How the world designs, approves, and builds for the future

July 13, 2026

In the industries of property development, urban planning, and municipal permitting, not only are the stakes high, but everyone, whether on the public or private sides, is under pressure to do more with less. Now that AI systems can read architectural drawings, flag compliance gaps, and help planning departments move applications through review in a fraction of the time, the question is not whether to adopt AI, but how to adopt it safely.

If AI platforms are going to be responsible for real work in regulated, high-consequence environments, the matter of safety is paramount. That makes the distinction between AI vendors that have invested—and continue to invest—in AI governance and those vendors that haven’t, one of the most glaring competitive gaps to be found.

The international standards that govern information security and AI management are there specifically to address those gaps.

ISO/IEC 27001 establishes, maintains, and continually improves information security management to protect data and manage information risks. ISO/IEC 42001 does the same, but specifically for Artificial Intelligence Management System (AIMS) so organizations develop and use AI responsibly, ethically, and effectively. The voluntary compliance framework SOC 2 (System and Organization Controls 2) specifies security and privacy “Trust Services Criteria” for maintaining strong cybersecurity and safeguarding client information.

Neither security risks, nor their guardrails to help mitigate them are new. However, AI technology specifically introduces a new level of both threat and the urgency to address it.

two people going over building plans on computer monitors.

AI Governance Mitigates the New Paradigm of Risk

With AI, the ramifications of mistakes or deliberate attacks can proliferate throughout an organization in minutes.

“AI brings with it a whole new paradigm of security risks, and many of the traditional security controls that organizations have been relying on don’t address the new ways attacks can occur,” says Michael Langley, Founding Partner at LBH, a technology consultancy that audits AI systems for governments and enterprises. “Any organization implementing AI, if they’re not looking at the controls around it, is basically implementing new potential risks and gaps into their organization.”

LBH identifies the most common failure mode for AI: In a rush to launch pilots, organizations hand AI agents privileged accounts or corporate API keys. Then the AI agent becomes, in Langley’s words, “a vector for data exfiltration,” or a door left open to information no single employee could ever access at once.

“With these AI bots, it’s real time; it’s instant,” says Phuong Hoang, Founding Partner at LBH. “Someone runs a query, and they’ve got access to your entire organization’s data if you’re not careful. The agent is effectively another employee; its access scope has to be managed and restricted by traditional, good old-fashioned software-based controls.”

However, risks also extend to well-meaning employees who improvise with consumer AI tools. A city planner who uploads architectural drawings into a public chatbot basically hands over sensitive intellectual property to a third party with no contractual obligations. City officials using unauthorized AI tools to fast-track building permit approvals have already made headlines, with dire professional consequences. In any case, the lesson is the same: Without guardrails, individual shortcuts can become serious liabilities.

Security Standards as the Bare Minimum for AI Vendors

AI governance offers a familiar path to mitigating risk. Properly implemented, standards such as ISO 27001, ISO 42001, and SOC 2 enforce a cohesive set of controls across data, technology, access, and people, extended to AI-specific concerns like human-in-the-loop oversight and bias monitoring.

Hoang analogizes AI governance standards to electrical safety standards, which the building industry takes for granted.“Everyone implements them because they prevent accidents,” he says. “Let’s do the same with ISO 27001 and SOC 2—and for AI systems, ISO 42001. These days, ISO 27001 is the minimum ticket to play.”

Buyer behavior backs up Hoang’s point. When LBH advises governments and financial institutions, uncertified vendors face a far more drawn-out assessment process, if they’re considered at all. Certification doesn’t replace due diligence, but it establishes a verified baseline that dramatically shortens the path to trust.

For example, Archistar has bet on AI governance early and often. The company is certified for both ISO 27001 and ISO 42001, while being on track to add SOC 2 certification in late 2026.

“Most of our clients now want us to consider being certified to ISO 42001 AI management, but we are surprising them by saying we’ve already got that,” says David Coorey, VP of Technology, Archistar. “They typically go for ISO 27001 first because they’re more worried about security. But more and more are asking for 42001, and we have both.”

