AI Governance - Compliance Evidence

AIUC-1

AIUC-1 is the agent-level certification standard for AI. Six control categories on one evals pipeline: data, security, safety, reliability, accountability, societal risk.

AIUC-1, mapped to your operating evidence.

How the six AIUC-1 control categories map to TrustEvals operating outputs, under the AI Governance control lead. Built for auditors and risk teams. The same trace data that drives your operating view.

The standard names the categories. You set the baseline.

AIUC-1 tells you what to evaluate across six control families. It does not tell you what good enough looks like for a loan-underwriting agent versus a marketing-copy agent. TrustEvals sets the baseline per agent and proves it continuously, so the certification claim has source evidence behind it.

Six AIUC-1 categories. One operating output each.

For each control family, what AIUC-1 expects and what TrustEvals produces from the same trace pipeline.

  • Data. AIUC-1 expects: Personal data handling, classification, minimization, retention, cross-border flow, data-subject rights. TrustEvals produces: Per-tenant data handling log. Classification plus source pointer per interaction. Cross-border flow inventory. Data-subject-request workflow.
  • Security. AIUC-1 expects: Access control, authentication, prompt-injection defenses, tool-call authorization, audit logging. TrustEvals produces: Authorization exception log. Prompt-injection detection rates. Authentication and authorization audit trail per invocation.
  • Safety. AIUC-1 expects: Harmful output filtering, jailbreak resistance, escalation paths, human oversight for consequential actions. TrustEvals produces: Versioned safety baseline. Safety-violation incident log with resolution trace. Human-in-the-loop trigger audit.
  • Reliability. AIUC-1 expects: Groundedness, factuality, multi-turn consistency, performance under load, fallback behavior. TrustEvals produces: Groundedness SLO (rolling 30-day). Multi-turn consistency metric per agent. Documented and tested fallback behavior.
  • Accountability. AIUC-1 expects: Decision provenance, audit logs, human ownership, change history for policy, baseline, prompt, and model. TrustEvals produces: Decision chain per interaction. Human-owner registry. Change log for every policy, baseline, prompt, and model update.
  • Societal risk. AIUC-1 expects: Bias and fairness, demographic parity, impact assessments, disclosure practices. TrustEvals produces: Per-use-case bias evaluation. Versioned impact assessment with named owner. Populated disclosure templates.

AIUC-1 is the agent-level standard.

Most enterprises running AI at scale want both an organization-level standard and an agent-level standard. Here is how AIUC-1 pairs with other frameworks, all on the same evidence.

  • ISO 42001. Organization-level. Certifies that your AI management system runs well end to end. Pairs cleanly with AIUC-1 at the agent level. Same evidence, different certification layer.
  • NIST AI RMF. Risk framework. MEASURE functions map directly to the AIUC-1 evidence. Procurement teams at regulated buyers cite both increasingly often.
  • EU AI Act. Binding law. High-risk system obligations overlap with AIUC-1 reliability and accountability. The same trace data produces Annex IV technical files.

Evidence shape that passes audit.

Three patterns auditors actually look for. The same patterns hold whether the standard is AIUC-1, ISO 42001, or SR 11-7.

Versioned baseline per use case.

A signed-off threshold document. Loan-underwriting agent and marketing-copy agent have different baselines, and the auditor sees both with timestamps and owners.

Trace lineage to a human owner.

Every decision points to the data that informed it, the policy that permitted it, the baseline it was evaluated against, and the human who owns it.

Freshness attestation.

Every artifact timestamped. Evidence current as of today, not last quarter. The auditor can ask what the system was doing yesterday at 3:47 pm and get an answer.

Start with the quick audit.

The quick-entry artifact under AI Governance. Two weeks to an independent operating read: AI value, AI risk, fluency gaps, owners, and the next funded workstream. From there, the AIUC-1 evidence stream runs continuously.

AIUC-1, asked plainly.

No. Certification is done by AIUC Inc. or an authorized third party. TrustEvals produces the evidence the certifier needs, plus the evidence that the certification is still accurate next month. Auditors run the audit.

Scope. ISO 42001 is a management-system standard. AIUC-1 is an agent-level standard. Most enterprises running AI at scale want both.

Yes. The same evaluation data maps to NIST AI RMF MEASURE functions, ISO 42001 Clause 8 (operation), and EU AI Act high-risk requirements. One pipeline, every framework.

Plan on a three-month readiness arc. The work starts by understanding where each agent stands against the AIUC-1 categories, where it is likely to get stuck, and where consolidation or better architecture would make the certification path cleaner.

  • Source-linked. Every recommendation traces back to workflow evidence, owners, and the decision it supports.
  • Board-readable. The output is written as an operating read, not a raw telemetry dump.
  • One read. Route into Strategy, Transformation, Fluency, Governance, or Quick Audit from the same evidence base.