AIUC-1 Alignment Tracker
Live status of ARX's substantive alignment with the AIUC-1 standard, control by control. This is the operating source of truth for "where do we actually stand" — distinct from the readiness plan (program path) and the customer-facing mapping (what tenants inherit). Updated on every PR that touches an AIUC-1 control. Last reviewed: 2026-04-27 (Wave 2 batch 1).
Status disclosure: ARX does not hold an AIUC-1 attestation today. This tracker shows substantive alignment progress against the standard's control set; certification (Type II report) is targeted Q2 2027 after the readiness completion (Q3 2026) and a 6-month observation window. See the communications FAQ for how to read this status.
Status legend
- Met — control is implemented, evidence is collectable, owner named.
- Partial — control is partially in place; specific shortfall noted.
- Gap — no implementation yet.
- N/A — control not applicable to ARX's scope (justified inline).
Coverage is reported as Met / Partial / Gap counts only. Percentage coverage is a number for an audit report, not for a working backlog.
Scope reminder
ARX pursues AIUC-1 under the platform / infrastructure track with a thin builder-track scope for first-party AI surfaces (the LLM router at arxsec-api/app/llm/, the MCP server at arx-mcp-server/, and any LLM-augmented internal feature that ships). Controls below are evaluated against this scope. See the mapping page for the full scope statement.
Summary
| Family | Met | Partial | Gap | N/A |
|---|---|---|---|---|
| SAF — Safety | 1 | 4 | 0 | 0 |
| SEC — Security | 4 | 1 | 1 | 0 |
| REL — Reliability | 3 | 2 | 0 | 0 |
| ACC — Accountability | 2 | 2 | 1 | 0 |
| PRV — Data Privacy | 4 | 1 | 1 | 0 |
| SOC — Society | 2 | 1 | 2 | 0 |
| Cross-cutting | 2 | 2 | 2 | 0 |
SAF — Safety
| Control | Status | Evidence / Gap |
|---|---|---|
| Declared intent manifest enforced at connector boundary | Met | Documented in governance docs; enforcement in connector layer. |
| Behavioral drift detection with severity classification + auto-suspend | Met | Documented; auto-suspend on critical drift. |
| Per-feature manifest for first-party AI surfaces | Partial | Router and MCP surfaces have informal scope; explicit manifests landing with system cards. |
| Adversarial-prompt regression suite for the LLM router | Partial | Scaffold under arxsec-api/tests/llm/red_team/ with 6 starter cases. Real corpus growth incremental. |
| Pre-release eval gate that blocks deployment on regression failure | Partial | pytest entrypoint runs and asserts every BLOCKER case. CI deploy-gate wiring remaining. |
| Red-team program targeting ARX's own AI surfaces | Partial | Customer-targeted red-team primitives shipped; ARX-targeted program documentation pending. |
SEC — Security
| Control | Status | Evidence / Gap |
|---|---|---|
| Tenant isolation at DB layer (RLS) | Met | Inherited from SOC 2 program. |
| Connector scope binding (permitted_operations) | Met | SOC 2 mapping (INV-005). |
| LLM router credential isolation per (org_id, provider) | Met | arxsec-api/app/llm/credentials.py keys lookups on (org_id, provider); never returns cross-tenant keys. |
| LLM router threat model | Met | Eight threats T-1..T-8 documented. |
| MCP server threat model | Met | Eight threats M-1..M-8 documented. |
| Zero-retention agreements with foundation-model vendors, renewal-tracked | Gap | Org / Legal work — not solvable in repo. Tracked under subprocessors. |
REL — Reliability
| Control | Status | Evidence / Gap |
|---|---|---|
| Provider-neutral LLM failover (transient → next; deterministic re-raises) | Met | arxsec-api/app/llm/router.py failover loop; errors.py distinguishes transient from user errors. |
| Circuit breaker per provider, shared via Redis | Met | arxsec-api/app/llm/circuit_breaker.py. |
| Versioning + rollback for agents | Met | SOC 2 mapping CC8.1. |
| SLO / breach-reporting policy for AI surfaces | Partial | Eval pass-rate measurable via the eval harness scaffold; router uptime / MCP availability SLOs not yet published. |
| Failure-mode catalog for AI features | Partial | AI IR playbook defines categories; per-failure runbooks pending. |
ACC — Accountability
| Control | Status | Evidence / Gap |
|---|---|---|
| Connector-side approval gates with audit attribution | Met | Documented in governance docs. |
| Tamper-evident audit chain with witness-bucket signing | Met | Inherited from SOC 2 program. |
| Audit-row attribution for first-party AI router calls (feature + model identity) | Partial | Today, router.py lines 206–210 skip policy/audit when agent_id is absent. Investigation in progress; implementation plan to follow. |
| Disclosure surface — distinguish recommendation vs. determination in UI | Gap | Depends on system-card render endpoint. |
| Named owner per first-party AI feature | Met | System cards name owners. |
PRV — Data Privacy
| Control | Status | Evidence / Gap |
|---|---|---|
| PII redaction at the prompt boundary | Met | Customer-facing mapping; engineering reference TBD. |
| Region-pinned routing | Met | Customer-facing mapping. |
| BYO-KMS | Met | Customer-facing mapping. |
| DPIA covering ARX's first-party LLM use, with foundation-model vendors named | Met | 12 sections; 5 risks R-1..R-5 each with mitigations. |
| Subprocessor disclosure including each foundation-model vendor | Met | Anthropic and OpenAI explicitly named with role, region, zero-retention status. |
| Customer-prompt and model-output retention policy for first-party features | Met | Router does not store prompts or completions (system card "Audit row contents"; DPIA §3.1 step 6). |
SOC — Society
| Control | Status | Evidence / Gap |
|---|---|---|
| EU AI Act risk-band classification of ARX itself, with rationale | Met | LLM router + MCP server: limited risk. Platform: not an AI system per Art. 3(1). Reclassification triggers documented. |
| System card per first-party AI feature | Met | LLM router + MCP server cards published. |
| Bias / fairness eval for any first-party feature affecting people | Gap | Currently no first-party feature meets this trigger; reassess if one ships. |
| Quarterly stakeholder review forum with documented minutes | Partial | Cadence and agenda specified in AI Risk Policy §8; first formal forum scheduled Q3 2026. |
| Per-agent EU AI Act risk classification (tenant-side, surfaced in registry) | Gap | Marketed as a customer-facing capability; engineering reference TBD. |
Cross-cutting / Org-level
| Control | Status | Evidence / Gap |
|---|---|---|
| Board-approved AI risk policy | Partial | Draft operationally authoritative; board ratification scheduled Q3 2026. |
| Named ML/AI lead on org chart | Gap | Recommendation: dual-hat with CISO + external advisor for year one. |
| Vendor risk management program covering foundation-model vendors | Met | Anthropic and OpenAI enrolled as Tier 1 with quarterly reviews; onboarding/decommissioning gates and concentration-risk handling documented. |
| AI-specific incident response playbook | Met | Nine AI incident classes AI-1..AI-9 defined; AI-2 / AI-3 default to SEV-1 with 24-hour notice. |
| Quarterly AI risk review cadence with decision log | Partial | Defined in policy; first forum scheduled Q3 2026. |
| GRC system to hold AIUC-1 evidence | Partial | Recommendation: hybrid (Drata or Vanta for org-level + dogfood ARX for AI-specific). |
MCP-server-specific gaps
| Control | Status | Evidence / Gap |
|---|---|---|
| run_security_scan defaults to require_approval=true for production-tier targets | Gap | Today defaults to false. SAF-MCP.1. |
| Backend cannot downgrade require_approval from a client-supplied flag — verified by regression test | Partial | Believed-correct by inspection; regression test pending. SEC-MCP.1. |
| MCP server defaults to refusing manage_secrets retrieve unless explicit env-var opt-in | Met | arx-mcp-server/main.py refuses unless MCP_ALLOW_SECRET_RETRIEVE=true. |
| MCP server tool allowlist via MCP_ENABLED_TOOLS env var | Met | Filters _get_all_tools and short-circuits call_tool_impl. |
| Per-tool MCP attribution in backend audit row (caller_class, mcp_tool) | Gap | Pairs with the LLM-router ACC.3 audit-attribution change. ACC-MCP.1. |
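The shape of the server-side flag resolution that SAF-MCP.1 and SEC-MCP.1 call for, as an added illustration rather than arx-mcp-server's own code: the backend computes a policy floor from the target tier and a client-supplied `require_approval` can raise but never lower it. Function names, the `tier` field and the tier values are assumptions for the example, and the check is written so a regression test can call it directly.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tier labels (assumption): which target tiers count as production.
PRODUCTION_TIERS = frozenset({"production", "prod"})


@dataclass(frozen=True)
class ScanRequest:
    """Hypothetical shape of a run_security_scan call as seen by the backend."""
    target: str
    tier: str
    # Flag exactly as the MCP client supplied it; None means it sent nothing.
    client_require_approval: Optional[bool] = None


def policy_floor(tier: str) -> bool:
    """SAF-MCP.1: production-tier targets require approval by default."""
    return tier.strip().lower() in PRODUCTION_TIERS


def resolve_require_approval(req: ScanRequest) -> bool:
    """SEC-MCP.1: final flag = floor OR client flag.

    A client may opt *into* approval on a non-production target, but a
    client-supplied False on a production target is ignored, so the flag
    can never be downgraded below the server-side policy floor.
    """
    floor = policy_floor(req.tier)
    client = req.client_require_approval is True
    return floor or client


def downgrade_is_blocked(target: str = "constructed-prod-host") -> bool:
    """Regression-style check: an explicit client False on a production
    target must still resolve to True. Returns True when the control holds."""
    attempt = ScanRequest(target=target, tier="production",
                          client_require_approval=False)
    return resolve_require_approval(attempt) is True
```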