Free Assessment

Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

Request a Demo

Home

  /

  / Drata Security Awareness Training: Setup, Tracking & Audit Readiness

Drata Security Awareness Training: Setup, Tracking & Audit Readiness

Picture of Pedro Dias
Copy Link

Roughly 60% of data breaches still trace back to a person rather than a system, according to Verizon’s 2025 Data Breach Investigations Report. Earlier editions of the same report put the figure as high as 74%. That single statistic is why every framework Drata supports — from SOC 2 to HIPAA — treats Drata security awareness training as a required control rather than a nice-to-have.

Drata gives you three ways to run that training: automatic tracking across your personnel and recurring resets that keep evidence current for auditors. This guide covers how each piece works, how to configure it, and the quiet mistakes that break compliance.

Drata Security Awareness Training

What Is Security Awareness Training in Drata?

Security awareness training in Drata is the annual cybersecurity education your workforce completes to satisfy personnel-related controls across frameworks. The control language is consistent across audits: security awareness training is provided to all employees on an annual basis. Drata’s job is to deliver or track that training, then hold the completion evidence in one place so you can show an auditor that every current employee and contractor met the requirement for the current cycle.

The discipline itself is well established. The broad concept of security awareness maps to the Protect function (PR.AT) of the NIST Cybersecurity Framework, which treats workforce education as a foundational layer of organizational defense. Inside Drata, training settings live on the Internal Security page, and completion surfaces on the Personnel page and in each person’s My Drata onboarding.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Schedule

Training Methods Available in Drata

Drata supports three approaches, and you choose one on the Internal Security page. They differ mainly in who delivers the content and who supplies the completion evidence.

Drata Embedded Security Awareness Training (Default)

Drata built its own training course that personnel complete directly inside the platform. During onboarding, the employee opens the Complete Security Awareness Training task, clicks Begin Training, and works through the module. On completion, the task flips to completed automatically, and the Personnel page reflects it. No file uploads, no chasing screenshots. This is the simplest route to compliance and the default for most accounts.

Connected Training Provider

If you already run a training platform, you can connect it so completion data flows into Drata automatically. Drata integrates with providers including KnowBe4, Huntress, and Curricula. Once connected, Drata recognizes that provider as your default training source and pulls completion status for the campaigns you select. For each person, Drata combines campaign selection, enrollment, and completion status to decide whether they are compliant.

Insider Note: Drata only syncs training for individuals who are not yet compliant. Once someone is marked compliant, Drata stops pulling their status from the connected provider, so a later change in that tool won’t accidentally overwrite a green check. The practical consequence: if you need to re-run someone, reset them in Drata first, then let the sync pick them back up.

External Training (Evidence Upload)

The third option covers training done entirely outside Drata. Here, evidence is uploaded manually — either by the employee through My Drata, or by an admin on their behalf, depending on configuration. Compliance is determined by the presence of valid evidence — a certificate, screenshot, or other file — for each current person.

How to Configure Security Awareness Training in Drata

Where to Find Security Awareness Training Settings

All training configuration lives in one place. Select your account from the bottom-left navigation, open Settings, then Internal Security. Only account administrators can access this section. The Security Awareness Training section is where you choose your method. If HIPAA or an AI-related framework is enabled on your account, additional training sections appear below it.

Setting Up Security Awareness Training for All Personnel

Under the Security Awareness Training section, select the radio button for your chosen method — embedded, a connected provider, or external upload — then save. That setting applies to all personnel going forward, and new hires see the corresponding task in their onboarding automatically.

Assigning Training to Individual Personnel

Most configuration is account-wide, but you manage individuals from the Personnel page. Select a person to open their detail drawer, where you can view their training status and, for the external method, view or upload evidence on their behalf. This is also where you handle one-off resets, covered further below.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Schedule

HIPAA Training in Drata (If Enabled)

What Is Annual HIPAA Training in Drata?

The HIPAA Security Rule requires covered entities to implement a security awareness and training program for their entire workforce — a standard codified at 45 CFR 164.308(a)(5). If you have purchased the HIPAA framework in Drata, a dedicated HIPAA Training section appears on the Internal Security page so you can track this separately from general security awareness. Personnel complete it annually to address the associated control.

