AI Governance · GRClabs
Your AI startup has a compliance problem.
It just hasn't hit yet.
ISO 42001 is the world's first AI management system standard. Enterprise buyers and EU regulators are already asking for it.
Most startups have never heard of it.
ISO/IEC 42001 · 2023
The standard is here. The deadline is coming.
2023 · ISO standard published. The world's first AI management system standard lands.
0 · Consultants who specialise in it. Almost no one is positioned to implement this yet.
2026 · EU AI Act enforcement begins. Full enforcement for AI systems. Fines up to €35M or 7% of revenue.
The Problem
Enterprise procurement just got harder. Again.
You've shipped the product. You've found the customers. Then a procurement team at a bank, government agency, or global enterprise sends you a vendor questionnaire.
Question 47: "Describe your AI governance framework and the standards it aligns to."
You don't have one. The deal stalls. They move to the next vendor who does.
This is happening right now, in NZ, Australia, APAC, Germany, and across the EU. And it will get worse — not better — as AI regulation matures.
Four reasons this can't wait
The EU AI Act is not optional
If you sell into Europe — or plan to — you need demonstrable AI governance. The Act came into force in 2024. Enforcement for high-risk AI systems begins in 2026. ISO 42001 is the most credible way to demonstrate compliance.
Investors are starting to ask
Series A and B due diligence now routinely includes AI risk questions. Not having an answer isn't a yellow flag — it's a red one. Especially if your product is the AI.
Your customers' customers are asking them
Third-party risk management is cascading. If your customer sells to enterprise, they're passing the questionnaire down to you. The compliance pressure travels up the supply chain whether you're ready or not.
Waiting costs more than acting
A single delayed deal at $150k ARR costs more than a full ISO 42001 implementation. And once you have it, every subsequent enterprise deal gets easier.
"Over a third of organisations have lost deals due to lacking a required security certification. Compliance is not a cost — it is a sales asset."

Industry data, 2024
What is ISO 42001
The standard that governs how you build, deploy, and account for AI.
ISO/IEC 42001:2023 is the world's first international standard for AI management systems. Published in December 2023, it provides a framework for organisations to demonstrate that their AI systems are developed, operated, and monitored responsibly.
It covers what decisions your AI makes, how those decisions are monitored, what happens when something goes wrong, and who is accountable. It is not a technical standard — it is a governance standard. It lives at the intersection of your product, your operations, and your risk management.
For a startup, implementing ISO 42001 does three things: it forces you to document what your AI actually does (which is harder than it sounds), it gives enterprise buyers a credible answer to their procurement questions, and it positions you ahead of competitors who are still treating AI governance as someone else's problem.
It pairs directly with ISO 27001. If you already have 27001, roughly 50% of the control infrastructure carries over. If you don't have either, doing them together is the most efficient path — one implementation, two certifications, one story to tell customers.
Why Now
The window to move first is open
Dec 2023
ISO 42001 published. The standard lands. Most organisations don't notice. A small number of large enterprises start asking their vendors about alignment.
Aug 2024
EU AI Act enters into force. The Act is law. Prohibitions on unacceptable-risk AI systems take effect immediately. GPAI model obligations begin. The clock starts for high-risk system requirements.
2025
Vendor questionnaires start including AI governance. Enterprise procurement teams — particularly in financial services, government, and healthcare — begin adding AI governance questions to standard vendor assessments. ISO 42001 becomes the reference answer.
Aug 2026
EU AI Act high-risk obligations enforced. Full enforcement begins for high-risk AI systems. Fines up to €35M or 7% of global revenue. If you sell AI into Europe — or plan to — this is your hard deadline.
Now
The window to move first is open. Most of your competitors haven't started. The startups that certify in 2025–2026 will reference it in every enterprise pitch, every investor deck, and every procurement response. First-mover advantage in compliance is real and durable.
What GRClabs Does
I implement. I don't advise from a distance.
Sprint · ISO 42001 Implementation
Full implementation from gap assessment to certification-ready. Fixed scope, fixed timeline, fixed price. We handle the documentation, the controls, the evidence, and the auditor liaison. You focus on the product.
8–12 weeks · from $15k NZD
Bundle · ISO 27001 + 42001 Combined
Security and AI governance in one implementation. Most controls overlap — running them together saves four to six weeks and significant cost compared to doing them sequentially. The most efficient path for AI-native startups.
12–16 weeks · from $25k NZD
EU Track · APAC → EU Compliance Bridge
For NZ and Australian startups selling into Germany or the EU. ISO 27001 + 42001 + GDPR + EU AI Act readiness. Built for the specific regulatory context of selling B2B SaaS into European enterprise and government.
16–20 weeks · from $35k NZD
Who I Am
Built by someone who has sat on both sides of the audit table.
GRClabs is Felix Scholz — CISA, CIA, MBA. German-born, New Zealand-based. A decade at PwC Germany implementing GRC frameworks for European corporates, followed by four years at PwC New Zealand, plus five+ years as a cybersecurity consultant, and a string of startup ventures that mean he understands both sides of the table.
Not a software vendor. Not a generalist consultant. A Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA) and ISO 27001 and ISO 42001 certified practitioner who has implemented APRA CPS 234, ACSC Essential 8, ISO 27001, ISO 42001, SOC 2 and GDPR — across New Zealand and Germany — and is doing it live at AI startups right now.
The combination of Big 4 expertise, active certifications, startup founder experience, and a network across both APAC and Germany is genuinely rare. There is no other service in New Zealand positioned exactly here.
Your next enterprise deal
shouldn't stall on question 47.
I'll tell you in a single call whether ISO 42001 is the right move for your stage, your customer base, and your timeline. No pitch. No deck. Just a straight answer.

ISO 27001
ISO 42001
SOC 2
GDPR
EU AI Act