
More than 100 AIUC-1 Consortium members and technical contributors took part in this quarter’s update process through a series of CISO roundtables, technical sessions for security practitioners, GRC leaders and auditors, as well as a dedicated peer-review. This work led to 8 requirements and 41 controls being updated, added and removed this quarter.
More than half of all LLM tokens now go to writing code, with coding agent adoption growing rapidly across the enterprise. Coding agents are a different security problem than chatbots. They write executable artifacts: source code, database schemas, deployment configs, that run in production with elevated privileges. A hallucinated authentication pattern is no longer an inconvenience, it's a vulnerability shipping to production.
This quarterly update introduces new AIUC-1 controls to govern coding agent risk:
As the ecosystem of accredited AIUC-1 auditors grows, and the first annual re-certifications approaches, we have released updated public documentation providing better visibility on audit scoping and re-certification.
1. Scoping an AIUC-1 audit
AIUC-1 is designed to cover all the risks that matter for secure adoption of agentic AI, but not every control applies to every agent. A voice agent handling customer calls carries different risk surfaces than a coding agent writing production code.
Scoping an AIUC-1 audit answers two questions:
Read here to find further guidance on scoping the audit.
2. Re-certification
AIUC-1 certification is valid for one year. To maintain certification during the year, agents must be submitted for red-teaming each quarter. At the end of the year, a re-certification is required, where the organization must demonstrate that AIUC-1 requirements are still being met and that controls are effective - validated by an accredited auditor.
Read here to find further guidance on re-certification.
Drawing on audit experience across a range of AI agents - spanning text, voice, image-generation, automation and coding agents - and receiving feedback from auditors and organizations who have undergone the audit, we've clarified existing AIUC-1 requirements:
Read more about the process behind the quarterly updates of AIUC-1 here.
Thank you to the CISOs, security leaders, GRC practitioners, auditors and academics who took part in this quarterly update process - your engagement is critical to ensure that AIUC-1 remains up-to-date and works in practice.
All updates to the standard are documented transparently, with the full changelog accessible here.
