There are a lot of companies talking about responsible AI right now. Fewer are doing the governance work that makes it real.

At Resync, we’ve spent the past several months building our AI Management System from the ground up — not to tick a box, but because we build and operate an AI product, and our clients deserve to know how we manage it. That work is now complete.

Here’s what we’ve done and why it matters.

What we built

We have established an AI Management System aligned to ISO/IEC 42001:2023 — the international standard for AI governance. Our AIMS covers all 38 Annex A controls across the full governance lifecycle: policy, scope, risk management, impact assessment, roles and responsibilities, development lifecycle, acceptable use, and ongoing review.

The documentation set is ten documents, each mapped to specific standard clauses:

• AI Policy — our top-level commitment to responsible AI use
• AIMS Scope Document — which systems are governed and why
• AI Risk Register — 12 identified risks with rated controls and residual risk
• Statement of Applicability — all 38 Annex A controls, assessed, justified, and evidenced
• AI System Impact Assessment for Resync Sentinel — potential harms, affected parties, and mitigations
• AI Governance Roles and Responsibilities — who owns what, with a RACI
• AI Acceptable Use Guidance — practical rules for our team
• AI Development Lifecycle — how we build Sentinel responsibly
• AIMS Document Register — master index with version control
• Annual Review Checklist — governance that continues to work next year, not just today

This is not a framework we bought. It is a framework we built, specific to Resync’s context, our product, our team, and our obligations to our clients.

What this means for Resync Sentinel

Resync Sentinel — our AI-powered code review and test generation platform — is aligned to ISO/IEC TS 42119-2:2025, the new international technical specification for testing AI systems.

42119-2 defines the test types that AI systems require beyond conventional software testing: data quality testing, model testing, bias and fairness testing, adversarial testing, explainability testing, and drift testing. Sentinel’s AI reviewer personas map directly to these test types. The Security persona addresses adversarial and boundary testing. The Data & Privacy persona addresses data quality and bias considerations. The Architecture persona covers system-level testing.

This is not coincidental alignment. We designed Sentinel’s review categories around what rigorous AI testing actually requires.

When a Sentinel client uses the platform to review a pull request, they get a structured AI review anchored to the same principles the international testing community is now codifying. That matters more as AI-generated and AI-adjacent code becomes the norm, not the exception.

What this means for clients

If you engage Resync for quality engineering work, you are working with a consultancy that has done the governance work its own products demand. We have a documented AI policy, a risk register, an impact assessment, and an annual review cycle. We have thought carefully about how our AI tools handle your data, where human oversight sits, and what happens when something goes wrong.

Most NZ consultancies using AI in delivery don’t have this. It’s not a criticism — the standards are new and the documentation burden is real. But if you are a government agency, a regulated entity, or any organisation that needs to account for how its suppliers use AI, the question is worth asking: does your consultancy have an AI governance framework, and can they show it to you?

We can.

Free training — now live on Resync Bootcamp

We have also published a dedicated ISO/IEC 42119-2 training module on Resync Bootcamp — our free, no-signup NZ software testing training platform.

The module is six lessons:

1. Why AI Testing Is Different
2. Data Quality Testing
3. Model Testing
4. Bias and Fairness Testing
5. Audit-Ready Artefacts
6. Applying 42119 to a NZ Project

It sits in the Test with AI section alongside the existing ISTQB CT-GenAI content. Every lesson is written in NZ context, with NZ examples and NZ regulatory references. No signup required. No cost.

If you are a tester working on AI systems in New Zealand, this is the fastest way to get across what the standard actually requires and what good looks like in practice.

bootcamp.resync.nz/ai-testing/iso42119/

AI governance gets talked about a lot. Frameworks like 42001 and 42119 exist to make it concrete. We’ve done that work. If you want to understand what it covers, what it doesn’t, and how it applies to your own AI programme, get in touch.