Technical Evidence
Technical Evidence
Download evidence listRequirement
·
Mandatory RequirementControl activity
Implementing technical controls to enforce data retention and deletion policies. For example, automating data deletion based on retention schedules, using secure removal mechanisms, and managing data lifecycles.
Evidence
A001.2 Config: Data retention implementation
Implementation of automated deletion schedule or data lifecycle system - may include cron job or scheduled task deleting expired data, deletion script in Python/Bash with retention period logic, data lifecycle management tool configuration (e.g., AWS S3 lifecycle rules, database TTL settings), or deletion audit logs from database or storage system.
Tags
Mandatory Control
Technical Implementation
Engineering CodeEngineering Practice
Requirement
·
Mandatory RequirementControl activity
Implementing technical controls to enforce AI output opt-in/opt-out and deletion policies. For example, automating customer preference enforcement through consent management configuration, processing opt-out and deletion requests within defined workflows, and validating that opted-out outputs are excluded from storage and downstream reuse.
Evidence
A002.2 Config: Opt-in/opt-out and output deletion implementation
Implementation of opt-in/opt-out enforcement mechanism or output deletion workflow - may include consent management system enforcing customer preferences (e.g., feature flag gating output storage, consent database linked to processing pipeline), opt-out or deletion request processing script or automated task, or audit logs from consent and deletion systems with timestamps and execution records.
Tags
Supplemental Control
Technical Implementation
Engineering CodeEngineering Practice
Requirement
·
Mandatory RequirementControl activity
Configuring data access limits to reduce data and privacy exposure. For example, limiting data collection to task-relevant information based on context, implementing scoping based on user roles or workflow requirements, and avoiding persistent or out-of-scope data access.
Evidence
A003.1 Config: Data access scoping
Code implementing data access restrictions - may include RAG retrieval function with document filtering logic, session scoping configuration limiting data access per session ID, workflow conditional logic gating data collection by stage, permission decorators or middleware checking user roles before data access, or scoping functions rejecting out-of-scope queries with error messages.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Deploying monitoring mechanisms. Including ensuring AI systems only perform necessary inference and logging deviations from defined operational scope.
Evidence
A003.2 Config: Alerting system for auth failures
Screenshot of code showing an alert or error handling system is triggered upon authz check failure, or screenshot of alerting configurations in logging software (e.g. Posthog, Sentry, Datadog, Axiom, or downstream alert in Slack)
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Enabling agent identity management. For example, assigning each agent a unique, cryptographically verifiable identity; supporting standard identity federation protocols (e.g., OAuth 2.0, OIDC) for enterprise IAM integration; publishing agent cards declaring each agent's capabilities, tools, and permission scopes.
Evidence
A003.3 Config: Agent identity management
Documentation showing how identity governance is enabled - may include platform configuration showing unique, cryptographically verifiable identity assignment per agent instance, API or SDK documentation for identity federation endpoints (e.g., OIDC token exchange), or a sample agent card declaring agent capabilities and scopes.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Enabling agent access and governance through permission-ready architecture. For example, exposing per-agent permission scopes mappable to enterprise roles; supporting just-in-time permissions scoped to specific subtasks; preventing silent inheritance of elevated permissions from orchestrators or parent agents; enforcing segregation of duties across systems; and integrating data loss prevention controls on agent actions and tool calls.
Evidence
A003.4 Config: Agent access and permissions management
Documentation showing how permission governance is enabled - may include API or SDK documentation for permission scope configuration mappable to RBAC or ABAC policies, platform settings or code demonstrating just-in-time credential issuance scoped to individual subtasks or tool calls, architecture documentation showing how inherited permission chains from orchestrators or parent agents are bounded or surfaced for review, a segregation of duties matrix identifying and preventing conflicting agent permission combinations across integrated systems, or DLP policy configuration showing inspection and blocking rules applied to outbound data transmitted through agent actions or tool calls.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Providing user guidance on protecting confidential information. For example, instructing employees not to input trade secrets, proprietary code, or confidential business information into AI systems, communicating data handling policies for AI tool usage, or establishing clear guidelines on what information can and cannot be shared with AI agents.
Evidence
A004.1 Documentation: User guidance on confidential information
Policy document, training materials, or user guidelines instructing users on protecting confidential information when using AI systems.
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Implementing technical controls to detect proprietary information in outputs.
Evidence
A004.3 Config: IP detection implementation
Code or configuration detecting proprietary information patterns in AI outputs - may include labelling proprietary files, filtering rules for internal identifiers/data labels/API keys, scanning logic for trade secret terminology, or rejection demonstrations showing appropriate responses to proprietary requests.
Tags
Supplemental Control
Technical Implementation
Engineering CodeProduct
Requirement
·
Mandatory RequirementControl activity
Establishing output monitoring for high-risk IP scenarios. For example, logging AI responses that accessed confidential data sources, implementing human review workflows for outputs flagged as potentially containing sensitive information.
Evidence
A004.4 Config: IP disclosure monitoring
Logs, audit trails, or review workflow documentation for AI outputs potentially containing sensitive information - may include logs of responses accessing confidential sources, flagged output review queues, or human approval workflows for high-risk disclosures.
Tags
Supplemental Control
Technical Implementation
Engineering PracticeLogs
Requirement
·
Mandatory RequirementControl activity
Implementing customer data isolation controls. For example, enforcing strict logical and physical separation of customer data, applying tenant-specific encryption, validating data flow boundaries in shared infrastructure, establishing technical barriers between customer datasets during training.
Evidence
A005.2 Config: Customer data isolation controls
Configuration or code output demonstrating customer isolation controls - may show how app_IDs are enforced in the database schema, or namespace isolation by app_ID being implemented in the vector store for RAG (or equivalent logical isolation), or that authorization checks verify app_ID matching before returning objects.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing specific privacy-enhancing technologies (PETs) to reduce competitive exposure.
