Atera’s AI management system under ISO 42001
Atera operates a certified AI management system (AIMS) in conformance with ISO 42001.
The AIMS sets our AI policy, assigns clear roles and accountability for AI governance, and drives AI risk and impact assessments across the AI lifecycle, all maintained through continuous cycles of monitoring and improvement.
Every feature of Robin and AI Copilot, our autonomous AI agents for IT, is governed by this system, and the sections below describe how it works in practice.
Your data, your control
In line with the data governance principles of ISO 42001, your data stays exclusively yours. All AI models used for Robin are hosted on Microsoft Azure OpenAI, ensuring enterprise-grade security, with all customer data stored within the United States and the European Union. Your data is never shared with OpenAI, Microsoft, or used to train any AI models, including Atera’s own. To meet the standard’s requirements for isolation and protection, all customer environments are logically isolated within Azure with no cross-tenant data access, and all data is encrypted both at rest and in transit.
Risk-rated action control
Reflecting the AI risk and impact assessment principles at the core of ISO 42001, every action Robin can take is risk-evaluated before it is allowed to operate in your environment. Atera provides hundreds of built-in actions and diagnostics that are developed, maintained, and rigorously tested by our engineering team, and each one undergoes thorough review and security evaluation to ensure safe operation.
Safety filters and guardrails
Robin includes multiple layers of real-time protection that put the operational monitoring expectations of ISO 42001 into practice. Microsoft Prompt Shield is the primary filter, blocking abuse, malicious activity, and harmful content before it reaches the AI model. Adding a further layer of governed oversight, a separate AI-as-a-judge mechanism, an independent AI model with no stake in the conversation, reviews Robin’s outputs to ensure they align with expected behavior. These layers are always on and cannot be disabled, ensuring interactions stay compliant and professional.
Full data isolation
Upholding the data management principles of ISO 42001, each customer’s knowledge base, scripts, logs, and configurations are logically isolated within Azure, ensuring no cross-tenant data access. For MSPs, data is also segmented per end-customer, keeping every environment’s boundaries intact.
Full audit logging and technician identity
Consistent with the logging and accountability principles of ISO 42001, every action taken by Robin is recorded in Atera’s Audit Log, just like those performed by human technicians. Each log entry clearly identifies “Robin” as the executing entity, leaving no ambiguity about who or what performed the task. This transparency lets administrators track every change, action, or response generated by the AI agent, holding agent activity to the same rigorous standards of traceability and accountability as any human user.
Conversation and decision logging
Extending those same transparency principles of ISO 42001, every interaction between end users and Robin is automatically logged as a ticket in Atera, with all AI decisions recorded as internal comments within the same ticket. These comments are visible only to technicians and admins, giving clear insight into the AI’s reasoning and behavior so IT teams can review context at any time and maintain full oversight and confidence in the agent’s actions.
Admin-governed autonomy
Putting the responsible-use principles of ISO 42001 into practice, Robin’s behavior is governed by custom instructions, playbooks, and knowledge base articles written by IT administrators in plain language that define the agent’s scope, approval flows, escalation criteria, and guardrails. Robin follows these instructions just like a new technician following your runbook, with all AI operations restricted to predefined IT support boundaries and anything outside that scope escalated rather than acted upon.
Optional AI recommendations
In keeping with the human-oversight principles of ISO 42001, AI generated content such as knowledge base articles and script suggestions is always optional and requires manual human admin approval before it is published or executed. No outputs are ever implemented without review.