Media release: Clayton Utz becomes first Australian law firm to achieve ISO 42001 certification for AI management

Alongside our ISO/IEC 27001 certification for information security management, the firm is now in the unique position of holding a double certification that demonstrates the highest level of AI and cyber governance.

Clayton Utz Chief Executive Partner Emma Covacevich said the certification reinforces the firm's commitment to using AI responsibly and securely.

"Our clients are highly sophisticated in terms of their own AI adoption and governance, and they expect the same from their legal providers," Ms Covacevich said.

"These combined certifications are the clearest demonstration that the AI-enabled technologies we use are governed by robust processes and meticulous risk management, and give our clients confidence that we are managing AI with the same rigour we apply to every aspect of our practice.”

ISO 42001 is the world’s first certifiable standard specifically designed to govern the use of AI. Developed by the International Organization for Standardization, it establishes a structured framework for organisations to design, implement and continuously improve an Artificial Intelligence Management System (AIMS).

The certification recognises that Clayton Utz has implemented a comprehensive AIMS aligned with global best practice, including formal governance structures, clearly defined accountability for AI systems, and robust risk management processes to identify, assess and mitigate potential harms associated with AI use.

Clayton Utz Partner and Head of AI Simon Newcomb said the certification reflects the firm’s long-term investment in building a sustainable and scalable approach to AI adoption.

"Our investment in the ISO 42001 certification reflects our aim to govern AI at the level of global best practice. We have built AI governance as the foundation on which we can responsibly and safely deliver AI-enabled legal services to our clients," Mr Newcomb said.

“The certification reflects a step up in our maturity in the way we use AI. We are also increasingly being asked by our clients and our insurers how we are managing AI risks. They are rightly interested to know that we are not only pursuing the benefits of AI, but are also managing the risks responsibly."

"ISO 42001 gives us global interoperability in our approach to AI governance while also suiting the Australian context. We achieved that by basing the objectives in our ISO42001 AIMS on the Australian Government's AI ethics principles and adapting them to fit the context of a large Australian law firm."

Clayton Utz Chief Information Officer Andrew Fisher said the ISO/IEC 42001 certification was the latest step in a long investment in AI and cyber governance and security.

"We already have embedded responsible AI practices into our day-to-day operations, including clear policies for acceptable AI use, mandatory training for our people, and governance processes that ensure accountability at every stage of the AI lifecycle," Mr Fisher said.

"The combined ISO/IEC 42001 and 27001 certifications create a dual approach to cyber and AI use and management, and reflect the level of governance and security clients expect of a top-tier law firm.

“Achieving ISO 42001 is not a one-off milestone – it requires ongoing discipline, monitoring and continuous improvement across the organisation. Clayton Utz was the first large Australian law firm to achieve the ISO/IEC 27001 certification, and we've held it consistently for 11 years. In obtaining the 42001 certification, we're now also positioned at the forefront of responsible AI adoption in the legal sector."

To read more about our AI guiding principles, read here.