How to Configure HIPAA Training

With HIPAA enabled, the HIPAA Training section offers four options: Drata’s embedded HIPAA training, a connected provider, external training with manual evidence upload by an admin or information security lead, or opting out if HIPAA training is not required for your personnel. Select one and save. If you opt out, Drata removes all references to HIPAA training from the interface. Compliance is based on valid evidence existing for each current employee or contractor.

 

AI Awareness Training in Drata

What Is AI Awareness Training?

AI awareness training covers responsible and secure use of AI tools, and it maps to newer governance frameworks. Personnel should complete it annually to satisfy requirements in frameworks such as the NIST AI Risk Management Framework and ISO 42001. The setting only appears on your Internal Security page when a related framework is enabled on your account.

How to Configure AI Awareness Training

The AI Awareness Training section offers four options that mirror the others: Drata’s embedded AI training, a connected provider, external training with manual upload, or a URL that links personnel straight to an external course from My Drata. With the embedded option, Drata generates a certificate of completion as a PDF and uploads it automatically, viewable from the personnel drawer and in My Drata.

Worth Knowing: AI Awareness Training Sync Requirements

If you plan to sync AI awareness completions automatically through KnowBe4, that content sits in the KnowBe4 Diamond plan, and Drata currently requires the NIST AI RMF framework to be enabled for automated import and tracking. Organizations running ISO 42001 alone do not yet get automatic sync, so plan to handle those completions through manual evidence instead.

Training Status & Compliance

Training Status and Compliance Tracking

Understanding Training Completion Statuses

Status reflects whether a person has completed the current training cycle, not whether they have ever done the training at all. You see a completed or compliant state when current-cycle evidence exists, and Incomplete (sometimes shown as Pending or Failed) when it does not. The Personnel page shows these statuses across your entire roster in dedicated columns, and you can filter by compliance to pull a list of everyone still outstanding.

What Does a “Pending” Status Mean?

A pending status means the person has not completed the ongoing training cycle. It is not an error or a system fault. It is the normal state after onboarding begins, or after a reset, and it stays that way until valid evidence lands.

How to Show Completion of Security Awareness Training

To evidence the control, Drata lets employees upload proof during onboarding and annually thereafter. For the embedded course, completion records itself. For external training, the employee or an admin uploads the file under Complete Security Awareness Training in My Drata. Either way, that completion evidence is exactly what an auditor reviews when sampling your personnel.

Important: Compliance in Drata is judged on the current cycle, not your full history. A reset returns status to Incomplete even though last year’s certificate still sits in the record. Auditors sampling personnel look for evidence inside the current window, so a stack of old completions will not cover a lapsed cycle. Treat the green check as a statement about now, not about ever.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Schedule

Resetting Security Awareness Training in Drata

How Training Resets Work

Annual frameworks expect training to repeat, so Drata lets you reset completed training to push personnel through it again. A reset returns status to Incomplete until new evidence is provided. You can do this automatically on a schedule or manually at any time. Only account administrators or information security leads have access to this functionality.

How to Schedule Recurring Training Resets

On the Internal Security page, under the relevant training section, enable Schedule recurring training resets, choose when resets happen, and save. One option resets training 12 months after each person’s own completion date — dynamically — so each individual’s clock runs from when they actually finished. After you save, anyone who completed more than 12 months ago is reset immediately, and from the next day Drata’s automation checks daily and resets any training older than the configured window.

Pro Tip: Use 12-Month Rolling Renewals

Choose the dynamic "12 months after each person's last completion date" option rather than a single fixed calendar date. A fixed date resets everyone at once — including the person who onboarded last week — which creates a wave of needless retraining and a burst of false non-compliance. The rolling option keeps each person on their own annual cycle and smooths the workload across the year.

How to Reset Training Manually

You reset manually from the Personnel page using the Actions button. The scope depends on whether any individuals are selected when you trigger it.

Resetting Training for All Current Personnel

From the Personnel page, select Actions, then Reset Security Training, making sure no individual checkboxes are selected. With nothing selected, the action applies to all personnel. You will be asked to confirm before anything changes.

