AI Agent Reliability and Provenance in Regulated Procurement
Regulated buyers cannot ship an AI agent on a demo. They need dated, traceable evidence that the agent is both accountable (provenance) and behaves correctly under pressure (reliability). This is the evidence stack, and how to turn it into a board-defensible shortlist, sourced and dated.
In regulated procurement, vet an AI agent against documented, dated evidence rather than vendor marketing, and separate two questions. Provenance asks whether every claim traces back to a dated public source: a SOC 2 Type II report, an ISO 42001 or AIUC-1 certificate from an accredited auditor, three or more named reference customers, a published data processing addendum. Reliabilityasks whether the agent behaves correctly under adversarial conditions: published deflection or accuracy benchmarks with methodology, outcome-based pricing that puts vendor revenue on the result, and agent-specific testing such as AIUC-1's 130 controls. A board-defensible shortlist needs both, each with a source URL and a review date, because a regulator or an internal audit committee will ask you to show your working.
Two different questions, two different evidence types
Regulated procurement fails when the two are conflated. A vendor can be heavily certified and still publish no reliability evidence; another can quote impressive accuracy numbers with nothing to trace them to. Score them separately.
Provenance: can you trace the claim?
Every material claim should resolve to a dated, independent, public artifact rather than a marketing page. These are the artifacts a procurement file can cite.
- SOC 2 Type II reportOperational security controls tested over a 6-12 month window by a third-party assessor. The floor, not the finish line.
- ISO 42001 certificateAI governance at the management-system level, certifiable since late 2023, from an accredited body with a scope statement.
- AIUC-1 certificateAgent-specific certification from the Artificial Intelligence Underwriting Company; Schellman is the first accredited auditor (Feb 2026).
- Named reference customersThree or more customers publicly cited in case studies or press, not an anonymous logo wall.
- Published DPA templateA data processing addendum naming storage regions, retention, and training opt-out; evidence the legal work is done.
Reliability: does it behave under pressure?
Provenance proves a control exists; reliability proves the agent works when a real user, or an attacker, pushes on it. These are the measurable signals.
- Published benchmarksDeflection, accuracy, or quality numbers with a stated methodology, not a marketing headline figure.
- Outcome accountabilityPer-resolution or per-outcome pricing, or a public SLA on uptime, response time, and accuracy, that ties vendor revenue to results.
- Adversarial testingAgent-specific testing against prompt injection and unsafe tool calls, as in AIUC-1's 130 controls, re-tested on a cadence.
- Time in productionMore than six months live with paying customers, so real edge cases and at least one production failure mode have been met.
Why the evidence bar is higher for regulated buyers
Production safety in the AI agent cluster is not yet solved. Gravitee's State of AI Agent Security 2026 survey of more than 900 executives and practitioners found that 88% of organisations had confirmed or suspected an AI agent security incident in the prior year. Red-team research through 2026 has shown that agents under adversarial conditions can be induced to take destructive actions and to disclose personally identifiable information through indirect prompt injection channels. In a regulated environment, that is not an engineering footnote; it is a documented liability the buyer inherits.
The difference between regulated procurement and general SaaS buying is the audit trail. A regulated buyer, whether in financial services, healthcare, government, or insurance, has to be able to show an internal audit committee or an external regulator why a vendor was chosen and what evidence supported the decision. A demo does not survive that scrutiny. A dated certificate from an accredited auditor, a named reference, and a benchmark with a stated methodology do.
That is why this directory stamps every profile with a review date, cites a source URL for each claim, and re-vets quarterly. It is also why a five-of-seven pass bar is deliberately evidence-weighted rather than reputation-weighted: a well-funded vendor with a famous founder but no public references or benchmarks is not procurement-ready, whatever the headlines say.
The 2026 regulatory drivers, dated
Regulation is why regulated buyers need provenance, but the timeline moved in 2026. Here is the current state, with the caveat that dates in this area are still shifting.
EU AI Act. A simplification package adopted in mid-2026, the Digital Omnibus, endorsed by the European Parliament in June 2026 and approved by the Council of the EU on 29 June 2026 (pending publication in the Official Journal), deferred the application of obligations for Annex III high-risk AI systems from 2 August 2026 to 2 December 2027. Transparency obligations under Article 50 still take effect in August 2026. The obligations themselves, on documentation, human oversight, and data governance, are unchanged in substance; only the enforcement timing moved. Buyers in high-risk categories (credit scoring, employment, healthcare, law enforcement, critical infrastructure) should treat the evidence as required regardless of the deferred date.
ISO 42001. The AI-specific management-system standard, certifiable since late 2023, is increasingly named in enterprise procurement RFPs as the AI-specific complement to ISO 27001. It governs how an organisation manages AI risk: policies, risk assessment, human oversight, and continual improvement.
AIUC-1. The agent-specific reliability standard from the Artificial Intelligence Underwriting Company, with Schellman as the first accredited auditor (February 2026). It comprises 51 requirements and 130 controls across six pillars and operationalizes ISO 42001, NIST AI RMF, MITRE ATLAS, and the OWASP Top 10 into agent-specific tests, with certified agents re-tested quarterly. Read the full AIUC-1 explainer.
The board-defensible checklist
Work through all seven with a dated public source for each. Provenance and reliability map onto the same seven-criterion bar this directory applies to every vendor.
- 1.Security and compliance certificationsProvenanceSOC 2 Type II plus ISO 27001, ISO 42001, or AIUC-1. Confirm Type II and the current report date.
- 2.Public reference customersProvenanceThree or more named, publicly cited customers you could in principle call.
- 3.Pricing transparencyProvenancePublic pricing or a triangulated third-party range, not contact-sales alone.
- 4.Data residency and training opt-outProvenanceA findable, written statement of storage regions, retention, and opt-out, ideally a linked DPA.
- 5.Outcome accountabilityReliabilityOutcome-based pricing or published benchmarks with methodology, or a public SLA.
- 6.Time in marketReliabilityMore than six months in production with ten or more paying customers.
- 7.Team compositionProvenanceA public team page with named founders and a named engineering or research lead.
See the 16 vendors that clear this bar in the vendor matrix, or read each criterion in full on the vetting criteria page.
Sources
- artificialintelligenceact.eu - EU AI Act implementation timeline (Annex III high-risk, Article 50 transparency)
- schellman.com - Schellman becomes first accredited AIUC-1 auditor (Feb 2026)
- iso.org - ISO/IEC 42001 AI management-system standard
- vendr.com/buyer-guides - Third-party pricing triangulation for contact-sales vendors
Editorial guide, reviewed July 2026. Not compliance certification; verify current certification status and regulatory obligations directly with each vendor and with counsel before purchase. Full source index at /sources.