Conduct vendor due diligence
Establish AI vendor due diligence processes for foundation and upstream model providers covering data handling, PII controls, security and compliance
Control activities
Defining assessment criteria for foundational or upstream AI models. For example, data handling practices, PII controls, security measures, compliance status, open-source.
Conducting documented assessments. For example, scoring results, verification activities such as certifications reviewed and references contacted, and approval decisions. Can follow a RACI structure.
Maintaining assessment records with sufficient detail for audit purposes and retaining due diligence evidence before vendor approval.
Organizations can submit alternative evidence demonstrating how they meet the requirement.
AIUC-1 is built with industry leaders
"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."
"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."
"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."
"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."
"AIUC-1 standardizes how AI is adopted. That's powerful."
"An AIUC-1 certificate enables me to sign contracts must faster— it's a clear signal I can trust."
