Research | Rajiv Dattani & Emil Lassen
Mar 16, 2026 · 5 min read

Setting the standard for agentic automation

Agentic automation is transforming enterprise operations. But the capabilities that drive the value - autonomy, speed, and system access - are the same ones that drive the risk. This is how we evolved AIUC-1 to address the unique challenges of agentic automation, drawing on insights from Consortium members and Technical Contributors.

For decades, enterprise automation meant scripted execution. That era is ending. Where robotic process automation (RPA) followed deterministic scripts, today's AI agents reason over context, select tools dynamically, and execute multi-step workflows across complex system landscapes - with minimal human involvement.

The business case is compelling: agents can process invoices, resolve support tickets, update records, qualify leads, and manage exceptions at a scale and speed no human team can match.

But the same properties that make agents valuable also increase the impact when things go wrong. An agent that can act is an agent that can act incorrectly - and at machine speed, across integrated enterprise systems, the consequences of a misconfigured or compromised agent are categorically different from those of a misbehaving chatbot. Or, as AIUC-1 Technical Contributor Sanmi Koyejo put it in our recently published whitepaper:

The value proposition of agents is removing humans from the decision loop - but this also removes our most reliable safety mechanism.

Professor Sanmi Koyejo, Leader of Stanford's Trustworthy AI Research Lab

To address this, AIUC-1 has been adapted to meet the unique challenges of agentic automation, drawing on insights from AIUC-1 Consortium members and Technical Contributors, including UiPath. The result is a set of purpose-built controls that reflect the operational realities of deploying agents in enterprise environments, not theoretical risk models.

Why agentic automation requires a different security posture

Traditional automation was predictable by design. A script does exactly what it was written to do - nothing more, nothing less. The security model for RPA was relatively straightforward: control who can deploy automations, log what they execute, and audit outcomes.

AI agents break this model. They do not follow a fixed execution path. They interpret instructions, make decisions about which tools to call, determine what data to retrieve, and in many cases decide when to act without waiting for human confirmation. The same flexibility that makes them useful makes their behavior harder to predict, audit, and constrain.

AI agents are not users. They are software that can reason, call tools, and take action at machine speed. If we give agents the same long-lived credentials and broad permissions we designed for humans, we turn convenience into standing access and standing access into standing risk.

Nancy Wang, CTO, 1Password & AIUC-1 Consortium Member

This shift from deterministic to probabilistic, multi-step execution demands a different approach. Three categories of risk stand out:

  1. Unconstrained system and data access. In enterprise environments, agents are typically granted broad permissions across systems with different sensitivity levels. When an agent is misconfigured, manipulated through prompt injection, or makes an error, those permissions define the blast radius - creating vectors for data exfiltration, unauthorized disclosure, and cross-system leakage that compound in multi-agent architectures.
  2. Tool call integrity and authorization failures. Agents that select the wrong tool or execute without an adequate authorization chain can trigger irreversible outcomes - sent emails, processed payments, modified records - before any human can intervene. Unlike a bad chatbot response, a bad agent action creates downstream effects that are difficult or impossible to unwind.
  3. Loss of human control over autonomous decision-making. As agents handle increasingly complex workflows, meaningful intervention points become fewer and further apart. When accountability is distributed across an orchestration layer, individual agents, and integrated backend systems, establishing who is responsible for a given outcome - and who can reverse it - becomes genuinely difficult.

Specific agentic automation requirements now integrated in AIUC-1

Working with our Technical Contributors and Consortium members, we identified focus areas for agentic automation that have now been implemented in AIUC-1 requirements.

As AI transitions from simple assistants to autonomous actors, traditional security controls are no longer sufficient. Organizations must move beyond high-level governance and adopt technically grounded frameworks to turn AI security into a competitive advantage.

David Campbell, Head of AI Security Research, Scale AI & AIUC-1 Consortium Member

Below we list a subset of the requirements that automation agents must meet to earn AIUC-1 certification, grouped by AIUC-1 principle. The full list contains 40+ requirements, including frequent technical testing of automation-specific risks.

A. Data & Privacy

  • Agent data collection limits - A003: Limit AI agent data access to task-relevant information based on user roles and context when executing workflows.
  • Protect PII in automation flows - A006: Ensure that PII accessed or processed is scoped to task requirements, masked or tokenized where full access is unnecessary, and never persisted in agent memory, logs, or intermediate outputs beyond what’s required for task completion.

B. Security

  • Adversarial testing - B001: Include automation-specific attack vectors such as prompt injection embedded in documents, emails, or tool outputs, attempts to manipulate agent behavior through instruction hijacking across orchestration layers, and adversarial inputs designed to trigger unauthorized tool calls or privilege escalation.
  • Prevent unauthorized actions - B006: Implement technical restrictions that limit agent access to approved backend services and APIs within authorized scope - including network segmentation, API gateway rules, and service-level authorization controls - combined with monitoring and alerting that detects and flags agent actions exceeding defined security boundaries.

C. Safety

  • Human in the loop - C007: Flag agent outputs exceeding defined risk thresholds for human review before execution - including actions that modify sensitive records, trigger financial transactions, or fall outside the scope of the originating workflow.
  • Intervention capabilities - C009: Provide real-time mechanisms for users to pause, override, or redirect agent workflows mid-execution.

D. Reliability

  • Hallucinations - D001 & D002: Continuously evaluate agents for hallucination rates across automation workflows and task types - ensuring factual reliability does not degrade when agents operate across integrated systems, process unstructured data, or handle edge cases outside their training distribution.
  • Tool call verification - D003 & D004: Implement safeguards to prevent tool calls in AI systems from executing unauthorized actions, accessing restricted information, or making decisions beyond their intended scope - and test those safeguards regularly.

E. Accountability

  • Accountability assignment - E004: Define and document clear ownership for each automated workflow - specifying which human or team is responsible for agent behavior, authorized scope, and remediation when outcomes fall outside expected parameters.
  • Log actions - E015: Maintain comprehensive, tamper-evident logs of agent reasoning, tool calls, and outputs across all workflow stages - supporting incident investigation, compliance auditing, and explainability of autonomous decisions.
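To make the requirements above concrete, here is an added Python sketch (not AIUC-1's or UiPath's code) of a tool-call gateway that sits between an agent and its tools. It enforces a per-workflow allow-list (B006, D003), holds calls that exceed a risk threshold for human approval (C007), masks e-mail addresses in arguments before they are logged (A006), and records every decision in a hash-chained, tamper-evident log whose integrity can be verified later (E015). The workflow name, tool names, policy table and amount threshold are constructed placeholders, not values from the standard.

```python
"""Tool-call gateway sketch: scoped tools, review gates, PII masking, tamper-evident log.
Added example; every workflow, tool name and threshold below is constructed."""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed policy: which tools a workflow may call, which always need human
# approval, and above what amount any call is held for review (C007).
WORKFLOW_POLICY = {
    "invoice_processing": {
        "allowed_tools": {"read_invoice", "update_ledger", "send_payment"},
        "review_required": {"send_payment"},
        "amount_threshold": 10_000,
    },
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def mask_pii(obj):
    """Recursively replace e-mail addresses in tool arguments before logging (A006)."""
    if isinstance(obj, dict):
        return {k: mask_pii(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_pii(v) for v in obj]
    if isinstance(obj, str):
        return EMAIL_RE.sub("[email-redacted]", obj)
    return obj


@dataclass
class TamperEvidentLog:
    """Append-only log where each entry hashes the previous entry's hash (E015)."""
    entries: list = field(default_factory=list)

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def evaluate_tool_call(workflow, tool, args, log):
    """Return 'allow', 'review' or 'deny' for a proposed tool call and log the decision.

    Out-of-scope tools are denied outright (B006/D003); in-scope but high-risk
    calls are held for a human (C007); only the remainder proceeds automatically.
    """
    policy = WORKFLOW_POLICY.get(workflow)
    if policy is None or tool not in policy["allowed_tools"]:
        decision, reason = "deny", "tool outside authorized scope"
    elif tool in policy["review_required"] or args.get("amount", 0) > policy["amount_threshold"]:
        decision, reason = "review", "exceeds risk threshold; held for human approval"
    else:
        decision, reason = "allow", "within scope"
    log.append({"workflow": workflow, "tool": tool, "args": mask_pii(args),
                "decision": decision, "reason": reason})
    return decision


if __name__ == "__main__":
    log = TamperEvidentLog()
    calls = [  # constructed sample calls an agent might propose
        ("invoice_processing", "read_invoice", {"invoice_id": "INV-1"}),
        ("invoice_processing", "update_ledger", {"amount": 25_000}),
        ("invoice_processing", "send_payment", {"amount": 50, "payee": "a@example.com"}),
        ("invoice_processing", "delete_records", {}),
    ]
    for wf, tool, args in calls:
        print(tool, "->", evaluate_tool_call(wf, tool, args, log))
    print("log intact:", log.verify())
    log.entries[1]["record"]["decision"] = "allow"  # simulate post-hoc tampering
    print("log intact after edit:", log.verify())
```

The gateway is deliberately the only path to the tools, so the policy check, the review gate and the log entry cannot be skipped by the agent's own reasoning; the `verify()` pass is what an incident investigator would run to confirm the record has not been altered since it was written.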

Several requirements were updated in the January 15, 2026 release of AIUC-1, with additional controls planned for release as part of the April 15, 2026 update.

Outlook for secure, safe and reliable automation agents

Agentic automation may represent the single largest near-term opportunity for AI in the enterprise. The ability to deploy agents that reason, act, and execute complex workflows autonomously - across the systems enterprises already run - compresses the gap between AI capability and business value in a way that no prior technology wave has managed.

UiPath, one of the leading agentic automation platforms and a Technical Contributor to AIUC-1, offers a concrete example of what this looks like in practice.

UiPath has built AI governance into our products from day 1. As a Technical Contributor to AIUC-1, we help define how agent security and reliability should be evaluated.

Sheron Chakalakal, Head of GRC at UiPath

Their approach translates directly into the kinds of controls AIUC-1 requires. A dedicated annotation layer provides structured guidance for document extraction workflows, improving accuracy and reducing the hallucination risk that comes with unstructured inputs. Their AI Trust Layer gives enterprises centralized visibility and governance across all UiPath agents - enabling consistent policy enforcement without fragmenting oversight across individual deployments. And purpose-built agent monitoring tooling allows teams to score agent performance against ground truth datasets in production, closing the feedback loop between deployment and continuous improvement.

These emerging practices directly informed the agentic-specific requirements now codified in AIUC-1 - helping ensure the standard reflects leading security and safety practices.