UPDATE 18 April 2025: I am now naming the company because of the details you will read herein.
I received a credible whistleblower report that Thalamus AI, which claims to be located in San Francisco, received an “instant” ISO 27001 certificate for its information security management system without having undergone an actual audit. Upon checking the certificate in IAF CertSearch, however, I found that the certificate was issued for a mailbox office in Delaware, not for an actual office in San Francisco. That’s not typically allowed.
“DelawareInc.com” is run by Harvard Business Services Inc., and I verified with them that the address above is not used by clients, and has no rental office space. Furthermore, HBS claims to have processed over 400,000 companies through its office, and — as you can see in the photo — it’s not large enough to house 400,000 companies. The purpose of the building is to process registration claims and act as a virtual street address for US mail. There is, therefore, no way that Thalamus physically operates out of that address, since they’d have to share it with 399,999 other companies. Thalamus apparently doesn’t want you to know where it really works out of. Thalamus’ CEO, Bipul Vaibhav, claims to be in San Francisco, but their co-founder, Sudhanshu Bansal, claims to be in Bengaluru, India.
The initial publication of this article, just two days ago, prompted a flurry of activity by Thalamus to further obfuscate their actual location. On April 16, 2025, I screenshotted the Thalamus AI webpage, and it clearly stated the “Governing Law and Jurisdiction” fell under the “laws of India” and specifically, “Bangalore, India” (or Bengaluru, where Bansal resides). But after I ran this article on 17 April, someone updated the Thalamus website to edit out India and insert “Delaware” as the governing jurisdiction. A simple trip to the Wayback Machine will show the original text.
The interesting part here is that my original version of this article didn’t name Thalamus AI at all, and redacted their name. So, how did they know to edit their webpage in only 24 hours?
Keep reading.
Verma the Scammer
Thalamus AI’s ISO 27001 certificate was issued by the Indian CB, Quality Control Certification (QCC), which already has a dubious reputation. For many years, QCC was a known scammer certificate mill, claiming accreditation from “United Ackreditering Services Limited” (UASL), a made-up fake accreditation body which purports to operate out of the UK, but which is also an Indian scam. Surprising no one, QCC’s chief executive is one Ram Kala Verma and official UK government records reveal that UASL was created by the same guy.
There’s also the problem that those same UK records show the name “United Ackreditering Services Limited” was put into disuse back in 2021, and the new company name is actually “United Assessment Services Limited,” probably because the idiots realized they spelled “Accrediting” wrong in English. (That word is actually Swedish.) But the QCC certs and company LinkedIn page still use the UASL mark and misspelled name:
Here’s a shot of QCC’s address in India:
But certificate mill scammers like Ram Kala Verma are never happy unless they can get official recognition through whatever cheap, underhanded method they can. So Verma shopped around for an accreditation body to make his mill appear legitimate, which brought him to (of all places) Ethiopia.
The official Ethiopian accreditation body, the Ethiopian Accreditation Service (EAS), accredited QCC, having presumably conducted no actual audit of QCC and without verifying Verma’s checkered past. That is probably why Verma sought EAS accreditation instead of a local one from the more reputable Indian body, NABCB. Here is the page for QCC in IAF CertSearch:
I also checked the scope of accreditation of QCC and found that only its India operations are accredited. Unlike other cases, where an IAF signatory rubber stamps every country in the world onto the scope of accreditation, EAS didn’t do that, and only listed India. That means, technically, QCC can’t issue certs in other countries because it is not accredited outside of India. (IAF has refused to update its procedures to clarify this problem.)
The drama isn’t over yet, though. Digging further still, IAF CertSearch shows the IAF MLA status of Ethiopian Accreditation Service as “nonconforming,” so they shouldn’t be issuing any certs with their logos at all. Not only did the scammers at QCC operate for years using their own fabricated accreditation body, but they also found one of the only IAF members currently flagged as “nonconforming” to accredit them.
Globehopping Thalamus
In most, but not all, cases, ISO 27001 requires an on-site audit, as there may be physical cybersecurity controls that the CB needs to assess. There are instances where a fully-remote ISO 27001 audit may be performed (when all systems are off-prem), but it’s not really a good idea. It’s much worse for an initial certification like this one, less bad for annual surveillance.