Resetting Training for Individual Current or Former Personnel

To reset specific people, check the boxes next to their names first, then choose Actions and Reset security training. To reset a single person, open their detail drawer, click the three-dot menu, and select the reset option. Both paths prompt for confirmation, and resets can be applied to current or former personnel alike.

What Happens After a Training Reset

Once confirmed, the compliance check on the Personnel table, in the detail drawer, and in My Drata onboarding switches to Incomplete or Failed. The person can then retake the embedded course or upload fresh evidence, depending on the method configured in Internal Security settings.

Resetting HIPAA Training in Drata

HIPAA training resets the same way, through its own dedicated action, keeping it cleanly separate from general security awareness. Only admins or information security leads can perform it, and it can be applied in bulk or to individuals.

Reset HIPAA Training for All Current Personnel

From the Personnel page, click Actions and select Reset HIPAA Training with no individuals selected, then confirm when prompted.

Reset HIPAA Training for Individual Personnel

Open a person’s detail drawer, click the three-dot icon, and choose Reset HIPAA Training. After confirmation, their HIPAA status shows Incomplete or Failed, and they retake or re-upload depending on your configured settings.

 

Resetting AI Awareness Training in Drata

AI awareness training resets through the same Actions menu, available if you have purchased the relevant AI framework such as NIST AI RMF. From the Personnel page, select Actions, then Reset AI Awareness Training, or reset an individual from their detail drawer. Confirmation is required before the change takes effect. After a reset, the person’s AI awareness status returns to Incomplete until they complete the current cycle again or new evidence is uploaded, in line with the delivery option selected in Internal Security settings.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Schedule

Policies for Security Awareness Training in Drata

Configuring the training is only half the control. Most frameworks also expect a written policy stating that security awareness training is provided annually. Drata’s policy templates and policy center let you publish that policy and collect personnel acknowledgement alongside the training itself.

This matters more than most teams realize: pairing the policy acknowledgement with completion evidence gives an auditor both the stated commitment and the proof that it was carried out — the combination that closes the control cleanly.

A completed training record without a supporting policy, or a policy without evidence of training, leaves a gap that experienced auditors are trained to find. The ISO 27001 standard, for example, explicitly calls for documented information as part of its competence and awareness requirements, a pattern echoed across virtually every major framework.

 

The Bottom Line

Drata reduces security awareness training to three decisions: how you deliver it, how you keep it current, and how you prove it. Pick a method that matches how your team already works, schedule rolling resets so evidence never goes stale, and remember that auditors care about the current cycle rather than your archive. Get those right, and the human-error problem that sinks so many compliance programs becomes one of the easiest controls to keep green.

Frequently Asked Questions

Does SOC 2 to ISO 27001 mapping guarantee compliance with both frameworks?

No. Mapping shows where control coverage overlaps and where gaps remain. Compliance still depends on designing the controls properly, operating them consistently, and producing evidence that satisfies each auditor. A crosswalk is a planning tool, not a substitute for the work itself.

Industry estimates generally place the control overlap between 60 and 80 percent, concentrated in access control, risk management, incident response, and change management.

The overlap is high enough that the second framework should never be a full rebuild, but it is not complete, because the ISO management system clauses have no SOC 2 equivalent and must be built from scratch regardless of where you are starting from.

Often, yes. A large share of SOC 2 evidence, including access reviews, change tickets, vulnerability scans, and training records, directly supports ISO 27001 Annex A controls.

The catch is that ISO also requires evidence SOC 2 never asks for, such as internal audit reports and management review records, which must be generated separately and cannot be substituted.

Treat it as a living document. Review it at least once a year, and also whenever you add a major system, adopt a new cloud service, change a core process, or when either framework is revised. A mapping that sits untouched between audits is almost certainly inaccurate by the time it is needed.

It depends on your customers. If your buyers are mostly US-based, starting with SOC 2 is common practice. If you sell internationally or need a recognized certificate, starting with ISO 27001 builds the broader management system foundation and tends to make the subsequent SOC 2 faster. Either order works.

