
AIUC-1: The First Compliance Framework for AI Agents w/ Rajiv from AIUC and Danny from Schellman
GRC Engineer
Governance vs Technical Standards
Danny contrasts governance frameworks like ISO 42001 with AIUC-1's technical, updatable testing focus.
Every compliance framework you know was built for deterministic systems. AI agents are not deterministic. That's why AIUC-1 was born.

In this episode, I sit down with Danny from Schellman and Rajiv Dattani, co-founder of AIUC, to break down the first compliance framework purpose-built for AI agents. We cover the six pillars (data & privacy, security, safety, reliability, accountability, societal risks), how the technical testing works with thousands of adversarial simulations, and why tying it to insurance through Lloyd's of London changes the incentive structure for the entire audit market.

Key takeaways:
- AIUC-1 bridges the gap between governance frameworks (ISO 42001) and technical testing
- You can't commoditize it: you either pass thousands of adversarial scans or you don't
- Quarterly updates keep the framework current with the fast-moving AI threat landscape
- Insurance-backed testing means the tester has skin in the game
- The 100-page audit report replaces ~70% of your vendor questionnaire back-and-forth
- Three evidence types: adversarial testing, technical controls (code review), and policies
- Internal agents emphasize security/data privacy; external agents emphasize safety

---

CHAPTERS:
00:00 Introduction & Guest Intros
01:55 Why a New Framework for AI Agents?
04:06 Why Schellman Partnered with AIUC
08:06 Quarterly Updates & The Consortium Model
09:29 The Five Principles Driving AIUC-1
11:36 The Six Pillars: Data, Security, Safety, Reliability, Accountability, Societal
12:38 What You Get: 100-Page Report + Certification
14:22 How Testing Works: Thousands of Adversarial Simulations
16:12 Testing Stochastic Systems: The Entropy Problem
17:05 The Insurance Innovation: From Benjamin Franklin to AI Safety
20:39 Lloyd's of London & Synthetic Loss Data
21:36 Aligning Incentives Through Insurance
23:56 How Enterprises Use AIUC-1: Buyers vs Builders
26:06 Deterministic vs Stochastic: The Compliance Challenge
29:05 SOC 2 vs ISO 42001 vs AIUC-1 Positioning
30:51 Threat Modeling Meets Compliance
35:10 Traditional Security Controls & AI-Specific Risks
38:11 GRC Engineering & Agentic Auditing
42:18 The Hardest Challenge: Articulating Technical Testing
44:46 Closing Thoughts

---

CONNECT WITH GRC ENGINEER:
Newsletter: https://grcengineer.com/subscribe
LinkedIn: https://linkedin.com/in/ayoubfandi
Website: https://grcengineer.com

CONNECT WITH DANNY:
LinkedIn: https://www.linkedin.com/in/danny-manimbo-2b199718/

CONNECT WITH RAJIV DATTANI:
LinkedIn: https://linkedin.com/in/rajivdattani

---

#GRC #cybersecurity #compliance #AIagents #AIUC1 #ISO42001 #GRCEngineering


