AIUC-1
Executive summary
AIUC-1 is the first AI certification standard whose addressee is not the organisation that adopts AI. It is the AI agent itself, considered as a deployable product with security, safety, and reliability properties that can be tested and certified. That shift in addressee is what makes AIUC-1 structurally different from everything else in this Hub.
The dominant narrative around AI certification has been built around management systems. ISO/IEC 42001 certifies that an organisation has the policies, processes, and controls to govern AI responsibly. The EU AI Act conformity assessment certifies that a high-risk AI system has been developed and documented to satisfy a regulatory regime. NIST attestations describe the alignment of an organisation’s AI risk management with a federal framework. All of these instruments certify something about the organisation: its governance, its processes, its documentation. None of them certifies whether a specific deployed AI agent will behave as expected when it interacts with users, calls tools, accesses sensitive data, or executes consequential actions.
That gap is the structural problem AIUC-1 addresses. The instruments designed for management systems and high-level governance were not designed for agentic AI — systems that take a goal rather than a prompt, decompose it into subtasks, choose which tools to use, evaluate outcomes, and adjust their approach. The risks that matter for agentic AI are not the risks the management system standards were built to govern. Hallucinations that drive customer-facing errors. Tool misuse where agents exceed their authorised boundaries. Data leakage through interactions. Prompt injection that subverts intended behaviour. Brand and reputation harm from inappropriate outputs. Identity and permission failures in systems where one agent calls another. None of these become certifiable through ISO/IEC 42001 audit, because the management system audit examines processes around the system, not the system’s behavioural properties under adversarial conditions.
AIUC-1 reframes the question. Instead of asking whether an organisation governs AI responsibly at the institutional level, it asks whether a specific AI agent meets defined security, safety, and reliability properties under independent audit and technical testing. The answer is recorded in a certificate that is valid for twelve months and conditional on quarterly technical testing that confirms the agent still meets the requirements as the threat landscape evolves.
This is structurally novel in three ways. First, it is product-level rather than management-system-level. The unit of certification is an agent or set of agents, not an organisation. Second, it is dynamic rather than static. A traditional certificate locks a snapshot at the audit date; AIUC-1 requires quarterly technical testing because adversarial techniques against AI evolve faster than annual audit cycles can detect. Third, it explicitly incorporates adversarial testing — jailbreak attempts, prompt injection, harmful content elicitation — not as optional add-ons but as part of the core certification methodology.
The standard was not built in isolation. Its design choices reflect a broader frustration in the enterprise AI market. Phil Venables, formerly CISO of Google Cloud, articulated the underlying need: enterprises buying AI agents need a familiar, actionable signal of security and trust comparable to what SOC 2 provides for general service organisation controls. The framing of AIUC-1 as “SOC 2 for AI agents” is deliberate and operationally useful. It positions the certificate in language that procurement teams, legal teams, and CISOs already understand, and it sets an expectation that the certificate will function in vendor selection in the same way that SOC 2 reports function today.
There is a structural feature of AIUC-1 that the standard’s promoters describe candidly and that we will too, because it shapes how the certificate should be read. AIUC accredits the auditors of AIUC-1 directly. It does not operate under an external accreditation body in the IAF MLA / ISO/IEC 17011 system that governs ISO/IEC 42001 certification. Auditor selection is also driven by the vendor seeking certification, not assigned by an accreditation body. AIUC itself conducts the technical testing that complements the audit. The framework, in other words, rests on AIUC’s own authority and methodology rather than on the international accreditation infrastructure. This is not a defect; it is a design choice. New certification regimes in fast-moving technical fields routinely begin this way and accumulate external recognition over time as the methodology proves itself, the contributor base broadens, and external accreditation arrangements emerge. The honest read of AIUC-1 is that it offers a rigorous, agent-specific control set with independent audit and technical testing today, and that its long-term credibility will depend on how the auditor accreditation question evolves as the market matures.
What AIUC-1 actually does, then, is open a new layer in AI assurance. It does not replace ISO/IEC 42001 (which certifies the management system) or EU AI Act conformity assessment (which establishes legal compliance for high-risk systems). It addresses a question those instruments do not answer: for this specific agent, deployed in this specific use case, what is the independent evidence that it operates within defined security, safety, and reliability boundaries? Enterprise buyers increasingly need that evidence. AIUC-1 is the first standard that produces it in a format procurement and risk teams can use.
Who it addresses. AIUC-1 addresses AI agent vendors — the organisations that build and offer AI agents to enterprise customers — and, indirectly, the enterprise buyers of those agents who want a structured trust signal before deployment. The standard is designed for agentic AI specifically: systems built on generative models that take goals and act autonomously through tool use, multi-step reasoning, and interaction with external systems and data. It is not designed for traditional ML models that produce predictions or classifications, nor for general software products.