What matters is building one security program rather than two. A good SOC 2 guide can help you assess which starting point makes the most sense for your current market and customer base.

For most organizations, ISO 27001 takes more time and effort on the first attempt, mainly because of the management system requirements. SOC 2 has no equivalent to the ISMS clauses, the Statement of Applicability, or the internal audit and management review cycle.

The controls themselves are comparable in difficulty. It is the surrounding management system that makes ISO 27001 the heavier lift, and the reason why arriving from SOC 2, with your control library already built, gives you a meaningful head start.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
Copy Link

Blog Highlights

Explore More Articles

Read More Blogs

Prompt Injection: AI’s Biggest Security Risk

When researchers found that Microsoft 365 Copilot could be tricked into leaking corporate data from a single email, the flaw got a clean public identifier: CVE-2025-32711, severity 9.3. When a bug hunter coaxed ChatGPT into producing valid Windows product keys by framing the request as a guessing game, it got nothing.  Both were prompt injections. Only one is trackable. That Vulnerability Tracking Gap in AI Security, and what it costs defenders, is the subject of this article. What Is a CVE and Why Does It Matter for Software Security? A CVE (Common Vulnerabilities and Exposures) is a unique public identifier for a specific software flaw. It gives the whole industry one name for one bug, so a researcher in Berlin and an analyst in Bahrain know they mean the same thing. The Role of MITRE’s CVE Program in Traditional Vulnerability Management The CVE program is run by the MITRE Corporation, a US nonprofit. Since 1999 it has assigned hundreds of thousands of IDs, each tied to a discrete, reproducible defect in a defined product and version. A CVE is the connective tissue of coordinated disclosure: a researcher reports the flaw, the vendor patches it, the ID is published, and defenders map it to their own assets. Without that shared label, the same bug ends up with three names and no clear owner. The National Vulnerability Database (NVD) and CVSS Scoring The National Vulnerability Database, maintained by NIST, enriches each CVE with a CVSS (Common Vulnerability Scoring System) score from 0 to 10. That lets teams triage: a 9.3 jumps the queue, a 4.0 waits. Why Prompt Injection Breaks the Traditional CVE Model The CVE model assumes a bug lives in code, sits in a version, and can be fixed. Prompt injection violates all three. Prompt Injection as a Class of Attack, Not a Discrete Bug Prompt injection smuggles instructions into the data an LLM reads, so the model follows the attacker rather than the user. OWASP ranks it as LLM01, the top entry in its 2025 Top 10 for LLM Applications. It is a property of how language models work, not one line of faulty code, so you cannot file a CVE against it. A SQL injection either works or it does not. A prompt injection might succeed nine times in ten, fail on the eleventh, then stop working after a silent model update, which makes the “reproducible” part of reporting genuinely hard. Model Versioning vs. Software Versioning Software has clean version numbers. A weight update to a hosted model can ship silently, with no version a researcher can cite. Two calls to “gpt-4o” a week apart may not behave the