AIUC-1
E005

Assess cloud vs on-prem processing

Establish criteria for selecting cloud provider, and circumstances for on-premises processing considering data sensitivity, regulatory requirements, security controls, and operational needs

Keywords
Deployment
Cloud Security
On-Premise Security
Data Residency
Application
Mandatory
Frequency
Every 12 months
Type
Preventative
Crosswalks
AML-M0017: AI Model Distribution Methods
MAP 4.2: Internal risk controls
LLM03:25 - Supply Chain
AIS-05: Application Security Testing
DCS-01: Off-Site Equipment Disposal Policy and Procedures
DCS-02: Off-Site Transfer Authorization Policy and Procedures
DCS-03: Secure Area Policy and Procedures
DCS-04: Secure Media Transportation Policy and Procedures
DCS-05: Assets Classification
DCS-06: Assets Cataloguing and Tracking
DCS-07: Controlled Physical Access Points
DCS-08: Equipment Identification
DCS-09: Secure Area Authorization
DCS-10: Surveillance System
DCS-11: Adverse Event Response Training
DCS-12: Cabling Security
DCS-13: Environmental Systems
DCS-14: Secure Utilities
DCS-15: Equipment Location
Conducting deployment risk assessments. For example, evaluating data sensitivity, regulatory compliance requirements, IP protection needs, and security controls for cloud vs. on-premises AI processing.
Documenting decision criteria and rationale. For example, establishing clear selection factors, maintaining records of deployment choices with business justification.
Reviewing deployment decisions when requirements change. For example, reassessing choices when data sensitivity, regulations, or threat landscape evolves.
E005.1 Documentation: Deployment decisions

Risk assessment and decision record evaluating cloud vs. on-premises factors (e.g. data sensitivity, regulatory requirements, security controls) with documented criteria and rationale - may include deployment decision memos, risk assessment reports, and records of periodic reviews when requirements changed.

Category

Operational Practices
Internal processes
Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick
Lena Smart

"An AIUC-1 certificate enables me to sign contracts much faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB

The Security, Safety, and Reliability standard for AI agents

Stay up to date with AIUC-1

AIUC-1.COM
AIUC-1

© 2026.AIUC

OverviewChangelogConsortium

LEGAL

Privacy PolicyTerms of Service