Will Percey — Portfolio

AIUC-1 Standard

> > Updated Feb 2026

verified

The Standard

AIUC-1 is the first comprehensive standard for AI agent security, safety, and trustworthiness. It establishes measurable requirements across six critical domains, giving enterprises a framework to assess whether their AI vendors and internal systems meet a verifiable bar.

The standard addresses a fundamental gap: enterprises cannot reliably assess the security posture of their AI vendors. Without a common benchmark, every organisation reinvents due diligence from scratch. AIUC-1 provides that benchmark, with independent third-party certification rather than self-assessment.

The standard is updated quarterly to reflect emerging threats and regulatory changes. It was developed with over 40 contributors including Microsoft, Google Cloud, JPMorgan Chase, Stanford, and MITRE.

hexagon

Six Domains

AIUC-1 organises its requirements into six domains. Each domain defines specific, testable criteria rather than aspirational guidance.

security

Security open_in_new

6 mandatory, 3 optional

Preventing unauthorised access through adversarial testing and jailbreak safeguards. Covers prompt injection resistance, input/output sanitisation, and red-teaming requirements.

B001Conduct quarterly adversarial security testing by independent third parties

B002Block known jailbreak techniques including prompt injection, role-play exploits, and encoding attacks

B004Prevent endpoint scraping and unauthorised bulk data extraction

B006Prevent agents from executing unauthorised actions or accessing restricted resources

B009Limit output over-exposure to prevent leaking internal reasoning or system prompts

health_and_safety

Safety open_in_new

9 mandatory, 3 optional

Mitigating harmful outputs via third-party testing and human review. Defines thresholds for content filtering, toxicity detection, and escalation procedures when safety boundaries are approached.

C001Maintain a risk taxonomy classifying harmful output categories with severity levels

C003Prevent generation of content that facilitates violence, self-harm, or illegal activity

C005Prevent generation of child sexual abuse material

C007Provide mechanisms for users to report harmful outputs with documented response procedures

C010Conduct quarterly third-party safety testing against the risk taxonomy

verified

Reliability open_in_new

4 mandatory, 0 optional

Addressing hallucinations and unauthorised tool calls. Requires measurable accuracy benchmarks, grounding verification, and controls preventing agents from taking actions outside their declared scope.

D001Implement controls to prevent hallucinated outputs with measurable accuracy benchmarks

D002Conduct quarterly hallucination testing with documented pass/fail thresholds

D003Restrict agents from making unsafe or unauthorised tool calls outside declared scope

D004Conduct quarterly tool call safety testing to verify scope enforcement

assignment_ind

Accountability open_in_new

15 mandatory, 2 optional

Enforcing governance, failure planning, and oversight. Requires documented ownership chains, incident response procedures, audit trails for agent actions, and defined escalation paths for failures.

E001Document failure planning including incident response, rollback, and communication procedures

E004Assign clear accountability for AI agent behaviour to named individuals or teams

E006Perform vendor due diligence for all third-party AI components and models

E015Log all model activity with sufficient detail for post-incident forensic analysis

E016Disclose AI involvement to end users when agents interact on behalf of the organisation

lock

Data & Privacy open_in_new

7 mandatory, 0 optional

Protecting against leaks, PII exposure, and unauthorised training. Covers data retention policies, consent management, cross-border data handling, and controls preventing model training on customer data.

A001Define and enforce an input data policy covering collection, retention, and deletion

A003Limit agent data collection to the minimum required for the declared task

A005Prevent cross-customer data exposure through tenant isolation controls

A006Prevent PII leakage in model outputs with automated detection and redaction

A007Prevent intellectual property violations including unauthorised reproduction of copyrighted material

public

Society open_in_new

2 mandatory, 0 optional

Guarding against catastrophic risks and system misuse. Addresses concentration of power, societal impact assessment, dual-use risk evaluation, and requirements for human override capabilities.

F001Prevent AI systems from being used for cyber attacks, surveillance, or unauthorised offensive operations

F002Prevent catastrophic misuse including CBRN (chemical, biological, radiological, nuclear) applications

hub

Framework Integration

AIUC-1 does not replace existing frameworks. It maps to them, providing a unified assessment that covers requirements from multiple regulatory and industry standards simultaneously.

Framework	Scope	Relationship
ISO 42001	AI management systems	AIUC-1 requirements align with ISO 42001 controls. Certification evidence can support ISO 42001 compliance documentation.
MITRE ATLAS	Adversarial threat landscape for AI	Security domain testing references ATLAS attack techniques. Adversarial testing covers known ATLAS threat vectors.
EU AI Act	European AI regulation	Domain requirements map to high-risk AI system obligations. Certification evidence supports conformity assessment documentation.
NIST AI RMF	AI risk management framework	Six domains align with NIST AI RMF functions (Govern, Map, Measure, Manage). Assessment methodology follows NIST risk-based approach.
OWASP Top 10 for LLMs	LLM-specific security vulnerabilities	Security domain covers all OWASP LLM Top 10 categories. Testing includes prompt injection, insecure output handling, and training data poisoning.

workspace_premium

Certification

AIUC-1 certification is granted by independent third-party auditors, not by self-assessment. This is a deliberate design choice: the value of the standard depends on the credibility of the assessment process.

person_check

Independent Auditors

Accredited third-party assessors (such as Schellman) conduct the evaluation. The organisation being assessed does not evaluate itself. This mirrors the model used by SOC 2 and ISO certifications.

update

Quarterly Updates

The standard evolves with the threat landscape. New attack vectors, regulatory changes, and lessons from incidents are incorporated quarterly. Certified organisations must maintain compliance with current requirements.

fact_check

Evidence-Based

Certification requires demonstrable evidence, not policy documents alone. Auditors test adversarial resistance, review incident response procedures in practice, and verify that controls are operational rather than aspirational.