How AI Clear scores companies: the methodology explained

Every AI Clear score is built from the same foundation: publicly available evidence, a published rubric, and a structured five-pillar framework. This post explains how the system works, what each pillar measures, and how scores translate to letter grades. *(Updated for Rubric v2.0, May 2026.)*

The five pillars

Every company is evaluated across five equally weighted pillars, each scored on a 0-100 scale and averaged equally (20% each) into the overall AI Clear Score:

P1. AI Disclosure and Inventory Does the company tell the public when and how it uses AI? We look for a dedicated AI page, in-product AI labeling, named third-party AI providers, terms-of-service AI coverage, supply chain mapping, and — for developers of covered ADMT — published technical documentation for downstream deployers and a material-update notification process. (12 criteria.)

P2. Data and Model Governance How transparent is the company about data flowing through AI systems? This covers AI-specific privacy policy language, data processing agreement AI coverage, sub-processor disclosure, training data opt-out, model provenance, model cards, data quality assessment, and the consumer right to correct factually inaccurate personal data used in ADMT decisions (per SB 26-189 §6-1-1705). (11 criteria.)

P3. Risk Management and Human Oversight What does the company publicly commit to in operational terms? We evaluate the published risk management framework, NIST AI RMF or ISO/IEC 42001 alignment, AI-specific incident response, human oversight procedures, audit cadence, responsible-AI policy, performance monitoring, and — for covered ADMT — meaningful human review with documented reviewer authority and three-year record retention. (12 criteria.)

P4. Automated Decision Transparency How transparent and contestable are AI-driven decisions about individuals? Criteria include the consequential decision inventory, decision logic explanations, the SB 26-189 pre-decision point-of-interaction notice, the 30-day post-adverse outcome plain-language disclosure, appeal and human-review mechanisms, profiling disclosure, opt-out rights, and accessibility of all consumer-facing notices for people with disabilities and limited English proficiency. (12 criteria.)

P5. AI Security and Assurance What externally verifiable proof exists that AI systems are protected? This pillar checks for SOC 2 / ISO/IEC 27001 / ISO/IEC 42001 certifications, vulnerability disclosure programs, bug bounties that explicitly cover AI attack surfaces, penetration testing cadence, model and training-data protections, adversarial robustness practices aligned to NIST AI 600-1 and NIST SP 800-218A, AI supply chain security, and AI incident history disclosure. (10 criteria.)

How scoring works

Each criterion is scored at one of three evidence thresholds: No Evidence (0), Partial Evidence (50% of allocated points), or Full Evidence (100% of allocated points). No intermediate scores. Every score requires a verifying URL as evidence. If a member of the public cannot find it, the company does not get the points.

The 57 criteria sum to 500 raw points (100 per pillar). The pillar sub-scores are averaged with equal weighting into the overall AI Clear Score on a 0-100 scale.

The grade scale

Only companies with A or B grades are eligible for AI Clear certification.

What makes this different

Three things set the AI Clear methodology apart:

1. External verification only. We never use self-reported data for the public score. Everything is based on what anyone can find publicly.
2. Published rubric. The full methodology is public. Companies and researchers can replicate any score.
3. One rubric for all. The same framework applies whether you are a healthtech startup or a Fortune 500 beauty brand.

The full methodology, including every criterion and verification method, is available at aiclear.org/methodology.