Evidence
A005.3 Config: Privacy-enhancing controls
May include tokenization, hashing, or anonymization techniques (robust to prevent re-identification or reversal) making data algorithmic-usable but not human-readable, differential privacy implementation obfuscating individual contributions, federated learning configuration avoiding centralized raw data, or data masking/pseudonymization protecting customer identities.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing safeguards to prevent personal data leakage through AI system outputs and logs. For example, filtering prompts and outputs for personal identifiers before storage or display, implementing automated PII detection and redaction in system logs, preventing retention of outputs containing sensitive personal information, or blocking responses that would expose personal identifiers.
Evidence
A006.1 Config: PII detection and filtering
Configuration or code output demonstrating filtering of LLM inputs and/or outputs for personal identifiers - may include keyword checks or regex patterns detecting PII (e.g. names, emails, SSNs, phone numbers), scrubbing functions removing personal data before storage or logging, output filtering blocking responses containing personal identifiers, log redaction configuration removing PII from application or system logs, or structured logging with PII isolation controls.
Tags
Mandatory Control
Technical Implementation
Eng: LLM output filtering logicEng: User LLM input filtering logic
Requirement
·
Mandatory RequirementControl activity
Requiring authentication and authorization for PII access. For example, role-based access controls for PII-containing systems, multi-factor authentication for sensitive data access, or approval-gated access to customer information.
Evidence
A006.2 Config: PII access controls
IAM configuration or user roles list for systems containing PII - may include role-based access controls for log aggregation tools or internal dashboards with PII, authentication requirements for PII access, or approval workflow documentation (Jira tickets, approval systems) for internal workforce requests to view customer data.
Tags
Mandatory Control
Technical Implementation
Engineering Practice
Requirement
·
Mandatory RequirementControl activity
Integrating with existing data loss prevention (DLP) systems to monitor and block outputs containing personal data in violation of policy.
Evidence
A006.3 Config: DLP system integration
Output pipeline integration with a DLP system to scan and block PII policy violations - may include DLP integration code scanning AI outputs before delivery to users, DLP configuration rules for PII detection, or logs showing blocked outputs containing personal data.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Establishing supplementary content filtering mechanisms where provider protections have gaps or limitations. For example, detecting copyrighted material in outputs, implementing trademark screening.
Evidence
A007.2 Config: IP infringement filtering
Code, API configuration, or filtering system showing detection of copyrighted material, trademark screening, or content validation checks applied to AI outputs - this could be pattern matching logic, third-party API integration (e.g. copyright detection services), or custom filtering rules.
Tags
Supplemental Control
Technical Implementation
Engineering CodeEng: LLM output filtering logic
Requirement
·
Mandatory RequirementControl activity
Implementing user guidance and guardrails to reduce IP risk. For example, usage policies that explain prohibited content types, user warnings in product, restricting output generation in known infringement domains.
Implementing restrictions in AI acceptable use policy.
Evidence
A007.3 Logs: User-facing notices
User-facing IP risk guidance - may include warning messages when attempting high-risk operations, help center articles about IP infringement guidance, or UI elements explaining prohibited use cases.
Tags
Supplemental Control
Technical Implementation
ProductAcceptable Use Policy
Requirement
·
Optional RequirementControl activity
Establishing detection and alerting. For example, implementing monitoring for prompt injection patterns, jailbreak techniques, adversarial input attempts, and exceeding rate limits, configuring alerts and threat notifications for suspicious activities.
Evidence
B002.1 Config: Adversarial input detection and alerting
Monitoring system, SIEM, or detection code showing rules and alerts for adversarial inputs - may include prompt injection detection patterns, jailbreak technique signatures, rate limit monitoring with threshold alerts, or notification configurations (Slack, PagerDuty, email)
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Optional RequirementControl activity
Implementing incident logging and response procedures. For example, logging suspected adversarial attacks with relevant context, escalating to designated personnel based on severity, and documenting response actions in a centralized system.
Evidence
B002.2 Logs: Adversarial incident and response
Incident management system or logs showing adversarial attack handling - may include log entries with timestamps and user/session context, escalation runbooks defining severity thresholds, or incident tickets in Jira/PagerDuty/ServiceNow documenting response actions and workflows.
Tags
Mandatory Control
Technical Implementation
LogsEngineering Tooling
Requirement
·
Optional RequirementControl activity
Maintaining detection effectiveness through quarterly reviews. For example, updating detection rules based on emerging adversarial techniques, analyzing incident patterns and documenting system improvements.
Evidence
B002.3 Documentation: Updates to detection config
Quarterly review documentation showing detection updates - for example, review meeting notes with incident pattern analysis, updated detection rules with version history, or tracking records showing rule improvements (e.g. GitHub/Jira tickets).
Tags
Mandatory Control
Technical Implementation
Engineering PracticeInternal processes
Requirement
·
Optional RequirementControl activity
Implementing adversarial input detection prior to AI model processing where feasible. For example, using pre-processing filters to flag likely threats before model processing.
Evidence
B002.4 Config: Pre-processing adversarial detection
Pre-processing filtering logic or gateway - may include pattern-matching or heuristic code checking inputs before model processing, WAF or API gateway rules blocking adversarial patterns, or IP-based filtering.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Optional RequirementControl activity
Integrating adversarial input detection into existing security operations tooling. For example, forwarding flagged inputs to SIEM platforms, correlating detection with authentication and network logs, enabling SOC teams to triage AI-related security events.
Evidence
B002.5 Config: AI security alerts
SIEM platform, SOC tooling, or log forwarding configuration showing adversarial detection integration - may include Splunk/Datadog/Elastic SIEM ingesting AI adversarial alerts, correlation rules linking AI events with authentication or network logs, SOC dashboard displaying AI security event triage, or code forwarding flagged inputs to security platforms.
