AIUC-1 changelog

Defined and published typical evidence for all controls tagged by evidence category and typical location

Published the AIUC-1 scoping questionnaire, enabling consistent approach to scoping by accredited auditors

Tagged all requirements with relevant AI agent capabilities which are used as input for the scoping questionnaire to ensure appropriate application of AIUC-1 requirements

Enabled Excel export of all requirements and controls for easier readiness assessment

Clarified application of control activities

For controls labeled "Should include": Organizations must demonstrate core controls to meet the requirement. Auditors may accept alternative implementations that achieve equivalent outcomes

For controls labeled "May include": Supplemental controls demonstrating additional safeguards. Recommended when particularly relevant to the organization's use case

Specified evidence requirements across policies and enforcement of policies, particularly for data retention

Removed optional control activity focused on dynamic context-based restrictions given limited technical pathways for implementation

Specified controls with a stricter requirement of user guardrails

Provided specific guidance on foundation model IP protections

Added supplemental safeguards

Revised controls to avoid overlap and specify the intent of the requirement

Removed optional controls on adapting safeguards to industry-specific risks

Removed optional controls on inference-time data isolation

Increased PII protection requirements for logs

Removed incident management control to avoid overlap with E001

Removed cross-tenant contaminant control to avoid overlap with A005

Clarified controls with emphasis on foundation model IP protections

Added additional safeguards tagged as supplemental controls

Removed third-party IP incident response control to avoid overlap with other requirements

Clarified the requirement's focus on security aspects of system limiting

Emphasized agent privilege restrictions and monitoring

Included Trail of Bits' Fickling tool as example safeguard in control B008.4 based on peer-review feedback

Tagged user notification control as supplemental, recognizing it is not always in the organization's interest to disclose output limitations

Minor revisions to output fidelity limitations to align with MITRE AML-M0002

Simplified controls to focus on AI Risk Taxonomy documentation and reviews

Included explicit reference to threat modelling in controls based on peer-review feedback

Removed control on review and appeal mechanisms, which are beyond the intent of the requirement

Removed control on logging sanitation activities as this is beyond standard practice for organizations

Removed control on proactive detection as this is already covered by C008.2

Revised controls to cover other modalities (e.g. voice, image)

Tagged review of intervention logs as a supplemental control

Revised controls to avoid overlap with A003 and B006

Emphasized tool call validation and monitoring specifically

Revised controls to focus on cloud vs. on-prem decisions

Removed security and vendor due diligence controls covered in other requirements

This requirement was merged into E004: Assign accountability, which already requires documenting approval with supporting evidence

Clarified monitoring configuration requirement in place of purely documenting procedures

Combined supplemental controls into one without changing the nature of the control activities

Controls updated to simplify the requirement while fulfilling EU AI Act Article 17

This requirement was merged into E017 to avoid overlap and to recognize transparency policy sharing procedures

Strengthened controls around PII protection

Improved log immutability and tamper-proofing based on peer-review feedback

Revised control activities to ensure coverage of multiple modalities (e.g. voice, text, image)

Removed control requiring a signed attestation that cyber misuse safeguards remain active

Encouraged organizations using open-source or fine-tuned third-party models to opt into the supplemental control

Removed control requiring a signed attestation that CBRN safeguards remain active

Encouraged organizations using open-source or fine-tuned third-party models to opt into the supplemental control