Archistar's ISO 27001 and ISO 42001 certification logos.

How AI Governance in Action Looks

Archistar publishes its Responsible Use of AI policy in its publicly available online Trust Center, where certificates and audit artifacts are available for anyone to verify. “Our philosophy on AI governance is really around augmenting the human decision, not replacing it,” Coorey says. “Trust and transparency are critical in planning systems. Clients just want a trusted partner with their data.”

As such, Archistar does not use any submitted building plans or any other customer data to train its AI models, generate new building plans or for any other purpose without explicit consent.

When a customer submits a plan to Archistar AI PreCheck, it is processed within the customer’s logically isolated AWS environment and used only to complete the requested assessment. Customer plans remain customer data and are never provided to third parties. The AI’s role is also deliberately bounded to detecting and classifying drawing elements, and flagging potential compliance gaps. It then supports city reviewers’ decisions rather than replacing them.

Guardrails apply as well to the AI tools used internally within the company. “If you don’t have that basic governance around the tools you use, then you can get into trouble,” Coorey says. “We don’t allow personal subscriptions of common AI tools. We use business-grade subscriptions, monitor access, and delete access as soon as people move on to different roles or leave the company.”

The Cost of Compliance

A high level of AI governance does take significant effort, as well as investment. Archistar’s path to certification involved a dedicated governance, risk, and compliance hire; an external certification partner; internal and external audits; and tooling that automatically collects data showing the controls are working. The company recently established an AI board, which evaluates how to treat new AI requirements in accordance with standards like ISO 42001. Complying with AI governance standards is an ongoing process. It never really ends. Audits recur annually, and full recertification is needed every three years.

“When we get audited, those controls are tested, and we have to show proof that those controls are working,” Coorey says. “Otherwise we’re not doing what we say we would do. You’re either running in a governed operating model or you’re not.”

The reality is that many vendors in this space are not running that governed operating model. Certifications can be a meaningful indicator of who is putting in ongoing effort and investment toward AI governance and guardrails.

Two government workers walking down the outside stairs of a government building.

Due Diligence for AI Vendors and Tools

Governments vetting prospective AI vendors only need to verify a slightly longer checklist for their due diligence.

Due diligence for local governments vetting AI vendors and tools should include finding out:
• Where the data is processed
• How files are encrypted
• How the AI software handles authentication

AI-specific points of due diligence include:
• Which third-party models underpin the AI platform
• How AI agents inherit user identity
• Where inference occurs

“A local government shouldn’t be intimidated by it,” Langley says. “They should apply the same technical due diligence that they normally would. There are a few AI-specific things, but the approach to how you assess isn’t fundamentally any different.”

Local governments may be tempted to improvise solutions internally by feeding sensitive documents to consumer AI tools. That’s risking a lot to gain a little. As a safer alternative, choose vendors who have built a dedicated and governed solution.

Due Diligence for AI Vendors and Tools

Moving proactively toward AI governance and security is possible for any organization, but there is also an imperative to act quickly. Frontier AI models are rapidly gaining abilities that, in the hands of malicious actors, can result in automated, real-time attacks.

“It’s only going to be a month or so before other models, including open-source ones, get to the same capability [as Claude Mythos 5],” Langley says. “Then you’re going to see widespread automated AI bots out there probing and launching attacks. Organizations that aren’t preparing now are going to be impacted.”

Organizations in a rush to move AI tools from pilots to production should resist the temptation to cut corners on access controls and AI governance. “There are a lot of actors out there with tools that get this stuff in real time,” Hoang says. “We’re not talking about days or weeks. It’s within minutes.”

AI governance builds the foundation of trust that enable high-stakes industries to adopt AI in the first place. Archistar’s approach of gaining and maintaining certifications, publishing its policies, and always safeguarding customer data reflects a larger attitude about the customer/vendor dynamic concerning powerful AI technology: The future belongs in the hands of those who build and use not just smarter tools, but safer ones.

Want to learn how AI PreCheck brings governed, transparent AI to your planning and building department?

Request an Archistar
AI PreCheck demo

Archistar
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.