Tags
Supplemental Control
Technical Implementation
Engineering Tooling
Requirement
·
Mandatory RequirementControl activity
Implementing systems distinguishing between high-volume legitimate usage and adversarial behavior. For example, using behavioral analytics and user profiling to calibrate detection thresholds and prevent false positives against trusted users.
Evidence
B004.1 Config: Anomalous usage detection
Anomaly detection system or configuration file - may include behavioral analytics dashboard (Datadog, Elastic, Splunk) with user scoring rules, rate limiting configuration with tier-based thresholds (config.yaml, API gateway settings), user allowlists or reputation tables, or code implementing session-based threshold logic.
Tags
Mandatory Control
Technical Implementation
Engineering ToolingEngineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing rate limiting and query restrictions. For example, establishing per-user quotas to prevent model extraction, blocking excessive query patterns, implementing progressive restrictions for suspicious behavior, or using economic disincentives for high-volume usage.
Evidence
B004.2 Config: Rate limits
Rate limiting configuration for API endpoints - may include per-user quota settings, query throttling rules, progressive restriction policies, WAF configuration (Cloudflare, AWS WAF, Azure Application Gateway) with blocking rules for excessive patterns, or pricing tier settings implementing usage-based cost increases.
Tags
Mandatory Control
Technical Implementation
Engineering Tooling
Requirement
·
Mandatory RequirementControl activity
Conducting simulated external attack testing of AI endpoints. For example, performing automated attack simulations, testing endpoint protection effectiveness against high-volume and distributed attacks, and documenting methodologies appropriate to organizational threat profile.
Evidence
B004.3 Report: External pentest of AI endpoints
Third-party penetration test report for AI endpoints including attack simulations tested (e.g. scraping attempts, brute force, reconnaissance), rate limiting and endpoint protection validation, distributed attack testing, test methodology, and findings on protection effectiveness.
Tags
Mandatory Control
Technical Implementation
Engineering Practice
Requirement
·
Mandatory RequirementControl activity
Maintaining endpoint security through remediation. For example, tracking identified vulnerabilities, implementing protective measures based on testing outcomes, and regularly updating endpoint defenses and detection thresholds.
Evidence
B004.4 Documentation: Vulnerability remediation
Issue tracking system (GitHub, Jira, Linear) showing endpoint vulnerability lifecycle - must include vulnerability identification, remediation proposal, implementation, and production deployment with timestamps and approval records.
Tags
Mandatory Control
Technical Implementation
Engineering Practice
Requirement
·
Optional RequirementControl activity
Integrating automated moderation tools to filter inputs before they reach the foundation model. For example, integrating third-party moderation APIs, implementing custom filtering rules, configuring blocking or warning actions for flagged content, and establishing confidence thresholds based on risk category and severity
Evidence
B005.1 Config: Input filtering
Moderation tool integration showing API configuration, filtering rules, action settings (block/warn/modify), and confidence thresholds for different violation categories - this could be screenshots of configuration files, admin dashboard settings, or API integration code.
Example moderation tools: OpenAI Moderation API, Claude content filtering, VirtueAI/Hive/Spectrum Labs
Tags
Mandatory Control
Technical Implementation
Eng: User LLM input filtering logicEngineering Tooling
Requirement
·
Optional RequirementControl activity
Documenting the moderation logic and rationale. For example, explaining chosen moderation tools, threshold justifications, and decision criteria for different risk categories.
Evidence
B005.2 Documentation: Input moderation approach
Document explaining moderation approach including tool selection rationale, threshold settings with justifications, action logic for different violation types, and examples of how different input categories are handled.
Tags
Supplemental Control
Technical Implementation
Internal processesEngineering Practice
Requirement
·
Optional RequirementControl activity
Providing feedback to users when inputs are blocked.
Evidence
B005.3 Demonstration: Warning for blocked inputs
User-facing messages or UI flows showing how blocked inputs are communicated to users - this could be error messages, warning dialogs, or alternative suggestions provided when content is filtered.
Tags
Supplemental Control
Technical Implementation
Product
Requirement
·
Optional RequirementControl activity
Logging flagged prompts for analysis and refinement of filters, while ensuring compliance with privacy obligations.
Evidence
B005.4 Logs: Input filtering
Logging system showing how flagged inputs are captured, what metadata is included/excluded for privacy, retention policies, and audit trail - may include privacy documentation explaining logging disclosures to users.
Tags
Supplemental Control
Technical Implementation
Logs
Requirement
·
Optional RequirementControl activity
Periodically evaluating filter performance and adjusting thresholds accordingly. For example, accuracy, latency, false positives/negatives.
Evidence
B005.5 Documentation: Input filter performance
Report or dashboard showing analysis of filter performance metrics (false positives, false negatives, accuracy, latency) and documented threshold adjustments made based on performance data - should include timestamps and rationale for changes.
Tags
Supplemental Control
Technical Implementation
Engineering Practice
Requirement
·
Mandatory RequirementControl activity
Implementing technical restrictions that limit agent capabilities to authorized scope. For example, restricting agent access to approved backend services, APIs and MCP servers, enforcing network segmentation or API gateway rules, or implementing service-level authorization preventing access to sensitive systems.
Evidence
B006.1 Config: Agent service access restrictions
Configuration showing technical limitations on agent backend access - may include API gateway rules restricting accessible services, network policies defining allowed endpoints, MCP server allowlist or registration configuration restricting which MCP servers and tools the agent may connect to, service-level authorization configuration, or architecture diagram showing agent isolation boundaries including MCP server placement and network segmentation.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Deploying monitoring and alerting for agent actions that exceed security boundaries. For example, logging all agent service interactions, alerting on access attempts to unauthorized systems or APIs, or anomaly detection flagging unusual connection patterns.
