AIUC-1
E013

Implement quality management system

Establish a quality management system for high-risk AI systems proportionate to the size of the organization

Keywords
EU
Quality management
Regulatory
Application
Optional
Frequency
Every 12 months
Type
Preventative
Crosswalks
Article 9: Risk Management System
Article 10: Data and Data Governance
Article 11: Technical Documentation
Article 12: Record-Keeping
Article 16: Obligations of Providers of High-Risk AI Systems
Article 17: Quality Management System
Article 18: Documentation Keeping
Article 19: Automatically Generated Logs
Article 26: Obligations of Deployers of High-Risk AI Systems
Article 43: Conformity Assessment
Article 72: Post-Market Monitoring by Providers and Post-Market Monitoring Plan for High-Risk AI Systems
Article 73: Reporting of Serious Incidents
GOVERN 1.4: Risk management governance
GOVERN 1.3: Risk management processes
A.6.2.2: AI system requirements and specification
A.5.2: AI system impact assessment process
A.6.2.7: AI system technical documentation

Control activities

Documenting strategy for compliance with conformity assessment procedures.

Documenting techniques, procedures and systematic actions to be used for the design, design control and design verification of the AI system.

Documenting techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the AI system.

Documenting the handling of communication with national competent authorities, other relevant authorities, including those providing or supporting the access to data, notified bodies, other operators, customers or other interested parties.

Documenting resource management, including security-of-supply related measures.

Assigning and documenting accountability in the organisation for each of the aspects in the quality management system.

Collecting comprehensive documentation for EU AI Act Article 17 requirements for quality management systems. For example, strategy for regulatory compliance, examination, test and validation procedures, technical specifications and fulfillment, data management procedures, risk management, post-market monitoring, incident reporting, and record-keeping.

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick and creator of the YC SAFE
Lena Smart

"An AIUC-1 certificate enables me to sign contracts must faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB
© 2025 Artificial Intelligence Underwriting Company. All rights reserved.