Most enterprises will fail AIUC-1 before the audit starts. Here’s the five-layer compliance architecture — built around a central control plane — that covers every domain.
The problem isn’t your models. It’s your architecture.
Right now, most enterprises deploying AI agents have some combination of: a model provider with built-in safety features, a logging tool that captures some events, a handful of policies written by legal that nobody enforces technically, and agents that connect to tools and data with static API keys and no centralized oversight.
That setup will fail AIUC-1. Not because any single piece is wrong, but because there’s no central enforcement point tying it all together.
AIUC-1 auditors don’t ask “do you have safety features?” They ask: “Can you show me, for any agent action in the last 90 days, who authorized it, what policy governed it, and what data it touched?” If the answer requires stitching together logs from five different systems with no common identity or session context, then you’ve already failed E015 (comprehensive action logging). And that’s a mandatory control.
The good news: the path to compliance is clear. It requires five layers, deployed in order, built around a single architectural concept that most enterprises are missing.
That concept is the control plane.
Every mature infrastructure domain has a control plane, a central system that governs how components interact, enforces policy, and provides visibility.
Kubernetes has one. Your network has one. Your cloud provider has one.
AI agents don’t.
Today, agents connect directly to MCP servers, APIs, databases, and internal tools. There’s no central point that authenticates them, authorizes their actions, enforces policy on every request, or logs what happened. Each agent-to-tool connection is a direct, ungoverned link.
This is the root cause of every AIUC-1 compliance failure:
Without centralized enforcement, you can’t prove access control (B006). Agents reach tools through direct connections with broad API keys. There’s no per-agent, per-tool authorization. The auditor asks “which tools can Agent X access?” and nobody knows.
Without centralized logging, you can’t prove accountability (E015). Agent actions are scattered across application logs, tool logs, and model provider logs. There’s no unified audit trail with consistent identity, session correlation, or policy decisions. The auditor asks “show me every action Agent X took last Tuesday” and you’re stitching together five log sources.
Without centralized identity, you can’t assign responsibility (E004). Agents use shared credentials or static tokens. When something goes wrong, you can’t trace the action back to a specific agent, user, or policy decision.
Without centralized policy, governance is just documentation (A003, B007). You write policies saying “agents should only access task-relevant data.” But nothing enforces it. The policy exists on paper, not in the request path. This is how shadow AI undermines compliance frameworks.
The fix isn’t more tools. It’s architecture. Specifically, it’s a control plane that sits in the network path between every agent and every tool: authenticating, authorizing, enforcing, and logging every single request.
That control plane is Layer 1 of the AIUC-1 compliance stack. And everything else from safety to testing to observability to governance depends on it.
AIUC-1 is the world’s first AI agent security, safety, and reliability standard. Built with MITRE, Stanford, MIT, and Orrick. It operationalizes six frameworks: EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS, OWASP LLM Top 10, and CSA AICM.
Six domains, 50+ controls:
A — Data & Privacy: What data can agents access? How is PII protected? How are tenants isolated?
B — Security: Are agents authenticated? Is access controlled? Are endpoints protected from scraping? Is adversarial robustness tested?
C — Safety: Are harmful outputs prevented? Is there a risk taxonomy? Is the system tested before deployment?
D — Reliability: Are hallucinations detected? Are consequential actions confirmed before execution?
E — Accountability: Is every action logged? Is there an incident response plan? Who owns each control?
F — Society: Are there guardrails against catastrophic misuse?
Compliance requires annual audits plus quarterly technical testing.
No single vendor covers all six domains. You need a deliberate architecture: five layers, deployed in sequence. Skip any layer and you’ll fail the audit.
But here’s the critical insight: Layer 1 is not just one layer among five. It’s the control plane for the entire stack. Everything else, logging, testing, observability, governance, depends on having a central enforcement point that sees every request, knows every identity, and records every decision.
This is the foundation. Deploy it first. Everything else depends on it.
What it does: An agentic gateway sits in the network path between every agent and every tool. Every request passes through it. The gateway authenticates the agent, verifies the user context, evaluates policy, enforces the decision, and logs the complete event — all in the request path, before the tool is ever reached.
What auditors actually look for:
Auditors don’t ask “do you have access control?” They ask specific questions that only a control plane can answer:
“For Agent X, show me every tool it accessed in the last 30 days.” — Requires centralized logging with agent identity (E015).
“Show me the policy that governs what this agent can access.” — Requires policy-as-code in the enforcement layer (B006).
“Prove that Customer A’s agent cannot access Customer B’s data.” — Requires tenant isolation enforced at the network layer (A005).
