Certification Standard · Deployer

Ethical Use of AI Management Standard

— EUMS v1.0

EUMS establishes requirements for organisations that deploy, procure, operate, oversee, or rely upon AI systems. It is intended to provide independent assurance that AI is used responsibly, transparently, safely, lawfully, and with meaningful human accountability — regardless of sector, geography, or vendor.

Document control

Version
1.0
Status
Ratified
Domains
10 (EU01–EU10)
Risk tiers
4
Maturity
L1–L4

Section 1 · What EUMS is

A certification standard for organisations that deploy or procure AI.

EUMS is the Ethical Use of AI Management Standard — an independent certification standard for organisations that buy, deploy, or rely on AI systems built by others. It is focused on the three things regulators, boards, and customers actually ask about: governance, accountability, and risk management.

EUMS does not assess the underlying model. It assesses the organisation around the model — the policies, the people, the vendor controls, the incident handling, and the disclosures.

Section 2 · Scope

A deployer standard. Not a builder standard.

EUMS applies to

  • AI procurement
  • AI deployment
  • AI-assisted decision making
  • AI governance
  • AI oversight
  • AI monitoring
  • AI workforce impacts
  • AI vendor management

EUMS does not assess

  • Model architecture
  • Training methodology
  • Underlying model development

Those are addressed by AIMSS. Organisations may hold one or both certifications.

Section 3 · The standard at a glance

The five domains of EUMS.

EUMS is organised around five domains. Each corresponds to a question that a regulator, board member, or customer is entitled to ask, and that a certified organisation must be able to answer in writing.

  1. §3.1 · AI Governance Framework

     A written framework establishing accountability for AI inside the organisation: an accountable executive, an AI register, an acceptable-use policy, and clear escalation paths.

  2. §3.2 · Risk Assessment & Classification

     Every AI system in use is classified by risk tier and assessed for privacy, rights, bias, workforce, and safety impacts before deployment. High-tier systems receive heavier controls.

  3. §3.3 · Vendor & Supply-Chain Accountability

     Suppliers are evaluated, their claims independently verified, contracts reviewed for AI-specific terms, and exit plans maintained. AI procurement is treated with the same rigour as any critical supplier relationship.

  4. §3.4 · Ongoing Monitoring & Incident Response

     Deployed systems are continuously monitored. An incident register is maintained. Failures are investigated and corrected on a defined cadence, and certification is at risk if they are concealed.

  5. §3.5 · Transparency & Stakeholder Communication

     Affected persons are informed when AI is used in a decision that concerns them, given meaningful explanations, and offered a route to appeal. Public transparency statements are maintained.

The full standard expands these into ten technical control domains (EU01–EU10) below, each with shall-statements, required evidence, and review cadence.

Section 3A · Applicability

Who EUMS applies to.

Enterprises using third-party AI tools

Any organisation embedding AI from external vendors into customer-facing or internal workflows — copilots, content tools, decision support, automation platforms.

Organisations deploying AI in regulated industries

Healthcare, financial services, insurance, legal services, education, and public-sector bodies whose AI use already attracts regulatory scrutiny under sector rules.

Procurement teams embedding AI into workflows

Procurement, vendor management, and transformation functions seeking a defensible standard to apply across new AI purchases and to require of their suppliers.

Section 3B · Certification process

What certification involves.

  1. Step 01 · Self-assessment intake

     A structured four-step application capturing your organisation, AI use, governance posture, and contact.

  2. Step 02 · Structured audit

     An Ethicality assessor evaluates documentary evidence and conducts interviews against the EUMS framework.

  3. Step 03 · Board review

     Findings are escalated to the Ethicality board for final review and certification decision.

  4. Step 04 · Blue Ribbon issuance

     On approval, the Blue Ribbon mark is issued and the organisation is published to the Public Registry.

Section 3C · Comparison

EUMS, internal policy, and doing nothing.

Most organisations are already partway through an internal AI-policy exercise. EUMS converts that work into independently verified evidence of due care.

Dimension               | Doing nothing               | Internal policy only               | EUMS certification
------------------------|-----------------------------|------------------------------------|---------------------------------------------------------------------
Independent assurance   | None                        | Self-declared                      | Verified by an independent assessor
Evidence for regulators | Reactive, ad hoc            | Internal documents only            | Structured evidence aligned to EU AI Act, NIST AI RMF, ISO/IEC 42001
Board defensibility     | Personal liability exposure | Partial; depends on quality        | External attestation the board can rely on
Vendor leverage         | Limited                     | Internal guidance, not contractual | Standardised vendor controls and exit plans
Continuous oversight    | None                        | Optional internal review           | Surveillance visits and incident register required
Public credibility      | None                        | Internal only                      | Blue Ribbon mark and public registry entry

Why deployers adopt EUMS

Risk down. Cost down. Confidence up.

EUMS is built for organisations using AI from third-party vendors. It is designed to reduce legal and reputational risk, lower the cost of regulatory compliance, and protect the business — by formalising the governance most companies already partly run, and giving it independent assurance.

Defensible position

An AI register, Use-Side Impact Assessments (USIAs), and human-oversight records are the documents regulators and plaintiffs ask for first. Having them ready de-risks enquiries before they escalate.

Lower compliance cost

One evidence programme maps to EU AI Act deployer duties, the Colorado AI Act, NYC Local Law 144, and the California CPPA ADMT rules, so the same artefacts can be reused across each enquiry rather than assembled separately for each regime.

Vendor leverage

Standardised vendor assurance and exit-plan requirements give procurement real bargaining power and reduce lock-in to a single AI supplier.

Insurance and board reassurance

Independent certification is increasingly accepted as evidence of due care in D&O, professional indemnity, and cyber policies.

Proportionate, not punitive

Tier 1 internal copilots get a light baseline. Heavy controls only apply where AI affects rights or major decisions. No blanket burden.

Reuses existing controls

Procurement, privacy, HR, and internal-audit functions already produce most of the evidence. EUMS connects them, it does not duplicate them.

Ethicality is a certification body, not a regulator. EUMS does not create new legal obligations — it provides independent evidence that the obligations your business already carries are being met.

Section 4 · Deployer risk classification

Every AI system shall be classified. The tier follows what the system touches and decides, not where it runs: an internal tool that influences hiring or lending decisions about individuals is Tier 3, whatever its user interface.

Tier 1 · Operational AI
  Examples: internal copilots, meeting assistants, search tools.
  Impact: no external impact; no rights impacts.

Tier 2 · Customer Facing AI
  Examples: chatbots, recommendation engines, customer-service automation.
  Impact: external interaction; limited consequence.

Tier 3 · Consequential AI
  Examples: hiring, lending, healthcare, insurance, education.
  Impact: influences decisions affecting individuals.

Tier 4 · High Consequence AI
  Examples: public services, policing, immigration, welfare, autonomous consequential decisions.
  Impact: significant rights impacts.

Section 5 · Control domains

Ten mandatory domains.

Each domain states what the organisation shall do, the evidence required, and the review cadence.

EU01

Governance & Accountability

The organisation shall:

  • maintain an AI governance framework;
  • designate an accountable executive;
  • maintain an AI register;
  • establish an AI acceptable use policy;
  • define escalation procedures.

Required evidence: Governance Charter · AI Policy · Organisational Chart · AI Register

Review cadence: Annual

EU02

Inventory & Classification

The organisation shall:

  • maintain a complete AI inventory;
  • assign a risk tier to each system;
  • assign a system owner;
  • review upon any material change.

Required evidence: Inventory · Classification Records · Ownership Records

Review cadence: Continuous

EU03

Procurement & Vendor Assurance

The organisation shall:

  • evaluate vendors before procurement;
  • independently verify vendor claims;
  • review contracts for AI-specific terms;
  • maintain exit plans so that no single supplier becomes a lock-in.

Required evidence: Vendor Reviews · Procurement Records · Contracts · Exit Strategies

Review cadence: Annual

EU04

Use-Side Impact Assessment

The organisation shall:

  • conduct a Use-Side Impact Assessment (USIA) before deployment of Tier 2–4 systems;
  • evaluate privacy, human-rights, bias, workforce, and safety impacts;
  • document mitigation controls and executive approval.

Required evidence: Completed USIA · Mitigation Plan · Executive Approval

Review cadence: Annual

EU05

Transparency & Disclosure

The organisation shall:

  • inform affected persons when AI is used;
  • provide meaningful explanations;
  • disclose synthetic content;
  • maintain public transparency statements.

Required evidence: Notices · Disclosure Templates · Explanation Procedures

Review cadence: Annual

EU06

Human Oversight & Appeals

The organisation shall:

  • maintain meaningful human review of AI-assisted decisions;
  • permit escalation of a decision to a human reviewer;
  • permit affected persons to appeal;
  • track overrides of AI outputs.

Required evidence: Review Procedures · Appeal Records · Override Logs

Review cadence: Quarterly

EU07

Workforce & Stakeholder Protection

The organisation shall:

  • assess workforce impacts;
  • consult affected groups;
  • maintain anti-retaliation protections;
  • monitor workplace effects.

Required evidence: Consultation Records · Impact Assessments · Complaint Logs

Review cadence: Annual

EU08

AI Literacy & Competence

The organisation shall:

  • train personnel;
  • train reviewers;
  • train executives;
  • assess competency.

Required evidence: Training Records · Completion Logs · Competency Framework

Review cadence: Annual

EU09

Monitoring & Incident Management

The organisation shall:

  • monitor deployed systems continuously;
  • maintain an incident register;
  • investigate failures on a defined cadence;
  • correct deficiencies and record the corrective action.

Required evidence: Incident Register · Corrective Actions · Monitoring Reports

Review cadence: Continuous

EU10

Management Review & Improvement

The organisation shall:

  • conduct an annual management review;
  • evaluate effectiveness;
  • review incidents, complaints, and performance metrics.

Required evidence: Management Review · Board Minutes · Improvement Plans

Review cadence: Annual

Section 6 · Required certification artifacts

Minimum submission package.

  • AI Register
  • Risk Classifications
  • Governance Charter
  • AI Policy
  • Use-Side Impact Assessments
  • Vendor Assessments
  • Disclosure Materials
  • Human Review Procedures
  • Appeal Procedures
  • Training Records
  • Monitoring Reports
  • Incident Logs
  • Management Review
  • Public Governance Statement

Section 7 · Performance metrics

Governance · Inventory Coverage %
Risk · Impact Assessment Coverage %
Transparency · Disclosure Compliance %
Human Oversight · Override Rate · Appeal Rate · Appeal Success Rate
Safety · Incident Rate · Critical Incident Rate
Workforce · Consultation Coverage % · Training Completion %
Vendor Assurance · Due Diligence Coverage %
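Added example, not Ethicality's tooling and not a register format EUMS prescribes: a Python check over an AI register that applies the Section 4 tiering (a declared tier may not understate what the system's attributes imply), the EU02, EU03, EU04 and EU06 requirements, the Section 8 severities, and derives the Section 7 coverage metrics and a Section 9 outcome. The field names, the severity attached to each gap, the use of a discovery list as the inventory-coverage denominator, and the sample entries are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class AISystem:
    # Hypothetical register fields; EUMS does not fix a schema.
    name: str
    deployed: bool
    owner: str | None = None                 # EU02: each system has an owner
    tier: int | None = None                  # EU02: declared risk tier
    vendor: str | None = None                # None = built in-house
    external_facing: bool = False            # Tier 2 signal (Section 4)
    affects_individuals: bool = False        # Tier 3 signal (Section 4)
    public_service_or_rights: bool = False   # Tier 4 signal (Section 4)
    usia_approved: bool = False              # EU04: USIA with executive sign-off
    vendor_reviewed: bool = False            # EU03: vendor review on file
    human_review: bool = False               # EU06: meaningful human review
    last_material_change: date | None = None
    last_review: date | None = None


def implied_tier(s: AISystem) -> int:
    """Lowest Section 4 tier consistent with what the system touches and decides."""
    if s.public_service_or_rights:
        return 4
    if s.affects_individuals:
        return 3
    if s.external_facing:
        return 2
    return 1


def effective_tier(s: AISystem) -> int:
    """A declared tier is never allowed to understate the implied one."""
    return max(s.tier or 1, implied_tier(s))


def findings(register: list[AISystem]) -> list[tuple[str, str, str]]:
    """(system, severity, message) triples. Severity per gap is this example's
    reading of the Section 8 examples, not a mapping EUMS itself publishes."""
    out = []
    for s in register:
        if s.owner is None:
            out.append((s.name, "Minor", "no system owner assigned (EU02)"))
        if s.tier is None:
            out.append((s.name, "Minor", "no risk tier assigned (EU02)"))
        elif s.tier < implied_tier(s):
            out.append((s.name, "Major",
                        f"declared Tier {s.tier} but attributes imply Tier {implied_tier(s)}"))
        if (s.last_material_change and s.last_review
                and s.last_review < s.last_material_change):
            out.append((s.name, "Minor", "not re-reviewed since material change (EU02)"))
        if not s.deployed:
            continue  # the remaining checks apply once a system is live
        tier = effective_tier(s)
        if tier >= 2 and not s.usia_approved:
            out.append((s.name, "Major", "deployed without approved USIA (EU04)"))
        if tier >= 3 and not s.human_review:
            out.append((s.name, "Critical",
                        "rights-affecting deployment without human oversight (EU06)"))
        if s.vendor and not s.vendor_reviewed:
            out.append((s.name, "Major", f"vendor {s.vendor} not reviewed (EU03)"))
    return out


def certification_outcome(fs: list[tuple[str, str, str]]) -> str:
    """Section 9 level implied by the worst open finding."""
    severities = {sev for _, sev, _ in fs}
    if "Critical" in severities:
        return "Suspended"
    if "Major" in severities:
        return "Certified with Conditions"
    return "Certified"


def pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 100.0


def metrics(register: list[AISystem], discovered: set[str]) -> dict[str, float]:
    """Section 7 coverage metrics. `discovered` is the set of AI tools actually
    seen in use (SSO logs, expense data, browser extensions); inventory coverage
    is the share of those that appear in the register, so shadow AI lowers it."""
    names = {s.name for s in register}
    in_scope = [s for s in register if s.deployed and effective_tier(s) >= 2]
    third_party = [s for s in register if s.vendor]
    return {
        "inventory_coverage_pct": pct(len(discovered & names), len(discovered)),
        "impact_assessment_coverage_pct": pct(sum(s.usia_approved for s in in_scope), len(in_scope)),
        "due_diligence_coverage_pct": pct(sum(s.vendor_reviewed for s in third_party), len(third_party)),
    }


# Constructed sample register: hypothetical systems and vendors.
SAMPLE_REGISTER = [
    AISystem("meeting-notes", deployed=True, owner="it-ops", tier=1,
             vendor="VendorA", vendor_reviewed=True),
    AISystem("support-chatbot", deployed=True, owner="cx", tier=2, vendor="VendorB",
             external_facing=True, usia_approved=True, vendor_reviewed=True),
    # Registered as a Tier 1 "internal tool", but it screens job applicants.
    AISystem("cv-screener", deployed=True, owner="hr", tier=1, vendor="VendorC",
             affects_individuals=True),
    AISystem("fraud-model", deployed=False),
]
DISCOVERED = {"meeting-notes", "support-chatbot", "cv-screener", "fraud-model", "shadow-copilot"}

if __name__ == "__main__":
    for name, sev, msg in findings(SAMPLE_REGISTER):
        print(f"{sev:8} {name}: {msg}")
    print(metrics(SAMPLE_REGISTER, DISCOVERED))
    print("Outcome:", certification_outcome(findings(SAMPLE_REGISTER)))
```

Run as a script it lists the gaps per system; the mis-tiered CV screener alone produces a Major for the understated tier, a Major for the missing USIA, a Major for the unreviewed vendor and a Critical for the absent human review, which is what pulls the outcome to Suspended. Using a discovery list rather than the register itself as the denominator is the design point: a register that only counts what it already knows will always report 100 % inventory coverage.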

Section 8 · Nonconformity framework

Minor

Administrative deficiencies — e.g. missing review record, outdated inventory entry.

Consequence · Correction within 90 days.

Major

Control failure — e.g. missing impact assessment, missing disclosure.

Consequence · Correction within 30 days.

Critical

Systemic failure — undisclosed consequential AI, rights-affecting deployment without oversight, concealed incident, retaliation against complainants.

Consequence · Immediate certification suspension.

Section 9 · Certification levels

Certified · No Major or Critical findings.
Certified with Conditions · Limited Major findings under remediation.
Suspended · Critical finding.
Withdrawn · Failure to remediate.

Section 11 · Regulatory alignment

EUMS maintains formal crosswalks to the following frameworks:

  • UNESCO Recommendation on the Ethics of AI
  • ISO/IEC 42001
  • EU AI Act
  • Colorado AI Act
  • California CPPA ADMT Rules
  • NYC Local Law 144
  • NIST AI RMF
  • OECD AI Principles


Section 12 · Maturity model

Level 1 · Foundational: basic controls established.

Level 2 · Managed: controls documented and measured.

Level 3 · Assured: controls independently validated.

Level 4 · Leading Practice: continuous monitoring and public accountability.
