CrowdStrike gains ISO AI governance boost for Falcon
CrowdStrike has gained ISO/IEC 42001:2023 certification for its approach to managing artificial intelligence in its cybersecurity products.
The company said the certification covers parts of its Falcon platform, including CrowdStrike Endpoint Security, Falcon Insight XDR, and Charlotte AI.
ISO/IEC 42001:2023 sets out requirements for an AI management system. Organisations use it to structure governance processes, document risk controls, and demonstrate oversight of AI systems.
CrowdStrike said an independent, accredited certification body carried out the audit. It assessed the company's AI management system, including governance, policies, risk management, and development practices.
Governance focus
The certification lands as regulators and standards bodies increase scrutiny of AI in commercial products. Security teams also face pressure from customers and boards on how suppliers build and operate AI features.
CrowdStrike positioned the certification as a signal of process maturity for the way it develops and operates AI across its product set.
"CrowdStrike is among the first cybersecurity companies to achieve ISO 42001 certification, the world's first AI management system standard," said Michael Sentonas, President, CrowdStrike. "For a cybersecurity vendor, responsible AI governance is foundational. This certification validates the maturity, discipline, and leadership behind how we develop and operate AI across the Falcon platform."
Product scope
CrowdStrike said the audit scope includes "AI-powered cybersecurity" across core Falcon platform functions. The company linked the work to its endpoint security and detection tools, as well as Charlotte AI, which it markets as an AI layer for security operations.
The company also set the certification in the context of what it described as AI-enabled attacker behaviour. It said adversaries use AI to scale activity faster than defenders can respond.
CrowdStrike described a requirement for defenders to operate with governance and accountability. It contrasted that with attacker behaviour.
Charlotte AI
CrowdStrike said Charlotte AI works across the security lifecycle. It described the product as using "intelligent agents" and automation for tasks in security operations.
The company said Charlotte AI uses a "bounded autonomy" model. It said this approach keeps decisions under security team oversight and defines when automated actions can occur.
CrowdStrike also described controls for AI data, models, and agents in regulated environments. It did not name specific sectors in its announcement.
Market context
ISO/IEC 42001:2023 is an AI-specific management system standard. Companies can use it alongside other assurance and security frameworks. It provides a formal structure for internal governance and external audit of AI processes.
Cybersecurity vendors increasingly market AI features for detection, triage, and response workflows. Buyers in regulated industries often ask suppliers for evidence of controls around model development, data handling, and human oversight.
CrowdStrike said the certification reinforces trust in its AI governance. It also linked the audit outcome to the way it operates AI across Falcon.