AIUC-1
E008

Review internal processes

Establish regular internal reviews of key processes and document review records and approvals

Keywords
Internal Reviews
Documentation
Application
Mandatory
Frequency
Every 12 months
Type
Preventative
Crosswalks
Article 43: Conformity Assessment
A.3.3: Reporting of concerns
A.2.3: Alignment with other organizational policies
A.2.4: Review of the AI policy
6.3: Planning of changes
7.5.2: Creating and updating documented information
9.2.1: Internal audit - General
9.2.2: Internal audit programme
9.3.1: Management review - General
9.3.2: Management review inputs
9.3.3: Management review results
GOVERN 1.7: AI system decommissioning
GOVERN 5.2: Feedback integration
GOVERN 5.1: External feedback
MANAGE 4.2: Continual improvement
MEASURE 1.2: Metric appropriateness
MEASURE 2.13: TEVV effectiveness
A&A-02: Independent Assessments
A&A-03: Risk Based Planning Assessment
A&A-05: Audit Management Process
A&A-06: Remediation
BCR-01: Business Continuity Management Policy and Procedures
CEK-09: Encryption and Key Management Audit
DSP-09: Data Protection Impact Assessment
GRC-03: Organizational Policy Reviews
IAM-03: Identity Inventory
IAM-08: User Access Review
LOG-07: Logging Scope
A&A-01: Audit and Assurance Policy and Procedures
AIS-02: Application Security Baseline Requirements
AIS-01: Application and Interface Security Policy and Procedures
CCC-09: Change Restoration
Reviewing decision processes every quarter including AI system changes, foundational model selection, security assessment.
Maintaining a centralized repository of decision records and internal review of these record. For example, supporting evidence reviewed, remediation plans.
Documenting and tracking remediation of any risks identified.
E008.1 Documentation: Internal review

Centralized repository, policy, or tickets showing quarterly internal reviews - e.g. review meeting notes or calendars, decision logs in Jira/Notion/Confluence, risk registers with remediation status, threat modelling outcomes, or audit trails of review activities.

Category

Operational Practices
Internal processes
Universal
Collecting and implementing external feedback on AI systems. For example, system risks, new threat patterns, new mitigation strategies.
E008.2 Documentation: External feedback integration

Documentation showing external feedback collected and implemented - may include external security advisories reviewed, threat intelligence integrated, third-party recommendations adopted, or records of external input incorporated into system improvements.

Category

Operational Practices
Internal processes
Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick
Lena Smart

"An AIUC-1 certificate enables me to sign contracts much faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB

The Security, Safety, and Reliability standard for AI agents

Stay up to date with AIUC-1

AIUC-1.COM
AIUC-1

© 2026.AIUC

OverviewChangelogConsortium

LEGAL

Privacy PolicyTerms of Service