Evidence
B006.2 Config: Agent security monitoring and alerting
Implementation of monitoring configuration tracking agent security-relevant actions - may include logging setup capturing agent service calls and authentication attempts, alert rules for unauthorized system access, security monitoring dashboard showing agent infrastructure interactions, or example logs demonstrating boundary violations are detected.
Tags
Mandatory Control
Technical Implementation
Engineering CodeLogs
Requirement
·
Mandatory RequirementControl activity
Implementing additional safeguards to contain runtime risk. For example, applying sandboxed execution environments with restricted filesystem, network, and credential access for first-party MCP servers; monitoring MCP tool definitions for unauthorized changes after initial approval; providing pre-execution authorization hooks that verify runtime tool calls against defined policy before execution proceeds; or equivalent containment approaches appropriate to the deployment architecture..
Evidence
B006.3 Config: Execution-level safeguards
Configuration, documentation or code demonstrating runtime containment controls applied to agents and MCP servers - may include tool definition integrity controls showing how unauthorized post-approval changes are detected, container or VM configuration showing restricted filesystem and network access for first-party MCP servers, pre-execution hook or policy engine configuration showing tool calls are verified at runtime.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing system-level access controls tailored to AI systems. For example, using role-based or attribute-based access to restrict access to model configuration, training datasets, tool-calling capabilities, or prompt logs, based on job function and system sensitivity.
Restricting administrative and configuration privileges to authorized personnel. For example, limiting ability to alter system behavior, tools, or models.
Evidence
B007.1 Config: User access controls
IAM platform, permission files, or admin panel showing role-based or attribute-based access restrictions for AI system resources (model configurations, training datasets, tool-calling capabilities, prompt logs) - may include IAM role assignments, permission policies, or authorization code validating user permissions before accessing sensitive AI components.
Tags
Mandatory Control
Technical Implementation
Engineering Tooling
Requirement
·
Mandatory RequirementControl activity
Implementing AI system access protection. For example, restricting access to production AI systems based on job function and operational need, implementing MFA for model system access, maintaining user access reviews appropriate to organizational size.
Evidence
B008.1 Config: Model access controls
IAM configuration, permission settings, or admin panel showing role-based access restrictions for production AI systems covering IAM role assignments restricting model access by job function, MFA configuration for model system access, and access review records validating model permissions.
Tags
Mandatory Control
Technical Implementation
Engineering CodeInternal processes
Requirement
·
Mandatory RequirementControl activity
Enforcing caller authentication across API endpoints and agentic interfaces. For example, applying scoped API tokens or signed requests for model API access; enforcing OAuth 2.0 or OIDC token validation with appropriate scoping for MCP server connections; implementing mutual authentication for agent-to-agent interfaces.
Evidence
B008.2 Config: API and agentic interface authentication
Configuration or code showing caller authentication controls - may include scoped API token or signed request configuration for model API endpoints, OAuth token scoping or OIDC validation middleware for MCP server connections, or mutual authentication configuration for agent-to-agent interfaces (e.g. A2A protocol authentication config).
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Securing model hosting environments. For example, using up-to-date and minimal container images, scanning for known vulnerabilities in dependencies and base images, and applying infrastructure-level isolation techniques based on risk level (e.g. container namespaces, VM separation, or dedicated GPU access).
Evidence
B008.5 Config: Model hosting security
Container configuration or infrastructure setup for model hosting - may include Dockerfile with minimal base images and up-to-date dependencies, vulnerability scanning results from Trivy or Snyk for container images, or infrastructure configuration showing isolation techniques (container namespaces, VM separation, network policies, dedicated GPU allocation).
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Verifying model integrity before and during deployment. For example, using cryptographic checksums or signed artifacts to detect tampering, scanning model files for malicious payloads.
Evidence
B008.6 Config: Model integrity verification
Deployment pipeline or code implementing model integrity checks - may include cryptographic checksum verification, model artifact signature validation, hash comparison before deployment, model scanning configuration detecting malicious payloads (e.g. Pickle, ONNX) using tools like Cisco's pickle-fuzzer, Trail of Bit's Fickling, or deployment logs recording model version hashes.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Securing data in transit across model API endpoints and agentic interfaces. For example, enforcing TLS for all model API endpoint traffic, MCP server connections, and agent-to-agent communication channels; implementing credential rotation policies for long-lived service connections.
Evidence
B008.3 Config: API and agentic interface transport security
Configuration or code showing transport security controls - may include TLS/HTTPS certificate configuration for model API endpoints, MCP server traffic, or agent-to-agent connections, or credential rotation policy documentation for service-level MCP or A2A connections.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Enforcing data integrity across agentic interfaces. For example, implementing cryptographic message signing for agent-to-agent communication; applying schema validation and input sanitization to MCP tool call inputs and outputs.
Evidence
B008.4 Config: Agentic interface data integrity
Configuration or code showing data integrity controls for agentic interfaces - may include cryptographic message signing configuration for agent-to-agent interfaces (e.g. signed agent cards), or schema validation configuration applied to MCP tool call inputs and outputs.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Reducing or limiting the number of results shown in outputs to relevant only to balance security and utility. For example, character limits, limits on inference time.
Evidence
B009.1 Config: Output volume limits
Code or configuration implementing output restrictions - may include character or token limits, inference time limits, result count restrictions, or timeout configurations preventing excessive output. Can be demonstrated by product demo showing system timeout when requesting output exceeding limits.
Tags
Mandatory Control
Technical Implementation
Engineering CodeProduct
Requirement
·
Mandatory RequirementControl activity
Limiting the fidelity of model outputs in certain use cases. For example, applying output rounding, threshold bands, or obfuscation techniques to reduce the risk of model inversion.
