AIUC-1 Explained: The AI Agent Security Standard

AIUC-1 is the first security standard for AI agents, combining independent audits, continuous adversarial testing, and a comprehensive control framework to help organizations assess, certify, and secure AI agents against real-world threats.

In This Article

    AIUC-1 is the first standard built explicitly for AI agents. That's the autonomous systems that act within your business workflows, rather than merely responding to questions. Published by AI Underwriting Company (AIUC), AIUC-1 includes a compendium of security controls, coupled with independent assurance and continuous adversarial testing. If you work at an organization utilizing AI agents, and someone on the board, or a customer, or a procurement team has started asking how you're mitigating risk, AIUC-1 is going to be the answer you'll be expected to know.

    Here we provide an overview of what AIUC-1 entails, who authored it, how it relates to frameworks you may already be using (like the NIST AI Risk Management Framework and ISO/IEC 42001), and how to approach alignment if it's on your roadmap. The standard is reviewed quarterly, so this will cover the most up to date spec as of mid-2026, including the new January 2026 revision that clarified existing requirements and introduced voice-specific controls.

    AIUC-1 Readiness Self-Assessment | Mindgard
    Mindgard MINDGARDAI SECURITY

    AIUC-1 Readiness Self-Assessment

    Answer one question per AIUC-1 risk domain to gauge how close your AI agents are to audit-ready. This is an informal self-check, not a certification. Scored in your browser.

    0 / 6
    Answer the six questions
    Test your agents with Mindgard →
    About the six domains

    Questions map to the six AIUC-1 risk domains: Data & Privacy, Security, Safety, Reliability, Accountability and Society. The security, safety and reliability domains require adversarial testing that documentation alone cannot satisfy. Source: AIUC-1.

    What is AIUC-1? 

    AIUC-1 is an agent-centric standard for security, safety and assurance of AI agents. Rather than treating AI functionality as something to manage like a model or document like a feature, AIUC-1 assumes that an agent can do. An agent can call tools, move data, initiate transactions, and chain steps with zero people in the loop. This capability introduces failure modes that don't map easily onto traditional cyber security practices or previous AI governance initiatives.

    Released in mid-2025, the standard is segmented into six risk categories, which are further divided into numbered requirements labeled as required or optional. Unique to it, however, is its approach to testing. Beyond simply verifying documentation, AIUC-1 tests how an agent actually operates across over 5,000 adversarial scenarios based on real world events. Updated quarterly, this list evolves with the rising threat landscape.

    Summed up in one sentence: AIUC-1 is an AI agent control catalog that is externally assured through independent audit and continuous adversarial testing, rather than self-attestation.

    Old controls were built on assumptions that agents break. Traditional apps have a specific set of behaviors a tester can identify. Agents choose at runtime what to do and which tool(s) to call. They can even be influenced by the very text they process. A control that validates a static API provides little security against an agent that can be convinced to abuse that API. AIUC-1 fills that void.

    Who Publishes AIUC-1

    Comparison chart showing AIUC-1 versus ISO/IEC 42001, NIST AI RMF, and OWASP LLM Top 10, highlighting that AIUC-1 uniquely combines a control catalog, built-in adversarial testing, independent certification, and quarterly updates for AI agent security

    AIUC-1 is issued by the Artificial Intelligence Underwriting Company. After operating in stealth mode, AIUC publicly launched in July 2025 with a $15 million seed round led by Nat Friedman at NFDG with Emergence, Terrain, and Anthropic founder Ben Mann also participating. AIUC's founders are from Anthropic, McKinsey, the Center for AI Safety and METR, giving them familiarity with both AI safety research and enterprise risk management.

    The standard itself was developed with consortium input from over 100 Fortune 500 CISOs and security executives across industries. Technical insight for the standard came from companies like Microsoft, Cisco, JPMorgan Chase, UiPath and ElevenLabs. AIUC operates two businesses: one side is the standard and audit. The other is actually insurance products written against that standard. Related, but two separate offerings. It's helpful to think of them that way. AIUC-1 is the standard your company certifies against. The insurance is something else companies may purchase after they're certified.

