AIUC-1 is updated formally each quarter to ensure that the standard evolves as technology, risk, and regulation evolves.
The most recent version of AIUC-1 was released on July 15, 2026.
The next version of AIUC-1 will be released on October 15, 2026.
For this update, focus has been on expanding coding agent requirements, developing public facing guidance for auditors and organizations pursuing AIUC-1, and further clarifications to existing requirements. This quarter’s refresh updates 8 requirements and 41 controls.
AIUC-1 for coding agents: Secrets management, secure defaults in code, execution-level safeguards broadened to coding agents
Technical guidance for auditors: Public documentation on AIUC-1 audit scoping and annual re-certification
Clarifications to existing requirements: Clearer rules for which controls apply to which agent types, and removal of duplicative controls
Q3 2026
A008: Prevent leakage of credentials and secrets
Added new mandatory requirement for code-generating agents covering detection and prevention of secrets leakage in AI system inputs, outputs, logs, and credential storage, with five new controls (A008.1-A008.5)
Q3 2026
B010: Promote secure patterns in generated code
Added new mandatory requirement for code-generating agents to promote secure patterns and prevent known vulnerabilities in generated code, with six new controls (B010.1-B010.6)
Q3 2026
A003: Limit AI agent data access
Retired the supplemental control on alerting for auth failures; agent identity management and agent access and permissions management renumbered to A003.2 and A003.3
Q3 2026
A003.1 Config: Data access scoping
Clarified the control to cover data access rather than data collection
Q3 2026
A004.1 Documentation: User guidance on confidential information
Recategorized the evidence from Technical Implementation to Operational Practices
Q3 2026
A005: Prevent cross-customer data exposure
Broadened the requirement to cover cross-customer data exposure generally, not only when combining customer data from multiple sources
Q3 2026
A005.2 Config: Customer data isolation controls
Generalized typical evidence to logical isolation appropriate to the architecture rather than specific app-ID patterns
Q3 2026
A006: Prevent PII leakage
Retired the core control requiring authentication and authorization for PII access; DLP system integration renumbered to A006.2 as a supplemental control
Q3 2026
A007: Prevent IP violations
Retagged capability scoping from generation modalities to externally facing agents
Q3 2026
B006.3 Config: Execution-level safeguards
Extended sandboxed execution safeguards to cover agent-executed code alongside first-party MCP servers
Q3 2026
B008: Protect AI system deployment environment
Retired the core control on model access controls; remaining controls renumbered B008.1-B008.5 with agentic interface data integrity retagged as supplemental
Q3 2026
B009: Limit output over-exposure
Extended capability scoping to cover image generation alongside text and voice generation
Q3 2026
C005: Prevent agent-specific high risk outputs
Renamed from customer-defined to agent-specific high-risk outputs to reflect that the risk taxonomy is defined per agent
Q3 2026
C006.2 Demonstration: Content handling and labelling for untrusted content
Relabelled from warning labels to content handling and labelling for untrusted content
Q3 2026
C008.3 Config: Security tooling
Renumbered from C008.4 to C008.3 to close a numbering gap
Q3 2026
E002: AI failure plan for harmful outputs
Retagged capability scoping from generation modalities to externally facing agents
Q3 2026
E003: AI failure plan for hallucinations
Retagged capability scoping from generation modalities to externally facing agents
Q3 2026
E003.1 Documentation: AI failure plan for hallucinations
Refocused the control on customer communication protocols and immediate mitigation steps with designated staff responsibilities
Q3 2026
E005.1 Documentation: Data storage security practices
Simplified the control to focus on documenting data storage security practices such as cloud vs. on-premises assessments
Q3 2026
E009: Monitor third-party access
Expanded the requirement to cover monitoring and logging of third-party API connections, sessions, and data access
Q3 2026
E009.2 Config: Anomalous third-party access alerting
Added new supplemental control for alerting on anomalous third-party access
Q3 2026
E017: Document system transparency policy
Restructured controls: transparency documentation is now the core control E017.1, transparency report sharing policy retagged supplemental as E017.2, and a new supplemental control E017.3 added covering platform and deployer security responsibilities
Detailed comparison of previous standards (January 15, 2026 and April 15, 2026) and current standard (July 15, 2026) is available on Github here
April 15, 2026
January 15, 2026
October 1, 2025
July 22, 2025
First launch of the standard
Customer-focused.We prioritize requirements that enterprise customers demand and vendors can pragmatically meet— increasing confidence without adding unnecessary compliance.
AI-focused. We do not cover non-AI risks that are addressed in frameworks or regulations like SOC 2, ISO 27001, or GDPR.
Insurance-enabling. We prioritize risks that lead to direct harms and financial losses.
Adapts to regulation. We update AIUC-1 to make it easier to comply with new regulations.
Adapts to AI progress. We update AIUC-1 to keep up with new capabilities, like reasoning capabilities and new modalities.
Adapts to the threat landscape. We update AIUC-1 in response to real-world incidents.
Continuous improvement. We regularly update the standard based on real-world deployment experience and stakeholder feedback.
Predictability.We review the standard and push updates quarterly— on January 15, April 15, July 15, and October 15 of each year.
Transparency. We keep a public changelog and share our lessons.
Backward compatibility. Existing certifications remain valid during transition periods.
We welcome feedback, ideas, suggestions, and criticism— provide input on AIUC-1.