Evidence
B009.3 Config: Output precision controls
Code implementing output fidelity limitations - may include rounding logic for numerical outputs, threshold bands reducing precision, or obfuscation techniques preventing model inversion, precision-sensitive data disclosure, or adversarial model extraction attacks.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Conducting pre-deployment testing with documented results and identified issues. For example, structured hallucination testing, adversarial prompting, safety unit tests, and scenario-based walkthroughs.
Completing risk assessments of identified issues before system deployment. For example, potential impact analysis, mitigation strategies, and residual risk evaluation.
Obtaining approval sign-offs from designated accountable. For example, documented rationale for approval decisions and maintained records for review purposes.
Evidence
C002.1 Documentation: Pre-deployment test and approval records
Test results with identified issues and severity ratings, risk assessment with mitigation decisions, and approval sign-offs with rationale - may be combined in deployment gate documentation or provided as separate documents (e.g., test suite outputs from GitHub Actions/pytest, Jira/Linear tickets with risk assessment and approval, staging environment test reports, deployment checklist with sign-offs).
Tags
Mandatory Control
Technical Implementation
Engineering Practice
Requirement
·
Mandatory RequirementControl activity
Integrating AI system testing into established software development lifecycle (SDLC) gates. For example, including threat modelling and risk evaluation during design phases, requiring risk evaluation and sign-off at staging or pre-production milestones, aligning with CI/CD or MLOps pipelines, and documenting test artefacts in shared repositories."
Evidence
C002.2 Config: SDLC integration
CI/CD pipeline configuration or workflow showing AI testing integrated as deployment gate - may include GitHub Actions/Jenkins/GitLab CI config files requiring test passage, pull request templates with testing checklists, or branch protection rules enforcing pre-deployment validation.
Tags
Supplemental Control
Technical Implementation
Engineering Practice
Requirement
·
Mandatory RequirementControl activity
Implementing pre-deployment vulnerability scanning of AI artifacts and dependencies. For example, scanning AI models and ML libraries for security vulnerabilities, validating runtime behavior for unsafe operations, and analyzing outputs for harmful content before deployment.
Evidence
C002.3 Documentation: Vulnerability scan results
Security scanning tools or CI/CD pipeline showing vulnerability analysis of AI artifacts and dependencies - may include GitHub/GitLab security tab with dependency alerts, Snyk or Dependabot vulnerability findings, pip-audit or safety check terminal output showing CVE scans, model file scanning results, or CI/CD logs showing security scan execution.
Tags
Supplemental Control
Technical Implementation
Engineering Tooling
Requirement
·
Mandatory RequirementControl activity
Implementing content filtering for harmful output types. For example, detecting and blocking distressed responses, angry language, offensive content, biased statements, and deceptive information.
Evidence
C003.1 Config: Harmful output filtering
Content filtering rules, moderation API configuration, or classifier settings showing detection and blocking logic for harmful output types - may include filtering rules in code, third-party moderation tool configuration (e.g., OpenAI Moderation API, Perspective API), or custom classifier model settings with harm category definitions.
Tags
Mandatory Control
Technical Implementation
Eng: LLM output filtering logic
Requirement
·
Mandatory RequirementControl activity
Implementing guardrails for advice generation. For example, restricting high-risk recommendations in sensitive domains, requiring disclaimers for guidance.
Evidence
C003.2 Config: Guardrails for high-risk advice
System prompts, guardrail rules, or domain restrictions showing safety controls on advice generation - may include defensive prompting, domain-specific output restrictions (e.g., medical/legal/financial advice blocklists), or conditional response templates that add warnings for sensitive topics.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing bias detection and mitigation controls. For example, monitoring for discriminatory patterns, implementing fairness checks in outputs.
Evidence
C003.3 Config: Guardrails for biased outputs
Documentation of bias eval results testing for stereotypical responses across demographic attributes, manual review logs documenting bias assessments, or output filtering rules blocking discriminatory patterns - may include automated fairness evaluation tools or bias monitoring dashboards if implemented.
Tags
Supplemental Control
Technical Implementation
Eng: LLM output filtering logic
Requirement
·
Mandatory RequirementControl activity
Detecting and blocking out-of-scope requests. For example, detecting conversations outside intended use cases, blocking prohibited topics, providing redirection messages when users hit boundaries, and escalating or restricting access for repeated violations.
Evidence
C004.1 Config: out-of-scope guardrails
Blocking rules, defensive prompting, or filtering configuration showing how out-of-scope requests are detected and handled - may include topic blocklists, redirection message templates, escalation rules for repeated attempts, or system prompts defining allowed topics.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Tracking out-of-scope violations and updating boundaries. For example, logging boundary violations, adjusting restrictions based on misuse patterns.
Evidence
C004.2 Logs: Out-of-scope attempts
Logs showing out-of-scope attempts with frequency data. May include documentation of boundary updates made in response to violations, monitoring dashboard of flagged requests, change log showing restriction updates with rationale, or incident reports triggering scope adjustments.
Tags
Mandatory Control
Technical Implementation
Logs
Requirement
·
Mandatory RequirementControl activity
Providing user guidance on system capabilities and limitations. For example, communicating what the AI system can and cannot do, intended use cases, and topics or requests outside the system's scope.
Evidence
C004.3 Demonstration: User guidance on scope
User-facing guidance explaining system capabilities and limitations - may include onboarding tooltips or welcome screens, help documentation or FAQs describing intended use, UI warnings when approaching scope boundaries, or published usage guidelines.
Tags
Supplemental Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Implementing detection and blocking mechanisms aligned with organizational risk taxonomy. For example, deploying filtering based on defined risk categories and severity thresholds.
Implementing response actions for detected risks. For example, blocking high-severity outputs, flagging medium-risk content for review, logging violations for monitoring and analysis.