    The Governance Question Experts Are Raising

    AIUC has a unique role in its supply chain. It writes the standard, accredits the auditors certifying companies to that standard, and underwrites insurance policies that price risk according to that same standard. Media reports have indicated that AIUC is actually not a licensed insurance carrier itself. Instead, AIUC is operating in a MGA/underwriting capacity in partnership with a licensed carrier (Beazley has been named as one such underwriting-capacity partner) who issues the policy and would have liability for claims payments.

    Under this arrangement, AIUC designs the program, underwrites/prices risk, binds coverage and retains the commission on any premium it writes and any other monies provided for under the agreement between the parties. This may also include contingent commissions based on the performance of the insurer’s book of business (i.e., fewer losses).

    AIUC markets its standards work and its insurance work as separate products. Some observers, however, have questioned the arrangement of having a single organization write the standard, accredit the certifiers and underwrite the insurance product priced against that standard.

    Cybersecurity expert and SANS Institute faculty fellow Lenny Zeltser has described it as analogous to the issuer-pays model used by credit rating agencies, where credit-worthy businesses pay rating agencies for their rating services. This practice has been widely blamed for the over-inflated ratings leading up to the 2008 financial crisis.

    The founders of AIUC have rejected that analogy. They point out that since AIUC has "skin in the game" with regard to how the insurance program performs, there is an intrinsic incentive for corrective action: losses by insured agents adversely impact AIUC’s commission economics.

    One other distinction worth pointing out is that the incentive differs from that of a traditional insurer taking on 100% underwriting risk on its own books. AIUC's risk is derived through commission and contingent-commission on a carrier partner's book of business.

    Mike Kim, cofounder and CEO of AI governance consultancy Mycroft.io, explains it plainly:

    “AIUC-1 is the framework you adopt when your product is an agent and the people evaluating you are technical. It is open source as a standard, but the certifier and the insurer are the same entity. That is something every buyer should understand before they commit.”

    Security researcher Zack Korman has made the broader argument that this vertical integration (writing the framework, performing technical reviews, granting certificates, and underwriting the insurance that the certificate provides) results in conflicts of interest at each stage, regardless of the precise structure of AIUC’s insurance arm.

    None of this is intended to suggest that AIUC-1 isn’t a substantive and well-thought-out standard. It’s clear that the consortium of Fortune 500 CISOs and technical experts who have developed the standard are practitioners who take their work seriously. However, the governance around how the standard-setting body, certifiers, and insurance underwriters relate to one another is something organizations should fully understand before embarking on the certification journey, especially for organizations operating in regulated industries where independence of assurance activities is scrutinized by regulators.

    The Six Risk Domains AIUC-1 Covers

    The content of AIUC-1 spans six domains. Each domain focuses on a type of agentic failure, and specifies what types of control are needed to mitigate it.

    Data and Privacy

    This domain concerns the ways in which an agent can misuse data. Failures include unauthorized data extraction via tools, prompt-Injected exfiltration attacks by which an attacker manipulates an agent to leak data they have access to, and training-data leakage appearing in agent responses. Controls include those for data minimization, access scope, and output filtering.

    Security

    The security domain addresses attacks against the agent itself: prompt injection, jailbreaks, tool-use abuse and compromise of externally-hosted Model Context Protocol (MCP) servers that link agents to other systems. The latest quarterly update put more meat on these bones, adding controls for MCP security once it became ubiquitous as an integration mechanism. Security is the domain where adversarial testing really matters. Approaches such as AI red teaming can give you the evidence that a control actually works.

    Safety

    Safety concerns harm that the agent could cause via its behaviors or outputs: producing harmful outputs, calling a tool in an unsafe way or taking an action that results in financial loss or physical harm. Controls revolve around guardrails, action restrictions and escalation to a human for high-stakes operations.

    Reliability

    How well does the agent perform its intended function without failing? Failures here include hallucinations that slip through into business-critical workflows, inconsistent outputs when subjected to adversarial pressures, and degradation under load. For agents that approve refunds or automatically file tickets, reliability is a security property.

    Accountability

    This category answers the question of who did what. It includes agent identity and permissions, audit trails and human-in-the-loop checkpoints. Recent iteration further clarified agent identity, as many organizations find themselves rapidly deploying agents requiring clear, accountable permissions.

