
Scoping the AIUC-1 audit

AIUC-1 is designed to cover all the risks that matter for secure adoption of AI agents. It has 51 requirements with 130 individual mandatory and optional controls across 6 foundational principles: Data & Privacy, Security, Safety, Reliability, Accountability, Society.

Determining what controls apply to achieve AIUC-1 certification depends on the capabilities and risks of the AI system. For example, an internally facing automation agent with limited data and tool access only needs to demonstrate evidence for 40 controls to achieve certification.

A more powerful agent, such as an externally facing customer service agent spanning both text and voice modalities, with access to sensitive data and to tool calls such as executing refunds, needs to demonstrate evidence for 65 controls.

As such, the key drivers of AIUC-1 scoping are:

  1. The capabilities of the AI agent system (e.g. internally vs. externally facing, single vs. multi modality agents)
  2. The architecture of the AI agent system (e.g. data access and safeguards, tool calls, human-in-the-loop configuration)
  3. The ambition level of the organization - AIUC-1 has 65 mandatory controls and another 65 optional controls that organizations can opt into to demonstrate best-in-class security

Step 1 of an AIUC-1 audit is completing the scoping questionnaire. The questionnaire determines:

  1. What controls are included in the AIUC-1 audit
  2. What agents/systems offered by the organization are included or excluded in the audit

The scoping questionnaire is completed in collaboration with the AIUC-1 auditor. 

Part 1: System documentation & governance

Describe and justify agents in-scope for the AIUC-1 audit

  1. Only include agentic AI systems in the scope - AIUC-1 does not cover other systems
  2. Select agent(s) in scope based on capabilities, risks, and value of external validation
  3. Prioritize agents that are accessible via an external API (this allows a higher number of technical tests; agents accessible only via e.g. a platform UI require a more manual evaluation approach)

Describe systems out-of-scope for the AIUC-1 audit

  • E.g. systems that are not AI native or AI agents with marginal risk profiles.

Describe AI agent system architecture, including:

  1. Deployment model (cloud/on-premises/hybrid)
  2. Infrastructure components (model hosting, API gateways, orchestration layers)
  3. Third-party AI services used (model providers, vector databases, monitoring tools)
  4. How agents interact with internal systems (e.g. list of tool calls)

Document AI agent data flows, including:

  1. Data ingress sources and methods
  2. Where data persists (logs, memory, embeddings, vector stores, caches)
  3. Data transformations and processing steps
  4. Data egress points (model outputs, integrations, external systems)

Has the organization obtained compliance certifications relevant to AI systems?

  1. ISO 42001
  2. NIST AI Risk Management Framework assessment
  3. EU AI Act conformity assessment
  4. FedRAMP authorization for AI systems
  5. HIPAA compliance for AI healthcare applications
  6. PCI DSS compliance for AI payment systems
  7. State-specific AI disclosures (e.g. NYC Local Law 144 bias audit report)
  8. Industry-specific AI frameworks (e.g., FDA AI/ML submissions, financial services AI governance)
  9. Other

Part 2: Agent configuration & capabilities

Are agents internally or externally facing?

  1. Internally / Externally / Both

Additional requirements for external agents

Externally-facing agents trigger A007: Prevent IP violations

List foundation models available to the agent(s)

  1. List - e.g. Claude Sonnet 4.5, ChatGPT 5.2, Gemini 3 Flash

Does your company train or fine-tune its own models?

  1. Y / N
  2. If yes, describe

What are the agent’s input modalities?

  1. Text
  2. Voice
  3. Image
  4. Video
  5. Other files (e.g. .pdf, .docx, .xls, .pptx)
  6. Code
  7. Other

What are the agent’s output modalities?

  1. Text
  2. Voice
  3. Image
  4. Video
  5. Other files (e.g. .pdf, .docx, .xls, .pptx)
  6. Code
  7. Other

  • A007: Prevent IP violations
  • B005: Implement real-time input filtering
  • B009: Limit output over-exposure
  • C003: Prevent harmful outputs
  • C004: Prevent out-of-scope outputs
  • C010: Third-party testing for harmful outputs
  • C011: Third-party testing for out-of-scope outputs
  • D001: Prevent hallucinated outputs
  • D002: Third-party testing for hallucinations
  • E002: AI failure plan for harmful outputs
  • E003: AI failure plan for hallucinations
  • F001: Prevent AI cyber misuse
  • F002: Prevent catastrophic misuse

  • A007: Prevent IP violations
  • B005: Implement real-time input filtering
  • B009: Limit output over-exposure
  • C003: Prevent harmful outputs
  • C004: Prevent out-of-scope outputs
  • C010: Third-party testing for harmful outputs
  • C011: Third-party testing for out-of-scope outputs
  • D001: Prevent hallucinated outputs
  • D002: Third-party testing for hallucinations
  • E002: AI failure plan for harmful outputs
  • E003: AI failure plan for hallucinations
  • F002: Prevent catastrophic misuse

  • A007: Prevent IP violations
  • B005: Implement real-time input filtering
  • C003: Prevent harmful outputs
  • C010: Third-party testing for harmful outputs
  • E002: AI failure plan for harmful outputs
  • F002: Prevent catastrophic misuse

  • A007: Prevent IP violations
  • B005: Implement real-time input filtering
  • C003: Prevent harmful outputs
  • C010: Third-party testing for harmful outputs
  • E002: AI failure plan for harmful outputs
  • F002: Prevent catastrophic misuse

Part 3: Guardrails

What party configures guardrails?

  1. Agent developer / platform (e.g. guardrails are configured automatically for all deployments of the agent)
  2. Agent deployer / customer (e.g. guardrails are configured by individual customers for each deployment)
  3. Both

If Customer/Both:

  1. Is guardrail implementation documented in docs?
  2. Describe

Are guardrails enabled by default?

  1. Describe

Does the agent builder offer support with guardrail implementation?

  1. Describe

Does the agent builder offer evals of the guardrails?

  1. Describe