Evidence
C005.1 Config: Risk detection and response
Filtering rules, system configuration, or code showing detection logic mapped to AI risk taxonomy categories and corresponding response actions per severity level - may include risk classifiers with block/flag/log rules, content moderation API configuration defining actions by risk type, or defensive prompting.
Tags
Mandatory Control
Technical Implementation
Eng: LLM output filtering logic
Requirement
·
Mandatory RequirementControl activity
Establishing escalation procedures for flagged high-risk content. For example, defining when human review is required and establishing approval workflows for edge cases.
Evidence
C005.2 Documentation: Human review workflows
Documentation or workflow configuration showing human review and escalation procedures for flagged content - may include runbook defining escalation criteria and review SLAs, workflow diagram showing approval process, or ticketing system configuration (Jira, Linear) with content review queues and assignment rules.
Tags
Supplemental Control
Technical Implementation
Engineering Practice
Requirement
·
Mandatory RequirementControl activity
Implementing automated real-time interventions. For example, blocking or modifying outputs based on severity.
Evidence
C005.3 Config: Automated response mechanisms
Code or system configuration showing automated response mechanisms - may include logic blocking or modifying outputs based on risk scores, or dynamic warning messages triggered by content flags.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Establishing output sanitization and validation procedures before presenting content to users. For example, encoding or stripping potentially malicious content, validating structured outputs against safe schemas, blocking unsafe URLs, and enforcing secure rendering modes.
Evidence
C006.1 Config: Output sanitization
Code or configuration implementing output sanitization - may include HTML/JavaScript/shell syntax encoding functions, URL validation or rewriting rules blocking unsafe links, schema validation checking structured outputs (JSON/YAML/XML) against whitelists, CSP header configuration, or template rendering with auto-escaping enabled.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing security labeling and content handling based on trust level. For example, marking untrusted or third-party content, distinguishing external data from system-generated content, and applying differentiated security controls based on content source.
Evidence
C006.2 Demonstration: Warning labels for untrusted content
UI or code showing trust-based content handling - may include visual indicators marking third-party content (badges, styling, warning icons), metadata tags tracking content source and trust level, or code applying conditional security controls based on content origin (e.g., stricter sanitization for external sources).
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Detecting advanced output-based attack patterns. For example, identifying prompt injection attempts, model subversion techniques, payloads targeting downstream systems, or obfuscated exploits designed to bypass filters.
Evidence
C006.3 Config: Adversarial output detection
Detection rules or monitoring system identifying advanced attack patterns in outputs - may include pattern matching for prompt injection chains or jailbreak tokens, payload signature scanning detecting command injection or SQL queries, or anomaly detection flagging obfuscated exploits bypassing basic filters.
Tags
Supplemental Control
Technical Implementation
Eng: LLM output filtering logic
Requirement
·
Optional RequirementControl activity
Implementing automated detection mechanisms for high-risk outputs. For example, using content filtering, risk scoring, or classification models to identify outputs requiring review or flagging.
Evidence
C007.2 Config: High-risk detection mechanisms
Detection code, configuration file, or rules engine showing high-risk output filtering - may include keyword lists or regex patterns flagging sensitive topics, scoring logic assigning risk values to recommendations, if/then rules defining high-risk conditions, ML model configuration (e.g., classification thresholds in config.yaml), or API response showing confidence scores with risk thresholds.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Optional RequirementControl activity
Establishing ongoing monitoring of AI outputs across risk categories. For example, conducting regular evaluations prioritized by risk severity, sampling outputs for review, and tracking system behavior patterns.
Evidence
C008.1 Logs: AI risk monitoring
Monitoring dashboard, logging system, or evaluation reports showing ongoing AI output tracking - may include output sampling logs with review results, behavior trace logs showing system patterns, prompt-response logging configuration, evaluation schedules prioritized by risk severity, or monitoring metrics dashboard tracking trends over time.
Tags
Mandatory Control
Technical Implementation
Engineering Tooling
Requirement
·
Optional RequirementControl activity
Maintaining documentation. For example, recording identified scenarios with clear examples, updating risk taxonomy based on monitoring findings and incidents.
Evidence
C008.2 Documentation: Monitoring findings
Document or change log showing identified risk scenarios with examples - may include incident reports triggering taxonomy changes, risk scenario database with concrete examples, or version history of risk taxonomy showing updates with rationale linked to monitoring findings.
Tags
Supplemental Control
Technical Implementation
Engineering Practice
Requirement
·
Optional RequirementControl activity
Integrating AI output monitoring with existing security tools. For example, forwarding alerts and flagged outputs to SIEM platforms, applying standard logging formats (e.g. JSON, syslog) to support automated threat detection workflows.
Evidence
C008.4 Config: Security tooling
Monitoring dashboard, logging system, or evaluation reports showing ongoing AI output tracking - may include output sampling logs with review results, behavior trace logs showing system patterns, prompt-response logging configuration, evaluation schedules prioritized by risk severity, or monitoring metrics dashboard tracking trends over time.
Tags
Supplemental Control
Technical Implementation
Engineering Tooling
Requirement
·
Optional RequirementControl activity
Enabling user intervention capabilities. For example, providing mechanisms for users to pause, stop, or redirect system behavior, implementing feedback collection tools for users to report issues or concerns, ensuring technical controls persist across devices and interaction contexts.
Ensuring accessibility of feedback and intervention mechanisms. For example, adhering to WCAG 2.1 standards for color contrast, screen reader compatibility, keyboard navigation, and clear messaging for users with disabilities.
Evidence
C009.1 Demonstration: User intervention mechanisms
Intervention controls (stop/pause/redirect buttons, feedback forms, issue reporting mechanisms) with accessibility features integrated (e.g. keyboard navigation, high contrast modes, screen reader labels)
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Implementing factual accuracy controls. For example, deploying available fact-checking mechanisms, flagging uncertain or low-confidence responses.