    Society

    The sixth pillar covers broader harms: automated decision bias, disparate impact to groups and third-party risk propagated through an agent's integrations. This is where AIUC-1 overlaps most with existing AI risk efforts such as ISO/IEC 23:894. The controls consider not just a single deployment but its downstream effects as well.

    NIST AI RMF, OWASP LLM Top 10 and ISO/IEC 42001: How AIUC-1 Compares 

    Many of you assessing AIUC-1 are already running at least one other framework. The question isn't necessarily which to choose, but rather where AIUC-1 fits. Below is a table with the four compared side by side.

    Framework Publisher Primary focus Technical testing Certification Update cadence Best used for
    AIUC-1 AIUC Agent controls plus adversarial testing Yes, built-in Yes, independent audit Quarterly Certifying that a deployed AI agent is tested and assured
    NIST AI RMF NIST Governance and risk management No, guidance only No Periodic, plus a 2024 generative AI profile Standing up an AI risk-management program
    OWASP LLM Top 10 OWASP Threat catalog for LLM apps No, informs testing No Periodic list updates Threat awareness and planning what to test
    ISO/IEC 42001 ISO/IEC AI management system No Yes, accredited bodies Standard revision cycle Certifying an organizational AI management system

    The bottom line is that AIUC-1 is the only framework of the four that combines a control catalog with technical testing done independently of the security team and continuous assurance. NIST AI RMF is focused on governance and instructs you how to organize an AI risk management program. ISO/IEC 42001 certifies that you have an effective AI management system. This certifies an organizational process rather than testing any particular agent. The OWASP LLM Top 10 is a threat catalog which informs you about what can go wrong, but it doesn't certify anything.

    For that reason, enterprises are layering AIUC-1 on top of these frameworks, not replacing them. NIST/ISO helps determine if you govern AI responsibly as an organization. AIUC-1 helps determine whether this specific agent has been tested against realistic attacks and validated by a third party. Coming at this from the ISO perspective, our article on ISO/IEC 23894 covers the risk-management standard most adjacent to AIUC-1’s Society consideration.

    Regulatory Positioning

    AIUC-1 is voluntary, not required by regulators or laws, and does not directly correlate to existing compliance requirements your organization may already be subject to. That's significant as regulation continues to tighten.

    The EU AI Act took effect in 2024, and it requires AI systems to adhere to risk-tiered transparency, human oversight and robustness requirements. These requirements map heavily to AIUC-1's categories of safety and security, reliability and performance, and accountability. Certification to AIUC-1 will not independently demonstrate compliance with the EU AI Act; however, if an organization is working towards both, there will be significant overlap in the controls assessments. It's worth the effort to document that mapping explicitly to reduce duplicated effort and to show regulators that you're acting in good faith.

    While the US lacks an overarching federal AI law or regulation, individual states are beginning to take action quickly. Sector-specific regulators, especially in fintech and healthcare, are paying close attention to automated decision-making. Much of what falls under AIUC-1's categories of society and accountability relate directly to the types of bias, transparency, and auditability concerns these regulators are focusing on.

    In practice, this means AIUC-1 should not be considered in isolation from your existing compliance requirements. Plan your roadmap by mapping AIUC-1 controls to your existing regulatory mandates. In many cases you'll find significant overlap in the control work, meaning certification effort you've already completed counts toward both. A standard that already requires third-party assessment has greater credibility with regulators than a self-attestation.

    Certification and Assurance: How AIUC-1 Is Different

    AIUC-1 is built around three layers of assurance. Layer 1 is the control catalog that tells you what you need to do for each of the six domains. Layer 2 is independent auditing. Someone other than yourself verifies that you did what you say you did. Schellman was the first auditor to be accredited. ElevenLabs was the first company to achieve the certification. Layer 3 is continuous technical testing. Instead of simply checking boxes on paper, the deployed agent is put through the paces with adversarial testing. 

    When conducting an audit, you’ll review evidence for all six domains: scoping data access, hardening the agent against performing unsafe actions, identity and permission assignment and how your team responds when a penetration test finds a failure. The adversarial testing is what differentiates passing from merely completing a paperwork exercise. You will want to show that the agent was attacked with modern tactics and that your controls withstood the attempt or vulnerabilities were remediated and retested.