same way, and there is no changelog to point at. Why “Patching” an LLM Differs From Patching Code Patching code closes a specific hole. A developer rewrites the faulty line, ships the diff, and the exploit path is gone for good. That clean, binary, auditable loop is the entire premise on which the CVE system rests. “Patching” a model offers none of it. There is no single line to fix, because the behavior the attacker abused is the same behavior that makes the model useful: it reads text and follows instructions. A vendor’s only levers, retraining, hardening the system prompt, or wrapping the model in input and output guardrails, all lower the odds of a successful attack rather than removing the possibility. The fix reduces the success rate from 80 percent to 5 percent and marks it as remediated. The hole is narrower, not closed. The recent record shows how thin that margin is. EchoLeak got past Microsoft’s dedicated cross-prompt-injection classifier by hiding its exfiltration channel in reference-style Markdown that the filter did not recognize, and the AgentFlayer exploit slipped through OpenAI’s URL safety check by routing stolen data through trusted Azure Blob Storage links. Each guardrail worked against the obvious version of the attack and fell to a rephrasing. There is a tuning tax on top of that: crank the filters too tight and the model starts refusing legitimate work, so vendors settle for a balance point rather than elimination.  The practical takeaway is to treat “we’ve addressed this” as risk reduction, not closure. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule A Free ASSESSMENT The Current State of AI Vulnerability Tracking Several frameworks exist. None is a true registry of individual, citable prompt injection vulnerabilities. OWASP LLM Top 10 and the LLM01 Classification The OWASP GenAI Security Project’s LLM01:2025 entry is the most cited reference point. It is a category, not a catalog: it does not enumerate specific incidents with IDs. MITRE ATLAS for Adversarial AI Threats MITRE ATLAS is an ATT&CK-style knowledge base of adversarial tactics against AI systems, documenting 16 tactics and more than 80 techniques with real-world case studies as of late 2025. It maps how attacks work, but is not a per-vulnerability ledger with scores. AVID (AI Vulnerability Database) and Its Limitations AVID, run by a nonprofit, is the closest thing to a dedicated AI vulnerability database, cataloging failure modes with reproducible evidence. But it leans on community submissions, skews toward bias and broader failure modes, and notes that the definition of an “AI vulnerability” is itself still a working one. Vendor-Specific Disclosures vs. Industry-Wide Registries Disclosure happens vendor by vendor. OpenAI patched the Windows-key jailbreak server-side; Microsoft fixed EchoLeak and issued a CVE. There is no common venue where these land side by side.   The Consequences of No Shared Threat Registry for Prompt Injection Fragmented Disclosure Across AI Vendors Each lab discloses on its own terms, on its own blog, if at all. A defender protecting a multi-model stack has to monitor a dozen channels and hope nothing slips by. Duplicate Discovery and Wasted Research Effort Researchers rediscover the same attack repeatedly. The guessing-game jailbreak, the “dead grandma” trick, and other framing attacks are variations on one theme nobody numbered. No Standardized Severity Scoring for

