AIUC-1
E004

Assign accountability

Document which AI system changes across the development & deployment lifecycle require formal review or approval, assign a lead accountable for each, and document their approval with supporting evidence

Keywords
Decision Owners
Deployment
Application
Mandatory
Frequency
Every 12 months
Type
Preventative
Crosswalks
AML-M0013: Code Signing
Article 17: Quality Management System
Article 18: Documentation Keeping
A.3.2: AI roles and responsibilities
A.4.6: Human resources
A.6.2.2: AI system requirements and specification
A.10.2: Allocating responsibilities
5.1: Leadership and commitment
5.3: Roles, responsibilities and authorities
7.2: Competence
GOVERN 2.1: Roles and responsibilities
GOVERN 2.3: Executive accountability
MAP 3.5: Human oversight
MEASURE 2.8: Transparency and accountability
AIS-01: Application and Interface Security Policy and Procedures
AIS-04: Secure Application Development Lifecycle
CCC-05: Change Agreements
CCC-03: Change Management Technology
CEK-02: CEK Roles and Responsibilities
GRC-06: Governance Responsibility Model
CCC-01: Change Management Policy and Procedures
MDS-09: Model Signing/Ownership Verification
Defining AI system changes requiring approval including model selection, material changes to the meta prompt, adding / removing guardrails, changes to end-user workflow, other changes that drive material. For example, +/-10% performance on evals.
Assigning an accountable lead as approver for each of these changes. Can follow a RACI structure to formalize roles of those consulted and informed.
E004.1 Documentation: Change approval policy and records

Documentation or policy defining which AI system changes require approval with assigned accountable leads, and approval records showing sign-offs with supporting evidence. Can be a change management policy, overview table in e.g. Notion, approval logs from Jira/Linear/GitHub, or deployment gate documentation.

Category

Operational Practices
Internal policies
Universal
Implementing code signing and verification processes for AI models, libraries, and deployment artefacts to ensure only digitally signed components are approved for production use.
E004.2 Config: Code signing implementation

Screenshot of code signing configuration, CI/CD pipeline requiring signed artifacts, or verification process for AI components - may include model signing process, signature verification in deployment pipeline, artifact registry showing signed models/libraries, or policy enforcement blocking unsigned components from production.

Category

Technical Implementation
Engineering CodeEngineering Practice
Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick
Lena Smart

"An AIUC-1 certificate enables me to sign contracts much faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB

The Security, Safety, and Reliability standard for AI agents

Stay up to date with AIUC-1

AIUC-1.COM
AIUC-1

© 2026.AIUC

OverviewChangelogConsortium

LEGAL

Privacy PolicyTerms of Service