AIUC-1 Research
Rajiv Dattani & Emil Lassen
Apr 15, 2026 · 4 min read

Q2-2026 update: Strengthening MCP security, agent permissions & third-party risk

AI capabilities are reshaping cybersecurity faster than most frameworks can adapt - Mythos Preview is the latest proof point. AIUC-1 is updated quarterly to keep pace with shifts in technology, risk, and regulation. This quarter's refresh focused on MCP security, third-party risk management, and agent identity and permissions.

More than 120 AIUC-1 Consortium members and technical contributors took part in this quarter's update process through a series of CISO roundtables, technical sessions, and peer reviews. This work led to 14 requirements and 23 controls being updated or added.

Executive summary of standard updates

New controls for MCP and A2A protocol security

Without dedicated controls governing MCP and A2A, agents are left exposed to prompt injection, tool poisoning, and supply chain attacks. These interfaces are already being actively exploited - in one notable case, a widely used third-party MCP server for Figma (CVE-2025-53967) failed to sanitize user input, giving unauthenticated attackers full remote code execution on developer machines.

This quarterly update strengthens AIUC-1 controls to govern MCP and A2A security across authentication, transport, runtime containment, and logging:

  • MCP server access and containment: Agent connections are now restricted to approved MCP servers (B006.1), and a new supplemental control requires runtime sandboxing for MCP server execution environments (B006.3).
  • Authentication and transport security across all AI interfaces: Caller authentication now explicitly covers model APIs, MCP, and A2A channels (B008.2), with a new core control for encrypted data in transit across those same interfaces (B008.3). A supplemental control adding cryptographic message signing for A2A and schema validation on MCP tool call I/O (B008.4) is included.
  • Tool call governance extended to MCP: Tool authorization and input/output validation now apply to MCP server tool calls (D003.1), and logging requirements include MCP server-level metadata like tool name and input parameters (D003.3).
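As an added illustration of the MCP controls above (not AIUC-1's own code, and not any MCP SDK API), here is a minimal policy enforcement point that an agent runtime could place in front of outbound tool calls: it allowlists servers (B006.1), authorizes each (server, tool) pair per agent (D003.1), validates the call's input against a declared schema (B008.4), and writes an audit record carrying the tool name and parameters (D003.3). The server names, agent ids and schemas are constructed for the example.

```python
import json

# Constructed policy data for this example (hypothetical servers and agents).
APPROVED_SERVERS = {"filesystem-mcp", "tickets-mcp"}  # B006.1: approved MCP servers only
TOOL_ALLOWLIST = {  # D003.1: which (server, tool) pairs each agent may call
    "support-agent": {("tickets-mcp", "get_ticket")},
    "ops-agent": {("filesystem-mcp", "read_file"), ("tickets-mcp", "get_ticket")},
}
# B008.4: declared input schema per tool, argument -> (expected type, required?)
TOOL_SCHEMAS = {
    ("tickets-mcp", "get_ticket"): {"ticket_id": (int, True)},
    ("filesystem-mcp", "read_file"): {"path": (str, True), "encoding": (str, False)},
}


class PolicyViolation(Exception):
    """Raised when a tool call fails any policy check."""


def validate_input(schema, args):
    """Reject missing required keys, unknown keys and wrong types (bool is not int)."""
    for key, (typ, required) in schema.items():
        if key not in args:
            if required:
                raise PolicyViolation(f"missing required argument {key!r}")
            continue
        if not isinstance(args[key], typ) or (typ is int and isinstance(args[key], bool)):
            raise PolicyViolation(f"argument {key!r} must be of type {typ.__name__}")
    extra = set(args) - set(schema)
    if extra:
        raise PolicyViolation(f"unexpected arguments {sorted(extra)}")


def authorize_tool_call(agent_id, server, tool, args, audit_log):
    """Return True if the call is permitted, else raise PolicyViolation.

    Every decision, allowed or denied, is appended to audit_log as a JSON
    line that carries the tool name and input parameters (D003.3).
    """
    record = {"agent": agent_id, "server": server, "tool": tool, "args": args, "decision": "deny"}
    try:
        if server not in APPROVED_SERVERS:
            raise PolicyViolation(f"server {server!r} is not an approved MCP server")
        if (server, tool) not in TOOL_ALLOWLIST.get(agent_id, set()):
            raise PolicyViolation(f"{agent_id!r} is not authorized to call {tool!r} on {server!r}")
        schema = TOOL_SCHEMAS.get((server, tool))
        if schema is None:
            raise PolicyViolation(f"no declared input schema for {tool!r}; call denied")
        validate_input(schema, args)
        record["decision"] = "allow"
        return True
    except PolicyViolation as exc:
        record["reason"] = str(exc)
        raise
    finally:
        audit_log.append(json.dumps(record, sort_keys=True))
```

A real deployment would also verify the caller's identity before this point (B008.2) and forward the audit lines to the central log.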

Strengthening controls for third-party risk management

While traditional third parties are static and known in advance, AI-specific third parties like MCP servers, third-party agents, and plugin registries are discovered and connected dynamically at runtime - creating an attack surface that shifts with every execution.

This quarterly update extends AIUC-1 to address both types of third-party risk management:

  • Third-party access monitoring: This is now a mandatory requirement (E009), aligned with security best practices.
  • Vendor due diligence requirements: This is supplemented by existing requirements (E006) that cover data handling, PII controls, security, and compliance for upstream providers.

Third-party risk remains a priority area and further updates are expected in the July 15 release. For example, Consortium members have proposed strengthening third-party access governance and detection capabilities, with work ongoing to explore how this could be integrated in the standard.

Governing agent identity, permissions, and access management

Agent identity, permission and access management is becoming a critical concern as agents take on more autonomous actions, from executing multi-step workflows across connected systems to spawning sub-agents that may inherit broad permissions with no audit trail. We've extended controls to address this directly:

  • Agent identity governance: A new supplemental control requires unique, cryptographically verifiable agent identities to ensure each agent can be distinctly identified and authenticated (A003.3).
  • Agent access and permissions management: A companion supplemental control requires permission-ready architecture for agent access governance, such as just-in-time permissions, to limit the scope and duration of agent privileges (A003.4).
  • Existing access and action controls: Existing requirements already restrict what data (A003) and tools (D003) agents can access, and how permissions are enforced (B006). The new controls add the identity and permissions layer connecting the two.

The peer review made clear that best practices for agent identity and access management are still maturing - AIUC-1 controls will continue to be refined as the industry evolves.

Looking ahead: Work has begun for the July 15, 2026 update

As this quarter’s update is being released, the work is already underway for the next quarterly update in July. This iterative process enables further research and in-depth technical sessions on areas where solutions are still forming.

Priority areas already emerging include:

  • Responding to the implications of Mythos: Autonomous vulnerability discovery and exploit chaining raise the bar for adversarial testing, remediation timelines, and output security controls.
  • AIUC-1 for coding agents: Agents that write and deploy code need dedicated controls covering vulnerability scanning, review workflows, and deployment restrictions. This work has already begun, and two coding agent platforms have started their certification process.
  • Rise in browser agents: As the agent surface expands, new isolation, permissions, and untrusted content handling requirements will be necessary.
  • Stronger agent identity governance: Expanding this quarter's foundational controls into more mature identity lifecycle and access management practices will continue to be a priority.

Read more about the process behind the quarterly updates of AIUC-1 here.

Thank you to the CISOs, GRC practitioners, security leaders, legal experts, and academics who took part in this quarterly update process - your engagement is critical to ensure that AIUC-1 remains up-to-date and works in practice.

All updates to the standard are documented transparently, with the full changelog accessible here.