Evidence
D001.1 Config: Groundedness filter
Code or configuration showing groundedness validation - may include filters checking responses against source documents, fact-checking API integration, or logic comparing generated content to retrieved context for factual accuracy.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Establishing information source validation. For example, requiring citations for factual claims, implementing source reliability checks.
Evidence
D001.2 Demonstration: User-facing citations & source attributions
UI or output format showing citations and source attributions provided to users - may include inline citations, source links, reference lists, or attribution labels identifying where information originated.
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Maintaining uncertainty communication. For example, displaying confidence levels, providing appropriate disclaimers for generated information.
Evidence
D001.3 Demonstration: User-facing uncertainty labels
UI or output format showing confidence levels, uncertainty disclaimers, or warnings for generated information - may include confidence score displays, low-certainty warnings, or standard disclaimers about potential inaccuracies.
Tags
Supplemental Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Implementing tool call validation and authorization. For example, restricting tool calls to approved functions and MCP servers, validating parameters before execution.
Evidence
D003.1 Config: Tool authorization & validation
Code or configuration showing function and tool allowlists, parameter validation logic, or authz checks before tool execution - may include tool permission schemas, input validation functions, or access control lists restricting available tools per agent/user.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Enforcing rate limits and transaction caps for autonomous tool use.
Evidence
D003.2 Config: Rate limits for tools
Code or configuration showing rate limits and transaction caps on tool usage - may include per-tool usage quotas, time-windowed limits, or circuit breakers preventing excessive autonomous tool calls.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Establishing execution monitoring and logging. For example, tracking all tool calls, monitoring for unauthorized access attempts or scope violations.
Evidence
D003.3 Config: Tool call log
Logging configuration, monitoring dashboard, or audit logs showing tracked tool calls - may include log entries capturing the originating MCP server, tool name, tool version, input parameters, and timestamps per invocation, alerts for unauthorized tool access attempts, or monitoring system flagging scope violations.
Tags
Mandatory Control
Technical Implementation
Logs
Requirement
·
Mandatory RequirementControl activity
Implementing code signing and verification processes for AI models, libraries, and deployment artefacts to ensure only digitally signed components are approved for production use.
Evidence
E004.2 Config: Code signing implementation
Code signing configuration, CI/CD pipeline requiring signed artifacts, or verification process for AI components - may include model signing process, signature verification in deployment pipeline, artifact registry showing signed models/libraries, or policy enforcement blocking unsigned components from production.
Tags
Supplemental Control
Technical Implementation
Engineering CodeEngineering Practice
Requirement
·
Mandatory RequirementControl activity
Configuring logging for third-party interactions. For example, capturing API connections, user access sessions, data exchanges, and service integrations.
Capturing access metadata. For example, user identification, authentication timestamps, accessed resources, session duration, origin IP addresses, and resource usage patterns.
Evidence
E009.1 Config: Third-party access monitoring
Logging system or SIEM configuration showing third-party interactions being monitored with captured metadata - may include cloud logging interface (Google Cloud Logging, AWS CloudWatch, Azure Monitor) showing logged API requests with timestamps/IPs/user agents, access logs capturing authentication events and resource access, or SIEM dashboard displaying third-party connection monitoring with relevant metadata fields.
Tags
Mandatory Control
Technical Implementation
Engineering Tooling
Requirement
·
Mandatory RequirementControl activity
Implementing detection and monitoring tools. For example, prompt analysis, output filtering, usage pattern anomalies, and suspicious access attempts.
Evidence
E010.2 Config: AUP violation detection
Code, configuration, or monitoring system detecting acceptable use policy violations - may include prompt analysis logic, output filtering rules, anomaly detection for usage patterns, or alerting on suspicious access attempts.
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing user feedback when policy is breached. For example, showing alerts or error messages when inputs violate acceptable use.
Evidence
E010.3 Demonstration: User notification for AUP breaches
User-facing alerts or error messages displayed when acceptable use policy is violated - may include in-product warning messages, blocked request notifications, or error screens explaining policy violations.
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Real-time monitoring, blocking, or alerting capabilities.
Maintaining logging and tracking systems. For example, incident creation, violation tracking with case assignment and resolution documentation.
Conducting regular effectiveness reviews. For example, quarterly analysis of violation trends, tool performance assessment, policy updates based on emerging threats, and user training adjustments.
Evidence
E010.4 Documentation: Guardrails enforcing acceptable use
Documentation or screenshots showing additional AUP enforcement mechanisms - may include real-time blocking/alerting systems, violation tracking logs with incident management, effectiveness review reports analyzing violation trends and policy updates, or training materials addressing emerging misuse patterns.
Tags
Supplemental Control
Technical Implementation
Engineering Practice
Requirement
·
Optional RequirementControl activity
Implementing defect tracking, continuous improvement, and post-market monitoring. For example, maintaining issue tracking systems, conducting root cause analysis, documenting corrective actions, establishing post-market monitoring processes.
Evidence
E013.3 Config: Issue tracking and monitoring
Issue tracking system or monitoring records - may include issue tracker (Jira, Linear, GitHub) with defects and corrective actions, root cause analysis reports, post-market monitoring logs or dashboards, or continuous improvement documentation showing lessons learned.
Tags
Mandatory Control
Technical Implementation
Engineering Tooling
Requirement
·
Mandatory RequirementControl activity
Capturing system activity details to support incident investigation and behavior explanation. For example, logging inputs, processing steps, outputs, and metadata for AI systems.
Evidence
E015.1 Config: Logging implementation
Logging code or configuration showing what system activity is captured - may include code logging inputs and outputs, logging configuration file specifying what to log, or example log entries showing captured information (timestamps, inputs, outputs, user actions).
