Trustworthy AI: Aligning governance with ISO 42001 and NIST AI RMF

When we talk about responsible AI, it’s easy to focus on the result: a certification, an attestation, a badge on a website. But the real story is what happens behind the scenes long before any auditor shows up. 

That’s why earning ISO 42001 certification and achieving NIST AI Risk Management Framework attestation matters so much to us at Dayforce. These milestones aren’t just about compliance. They reflect how we think about building AI, how we make decisions, and how seriously we take our responsibility to customers who trust us with their people data every day. AI moves fast, and if you’re only reacting to new regulations, you’re already behind. 

That mindset guided our entire journey. 

Governance can’t be an afterthought 

From the start, we knew we didn’t want AI governance to live in a document that is only dusted off during audits. If governance is bolted on at the end, it slows teams down and creates friction. Worse, it risks missing real issues until it’s too late. 

Instead, we focused on embedding governance directly into how we design, build, and deploy AI across Dayforce. This meant defining clear expectations early, aligning teams around shared standards, and integrating governance into everyday workflows rather than treating it as a separate compliance exercise. 

We also deliberately chose to support this work with the right tooling. Using an AI governance platform helped us bring structure, consistency, and visibility to our processes. It gave teams a clear system of record for our AI Impact Assessments, documentation, compliance framework alignment, and accountability, which made governance scalable as our AI capabilities continue to grow. 

Building the foundation before certification was a goal 

Long before certification entered the conversation, we invested in building the muscle memory required for responsible AI. We didn’t start with a checklist. We started with a belief that strong AI outcomes are only possible when expectations are clear, risks are understood, and accountability is shared from the very beginning. 

That philosophy wasn’t abstract. It showed up in how we built our AI program from day one. 

A core part of that foundation was our AI Rubric, which is a structured, repeatable way to evaluate AI use cases before they ever reach production. The rubric helps teams think critically about purpose, risk, impact, and safeguards early in the design process. It creates a common language across product, engineering, legal, and compliance, so decisions aren’t made in silos or rushed at the end. That upfront rigor is what allows teams to move faster with confidence, not hesitation. 

We also made the deliberate decision to subject our high-risk models to independent third-party audits focused on bias and fairness. Responsible AI can’t be based solely on internal assurances. External scrutiny brings objectivity, challenges assumptions, and strengthens trust.  

Equally important was the platform tooling that underpins all this work. Governance at this scale requires more than good intentions and static documentation. By operationalizing governance through tooling, we created visibility into decisions, assessments, ownership, and outcomes across the AI life cycle. That infrastructure made governance durable and repeatable. 

AI governance is ultimately about judgment 

One of the most critical lessons from this journey is that governance is not about eliminating human decision-making. It’s about strengthening it. 

We can and should automate where it makes sense. Automation helps with consistency, traceability, and efficiency. But responsible AI still depends on critical thinking, informed judgment, and human oversight at every stage of the AI life cycle. 

That belief shaped our AI Management System. Rather than focusing only on rules and controls, we emphasized clarity. What does “good” look like? Who is accountable at each stage? When should teams pause, escalate, or rethink an approach? 

When teams have those answers from day one, governance becomes an enabler rather than a barrier. 

Why this matters in the HCM space 

In HCM, the stakes are uniquely high. AI decisions can affect pay, scheduling, career opportunities, and employee trust. Customers don’t just want innovation. They want confidence that AI is being used thoughtfully, transparently, and responsibly. 

Our work toward ISO 42001 and NIST AI RMF is one way we demonstrate that confidence. It shows that we’re not waiting for regulations to force our hand or reacting after problems emerge. We’re building with intention and maturity, guided by globally recognized frameworks that prioritize trust, accountability, and transparency. 

Governance isn’t an obstacle to innovation. It’s what makes sustainable, responsible AI possible at scale, especially in a space as people-centric as HCM. 

The role of a rigorous independent audit  

Another critical part of this journey was working with an auditing partner. From the outset, they were extremely thorough in the best possible way.  

The level of scrutiny helped strengthen our AI Management System in very real ways. This approach forced clarity around roles, decision points, documentation, and evidence across the full AI life cycle. It reinforced that strong governance isn’t about having the right answers prepared – it’s about having repeatable, defensible processes that stand up to independent review. 

Working with an auditor who truly understands AI risk, governance, and emerging standards made the outcome more meaningful. The rigor of that process gives us confidence that what we’ve built is durable, not just compliant for a moment in time. 

Looking ahead 

This certification and attestation aren’t the finish line. They’re checkpoints on an ongoing journey. AI will continue to evolve, and so will expectations around how it should be governed. Our commitment is to continually learn, improve, and lead with purpose. 

I’m incredibly proud of the teams across Dayforce who made this possible. Their work proves that strong governance and meaningful innovation are not competing priorities. When done right, they reinforce each other. 

And that’s the kind of leadership our customers deserve.