The certificate issued to Thalamus by QCC only lists one address for Thalamus: the address of Delawareinc.com on Coastal Highway in Lewes, DE. From CertSearch (as of 16 April 2025):
The certificate makes no mention of San Francisco or, more importantly, Bangalore, where Thalamus AI likely actually works from. This assertion is supported by this job posting from Thalamus — or all of these, too — which seek “India-based candidates working US hours”:
This is crucial, because both ISO 17021-1 and ISO 27006 require an adequate scope of certification to include the addresses where work is performed. While auditing of the sites can be done remotely (under strict risk-based rules), you can’t leave off entire sites.
Could Thalamus actually operate entirely from a virtual office? Yes, the staff of Thalamus might be entirely work-from-home, and all of their systems off-premises. But the scope of certification seems to include at least some activities, like “operational processes” and “maintenance of infrastructure” which would suggest this isn’t just guys writing code from their kitchens. The Thalamus AI website goes further, claiming their ISO 27001 certification covers physical data security operations:
With rigorous multi-factor authentication, granular role-based access controls, and 24/7 monitoring, we guard your data so you can operate with complete confidence. With us, your data is protected by best-in-class security engineers —because your trust is our highest priority.
There’s also the problem that Thalamus AI is marketing its stuff to US companies and will be hosting US company data. It is very important for a user of Thalamus’ “security” services to understand just where that data is being held, and under what legal jurisdiction it falls. Having an ISO 27001 information security management system certificate that insists the company is in Delaware, when it’s actually storing code in India, could raise a host of legal problems for Thalamus customers. Since they’re in India, there would not be much a US customer could do about it, either; are you going to sue them in Bangalore?
And here is where things get dirtier still. On 16 April, I sent a formal complaint to QCC before I published the original version of this article. Unlike my original report here, however, my complaint named Thalamus AI. I then ran a post on LinkedIn linking to the article, showing a redacted version of Thalamus’ webpage where it referenced Indian governing law. At that point, the only human beings on the planet who would have known I was talking about Thalamus would have been Verma, ANAB’s Lori Gillespie, IAF’s Victor Gandy, and Celestine Okanya of the IAF regional body AFRAC.
I also filed an information request with them on 16 April, asking them to clarify their physical location:
Thalamus AI never answered me, of course.
So either Thalamus AI received my question and then, while refusing to reply to me, scrambled to edit their website, or their certification body, QCC, tipped them off. Either of those answers suggests Thalamus AI is at least partly culpable in this deception. That, then, gives some credence to the original claim that they were shopping for an instant ISO 27001 without any audit at all.
In response to the complaint, Verma showed the usual professionalism and tact of a scammer certificate mill operator, calling the complaint “stupid.” He then listed some clauses from ISO 27006 which he thinks justify his shady practices, leaving out entire paragraphs of requirements that require him to verify the scope of certification when performing audit planning, to ensure all sites are audited or sampled, and to ensure that the company (Thalamus AI) isn’t making claims about their management system applying to locations it doesn’t cover.
I rejected the response, but now the problem is who to escalate it to next? If EAS is suspended somehow from IAS, then they may not be able to process the complaint. If not them, then who? The next logical step would be AFRAC, the African IAF regional body that is supposed to oversee IAS. Okanya has been copied on this email chain, so maybe he will chime in.
IAF’s Scam Enablement Scheme
The IAF uses this maze of bodies to its own advantage. They demand absolute conformity with the rule that a complaint cannot be escalated until the lower body processes it. If the lower body never processes it, the IAF will refuse to allow it to be escalated. The scammers have picked up on this trick and simply ignore complaints now, effectively cutting them off. Oxebridge’s reporting and widespread audience are usually the only things left to motivate them into doing something at all, since they know we will report on their failures.
What’s frightening is that Verma and QCC have issued their fake certs to otherwise legitimate organizations, like the Centre for Advanced Computational Research in New Delhi. That company designs drugs, so you’d think having a real ISO 9001 certificate might be a good idea.
Regardless of all this, the Thalamus certificate remains fully listed as valid in IAF CertSearch. This shows the problems with IAF CertSearch, where CBs can enter whatever they want, and there is no oversight at all. CertSearch is just a cash grab for IAF and its software partner, Quality Trade.
At this point, we have decades of evidence showing the IAF simply won’t do its job and ensure that only valid ISO certificates are issued, and only by valid ISO certification bodies. We used to be able to identify scammer mills simply by the fact they were not accredited by an IAF member. Now, we can’t rely on the IAF mark at all anymore. We also cannot rely on IAF CertSearch, which is still lacking thousands of certificates and includes fake ones like those of QCC.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world