“Who authorized this specific action?” — Requires identity attribution linking every action to a human owner (E004).
“What happens if you revoke this agent’s access right now?” — Requires real-time enforcement, not cached tokens (B007).
A centralized gateway answers all of these from a single system. Without it, you’re assembling evidence from five different tools, hoping they agree.
AIUC-1 controls addressed (8 mandatory controls):
Control | Requirement | How the Control Plane Delivers |
B006 | Limit agent system access | Per-agent, per-tool authorization on every request |
B004 | Prevent endpoint scraping | Rate limiting and behavioral detection at the gateway |
B007 | Enforce user access privileges | SSO/JWT identity verification on every request |
A003 | Limit data collection | Tool-level least privilege — agents only reach authorized tools |
A005 | Prevent cross-customer exposure | Tenant-aware routing and credential isolation |
E004 | Assign accountability | Every action attributed to agent identity + human owner |
E015 | Comprehensive action logging | Full request/response logging with identity, policy, and session context |
E005 | Cloud vs. on-prem assessment | Self-hosted or cloud deployment — your choice |
Why it enables every other layer:
Layer 4 (observability) needs logs → the control plane generates them. Layer 3 (testing) needs a controlled environment → the control plane provides it. Layer 5 (governance) needs enforcement of policies → the control plane enforces them. Layer 2 (safety) needs to know what agents accessed → the control plane tracks it.
Without Layer 1, the other four layers are flying blind.
Implementation with Pomerium:
Pomerium is a zero trust agentic gateway purpose-built for this role. It sits in the network path, enforces identity-aware policy on every request, provides tool-level MCP authorization (not just server-level), tracks sessions across multi-step agent workflows, and generates comprehensive audit trails, all from a single enforcement point.
Deploy it. Route all agent-to-tool traffic through it. Enable audit logging. You’ve covered 8 mandatory AIUC-1 controls and built the foundation for every layer above. (For more on how these controls map to industry security guidelines, see how Pomerium turns SANS critical AI security guidelines into enforceable agentic controls.)
If you don’t have a centralized gateway, you can’t pass AIUC-1. The mandatory controls in Domains A, B, and E require centralized access control, identity attribution, and comprehensive logging. No combination of model safety features, observability tools, or governance documents substitutes for a control plane in the request path.
See how Pomerium delivers Layer 1 →
Controls what the agent says. Independent of what it can access.
What it does: The control plane (Layer 1) governs what agents can reach. Layer 2 governs what agents output. These are different problems. A properly authorized agent can still hallucinate, output PII, generate toxic content, or fall victim to prompt injection.
Layer 2 filters inputs (catching injection attacks before they reach the model) and outputs (catching harmful content, PII, and hallucinations before they reach the user).
AIUC-1 controls addressed:
Control | Requirement | How This Layer Delivers |
C003 | Prevent harmful outputs | Output classifiers detect toxic, dangerous, or biased content |
D001 | Prevent hallucinations | Hallucination detection flags fabricated facts or data |
B005 | Real-time input filtering | Input filters catch prompt injection and jailbreak attempts |
F001/F002 | Guardrails against misuse | Content policies block CBRN and exploitation content |
Tooling: Anthropic Constitutional AI, OpenAI Moderation API, Azure AI Content Safety, AWS Bedrock Guardrails, Protect AI, custom classifiers for domain-specific policies.
Key point: Layer 2 without Layer 1 is incomplete. You can filter harmful outputs all day, but if agents access data they shouldn’t, content filtering can’t fix an access control problem. Both layers are mandatory.
Validates that Layers 1 and 2 actually work.
What it does: AIUC-1 doesn’t accept self-assessment. Mandatory controls require quarterly adversarial testing (B001), pre-deployment safety validation (C002), and periodic third-party evaluation of safety (C004) and hallucination rates (D002).
This layer builds testing into your operational rhythm: automated adversarial prompt suites, red-team exercises, safety benchmarks, and hallucination evaluations that are run every quarter, and documented for the auditor.
AIUC-1 controls addressed:
Control | Requirement | Cadence |
B001 | Adversarial robustness testing | Quarterly |
C002 | Internal testing before deployment | Pre-deployment |
C004 | Third-party safety evaluation | Quarterly |
D002 | Third-party hallucination evaluation | Quarterly |
Services: Schellman (authorized AIUC-1 auditor), HackerOne AI, Bishop Fox, internal red teams with adversarial prompt libraries (MITRE ATLAS attack library).
Key point: Layer 1’s gateway provides the controlled environment for testing. Testers run adversarial scenarios through the control plane, and every test action is logged with full context. Without Layer 1, testing is ad hoc and unauditable.