Read more

CMMC Requirements for Small Businesses in November 2026

On November 10, 2026, third-party certification becomes mandatory for most small defense contractors that handle Controlled Unclassified Information. That date, the start of Phase 2 of the CMMC rollout, is the one to circle in red.  The framework itself has been binding since the 32 CFR program rule took effect on December 16, 2024, and certification clauses began appearing in new contracts on November 10, 2025. Roughly 73 percent of the Defense Industrial Base (DIB) is made up of small businesses, and a 20-person machine shop now faces the same control set as a prime with a dedicated security team. This guide breaks down what the CMMC requirements for small business actually demand: the levels, the controls, the documentation, the real cost, and the route to certification. What Is CMMC and Who Needs to Comply? The Cybersecurity Maturity Model Certification is the Department of Defense’s program for verifying that contractors protect sensitive federal information on their own systems. For years, contractors simply self-attested compliance with NIST Special Publication 800-171. CMMC ends the honor system. It keeps self-assessment for lower-risk work and adds independent audits for everything else. Two regulations run the program. 32 CFR Part 170 defines the structure, the three levels, and the assessment rules. 48 CFR amends the Defense Federal Acquisition Regulation Supplement and embeds CMMC into contracts through clause DFARS 252.204-7021. The first sets the standard, the second makes it a condition of the award. Compliance is not optional based on company size. If you process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the performance of a DoD contract or subcontract, CMMC applies. The requirement flows down from prime contractors to subcontractors and suppliers at every tier. The main carve-out is for companies that supply only commercially available off-the-shelf (COTS) products. The distinction between the two data types drives everything. FCI is information not meant for public release that is provided by or generated for the government under a contract. CUI is more sensitive: technical drawings, specifications, and procurement data the government requires you to safeguard. Which one you handle sets your level. The fastest way to check is your contract itself. Clauses such as DFARS 252.204-7012, 7019, and 7020 are strong signals that CUI is in scope. CMMC Levels Explained for Small Businesses CMMC has three levels. Most small contractors land at Level 1 or Level 2. Level 3 is reserved for a tiny fraction of the supply chain handling the most sensitive programs. Level 1 covers basic safeguarding of FCI. It maps to the 15 requirements in FAR 52.204-21, things most businesses already do, like using passwords and limiting who can access systems. Self-assessment is permitted and the cost is modest. Level 2 is where the majority of CUI-handling contractors sit. It requires all 110 security requirements in NIST SP 800-171 Revision 2, organized across 14 control families. Some non-prioritized contracts allow an annual self-assessment, but DoD estimates that around 95 percent of Level 2 contractors handle CUI critical enough to require a C3PAO assessment. Level 3 adds 24 selected enhanced requirements from NIST SP 800-172 on top of the full 110, for high-value programs targeted by advanced persistent threats. Assessments are conducted by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a contractor must already hold Level 2 certification before a Level 3 assessment can begin. Fewer than 1 percent of contractors will need it. To determine your level, read the solicitation and ask your prime directly. If any data you touch is CUI, plan for Level 2 and assume a third-party assessment until a contract tells you otherwise. Prepare Your Business for CMMC Compliance Get ready for the November 2026 CMMC deadline with expert guidance. Talk to a CMMC Expert Core CMMC Requirements Small Businesses Must Meet Level 2 requirements break into 14 control families covering 110 individual requirements and 320 assessment objectives. Access Control and System and Communications Protection are the two heaviest domains. In practice, these families fall into two buckets. The technical controls govern how your systems behave: limiting access to authorized users, requiring multi-factor authentication, logging system activity, hardening configurations, encrypting data, and detecting and responding to incidents. The administrative controls govern how your organization behaves: training staff, screening personnel, controlling physical spaces, assessing risk, and documenting everything. A small business cannot skip a family because it is inconvenient. There is no partial credit and no small-business exemption from the 110. Documentation Requirements for Small Business Compliance Assessors evaluate evidence, not intentions. Two documents anchor the entire effort. The System Security Plan (SSP) describes your environment, your CUI boundary, and how you implement each of the 110 controls. It is a living document and the first thing any assessor reads. The Plan of Action and Milestones (POA&M) records gaps, owners, and timelines for fixing them. CMMC scores Level 2 on a 110-point scale weighted by control importance. A score of at least 88 (80 percent) can earn conditional status, but only if certain high-value controls are fully met. Conditional status gives you 180 days to close every remaining item on your POA&M and pass a closeout assessment. Some critical controls cannot be deferred to a POA&M at all. Beyond the SSP and POA&M, you need written policies and procedures for each domain, plus concrete evidence that controls operate as documented: configuration screenshots, training logs, access reviews, and audit records. Pro Tip: Build your SSP Build your SSP before you spend a dollar on tools. Mapping your current state against all 110 requirements first tells you exactly where the gaps are, so you remediate the right things in the right order instead of buying software you may not need. Technical Requirements and Controls A handful of technical controls account for most assessment failures, and they deserve direct attention. The most effective cost and risk lever is scoping: isolating CUI into a dedicated enclave, a defined set of systems and networks, so the 110 controls apply only there rather than across your

