ISO 42001 and Dealership AI: How to Know Which Vendors You Can Trust

Announcement

Jön White

Every vendor in automotive technology is talking about AI right now. That isn’t a bad thing. AI is real, it’s here, and the dealerships putting it to work are seeing real results.

But not all AI is built the same. And not all vendors managing AI are doing it with the same level of oversight, accountability, or control.

That gap is where your store's risk lives.

AI is already part of your daily operation

This isn’t a conversation about the future. AI is already part of how leads get worked, follow-up gets sent, and customers get engaged at thousands of dealerships right now.

Here’s the reality on the floor. A recent study found 43.2% of dealership sales leads are mishandled, meaning missed calls, no CRM entry, lapsed follow-up, or slow response.[1] In the same data, 60% of buyers purchased within the first three days of reaching out. If your follow-up is measured in days instead of minutes, you’re not losing leads at the bottom of the funnel. You’re losing them before the process ever starts.

That’s the gap AI is closing for stores that are using it well. A nationwide study of more than 1,700 dealerships released at NADA 2025 found that 61% of stores now respond to internet leads within 15 minutes, up from 55% two years prior. The stores moving that number are not doing it with more headcount.[2] 

Customer engagement, especially in the CRM, is the number one area where dealerships are currently deploying AI, ahead of sales, customer service, and marketing.

That means AI is sitting inside the platform your team uses every day to manage leads, follow up, and work your database. It’s touching customer conversations. It’s influencing which leads get worked first and which ones get left behind.

That is an opportunity. It’s also a responsibility.

Your CRM should have AI, no question. But is it secure?

Almost every CRM vendor will tell you they have AI. That claim is table stakes now. It tells you almost nothing useful.

The better questions are the ones most vendors are not prepared to answer:

  • Who is watching the AI?

  • Who owns the risk when it makes a mistake?

  • How is it reviewed before it goes live in your store?

  • Can your managers see what it said or did?

  • When does a human step in, and how?

Here’s why those questions matter. Across industries, 77% of organizations are concerned about unauthorized AI use, and more than half have already experienced at least one negative outcome tied to AI inaccuracies.[3] Those outcomes don’t stay inside the software. They reach customers. They affect your reputation. They show up in your CSI score.

Dealers who have been burned by overpromised technology before know that what a vendor claims and what actually runs inside your store can be very different things. The sea of AI providers in automotive right now makes it harder, not easier, to tell the difference. That’s exactly why asking the right questions matters more than ever.

What ISO 42001 means in plain English

ISO/IEC 42001 is an international standard for managing AI responsibly. Published in December 2023, it’s the world's first certifiable standard of its kind.

In plain terms, it means a company has built a real management system around how AI is developed, deployed, monitored, reviewed, and improved. Not a checklist. Not a self-assessment. An independently audited framework with documented policies, active controls, and annual surveillance to make sure it stays current.

To earn the certification, a company must pass a two-stage audit conducted by an accredited third-party certification body. Stage one reviews the documentation and design of the AI management system. Stage two evaluates whether it actually works in practice.[4]

The certificate is valid for three years, with annual audits in between. If the system slips, the certification does not automatically carry forward.

That’s the difference between a vendor that says "we take AI seriously" and one that has had an independent organization come in and verify it.

DriveCentric is ISO/IEC 42001 certified.

Why ISO 42001 matters for your store

When AI is working inside your CRM, it’s working inside your customer relationships. That’s not abstract. It means AI may be helping craft the message a customer receives after they visit your lot. It may be flagging which be-backs to prioritize. It may be surfacing database opportunities your BDC would otherwise miss.

Those are high-stakes moments. A miscommunication, a bad recommendation, or an off-brand message at the wrong time can cost you a deal or damage a relationship you spent years building.

AI without governance isn’t a neutral thing. It carries real operational risk, and that risk lands in your store, on your team, and in front of your customers.

ISO 42001 addresses that risk directly. Here’s what a certified AI management system actually means for your operation:

  1. Your team stays in control.

AI supports decisions; it doesn’t make them without accountability. Human handoff points are defined and documented, so your managers always have a clear way to step in.

  2. There’s named ownership of AI risk.

Someone inside the vendor organization is responsible when something goes wrong. That’s not assumed or implied under ISO 42001. It is required.

  3. The AI gets reviewed before it reaches your store.

Controls are in place to evaluate AI tools before deployment, not after a problem surfaces in front of a customer.

  4. Your managers can see what happened.

Transparency and explainability are built into the standard. If AI sent a message or surfaced a recommendation, there’s a record. You’re not flying blind.

  5. Third-party tools get scrutinized too.

Any external AI connected to the platform falls inside the governance scope, not just the AI the vendor built themselves.

How this connects to DriveCentric's AI strategy

DriveCentric's AI is built to support your team, not replace it.

Here’s what that looks like on the floor. When a lead comes in after hours, AI responds immediately so the customer doesn’t go cold before your team gets in the next morning. When a be-back stops engaging, AI surfaces it and helps your BDC get back in front of them before they buy somewhere else. When the database has an opportunity your team has not touched in months, AI finds it.

The people still close the deal. AI makes sure they get the at-bat.

ISO 42001 certification is proof that there’s a real management system behind how that AI is built, reviewed, and monitored. It’s not a badge. It’s evidence of a process, one that was assessed by an independent third party and is maintained through annual audits because responsible AI isn’t a one-time milestone.

Questions to ask any AI CRM vendor about governance

Before any AI vendor earns a place in your CRM, your team's workflow, or your customer conversations, get clear answers to these:

  1. Is your AI governance independently certified? Self-declared standards are not the same as third-party audited certification. Ask for documentation, not assurances.

  2. Who owns AI risk inside your company? There should be a named person or team. If the answer is vague, that’s the answer.

  3. How do you review AI tools before they go live? There should be a defined process, not a general commitment to being careful.

  4. Can my managers see what the AI said or did? Transparency isn’t optional when customer relationships are involved.

  5. How does a human take over when needed? Every AI system needs a clear handoff. If the vendor can’t describe it, there may not be one.

  6. Are third-party AI tools reviewed before being connected to the platform? Many vendors plug in external AI. Those tools should be governed too.

  7. How do you monitor AI after it goes live? Deployment isn’t the finish line. Ongoing monitoring is what keeps AI working the way it should.

  8. What documentation can you provide during vendor review? A vendor serious about AI governance can back up their claims with paperwork. Ask for it.

The bottom line

AI can help your store respond faster, work your database harder, and stop letting opportunities fall through the cracks. The upside is real, and the stores leaning in are pulling ahead.

But speed without oversight isn’t an advantage. It’s a liability.

When AI is touching your customer conversations, your follow-up, and your reputation, the question isn’t just what it can do. It’s who is watching it, who owns it, and what happens when something goes wrong.

DriveCentric is ISO/IEC 42001 certified because we think you deserve a real answer to that question, not a promise.

Want to see how DriveCentric is building trusted AI for modern dealerships? Request a demo.

Have questions about our AI governance or want to review our ISO documentation? Contact us.


Sources:

1: The Foureyes 7th Annual Automotive Dealer Industry Benchmarks Report, published in March 2025

2: DAS Technology Automotive Lead Response Study, NADA 2025

3: Teamgate, State of CRM 2025

4: Schellman, What to Expect in the ISO 42001 Certification Process, June 2025

Discover the Power of DriveCentric

Transform your automotive CRM with hyper-personalization and automation