    How Adversarial Testing Actually Works

    AIUC-1 mandates adversarial testing for security, safety, and reliability. However, it leaves specifics to the discretion of the auditor and your organization. Typically, adversarial testing involves a mix of automated scenario testing and manual red teaming efforts. The automated testing involves running your deployed agent against a library of more than 5,000 adversarial scenarios, including prompt injection variations, jailbreak variants, tool-use abuse patterns, and data extraction probes. 

    These scenarios are based on real-world failures and are expanded quarterly in tandem with updates to the standard itself. The manual portion consists of human red teamers attempting to fail your agent in ways the scripted scenarios cannot, such as chained attacks which manipulate agents through a series of steps.

    Responsibility is shared. While the accredited auditor is responsible for performing and validating the testing, your team should be performing continuous testing in-between quarterlies instead of waiting for someone else to identify vulnerabilities first. That's why a purpose-built continuous testing platform like Mindgard makes sense: you need to be able to produce and monitor attacks continuously, not just during audits.

    "5,000+ scenarios" refers to coverage across attack categories, not unique attack techniques. Within one category there can be many versions of that attack: prompt injection done by direct injection through user input, indirect injection where the agent pulls information from a tool that contains the injection, attempts to evade detection through multilingual payload injection, etc. While the number implies breadth of coverage, what ultimately matters is if the scenario library applies to your agent's tools and permissions. A voice agent and a code-execution agent have substantially different threat surfaces.

    The breadth of that threat surface is also why testing can't be a one-time event.

    That's where the cadence comes in. AIUC-1 certificates are valid for 12 months. But to remain certified, you must complete quarterly technical exams to demonstrate continued proficiency. The standard itself updates quarterly. The January 2026 revision changed dozens of requirements and introduced a large block of voice-specific controls, directly in response to the proliferation of voice agents. A certification program that only ships documentation once a year simply cannot keep up with that.

    One that requires re-testing every three months can. This is also where adversarial testing stops being elective: passing the security, safety and reliability domains require you to run real attacks against your live agent. The same kind of discipline that goes into red teaming AI applications in enterprise settings. If your team is thinking through where this fits in a larger credential strategy, our roundup of AI risk management certifications can help you slot AIUC-1 into the larger picture.

    What Happens If You Fail? 

    AIUC-1 does not publicly document a remediation or grace period procedure. Lack of published procedure is something to discuss with your auditor upfront. From what we know, your certification is good for 12 months if you pass quarterly technical exams. If you fail a quarterly exam, your certification is on the line (not just your internal score). If your organization has committed to certification as part of a procurement or contract requirement, that is a business risk you'll want to address proactively.

    As it relates to audits, we recommend treating each quarterly window as a deadline with a runway, not a pass/fail moment. Allow for continuous testing in between periods so you fail privately (with time to remediate) before you fail on the exam itself. Organizations that will be most successful in doing this are those that have already integrated adversarial testing into a regular program vs. bootstrapping reactively when the quarter begins. If your agent is halfway through deployment when you realize a control is failing, being aware that three months out is vastly different than discovering it the week of your audit.

    Until AIUC defines explicit remediation timelines and how partial certifications will be handled, these are questions you’ll want to ask your accredited auditor directly.

    Who is Adopting AIUC-1

    Adoption may be early but is already substantial. ElevenLabs purchased the first AIUC-1-backed AI insurance policy for its voice agents and was the first customer to go-live on the standard. Cisco is contributing technical expertise to the standard. AIUC-1 allows enterprises to begin operationalizing Cisco’s Integrated AI Security and Safety Framework. The standard was developed alongside industry leaders such as Microsoft, JPMorgan Chase and UiPath to name a few. This signals where enterprise demand is being realized.

    Let’s be clear about what those signals mean, though. They indicate large, security-mature organizations are beginning to consider AIUC-1 good enough to adopt and certify against. It is not yet saying that everyone must use AIUC-1 universally. Framed honestly, AIUC-1 is a new agent-specific layer that organizations should learn about now since AI agents are heading into production, not as a standard that everyone will be required to use tomorrow.

