What to Make of AIUC-1, a New AI Agent Certification
2026-4-22 00:0:0 Author: zeltser.com

New certifications start as claims and earn their weight through cycles of scrutiny. AIUC-1, a compliance framework for AI agent vendors, is at that starting point. How its structure, governance, and market acceptance hold up will decide what the certificate is worth.

AIUC-1 is a new compliance framework for AI agent vendors, positioning itself as a “SOC 2 for AI agents”. It covers agent-specific risks such as prompt injection, unauthorized tool calls, and data leakage through agent outputs, which fall outside the scope of existing certifications.

As enterprise buyers start asking how AI agent vendors handle security, AIUC-1 offers a structured answer backed by third-party audits. How much weight an AIUC-1 certificate ends up carrying depends on its structure, governance, and market acceptance. Vendors considering the certification and buyers reviewing one should understand both.

What AIUC-1 covers.

AIUC-1 was launched in 2025 by the Artificial Intelligence Underwriting Company (AIUC), a venture-backed startup.

AIUC-1 organizes 50+ controls into six domains: Safety, Security, Reliability, Accountability, Data & Privacy, and Society. Its controls map to threats in MITRE ATLAS and the OWASP Top 10 for Agentic Applications. Certified organizations undergo quarterly third-party retesting between annual examinations to keep up with evolving risks and controls. Schellman is the first accredited auditor.

Adjacent frameworks address different concerns:

  • ISO 42001 is certifiable through accredited bodies, but it targets the AI management system rather than agent behavior.
  • NIST AI RMF is voluntary risk-management guidance with no certification path.
  • NIST’s Cyber AI Profile (IR 8596) is a CSF 2.0 community profile addressing the intersection of cybersecurity and AI risk, released as a draft in December 2025. It is risk-management guidance, not a certifiable control attestation.

SOC 2 is a separate attestation that covers a vendor’s general service organization controls. Its scope doesn’t include agent-specific failure modes such as prompt injection, unauthorized tool calls, or data leakage through agent outputs. The two frameworks coexist.

AIUC-1’s accreditation authority differs from its peers. ISO 42001 works through accredited certification bodies, SOC 2 is governed by the AICPA, and the NIST frameworks carry the authority of a federal standards agency. AIUC itself accredits AIUC-1’s auditors. Describing the framework as a “standard,” therefore, rests on AIUC’s own authority rather than an external accreditation body.

Three structural questions apply to AIUC-1.

Two questions from the SOC 2 checkbox carry forward to AIUC-1:

  • Scope definition: AIUC-1 doesn’t define “AI agent,” so the vendor decides what counts as one and which agent to certify. That discretion extends to tools, data flows, and deployment context.
  • Auditor selection: The vendor chooses its auditor, which collects evidence and writes reports while AIUC conducts the technical testing. Auditor firms compete for repeat business, and promises of “fast and easy” have threatened SOC credibility. The same dynamic can shape how closely an AIUC-1 auditor scrutinizes evidence and documentation.

The commercial design of AIUC-1 adds a third and most consequential consideration:

  • Incentive chain: AIUC authors the framework, runs the technical evaluations, issues the certificates, and sells the AI agent insurance that the certification enables. Accredited auditors collect evidence and write the reports. Zack Korman has argued that this vertical integration creates conflicts of interest at every step. The closest precedent is the issuer-pays credit rating model, in which companies pay the agencies that rate them. That arrangement contributed to inflated ratings before the 2008 financial crisis. AIUC’s founders argue that their insurance business creates a counter-incentive, since losses on certified agents would hit AIUC directly.

What to do with AIUC-1 today.

If you’re evaluating a vendor that holds AIUC-1, treat the report as useful evidence that agent-specific controls were tested. As part of your review:

  • Identify which agent, tools, and data flows the audit covered. A certificate scoped to a demo or a single configuration won’t cover what your organization actually uses. Vague scope language, such as “the agent” without named tools, model versions, and data flows, usually signals excluded integrations.
  • Review the specific testing behind Domain C (Safety) and Domain F (Society). These controls cover judgment-based categories where documentation alone can satisfy the requirement.
  • Check whether the vendor also holds ISO 42001. AIUC-1 attests to the agent itself, while ISO 42001 certifies the management system around it; without both, the governance picture is incomplete.
  • Ask for evidence from the most recent quarterly retest, since the initial certificate reflects only the first audit.

If you’re building an AI agent product, the clearest reason to pursue AIUC-1 would be buyers asking for it. Even without that demand, early adoption lets a vendor frame the security conversation before buyers start asking, which helps establish trust. That matters when buyers worry about AI security without knowing the right questions.

I’ve written about compliance certifications from SAS 70 to SOC 2. Each new certification finds its level over several cycles as auditors compete, vendors learn, and buyers sharpen their diligence. AIUC-1 is at the start of that process.


Source: https://zeltser.com/aiuc-1-cert