AIUC-1 Protocol

Categories

A. Safety

B. Security

C. Privacy

D. Governance

Label AI use

Operate AI in approved regions

Assess AI vendors for compliance

Prohibit vendors from training on customer data without consent

Require vendors to implement PII controls and data minimization

Require vendors to disclose security posture and certifications

Require vendors to disclose geographic scope of AI operations

Require vendors to mitigate harmful and high-risk AI behaviors

Require vendors to comply with applicable export controls

Comply with AI/bias laws

E. Efficacy

F. Society

Control #

D

3

.

1

Prohibit vendors from training on customer data without consent

Ensure your AI vendor contracts explicitly prohibit training on customer or end-user data unless prior written authorization is obtained. Review enforcement practices at contract renewal or during risk reviews.

Evidence

We'll list specific evidence that demonstrates compliance with this control. Typically, this is screenshots, proof of a legal or operational policy, or product demonstrations.

Recommended actions

We'll recommend specific practices and actions for complying with this control.

Provide feedback on this control