The primary audience among vendors includes:
- AI-native vendors offering agents in customer service, sales operations, software engineering, knowledge work, and other enterprise functions.
- Voice AI and conversational AI providers whose agents interact directly with customers.
- Agentic automation platforms (such as RPA-AI hybrids) that combine traditional automation with generative AI decision-making.
- Foundation model providers whose agentic offerings are deployed by enterprises in customer-facing contexts.
- Sector-specific agentic AI vendors (legal, healthcare, financial services) where domain risk is material.
The enterprise buyer audience includes CISOs evaluating AI vendors, procurement teams handling agentic AI purchases, legal teams assessing contractual risk, AI governance teams operationalising vendor management, and risk and compliance functions that need third-party assurance over agents being deployed in operations. Industry adopters in early certification waves include voice AI (ElevenLabs, first voice AI company certified) and agentic automation (UiPath, certified across IXP, Agents, and Autopilot through audit by Schellman covering more than 2,000 enterprise risk scenarios).
What it covers. The standard covers six core domains. Each domain combines control requirements that the vendor must implement and adversarial testing that probes whether the controls hold under realistic attack and stress conditions:
- Data & Privacy. How the agent handles sensitive data: data minimisation, access controls within agent operations, prevention of training-data leakage during interactions, retention and deletion practices, and alignment with applicable data protection regulation (GDPR and US state privacy laws).
- Security. Resistance to adversarial manipulation: prompt injection defences, jailbreak resistance, agent identity and permission management, third-party and supply-chain risk for components used by the agent, model context protocol (MCP) security where applicable.
- Safety. Prevention of harmful content generation: harassment, illegal content, dangerous instructions, content harmful to children. Includes refusal behaviour testing under adversarial conditions.
- Reliability. Behavioural consistency under load and over time: hallucination management, output stability, error handling, performance degradation detection, and fallback behaviour when the agent cannot complete a task safely.
- Accountability. Logging, traceability, incident response: ability to reconstruct what the agent did, why, and with what authority. Incident handling procedures and post-incident analysis.
- Society. Broader impact considerations: fairness in agent behaviour across user populations, transparency about AI use to end users, and management of foreseeable misuse risks.
The standard is updated quarterly, which means the specific control content within each domain shifts as new risks emerge. Recent quarterly updates have focused on MCP security, third-party risk in agent components, and agent identity and permissions — reflecting how rapidly the agentic AI threat surface is evolving.
Obligations
AIUC-1 obligations apply to vendors seeking certification. They divide into three operational layers that operate together: control implementation, independent audit, and technical testing.
Control implementation
Vendors implement the controls specified in the six domains. The control set is risk-based and adapts to the specific agent in scope. An internal-facing agent with limited data access is subject to fewer controls than a customer-facing agent with access to sensitive data and authorised to take consequential actions on behalf of users. The scoping process produces a tailored control set for each agent or agent family being certified.
The control layer includes operational controls (access management, change management, logging, incident response), technical controls (input validation, output filtering, agent identity systems, permission boundaries, monitoring), and contractual controls (commitments to customers regarding agent behaviour, data handling, and incident notification).
Vendors must remediate material issues — P0 and P1 vulnerabilities, operational control gaps — before a full certificate is issued. This mirrors the SOC 2 convention where only unqualified attestations support “SOC 2 compliant” claims; partially remediated assessments do not yield a full AIUC-1 certificate.
Independent audit
The vendor selects an authorised AIUC-1 auditor, which collects evidence and writes the audit report. Schellman became the first authorised AIUC-1 auditor in 2025, and additional auditors have been authorised by AIUC since. The audit examines documentary evidence, control implementation, and operational practice across the six domains. It produces a report comparable in structure to a SOC 2 Type II report.
Technical testing
AIUC conducts the technical testing layer directly. This is what differentiates AIUC-1 from purely documentation-based certifications. The testing includes:
- Adversarial testing. Active attempts to manipulate the agent through prompt injection, jailbreak techniques, and other attack vectors documented in MITRE ATLAS and the latest AI security research.
- Harmful content elicitation testing. Probing the agent’s refusal behaviour against attempts to generate prohibited content categories.
- Data leakage testing. Probing whether interactions with the agent can extract sensitive data the agent was trained on or has access to.
- Behavioural consistency testing. Probing whether the agent’s outputs remain stable under adversarial input variation.
- Tool misuse testing. For agents with tool-use capability, probing whether tools can be invoked outside authorised boundaries.