    Emerging Competition

    AIUC-1 is the first (and presently only) published standard designed from the ground up specifically for AI agents with independent certification and adversarial testing baked into the framework. But competing agent-specific standards are likely coming, and organizations certifying against AIUC-1 now should factor that into how they think about the commitment.

    The organization most likely to develop a competing framework is NIST. They already have an AI Risk Management Framework with a 2024 generative AI profile baked in, and extending that with agent-specific guidance would be a natural progression as agentic systems become more widespread. A standard with NIST backing would hold a lot of sway with US federal agencies and other industries that default to NIST guidance, and might spur procurement dynamics that run counter to AIUC-1.

    ISO is also slow-moving but occupies comparable turf. ISO/IEC 4 governs certification of AI management systems at the organizational level, and the ISO working groups responsible for it are already hard at work on neighboring standards. A comparable ISO agent-level technical standard would likely have more international cache, especially since alignment to ISO is typical of regulatory compliance discussions in the EU.

    Industry consortia are likewise hard at work. The OWASP LLM Top 10 already provides guidance for agentic threat modeling, and an OWASP standard with a certification program attached is certainly conceivable. Vertical-specific organizations within financial services and healthcare could develop agent governance requirements that override or augment a baseline general-purpose standard such as AIUC-1.

    The honest takeaway today is that AIUC-1 is the first- mover, but not necessarily the permanent incumbent. If certification is going to be a multi-year effort for your organization, keep your eyes open for whether a NIST or ISO equivalent materializes, and how AIUC positions itself with respect to those efforts.

    Cost and Accessibility

    AIUC-1 does not have a set list price for certification. Pricing will vary based on the scale of your agent deployment, which auditor you choose to work with, and how much remediation work is identified by your gap analysis. However, external audits and quarterly adversarial testing cycles are not a lightweight commitment. Plan to budget for the initial audit as well as the infrastructure required for continuous testing and internal engineering resources to remediate issues both prior to your audit and in-between testing cycles.

    Currently, AIUC-1 is realistically aimed at large-scale businesses. The companies we've seen signing up early, like ElevenLabs, Cisco, and JPMorgan Chase, are not small players. If you operate AI agents within a mid-market company or smaller, it’s still good to know the standard, especially if you have enterprise customers that may demand it as part of procurement. However, going for full certification will be a heavy lift without an existing security team and audit program processes in place. Look for AIUC to possibly create tiered or simplified tracks as adoption widens.

    What to Do Next

    If you’re targeting AIUC-1, three steps are prudent whether or not you plan to certify this year.

    Begin with a gap analysis. Chart your current AI agent implementations across the six domains and see where you have areas of no control or no evidence. Simply doing this will quickly highlight your highest-risk areas of exposure

    Second, perform adversarial testing to validate security, safety and reliability. These are domains documentation can’t satisfy because you need evidence that your deployed agent can actually stand up to real attacks. This is where continuous testing really proves its worth. Mindgard’ s AI security platform helps teams generate and track those attacks. If you need a structured starting point, our guide to performing an AI security assessment walks you through the process.

    Third, hire a certified auditor if certification is needed for procurement or customers. Because the certification is good for 12 months and you must test quarterly, manage this as a program, not a project.

    Frequently Asked Questions

    How frequently is AIUC-1 updated? 

    AIUC-1 is revised on a quarterly basis. In addition to certifying against the standard, certified organizations are required to perform quarterly technical testing to maintain a valid certificate over its 12 month duration.

    Is AIUC-1 insurance? 

    No. AIUC-1 is the standard that you certify to. AIUC offers insurance written to that standard, but they are two different things. There's no requirement to purchase the insurance once you're certified.

    Is AIUC-1 necessary if I already practice NIST AI RMF? 

    AIUC-1 and NIST AI RMF are different things. NIST AI RMF is used to help you govern AI risk within your organization. AIUC-1 verifies and certifies that a particular agent has been assured against actual attacks. Many enterprises run both processes.

    Get Your Free AI Risk Management Checklist

    The expert-level checklist for operationalizing NIST AI RMF, ISO/IEC 42001 and the EU AI Act. 190+ interactive items and a board-ready maturity scorecard. Built for CISOs, AI governance leads and ML engineering teams.