Read more

AIUC-1 AI Agent Certification: The Complete Guide

Most security certifications were built for software that follows rules. AI agents do not. They consume data, draw conclusions, call tools, and take action, increasingly without a human in the loop. That gap is what AIUC-1 was created to close: it is the first auditable security standard built specifically for AI agents, and a few enterprise buyers have started asking vendors for it by name. This guide covers what AIUC-1 actually tests, the six risk domains it audits, how the certification process works, what it costs, how long it lasts, and how it aligns with SOC 2, ISO 42001, ISO 27001, and the NIST AI Risk Management Framework. It also covers the structural questions worth asking before you treat an AIUC-1 report as proof of anything. What Is AIUC-1 Certification? AIUC-1 is a certifiable standard for AI agents created by the Artificial Intelligence Underwriting Company (AIUC), a San Francisco-based, venture-backed startup founded by people with experience at organizations including Anthropic. The standard was developed with input from Orrick, Stanford, the Cloud Security Alliance, MIT, and MITRE, and launched in mid-2025. The framework comprises 51 requirements and 130 controls, organized across six risk pillars. It evaluates whether an organization has implemented and tested the technical guardrails, operational practices, and legal policies needed to reduce the risk of unsafe, unreliable, or unauthorized AI behavior. Certification applies to a specific AI system or product, not to the organization as a whole. An AIUC-1 certificate, audit report, and badge tell enterprise buyers that an agent has been independently tested against agent-specific risks. People describe AIUC-1 as the “SOC 2 for AI agents,” and the analogy holds in spirit. The difference is what it looks at. SOC 2 examines a service organization’s general controls. AIUC-1 examines how an agent behaves under pressure: when someone tries to jailbreak it, when it is asked to do something outside its scope, when it has access to data it should not expose. Worth Knowing: About AIUC-1 AIUC-1 does not define what counts as an “AI agent.” The vendor decides which system to certify and what falls in scope. That makes scope the single most important thing to check on any certificate, because a narrowly scoped audit may not cover the agent you actually use. Why AIUC-1 Certification Matters for Enterprise AI Adoption The business case rests on a simple problem: enterprises cannot reliably assess the security of their AI vendors, and the failures are expensive. According to EY research on responsible AI, 64% of companies with over $1 billion in revenue have already lost more than $1 million to AI-related failures.  That gap shows up directly in sales cycles. When security, legal, and procurement teams evaluate an AI vendor, they ask about hallucinations, prompt injection defenses, and what happens when an agent makes an unauthorized call. SOC 2 and ISO 27001 do not answer those questions. AIUC-1 gives buyers a structured, third-party-tested answer, which is why holding the certificate can move a stalled procurement review forward. The certification also produces real engineering outcomes, not just a badge. AIUC has reported cases where a customer service agent’s hallucination rate dropped from 11% to under 2% after strengthening its groundedness filter, and another where inappropriate-tone outputs fell from 9% to under 2% through better defensive prompting and output moderation. One company found and patched a PII exposure vulnerability during the certification process itself. The Six Core Risk Domains Covered by AIUC-1 AIUC-1’s 51 requirements are grouped into six domains. Each targets a category of risk that traditional security frameworks were not designed to handle. Data and Privacy Covers how customer data is used, retained, and protected. Requirements address input and output data policies, limits on what data the agent can access, protection of IP and trade secrets, prevention of cross-customer data exposure, and prevention of PII leakage. This is where the standard forces clarity on whether customer data trains the model and how long it is kept. Security The adversarial-resistance domain. It covers third-party testing of adversarial robustness, detection and real-time filtering of malicious inputs, prevention of prompt injection and unauthorized agent actions, enforcement of user access privileges, and protection of the deployment environment. This is the heart of what separates an agent audit from a general security audit. Safety Focuses on preventing harmful and out-of-scope outputs. Requirements include defining an AI risk taxonomy, conducting pre-deployment testing, preventing harmful and customer-defined high-risk outputs, and flagging high-risk outputs for human review. Safety is partly judgment-based, which means documentation alone can sometimes satisfy a requirement, so the testing behind it deserves scrutiny. Reliability Targets the failure modes that erode trust in production: hallucinations and tool misuse. Controls cover hallucination prevention and restrictions on which tools an agent can call and when. For a customer-facing agent, this is the domain that keeps it from inventing a refund policy or triggering the wrong workflow. Accountability Covers what happens when things go wrong. Requirements include AI failure response plans, vendor due diligence, and clear AI disclosure so users know when they are interacting with an agent. With human workers, accountability is built into org charts and chains of command. Agents need an equivalent, and this domain supplies it. Society The broadest domain, focused on preventing misuse with wider consequences: AI-enabled cyber attacks and CBRN (chemical, biological, radiological, nuclear) misuse. Most enterprise agents will touch only a few of these controls, but they matter for higher-capability systems. Insider Note: Of the 130 total controls, roughly 65 are mandatory, and 65 are optional. A straightforward agent typically needs to meet around 40 controls. A complex, multi-modal agent gets closer to 65. The scoping exercise determines which apply, so two AIUC-1 certificates can represent very different amounts of work. Ready to Earn Your AIUC-1 Certification? Accelerate Your AI Certification Journey Talk to an Expert Who Needs AIUC-1 Certification? AIUC-1 is built for any company developing or deploying agentic AI that sells into enterprises. The strongest fit is an organization whose product uses AI agents in customer-facing operations, handles

Read more