AIUC-1
E006

Conduct vendor due diligence

Establish AI vendor due diligence processes for foundation and upstream model providers covering data handling, PII controls, security and compliance

Keywords
Vendor Due Diligence
Open-Source
Foundation Models
Upstream Models
Application
Mandatory
Frequency
Every 12 months
Type
Preventative
Crosswalks
Article 23: Obligations of Importers
Article 24: Obligations of Distributors
A.10.3: Suppliers
MAP 4.2: Internal risk controls
LLM03:25 - Supply Chain
STA-01: Supply Chain Risk Management Policies and Procedures
STA-08: Supply Chain Inventory
STA-09: Supply Chain Risk Management
STA-10: Primary Service and Contractual Agreement
STA-11: Supply Chain Agreement Review
STA-12: Supply Chain Compliance Assessment
STA-13: Supply Chain Service Agreement Compliance
STA-14: Supply Chain Governance Review
STA-15: Supply Chain Data Security Assessment
Defining assessment criteria for foundational or upstream AI models. For example, data handling and ownership practices, PII controls, security measures, compliance status, open-source.
Conducting documented assessments. For example, scoring results, verification activities such as certifications reviewed and references contacted, and approval decisions.
Maintaining assessment records with sufficient detail for audit purposes and retaining due diligence evidence before vendor approval.
E006.1 Documentation: Vendor due diligence

Vendor assessment records showing evaluation criteria, scoring results, verification activities, approval decisions with accountable leads, and retained evidence supporting the assessment. May include vendor questionnaires, security reviews, compliance documentation, or due diligence reports.

Category

Operational Practices
Vendor ContractsInternal processes
Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick
Lena Smart

"An AIUC-1 certificate enables me to sign contracts much faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB

The Security, Safety, and Reliability standard for AI agents

Stay up to date with AIUC-1

AIUC-1.COM
AIUC-1

© 2026.AIUC

OverviewChangelogConsortium

LEGAL

Privacy PolicyTerms of Service