Frequently asked questions

Q: Who can certify organizations against AIUC-1?

A: Only the Artificial Intelligence Underwriting Company can issue the official AIUC-1 certificate. AIUC-1 has a community of managed service providers, GRC platforms and adversarial testing providers to enable organizations to fill potential gaps in their desired way. See accredited AIUC-1 auditors here.

Q: How long does it take?

A: Most organizations earn the AIUC-1 certificate in 5-10 weeks. Companies starting from zero may take longer to fill the gaps. Companies that already have a comprehensive AI risk management function will likely be able to earn the AIUC-1 certificate even faster.

Q: How long is an AIUC-1 certificate valid?

A: The AIUC-1 certificate is valid for 12 months. Technical testing is required at least every 3 months to keep the certificate valid.

Q: Does an AIUC-1 certificate guarantee AI agents are secure, safe and reliable?

A: No standard can eliminate all risks inherent in deploying AI systems, and certification represents a point-in-time assessment of controls, not a warranty of future performance or outcomes. Organizations change, systems evolve, and new risks emerge. An AIUC-1 certificate demonstrates that an organization takes AI governance seriously and has invested in demonstrable controls that work in practice when tested, but should not substitute independent risk assessment and ongoing monitoring.

Q: Does an AIUC-1 certificate mean that the Artificial Intelligence Underwriting Company has built the safeguards for the certified organization?

A: No. The AIUC-1 certification is designed to verify and complement an organization’s internal safety and security practices. While the AIUC-1 standard provides a blueprint for organizations to develop their safety and security practices, in line with industry best practices, organizations cannot rely on the AIUC-1 certification process to build out such processes from scratch.

Q: My AIUC-1 gap analysis revealed gaps. Can you help fill these?

A: AIUC has developed a library of policy templates, blueprints for technical safeguard implementation, and guidance on other areas where work may be needed to pass the requirements. Auditors work directly with organizations to explore paths to meeting requirements - and can refer you to qualified MSPs if you want additional help making the certification process smooth.

Q: How is AIUC-1 different from ISO 42001?

A: ISO 42001 focuses on establishing AI governance frameworks and management systems, while AIUC-1 focuses on validating the robustness of safeguards through independent technical testing. The technical rigour of AIUC-1 makes it desirable for many organizations that have already achieved ISO 42001 accreditation. Read more here.

Q: How is AIUC-1 different from SOC 2?

A: SOC 2 has become the industry-standard for cybersecurity, but it is not AI-specific and therefore doesn’t cover risks unique to AI. AIUC-1 integrates the principles that made SOC 2 a success and evolving in the places where SOC 2 creates frustrations. Read more here.

Q: How does AIUC-1 compare to other frameworks like the NIST AI RMF and the EU AI Act?

A: AIUC-1 operationalizes the top emerging AI frameworks like ISO42001, NIST AI RMF, and the EU AI Act, demonstrated by comprehensive crosswalks. Read more here.

Q: Who developed AIUC-1?

A: AIUC-1 was developed with the AIUC-1 Consortium and a large group of Technical Contributors from organizations including Orrick, Stanford, MIT, Carnegie Mellon, Cisco, MongoDB, Google Cloud, Faculty and more. Technical Contributors review the standard quarterly to ensure it keeps up with technological change, emerging best practices, and novel threat patterns.