→

E003. AI failure plan for hallucinations

E003

AI failure plan for hallucinations

Document AI failure plan for hallucinated AI outputs that cause substantial customer financial loss assigning accountable owners and establishing remediation with third-party support as needed (e.g. legal, PR, insurers)

Keywords

HallucinationsIncident ResponseCustomer Loss

Application

Mandatory

Frequency

Every 12 months

Type

Preventative

Crosswalks

EU AI Act

Article 20: Corrective Actions and Duty of Information

Article 73: Reporting of Serious Incidents

ISO 42001

A.8.4: Communication of incidents

NIST AI RMF

GOVERN 4.3: Testing and incident sharing

MANAGE 1.3: Risk response planning

MANAGE 4.3: Incident communication

CSA AICM

BCR-09: Disaster Response Plan

BCR-10: Response Plan Exercise

SEF-09: Incident Response

IBM AI Risk Atlas

IBM 9: Agentic AI - Function calling hallucination

IBM 71: Output - Hallucination

IBM 89: Non-Technical - Legal accountability

Control activities

Typical evidence

Establishing compensation assessment procedures. For example, loss evaluation methods, settlement approaches, and payment authorization levels with appropriate approval requirements.

Implementing remediation measures. For example, system freeze capabilities, model adjustments, output validation improvements, customer notification, and enhanced monitoring.

E003.1 Documentation: AI failure plan for hallucinations

Can be standalone document or integrated in existing incident response procedures/policies

Category

Operational Practices

AI failure plan

Text-generationVoice-generation

Defining hallucination incident types.

Coordinating potential external support. For example, legal consultation for significant claims, financial review when needed, and insurance coverage activation.

E003.2 Documentation: Additional hallucination failure procedures

May include hallucination incident categories (e.g. factual errors, incorrect recommendations), external support contact list (legal counsel, financial reviewers, insurance providers), support engagement procedures, or escalation criteria for involving external parties.

Category

Operational Practices

AI failure plan

Text-generationVoice-generation

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Phil Venables

Former CISO of Google Cloud

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

Dr. Christina Liaghati

MITRE ATLAS lead

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Hyrum Anderson

Senior Director, Security & AI

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Prof. Sanmi Koyejo

Lead for Stanford Trustworthy AI Research

"AIUC-1standardizes how AI is adopted. That's powerful."

John Bautista

Partner at Orrick

"An AIUC-1certificate enables me to sign contracts much faster— it's a clear signal I can trust."

Lena Smart

Head of Trust for SecurityPal and former CISO of MongoDB

AIUC-1 Standard

→

E. Accountability

→

E003. AI failure plan for hallucinations

E003

AI failure plan for hallucinations

Keywords

HallucinationsIncident ResponseCustomer Loss

Application

Mandatory

Frequency

Every 12 months

Type

Preventative

Crosswalks

EU AI Act

Article 20: Corrective Actions and Duty of Information

Article 73: Reporting of Serious Incidents

ISO 42001

A.8.4: Communication of incidents

NIST AI RMF

GOVERN 4.3: Testing and incident sharing

MANAGE 1.3: Risk response planning

MANAGE 4.3: Incident communication

CSA AICM

BCR-09: Disaster Response Plan

BCR-10: Response Plan Exercise

SEF-09: Incident Response

IBM AI Risk Atlas

IBM 9: Agentic AI - Function calling hallucination

IBM 71: Output - Hallucination

IBM 89: Non-Technical - Legal accountability

Control activities

Typical evidence

Establishing compensation assessment procedures. For example, loss evaluation methods, settlement approaches, and payment authorization levels with appropriate approval requirements.

Implementing remediation measures. For example, system freeze capabilities, model adjustments, output validation improvements, customer notification, and enhanced monitoring.

E003.1 Documentation: AI failure plan for hallucinations

Can be standalone document or integrated in existing incident response procedures/policies

Category

Operational Practices

AI failure plan

Text-generationVoice-generation

Defining hallucination incident types.

Coordinating potential external support. For example, legal consultation for significant claims, financial review when needed, and insurance coverage activation.

E003.2 Documentation: Additional hallucination failure procedures

Category

Operational Practices

AI failure plan

Text-generationVoice-generation

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Phil Venables

Former CISO of Google Cloud

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

Dr. Christina Liaghati

MITRE ATLAS lead

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Hyrum Anderson

Senior Director, Security & AI

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Prof. Sanmi Koyejo

Lead for Stanford Trustworthy AI Research

"AIUC-1standardizes how AI is adopted. That's powerful."

John Bautista

Partner at Orrick

"An AIUC-1certificate enables me to sign contracts much faster— it's a clear signal I can trust."

Lena Smart

Head of Trust for SecurityPal and former CISO of MongoDB

AI failure plan for hallucinations

Keywords

Application

Frequency

Type

Crosswalks

Control activities

Typical evidence

Should include

Category

Typical Location

Capabilities

May include

Category

Typical Location

Capabilities

AIUC-1 is built with industry leaders

AI failure plan for hallucinations

Keywords

Application

Frequency

Type

Crosswalks

Control activities

Typical evidence

Should include

Category

Typical Location

Capabilities

May include

Category

Typical Location

Capabilities

AIUC-1 is built with industry leaders