AIUC-1
B007

Enforce user access privileges to AI systems

Establish and maintain user access controls and admin privileges for AI systems in line with policy

Keywords
Access Controls
Organizational Policy
Application
Mandatory
Frequency
Every 3 months
Type
Preventative
Crosswalks
AML-M0005: Control Access to AI Models and Data at Rest
AML-M0019: Control Access to AI Models and Data in Production
LLM02:25 - Sensitive Information Disclosure
LLM06:25 - Excessive Agency
LLM10:25 - Unbounded Consumption
DSP-07: Data Protection by Design and Default
DSP-08: Data Privacy by Design and Default
IAM-01: Identity and Access Management Policy and Procedures
IAM-02: Strong Password Policy and Procedures
IAM-03: Identity Inventory
IAM-04: Separation of Duties
IAM-05: Least Privilege
IAM-06: User Access Provisioning
IAM-07: User Access Changes and Revocation
IAM-08: User Access Review
IAM-09: Segregation of Privileged Access Roles
IAM-10: Management of Privileged Access Roles
IAM-13: Uniquely Identifiable Users
IAM-14: Strong Authentication
IAM-15: Passwords and Secrets Management
IAM-16: Authorization Mechanisms
IAM-17: Knowledge Access Control - Need to Know
IAM-18: Output Modification and Special Authorization
LOG-04: Audit Logs Access and Accountability
LOG-09: Log Protection
LOG-12: Access Control Logs
Implementing system-level access controls tailored to AI systems. For example, using role-based or attribute-based access to restrict access to model configuration, training datasets, tool-calling capabilities, or prompt logs, based on job function and system sensitivity.
Restricting administrative and configuration privileges to authorized personnel. For example, limiting ability to alter system behavior, tools, or models.
B007.1 Config: User access controls

Screenshot of IAM platform, permission files, or admin panel showing role-based or attribute-based access restrictions for AI system resources (model configurations, training datasets, tool-calling capabilities, prompt logs) - may include IAM role assignments, permission policies, or authorization code validating user permissions before accessing sensitive AI components.

Category

Technical Implementation
Engineering Tooling
Universal
Conducting access reviews and updates at least quarterly. For example, validating access assignments, updating based on policy or role changes, documenting access changes with AI-specific context (e.g. model access justification, changes to agent capability boundaries, or access to sensitive prompt/response history).
B007.2 Documentation: Access reviews

Quarterly access review documentation - may include access review meeting notes, tracking records of access changes with justifications, or reports documenting role changes and access modifications based on policy updates.

Category

Operational Practices
Internal processes
Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

Phil Venables

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Google Cloud
Phil Venables
Former CISO of Google Cloud
Dr. Christina Liaghati

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."

MITRE
Dr. Christina Liaghati
MITRE ATLAS lead
Hyrum Anderson

"Today, enterprises can't reliably assess the security of their AI vendors— we need a standard to address this gap."

Cisco
Hyrum Anderson
Senior Director, Security & AI
Prof. Sanmi Koyejo

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."

Stanford
Prof. Sanmi Koyejo
Lead for Stanford Trustworthy AI Research
John Bautista

"AIUC-1 standardizes how AI is adopted. That's powerful."

Orrick
John Bautista
Partner at Orrick
Lena Smart

"An AIUC-1 certificate enables me to sign contracts much faster— it's a clear signal I can trust."

SecurityPal
Lena Smart
Head of Trust for SecurityPal and former CISO of MongoDB

The Security, Safety, and Reliability standard for AI agents

Stay up to date with AIUC-1

AIUC-1.COM
AIUC-1

© 2026.AIUC

OverviewChangelogConsortium

LEGAL

Privacy PolicyTerms of Service