AIUC-1
Legal Evidence

Requirement · Mandatory Requirement
Control activity
Defining and communicating input data usage policies. Including specifying how customer data is used for inference and model training, establishing data retention periods, and documenting customer data rights.
Evidence
A001.1 Documentation: Policy for input data ownership, usage and retention
Typically demonstrated by Terms of Service, Privacy Policy or Data Processing Agreement
Tags
Mandatory Control
Legal Policies
Terms of Service, Privacy Policy, DPA
Requirement · Mandatory Requirement
Control activity
Documenting processes for handling end-user data subject rights. For example, handling requests for opt-in/opt-out rights, access, portability, or deletion of input data.
Evidence
A001.3 Documentation: Data subject right processes
May be included in DPA, GDPR appendix, External Privacy Policy or similar internal or external policies documenting processes for data handling
Tags
Supplemental Control
Legal Policies
Data Processing Agreement, Privacy Policy
Requirement · Mandatory Requirement
Control activity
Establishing output ownership and usage rights policies. For example, specifying customer ownership of AI-generated outputs versus AI inputs, defining permitted uses of outputs (commercial use, redistribution, modification), documenting usage restrictions or limitations, and clarifying how ownership applies to different output types or use cases.
Disclosing opt-out and deletion procedures for AI outputs. For example, documenting how customers can opt out of output storage or reuse, explaining deletion request processes, specifying retention periods and data handling practices, and clarifying how customers can control or revoke permissions for their outputs.
Evidence
A002.1 Documentation: Output usage and ownership policy
Typically demonstrated by Terms of Service, Data Processing Agreement, Master Service Agreement, Privacy Policy, or AI Addendum. May be a combination of these policies.
Tags
Mandatory Control
Legal Policies
Terms of Service
Requirement · Mandatory Requirement
Control activity
Leveraging foundation model provider protections. For example, using providers with zero data retention policies, requiring contractual commitments that inputs are not used for training, selecting models with enhanced privacy guarantees for sensitive use cases.
Evidence
A004.2 Documentation: foundational model IP protections
Provider contracts, terms of service, or documentation showing IP protection commitments. Often found in third party's terms of use/service, DPA or AI Addendum/Schedule
Tags
Supplemental Control
Legal Policies
Vendor Contracts
Requirement · Mandatory Requirement
Control activity
Establishing explicit consent and disclosure for combined data usage. For example, informing customers when their data will be combined with competitor data, disclosing data anonymization and abstraction policies, providing opt-out mechanisms.
Evidence
A005.1 Documentation: Consent for combined data usage
Typically demonstrated by Data Processing Agreement or Terms of Service
Tags
Mandatory Control
Legal Policies
Data Processing Agreement, Terms of Service
Requirement · Mandatory Requirement
Control activity
Documenting foundation model provider IP protections which may serve as primary infringement safeguards. For example, indemnification clauses or copyright/trademark guardrails.
Evidence
A007.1 Documentation: Model provider IP infringement protections
Foundation model provider contract, terms of service, or data processing agreement showing IP protection commitments including copyright/trademark handling policies, indemnification clauses, liability coverage, and any documented limitations or exclusions. May include vendor questionnaire responses or certification documents addressing IP protections.
Tags
Mandatory Control
Legal Policies
Vendor Contracts
Requirement · Mandatory Requirement
Control activity
Defining prohibited AI usage for end-users. For example, jailbreak attempts, malicious prompt injection, unauthorized data extraction, generation of harmful content, and misuse of customer data.
Evidence
E010.1 Documentation: AI acceptable use policy
Policy document defining acceptable and/or prohibited AI usage; can be a standalone document or part of another document, e.g., the terms of service.
Tags
Mandatory Control
Legal Policies
Acceptable Use Policy
Requirement · Mandatory Requirement
Control activity
Implementing transfer compliance procedures. For example, assessing data transfer requirements for AI training data and inference processing, maintaining approved transfer mechanisms for foundation model providers and AI infrastructure, mitigating transfer risk for cross-border AI model training.
Evidence
E011.2 Documentation: Data transfer compliance
Demonstrated by DPA, data transfer impact assessments, approved transfer mechanism documentation (Standard Contractual Clauses, adequacy decisions), cross-border data flow approvals for AI training/inference, or risk assessments for international AI processing.
Tags
Supplemental Control
Legal Policies
Internal policies, Data Processing Agreement
Requirement · Mandatory Requirement
Control activity
Identifying relevant regulations. For example, data protection laws (GDPR, CCPA), sector-specific requirements, and emerging AI standards (EU AI Act).
Documenting compliance procedures and strategies appropriate for company size and operations.
Reviewing the repository every 6 months and when additional requirements may be triggered. For example, regulations change or business operations expand into new jurisdictions.
Evidence
E012.1 Documentation: Regulatory compliance reviews
Compliance register, assessment memo or review tickets (e.g. in Notion), or policy listing applicable regulations with compliance strategies; should include review dates or version history showing periodic updates.
Tags
Mandatory Control
Legal Policies
Internal processes
Requirement · Optional Requirement
Control activity
Establishing a transparency policy defining documentation requirements for major AI systems. For example, specifying required documentation elements, establishing documentation standards.
Evidence
E017.1 Documentation: Transparency policy
Policy document defining transparency documentation requirements; may include criteria for systems requiring documentation, required documentation elements (capabilities, limitations, use cases, risks), or documentation standards and templates.
Tags
Mandatory Control
Legal Policies
Internal policies
Requirement · Mandatory Requirement
Control activity
Obtaining results of testing from the foundation model developer on offensive cyber capabilities and mitigations.
Evidence
F001.1 Documentation: Foundation model cyber capabilities
Provider model cards, cybersecurity assessment reports from model developers, or foundation model documentation describing offensive cyber capabilities and mitigations
Tags
Mandatory Control
Legal Policies
Vendor Contracts
Requirement · Mandatory Requirement
Control activity
Obtaining results of testing from the foundation model developer on CBRN capabilities and mitigations.
Evidence
F002.1 Documentation: Foundation model CBRN capabilities
List of foundation models used with CBRN capability information - may include provider model cards with CBRN assessments, weapons of mass destruction risk evaluations from model developers, or other documentation describing CBRN-related capabilities and mitigations.
Tags
Mandatory Control
Legal Policies
Vendor Contracts