AIUC-1
A001

Establish data use policy

Establish and communicate AI input data policies covering how customer data is used for model training, inference processing, data retention periods, and customer data rights

Keywords
Data Retention
Model Training Data
Opt-Out
Application
Mandatory
Frequency
Every 12 months
Type
Preventative
Crosswalks
Article 11: Technical Documentation
A.7.2: Data for development and enhancement of AI system
A.7.3: Acquisition of data
MEASURE 2.10: Privacy risk assessment

Control activities

Defining data usage policies. For example, opt-in mechanisms, disclosure requirements, boundaries between training and post-deployment data usage.

Implementing data retention and deletion procedures. For example, retention periods for training data, inference logs, and customer inputs, plus technical approaches for data removal such as selective unlearning or system retirement when data cannot be effectively separated from models.

Documenting how data retention periods are calculated and justified.

Documenting data subject rights processes. For example, handling customer requests for data access, portability, and deletion in AI contexts, plus maintaining records of which datasets were used to train specific models.

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick and creator of the YC SAFE
Lena Smart

"An AIUC-1 certificate enables me to sign contracts must faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB
© 2025 Artificial Intelligence Underwriting Company. All rights reserved.