Executive Summary
- A certification market for AI agent security has emerged in 2026, but it does not yet close the MCP governance gap. Three frameworks are active: AIUC-1 (agent-level certification), ISO 42001 (organization-level AI management system), and CSA’s MCP Security initiative (protocol-level tooling). Each addresses a different layer. None provides the auditable MCP server governance most enterprise buyers need.
- AIUC-1 is the most operationally relevant new standard for enterprise buyers: it certifies AI agent products (not organizations) against 50+ technical and legal safeguards, is audited by an independent third party (Schellman), and updates quarterly — the Q1 2026 refresh explicitly added MCP security, third-party risk management, and agent identity controls. UiPath became the first enterprise platform certified, March 9, 2026.
- ISO 42001 certification costs $180,000–$320,000 for a mid-market company (200–500 employees), takes 4–9 months, and governs AI management systems at the organizational level — not individual agent deployments. It is the governance backbone; it does not test MCP server behavior.
- The CSA MCP Security initiative (a Cloud Security Alliance project) has published the Top 10 MCP Server Security Risks and Top 10 MCP Client Security Risks, with a formal MCP Security Baseline (v0.1) forthcoming. The community-maintained audit-db tracks public MCP server security assessments. This is scanning infrastructure, not a certification scheme.
- The structural gap: enterprise buyers negotiating AI vendor agreements in 2026 cannot ask a vendor “are you AIUC-1 certified for MCP?” and get a meaningful answer from most vendors. The only certified platform is UiPath. SOC 2 Type II covers MCP gateway infrastructure for a handful of specialized vendors (MintMCP) but the AICPA Trust Services Criteria were not written for autonomous agents — and auditors now treat “no human request” as a formal accountability gap.
What Is Actually Available in 2026
AIUC-1: The First Agent-Level Certification Standard
The Artificial Intelligence Underwriting Company launched AIUC-1 as the first AI agent security, safety, and reliability standard. The standard was developed with input from Orrick, MITRE, Stanford, MIT, and over 500 risk professionals including CISOs from Google Cloud and MongoDB. MITRE now maintains the ATLAS components.
AIUC-1 covers six domains: data and privacy, safety, security, reliability, accountability, and society. On the security dimension, it specifically tests against jailbreaks, prompt injections, and unauthorized tool calls — the three attack vectors most relevant to MCP-connected agents.
Certification requires implementing 50+ technical, operational, and legal safeguards and passing third-party adversarial testing. Schellman — the largest specialized cybersecurity auditor — became the first authorized AIUC-1 auditor in early 2026.
The Q1 2026 quarterly update explicitly added MCP security, third-party risk management, and agent identity and permissions to the AIUC-1 control set. This is direct acknowledgment that MCP-connected agent deployments require distinct controls beyond what prior agent security frameworks addressed.
UiPath became the first enterprise automation platform to achieve AIUC-1 certification on March 9, 2026. The audit covered over 2,000 enterprise risk scenarios across three UiPath products: Intelligent Extraction Processing, Agents, and Autopilot. Certificate validity: 12 months. Technical testing must be repeated every 3 months to maintain validity.
Source credibility: MEDIUM-HIGH. AIUC-1 is a private standard from a commercial certifying body, not an international standards organization. Schellman’s involvement adds auditor credibility. The standard is not peer-reviewed or government-endorsed. UiPath has commercial interest in publicizing the certification.
ISO 42001: Organization-Level AI Governance, Not Agent Certification
ISO/IEC 42001 is an international standard for Artificial Intelligence Management Systems. Published in 2023, it covers the full AI lifecycle: planning, development, deployment, monitoring, and retirement. Schellman is also a leading ISO 42001 auditor — positioning itself as the primary compliance auditor across both tracks.
ISO 42001 is sector-agnostic and applies to organizations that develop, provide, or use AI products and services. High-risk sectors (credit decisioning, clinical diagnostics, public-sector automation) are leading adoption.
What ISO 42001 does not do: it does not test specific MCP server behavior, agent tool access, or prompt injection defenses. It establishes governance processes, not technical controls for agentic architectures.
For mid-market companies, the investment is substantial:
| Company Size | Total First-Year Cost | Certification Timeline |
|---|---|---|
| 50–200 employees | $85,000–$150,000 | 4–6 months |
| 200–500 employees | $180,000–$320,000 | 6–9 months |
| 500+ employees | $350,000–$650,000 | 6–12 months |
| Annual surveillance audit | $8,000–$15,000/yr | Ongoing |
The audit itself runs in two stages: Stage 1 (1–2 days of documentation review) and Stage 2 (3–9+ days evaluating system effectiveness). Recertification every 3 years costs 60–70% of initial fees.