Turns raw logs into intelligence, anomaly detection, and compliance reports.
What it does: Layer 1 generates comprehensive logs. Layer 4 makes them actionable, aggregating events from the gateway, model, and application layers into a unified view with anomaly detection, dashboards, and automated alerting.
AIUC-1 controls addressed:
Control | Requirement | How This Layer Delivers |
B002 | Detect adversarial input | Anomaly detection flags suspicious request patterns |
E015 | Comprehensive logging (augmented) | Correlates gateway logs with application context |
Tooling: Splunk, Elastic, Microsoft Sentinel, Datadog, Grafana.
Key point: Observability without a control plane is like putting dashboards on incomplete data. Layer 4 is only as good as the logs Layer 1 feeds it. Start with comprehensive gateway logging; add analytics on top.
The organizational layer that turns technology into compliance.
What it does: Technology enables compliance. Governance ensures it. This layer covers the policies, ownership assignments, incident response plans, and vendor management processes that auditors require as documentation.
AIUC-1 controls addressed:
Control | Requirement | Deliverable |
A001/A002 | Data use policies | Written policy: what agents can access, how outputs can be used |
C001 | Risk taxonomy | Formal risk classification document |
E001/E002/E003 | Incident response plans | Playbooks for breach, harmful output, hallucination scenarios |
E004 | Accountability assignments | RACI matrix mapping every control to an owner |
E006 | Vendor due diligence | Evaluation checklist for model providers and tool vendors |
F001/F002 | Misuse guardrails | Documented CBRN and catastrophic misuse safeguards |
Key point: Governance without enforcement is theater. You can write a policy saying “agents should only access task-relevant data” — but without Layer 1 enforcing it on every request, the policy is unverifiable. Auditors will ask: “How do you know this policy is enforced?” Layer 1 provides the answer.
Before you commit to the five-layer model, consider why the alternatives don’t work:
“Model safety alone is enough.” You deploy Anthropic’s safety features and OpenAI’s moderation API. Your agents generate clean, safe outputs. But Agent X is accessing customer databases it shouldn’t touch, with a shared API key that grants access to every table. Content filtering can’t fix an access control problem. You fail B006, A003, and E015.
“We’ll start with SIEM and observability.” You deploy Splunk and build dashboards. But the logs you’re ingesting are incomplete — application-level logs without consistent identity, session context, or policy decisions. The auditor asks “show me every tool Agent X accessed” and your logs can’t answer because there’s no centralized enforcement point generating authoritative logs. You fail E015.
“Governance first — let’s write policies.” You hire a consultant. You produce a 50-page governance framework with beautiful risk taxonomies and incident response plans. But nothing is enforced technically. Agents still connect directly to tools with static API keys. The auditor asks “how do you enforce this policy?” and you have no answer. You fail B006, B007, and A003.
“We’ll bolt security onto our API gateway.” You configure Kong or NGINX with some auth rules. But API gateways don’t understand agent context, session state, tool-level authorization, or delegation chains. They authenticate requests — they don’t enforce agentic policy. You partially cover B007 but fail B006 (tool-level access), E015 (agent-aware logging), and A005 (tenant isolation).
Each of these approaches addresses a piece of AIUC-1. None of them provides the control plane. And without the control plane, the other layers can’t deliver.
The five-layer model works because it starts with the control plane and builds up. Enforcement first. Then safety. Then testing. Then observability. Then governance. Each layer depends on the one below it.
Goal: Every agent request flows through the gateway. Every action is logged. Access is controlled.
Actions: Deploy Pomerium Agentic Gateway. Route all agent-to-tool traffic through it. Enable tool-level authorization policies. Configure identity provider integration (Okta, Azure AD, Google Workspace). Enable comprehensive audit logging. Validate multi-tenant isolation.
Success criteria: 100% of agent requests flow through the gateway. Every request is logged with full identity, policy decision, and session context. Auditor can trace any action to a user identity within 30 seconds.
Controls covered: B006, B004, B007, A003, A005, E004, E015, E005 — 8 mandatory controls from a single deployment.
Goal: Harmful outputs are blocked. Prompt injection is caught. Hallucinations are flagged.
Actions: Deploy input filtering (AWS Bedrock Guardrails or Azure AI Content Safety). Deploy output filtering (Anthropic safety features or Protect AI). Implement hallucination detection. Test with adversarial prompts.
Controls covered: C003, D001, B005, F001/F002.
Goal: Policies are documented, owners are assigned, incident plans are written.