Technical testing is performed at certification and at least every three months thereafter. This quarterly cadence is structurally important: it converts the certificate from a snapshot at the audit date into an ongoing assurance signal that adapts to the evolving threat landscape. A certificate that has not undergone its scheduled quarterly testing is not valid.
Certificate lifecycle and remediation
The certificate has twelve-month validity. Quarterly technical testing maintains validity. The standard itself is updated quarterly by AIUC in collaboration with technical contributors, which means certified vendors must keep pace with revisions and have any new material requirements integrated into their control set during the recertification cycle. Failure to remediate material findings during the cycle results in suspension or withdrawal of the certificate.
Timeline / Implementation
AIUC-1 has a publication calendar rather than a statutory implementation calendar. The cadence reflects how rapidly the agentic AI threat landscape evolves:
- July 2025 — AIUC-1 v1 launched. Schellman becomes first authorised auditor. ElevenLabs becomes first voice AI company certified.
- 2025–2026 — Initial enterprise adoption wave. Cisco joins as technical contributor; AIUC-1 operationalises Cisco’s Integrated AI Security Framework.
- Quarterly — AIUC publishes formal updates to the standard, integrating contributions from technical partners and reflecting evolutions in the threat landscape. Recent quarterly focuses include MCP security, third-party risk management, and agent identity and permissions.
- 2026 — Adoption accelerates among AI-native vendors and enterprise agentic AI deployments. UiPath certifies IXP, Agents, and Autopilot through audit by Schellman covering more than 2,000 enterprise risk scenarios. Crosswalks mature with NIST AI RMF, ISO/IEC 42001, and EU AI Act, supporting multi-framework alignment.
- Ongoing — Authorised auditor base broadens beyond Schellman. Discussions develop regarding integration with EU AI Act conformity assessment for high-risk agentic AI systems and possible recognition pathways with formal accreditation bodies.
For vendors, the operational implication is that AIUC-1 is operative now and is the recognised reference for agent-specific assurance. For enterprise buyers, the operational implication is that AIUC-1 certification status is increasingly part of vendor diligence for agentic AI procurement, particularly in regulated industries and in customer-facing deployments where brand and compliance risk are material.
How Zertia covers it
AIUC-1 governance operates through a structure that differs from the IAF/ISO accreditation system in important respects, and we should describe it accurately.
AIUC as standard owner. The Artificial Intelligence Underwriting Company maintains AIUC-1, publishes quarterly updates, authorises auditors, conducts technical testing, and issues the certificate. The standard development draws on technical contributors (currently including Cisco, ElevenLabs, MITRE, Stanford, and MIT), feedback from over 500 enterprise risk leaders (including CISOs from Google Cloud and MongoDB), and ongoing engagement with the AI security research community.
Authorised auditor model. AIUC accredits its auditors directly. Schellman was the first authorised auditor; the authorised auditor list expands as AIUC qualifies additional firms. This structure differs from ISO/IEC 42001 certification, where an accreditation body governed by ISO/IEC 17011 accredits certification bodies under ISO/IEC 42006 criteria. The AIUC model concentrates standard-setting, auditor authorisation, and technical testing within the standard owner. The benefit is operational coherence and rapid evolution of the standard with the threat landscape. The cost is that the certificate’s credibility depends on AIUC’s institutional discipline rather than on independent accreditation infrastructure. Both can produce trustworthy outcomes, but they produce them through different governance pathways.
Technical contribution model. Cisco’s contribution is a specific example: AIUC-1 operationalises Cisco’s Integrated AI Security Framework, which means the standard incorporates Cisco’s threat model and control content for agent security. ElevenLabs joined as a technical contributor focused on voice-specific requirements. MITRE’s contribution links AIUC-1 to MITRE ATLAS, the catalogue of adversarial techniques for AI systems. This contribution model is how the standard remains current: the standard owner aggregates expertise from frontier vendors and research institutions and operationalises it into testable controls.
Crosswalk maintenance. AIUC publishes crosswalks between AIUC-1 and other AI governance instruments — ISO/IEC 42001, NIST AI RMF, EU AI Act — so that an AIUC-1 certified vendor can demonstrate alignment with multiple frameworks without duplicating audit effort. The crosswalks are maintained as part of the quarterly update cycle.
Market acceptance as governance signal. New certifications earn credibility through cycles of scrutiny and adoption. AIUC-1 is in the early phase of that cycle. Its structural acceptance — by enterprise buyers, by sectoral regulators, by accreditation bodies — will sharpen as more vendors are certified, as auditor practice consolidates, and as integration with established regulatory frameworks (particularly the EU AI Act) matures.
Regulation you understand is regulation you can turn into competitive advantage.
Not sure if this framework applies to your organization? Talk to us.