ISO 42001 integrates cleanly with ISO 27001 (information security) — organizations with existing ISO 27001 programs can accelerate ISO 42001 implementation by approximately 2 months. CSA STAR for AI layers additional technical and assurance rigor on top of the ISO 42001 governance backbone.
Source credibility: HIGH. ISO is an international standards body. Cost and timeline estimates are from multiple independent compliance consultants, not the certifying body.
CSA MCP Security Initiative: Tooling, Not Certification
The Cloud Security Alliance launched an MCP Security Resource Center (labs.cloudsecurityalliance.org/mcp) as a community project, with the GitHub organization ModelContextProtocol-Security hosting the primary tooling.
Published work as of April 2026:
- Top 10 MCP Server Security Risks — mapped to CSA CCM/CAIQ/AICM
- Top 10 MCP Client Security Risks — mapped to CSA CCM/CAIQ/AICM
- audit-db — community-maintained database of MCP server audit results and security assessments
- vulnerability-db — tracks CVEs and security advisories
- mcpserver-audit — scanning tool that examines MCP servers for security vulnerabilities, scores findings using AIVSS (AI Vulnerability Scoring System), and publishes to audit-db
Forthcoming: MCP Security Baseline v0.1 — the first structured control baseline specific to MCP deployments.
The CSA initiative provides scanning infrastructure and community intelligence. It is not a certification scheme — no independent auditor attests to an MCP server’s compliance with a standard. The audit-db is community-maintained, not independently verified.
Source credibility: MEDIUM-HIGH. CSA is a recognized security industry organization. Community-maintained databases have variable quality.
The SOC 2 Gap in Agentic AI
The AICPA Trust Services Criteria that underpin SOC 2 audits were written before autonomous agents existed. Auditors in 2026 are applying the existing TSC to AI agent deployments — and finding structural gaps at four control areas.
The most significant: CC6 (logical and physical access controls) requires privileged actions to be traceable to an accountable individual. When an AI agent performs actions using a shared service account or generic system identity, auditors treat this as a formal accountability gap. “Auditors will often treat ‘no human request’ as a major accountability gap.”
The three other failure points:
- CC7 (system operations monitoring): Ephemeral infrastructure creates logging inconsistencies; when short-lived instances are not consistently instrumented, auditors cannot verify controls operated continuously.
- CC8 (change management): If an AI pipeline updates production without a ticket, test artifact, or documented rollback procedure, it conflicts directly with CC8 requirements.
- Data handling: Organizations cannot always trace personal data lineage through training, inference, and logs simultaneously.
SOC 2 covers MCP gateway infrastructure for specialized vendors like MintMCP (SOC 2 Type II, monitored by Drata). What gateway-level SOC 2 does not cover: the behavior of individual MCP servers connected through that gateway, the tool definitions those servers expose, or what happens when server definitions change post-audit.
The market response is predictable: MCP gateway vendors are the first to achieve SOC 2 because they can scope their control environment. Individual MCP server publishers — the ~13,000 on GitHub as of early 2026 — are not in scope.
Key Data Points
| Standard | What It Certifies | Who Audits | Mid-Market Cost | Certification Scope |
|---|---|---|---|---|
| AIUC-1 | AI agent products (vendor-level) | Schellman | Not published | 50+ technical/legal/operational safeguards; adversarial testing |
| ISO 42001 | Organization AI management system | Schellman, A-LIGN, others | $180K–$320K (200–500 employees) | Governance process, not technical agent behavior |
| SOC 2 Type II | Service organization controls | AICPA-licensed auditors | $30K–$150K+ | Gateway infrastructure; does not cover MCP server behavior |
| CSA MCP Baseline v0.1 | Protocol-level control baseline | None (forthcoming) | Free | Scanning tools; not a certification scheme |
| Vendor | Certification Status (April 2026) |
|---|---|
| UiPath | AIUC-1 certified (Schellman, March 9, 2026); ISO 42001 certified |
| MintMCP | SOC 2 Type II (AICPA SOC); HIPAA BAA available |
| Anthropic | ISO 42001 (via Microsoft Azure hosted) |
| Most MCP server publishers | No certification, no attestation |
What This Means for Your Organization
The certification market for AI agent security is emerging at exactly the speed you would expect from a protocol that is 18 months old: faster than the enterprise procurement cycle can validate it, slower than the attack surface is expanding. Three frameworks exist. None closes the full loop.