Actions: Write data use policies. Define risk taxonomy. Create incident response playbooks. Build accountability RACI matrix. Establish vendor due diligence process.
Controls covered: A001, A002, C001, E001–E003, E004, E006, F001/F002.
Goal: Continuous validation through quarterly adversarial testing and safety evaluation.
Actions: Engage Schellman or red-team firm for Q1. Automate regression tests for Q2–Q4. Benchmark hallucination rates quarterly. Document all results.
Controls covered: B001, C002, C004, D002.
Every AIUC-1 control, mapped to the layer that addresses it:
Control | Domain | Description | Primary Layer |
A001 | Data & Privacy | Input data policy | Layer 5 |
A002 | Data & Privacy | Output data policy | Layer 5 |
A003 | Data & Privacy | Limit data collection | Layer 1 |
A004 | Data & Privacy | Protect IP | Layer 1 + Layer 5 |
A005 | Data & Privacy | Prevent cross-customer exposure | Layer 1 |
A006 | Data & Privacy | Prevent PII leakage | Layer 2 |
B001 | Security | Adversarial testing | Layer 3 |
B002 | Security | Detect adversarial input | Layer 2 + Layer 4 |
B004 | Security | Prevent endpoint scraping | Layer 1 |
B005 | Security | Real-time input filtering | Layer 2 |
B006 | Security | Limit agent system access | Layer 1 |
B007 | Security | Enforce user access privileges | Layer 1 |
C001 | Safety | Risk taxonomy | Layer 5 |
C002 | Safety | Internal testing before deployment | Layer 3 |
C003 | Safety | Prevent harmful outputs | Layer 2 |
C004 | Safety | Third-party safety eval | Layer 3 |
D001 | Reliability | Prevent hallucinations | Layer 2 |
D002 | Reliability | Third-party hallucination eval | Layer 3 |
D003/D004 | Reliability | Confirmation before consequential actions | Layer 1 + Layer 5 |
E001 | Accountability | Failure plan for breaches | Layer 5 |
E002 | Accountability | Failure plan for harmful outputs | Layer 5 |
E003 | Accountability | Failure plan for hallucinations | Layer 5 |
E004 | Accountability | Assign accountability | Layer 1 + Layer 5 |
E005 | Accountability | Cloud vs. on-prem assessment | Layer 1 |
E006 | Accountability | Vendor due diligence | Layer 5 |
E015 | Accountability | Comprehensive action logging | Layer 1 + Layer 4 |
F001 | Society | Guardrails against misuse | Layer 2 + Layer 5 |
F002 | Society | CBRN safeguards | Layer 5 |
Bold = Layer 1 (control plane) is the primary mechanism. Note how many mandatory controls depend on it.
Starting with governance instead of enforcement. You write policies but can’t prove they’re enforced. Auditors will ask “how do you enforce this?”; and without a control plane, the answer is “we trust the agents to follow the rules.” That’s not compliance. Deploy Layer 1 first, then write policies that match what the gateway actually enforces.
Assuming model safety covers access control. Content filtering prevents harmful outputs. It doesn’t prevent unauthorized data access. These are different attack surfaces. You need both Layer 1 (access) and Layer 2 (content).
Skipping the audit trail. E015 is mandatory. Auditors ask for it in the first 30 minutes. Without comprehensive, centralized logging, you fail immediately. No amount of safety features or governance documentation compensates for missing logs.
Treating AIUC-1 as a one-time project. Quarterly testing is mandatory (B001, C004, D002). If you pass the annual audit and stop testing, you’re out of compliance by month four.
Bolting agent security onto an API gateway. API gateways authenticate requests. Agentic gateways enforce identity-aware, session-aware, tool-level policy. These are architecturally different. If your “agent security” is a set of auth rules on Kong or NGINX, you’re covering B007 but missing B006, E015, A003, and A005.
AIUC-1 compliance is an architecture problem, not a tooling problem. The five-layer model works because it starts with the right foundation — a control plane that sees every request, enforces every policy, and logs every action — and builds safety, testing, observability, and governance on top.
The enterprises that pass AIUC-1 audits didn’t get there by buying a single tool or writing a governance document. They built the architecture.
Layer 1 is the control plane. It’s where compliance starts.
Assess your AIUC-1 readiness. Pomerium maps your agent infrastructure to the five-layer compliance stack and identifies gaps before your auditor does.
Start your AIUC-1 readiness assessment →
Or deploy Layer 1 now: Pomerium’s agentic gateway is open source and deploys in under 30 minutes.
Stay up to date with Pomerium news and announcements.
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
Use Cases
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements.
