AIUC-1 Research
Emil Bender Lassen
Nov 12, 2025 · 4 min read

Comparison & Mapping: ISO 42001 and AIUC-1

As AI evolves, new standards are needed to ensure security, safety, and reliability. Two standards have emerged with distinct approaches: ISO 42001 focuses on establishing AI governance frameworks and management systems, while AIUC-1 focuses on validating the robustness of safeguards through independent technical testing.

The International Organization for Standardization (ISO) is the world's longest-established international standards body and is trusted across industries. With ISO 42001, published in 2023, ISO introduced an AI Management System standard that focuses on embedding responsible AI principles into governance and culture through leadership reviews, documented objectives, and continuous improvement cycles.

AIUC-1, created by Technical Contributors from MIT, Stanford, Orrick, MITRE, CSA, and other trusted institutions drawing on real-world AI incident data, mirrors elements of ISO 42001, such as requiring regular internal reviews, but is lighter on governance documentation. Instead, AIUC-1 requires evidence of specific technical, operational, and legal safeguards against top enterprise risks. Certified organizations must undergo rigorous independent technical testing to demonstrate that the safeguards work in practice.

Areas where ISO 42001 goes deeper:

  • Management system requirements: Requires internal policies, leadership reviews, and continuous improvement cycles.
  • Documentation of internal processes: Emphasis on documenting AI objectives, responsibilities, and governance structures.
  • Impact assessment and responsible AI objectives: Specific requirements around societal impact assessment and defining responsible AI commitments to customers and employees.
  • Formal update process: Follows the traditional 3-5 year review cycle.

Together, these controls ensure organizations are intentional about how they work with AI and have documented, regularly reviewed decision processes. Organizations demonstrate this with the ISO certificate.

Areas where AIUC-1 goes deeper:

  • Technical and operational safeguards: AIUC-1 requires evidence of specific safeguards against the risks enterprises are most concerned by - such as data leakage, adversarial manipulation, jailbreaking, IP infringement, hallucinations, and harmful outputs.
  • Independent adversarial testing: Rigorous third-party testing of AI systems is required every quarter.
  • Novel AI risk: Risks introduced by newer capabilities and practices, such as tool calls, AI agent configuration, and policies on training on customer data, are covered specifically in AIUC-1.
  • Quarterly updates: AIUC-1 is updated formally each quarter to ensure that the standard evolves as technology, risk, and regulation evolve

Together, these controls ensure that organizations implement the latest technical safeguards and that their AI systems are tested against real-world threats, validating that the safeguards work in practice. Organizations demonstrate this with the AIUC-1 certificate and a comprehensive ~100-page AIUC-1 audit report that can be used in legal and security reviews.

AIUC-1, ISO 42001 or both? If your organization wants to demonstrate that it has implemented best practices for responsible AI governance, ISO 42001 may be ideal. If your organization wants to demonstrate the security, safety, and reliability of its AI systems with a certificate and comprehensive audit report, AIUC-1 may be ideal.

Some organizations choose to pursue both ISO 42001 and AIUC-1; the full mapping linked below highlights the overlap between the two standards. For organizations that already have ISO 42001, pursuing AIUC-1 certification additionally requires:

  • Evidence of specific technical and operational safeguards against AI risks.
  • Quarterly third-party testing of system robustness against harmful outputs, hallucinations, adversarial risks, and other top enterprise concerns.

For organizations that already have AIUC-1, obtaining ISO 42001 additionally requires:

  • Documenting high-level objectives, policies, and governance processes.
  • Formalizing responsible AI commitments in the management system framework.

Read more: Full mapping of ISO 42001 to AIUC-1 and gap analysis.