For a CISO evaluating an AI vendor that uses MCP, the practical procurement question is not “are you certified?” It is four questions: Which MCP servers does your product connect to? Can you contractually commit to notifying us before server definitions change? Do you maintain an immutable audit log of all agent-initiated tool calls? Who is liable when a third-party MCP server causes a breach? The MCP vendor contract governance gap documented in prior research remains unaddressed by any certification scheme in April 2026.
ISO 42001 is worth pursuing for organizations in regulated industries with EU operations or those building proprietary AI systems — the $180,000–$320,000 mid-market cost is real, but EU AI Act compliance for high-risk systems will require equivalent documentation regardless. If ISO 27001 is already in place, the marginal cost drops and the timeline compresses to 4–6 months.
AIUC-1 matters most as a vendor procurement filter, not an organizational certification. Ask vendors whether they are AIUC-1 certified before signing. If the answer is no and MCP connectivity is part of the product, the four MCP contract clauses from the prior corpus research are the substitute: server allowlist obligation, server-definition-change notification, third-party server liability allocation, and audit-log delivery SLA.
The CSA MCP Security Baseline v0.1 will be the first free, protocol-specific control set. When it publishes, it will be the most cost-effective way to assess internal MCP deployments against a structured standard. Worth tracking — no action required until it ships.
If questions about how these frameworks apply to your specific vendor agreements are useful to work through, I’m reachable at brandon@brandonsneider.com.
Sources
-
AIUC-1 Launch — Artificial Intelligence Underwriting Company (2025–2026). https://aiuc.com/research/introducing-aiuc-1. Credibility: MEDIUM-HIGH (private standards body; Schellman auditor adds credibility).
-
UiPath Achieves AIUC-1 Certification (March 9, 2026). https://www.uipath.com/newsroom/uipath-achieves-aiuc-1-certification. Credibility: MEDIUM (vendor announcement; independent audit by Schellman).
-
CSA MCP Security Resource Center (2025–2026). https://labs.cloudsecurityalliance.org/mcp/. Credibility: MEDIUM-HIGH (CSA is a recognized security organization; community-maintained data has variable quality).
-
ModelContextProtocol-Security GitHub (October 2025–present). https://github.com/ModelContextProtocol-Security. CSA community project. Credibility: MEDIUM-HIGH.
-
How AI Agents Impact SOC 2 Trust Services Criteria — Teleport (2026). https://goteleport.com/blog/ai-agents-soc-2/. Credibility: MEDIUM-HIGH (vendor-authored but accurately describes AICPA TSC framework).
-
ISO 42001 Certification Cost Breakdown: What Enterprise AI Teams Pay in 2026 — Elevate Consulting (2026). https://elevateconsult.com/insights/iso-42001-certification-cost-breakdown-what-enterprise-ai-teams-pay-in-2026/. Credibility: MEDIUM (consulting firm estimate; consistent with multiple independent sources).
-
AI Governance and ISO 42001 FAQs — Schellman (2026). https://www.schellman.com/blog/ai-services/ai-governance-and-iso-42001-faqs. Credibility: HIGH (Schellman is a leading ISO 42001 auditor; first authorized AIUC-1 auditor).
-
SOC 2 Compliance with Model Context Protocol — MintMCP (2026). https://www.mintmcp.com/whitepaper-soc2. Credibility: MEDIUM (vendor-authored; SOC 2 Type II certification is independently attested).
-
ISO/IEC 42001 — AI Management Systems — ISO (2023). https://www.iso.org/standard/42001. Credibility: HIGH (international standards body).
-
AIUC-1 Compliance Framework for AI Agent Risk — 360 Advanced (2026). https://360advanced.com/aiuc-1-a-new-compliance-framework-for-ai-agent-risk/. Credibility: MEDIUM (independent compliance firm analysis).
Brandon Sneider | brandon@brandonsneider.com April 2026
See also (wiki)
- ai-cybersecurity — security framework for AI deployments including certification and compliance requirements
- vendor-security-questionnaires — security questionnaire standards and vendor certification expectations
- model-risk-management — third-party model risk and certification requirements for regulated industries