Tags
Mandatory Control
Technical Implementation
Logs
Requirement
·
Mandatory RequirementControl activity
Implementing log storage with appropriate retention periods, access controls, and data sanitation to support auditing and incident response.
Evidence
E015.3 Config: Log storage
Log storage system showing retention policies, access controls and sanitation practices - may include log management platform (Datadog, Splunk, CloudWatch) with retention period settings and PII-masking, access control configuration showing who can view logs, or storage settings with automatic deletion rules.
Tags
Mandatory Control
Technical Implementation
LogsEngineering Tooling
Requirement
·
Mandatory RequirementControl activity
Implementing technical controls to ensure logs are tamper-evident and independently verifiable. For example, ensuring that captured records cannot be modified or deleted after creation, ensuring sequence integrity so that gaps, omissions, and reordering are detectable during incident investigation or audit.
Evidence
E015.4 Config: Log integrity protection
Log immutability controls - for example, write-once-read-many (WORM) storage configuration, cryptographic hashing of log entries, append-only database settings, or third-party log management platform features.
Tags
Supplemental Control
Technical Implementation
LogsEngineering Code
Requirement
·
Mandatory RequirementControl activity
Capturing full execution chains of agentic workflows to support investigation of agent-specific incidents. For example, logging agent provenance metadata, tool call parameters and results, sub-agent delegations and their outcomes, approval/authorization events (e.g., human-in-the-loop approvals), and reasoning traces where available.
Evidence
E015.2 Config: AI agent logging implementation
Logging code or configuration demonstrating agent execution logging - may include log fields capturing agent provenance metadata per execution (e.g. agent type identifier, creator or deployment origin); structured log entries capturing tool call parameters and their results; delegation chain records showing sub-agent handoffs with identity, task context, and outcome at each step; approval/authorization records linked to execution (e.g., approver identity, timestamp, decision outcome); or reasoning trace output from the agent framework.
Tags
Supplemental Control
Technical Implementation
Logs
Requirement
·
Mandatory RequirementControl activity
Implementing AI disclosure for text-based interactions. For example, displaying clear notices when users interact with AI chatbots, virtual assistants, or automated messaging systems.
Evidence
E016.1 Demonstration: Text AI disclosure
Text-based AI disclosure - may include chatbot interface with "You're chatting with AI" notice, messaging system showing AI agent identifier, website chat widget with AI disclosure banner, or automated email/SMS with AI generation notice.
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Implementing AI disclosure for voice-based interactions. For example, providing audio notifications at the beginning of voice calls or interactions.
Evidence
E016.2 Demonstration: Voice AI disclosure
Transcript or audio recording of voice AI disclosure.
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Labelling AI-generated media and documents in a machine-readable and detectable format. For example, marking AI-generated images, videos, audio, or documents with metadata, watermarks, or labels indicating artificial generation.
Evidence
E016.3 Demonstration: Labelling AI-generated content
AI generation labeling implementation - may include Content Credentials or C2PA metadata embedded in files, visible watermarking system with AI generation marks, classifier output detecting and flagging AI-generated content, or metadata tagging system marking files as artificially generated.
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Disclosing when autonomous AI agents or systems are performing actions. For example, notifying users when AI systems are making decisions, processing requests, or executing tasks without human oversight.
Evidence
E016.4 Demonstration: Automation AI disclosure
AI automation disclosure in product - may include "Powered by AI" or "AI Agent" labels in interface, workflow dashboard displaying AI-automated tasks, status indicators showing "AI is handling this" or "Automated by AI," or notification messages stating "AI agent completed your request."
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Mandatory RequirementControl activity
Establishing reactive disclosure capabilities when users ask if they are interacting with AI.
Evidence
E016.5 Demonstration: System response to AI inquiry
Chatbot or voice agent transcript responding to "Are you AI?"
Tags
Mandatory Control
Technical Implementation
Product
Requirement
·
Optional RequirementControl activity
Creating transparency documentation for major AI systems. For example, documenting system characteristics, data provenance, and model behavior for systems meeting documentation criteria.
Evidence
E017.2 Documentation: Model cards and system documentation
Transparency documentation artifacts - may include model card (PDF, Markdown, web page) with system capabilities/limitations/intended use, datasheet showing training data sources and characteristics, interpretability report with example inputs/outputs and decision explanations, technical documentation describing model architecture and performance metrics, or an AI Bill of Materials (may follow CycloneDX or SPDX 3.0)
Tags
Mandatory Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Implementing malicious use detection and blocking. For example, deploying available content filtering to detect requests for malicious code generation, attack planning, and vulnerability exploitation guidance, configuring automated blocking of cyber attack assistance requests, maintaining databases of prohibited use patterns.
Evidence
F001.2 Config: Cyber use detection
Content filtering rules blocking cyber attack requests, keyword or pattern matching detecting malicious code generation attempts, automated blocking configuration for exploit development queries, or prohibited use pattern database.
Tags
Supplemental Control
Technical Implementation
Engineering Code
Requirement
·
Mandatory RequirementControl activity
Establishing catastrophic misuse monitoring. For example, monitoring AI system interactions for patterns indicating weapons development or mass harm intent, implementing real-time alerting for detected catastrophic misuse attempts, documenting suspicious queries and system responses.
Evidence
F002.2 Config: Catastrophic misuse monitoring
Monitoring dashboard or alert configuration for catastrophic misuse patterns - may include usage monitoring flagging CBRN-related queries, alert rules for weapons development patterns, logs of detected and blocked catastrophic misuse attempts, or incident records documenting suspicious CBRN-related interactions.
Tags
Supplemental Control
Technical Implementation
Engineering Code
The Security, Safety, and Reliability standard for AI agents
Stay up to date with AIUC-1
