer now has to defend how their data touches AI — and they push that requirement onto their vendors.

The new questions buyers are asking

Step 1

Model and vendor choice

Which foundation models process our data? Are they hosted in the EU? Do you use enterprise tiers with data-processing agreements? Can we exclude specific providers?
Step 2

Data flow and retention

What of our data is sent to model providers? What is retained? For how long? Is it used to train? Can we require zero retention?
Step 3

Human oversight

Which AI outputs are final vs. draft? Who reviews them? How do you catch hallucinations before they reach us or our customers?
Step 4

Governance and standards alignment

Are you working towards ISO 42001? How do you assess EU AI Act obligations for the features you sell into the EU?

A publishable AI trust posture

Buyers want to read your position, not extract it in a call. A credible public statement covers:

  • The AI features in your product, plainly described.
  • The models used per feature, with provider and hosting region.
  • The data sent, retained, and excluded from training.
  • The human review points and error-handling process.
  • The governance layer — who owns AI risk internally, and against which standard.
  • The opt-out mechanism, if any.

Internal AI use is a trust surface too

Step 1

Publish your internal AI policy

Regulated buyers ask what tools your staff use to process their data. An external-facing summary of your internal AI acceptable-use policy prevents an entire category of nervous follow-up questions.
Step 2

Provide safe defaults

Approve enterprise-tier AI tools with data-processing agreements, block or channel the consumer versions. This is faster than trying to police individual prompts.

The differentiation window

Most vendors still answer AI questions with vague reassurance. That will not last. The window to publish a credible AI trust posture — and to be measurably ahead of your category — is 12–18 months in most sectors. After that, this becomes table stakes, and the trust dividend moves to whichever vendor certifies against ISO 42001 first.

Bring AI under the same trust umbrella as the rest of your compliance

ISO-STANDARD.app extends your ISMS to ISO 42001, EU AI Act obligations and your published AI trust posture — one workspace, one methodology.

ISO-STANDARD.app ships a ready-to-adopt ISO 42001 / AI trust workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Free downloads for this topic

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

Do buyers really care which AI models we use?
Regulated buyers, yes. They now ask which foundation models process their data, whether prompts and outputs are retained, whether their data trains vendor models, and how you handle model updates. Vague answers eliminate you.
Should we adopt ISO 42001?
If AI is material to your product or operations, yes. ISO 42001 is the first international AI management system standard. Certification is early enough that it is still a genuine differentiator — and it maps cleanly to the EU AI Act.
How do we disclose AI use without alarming customers?
Publish an AI use statement: which features use AI, which models, what data is sent, what is retained, how humans stay in the loop, how customers can opt out. Precision reassures; vagueness alarms.
What about our staff using shadow AI tools?
Assume it is happening. Publish an approved-tools list, provide safe alternatives, and treat blocking as a last resort. The organisations losing trust here are the ones pretending shadow AI doesn't exist.
Trust & security
ISO 27001 aligned
Controls mapped to Annex A
Encryption in transit & at rest
TLS 1.3 · AES-256
MFA enforced
TOTP required for all admins
GDPR & UK GDPR
DPA on request · EU/UK data
SOC 2 ready posture
Audit-grade logging
RLS-isolated tenants
Row-level data separation
← All guidesHome →