Certification Framework
INSTITUTE FOR AUTONOMOUS GOVERNANCE PTY LTD
Section titled “INSTITUTE FOR AUTONOMOUS GOVERNANCE PTY LTD”ACN 696 112 277
ARAF STANDARD — FRAMEWORK DOCUMENT
Section titled “ARAF STANDARD — FRAMEWORK DOCUMENT”Certification
Section titled “Certification”Trust requires a signal.
Boards cannot oversee what they cannot compare. Insurers cannot price what they cannot classify. Investors cannot diligence what they cannot measure. Governance that has been built, documented, and independently assessed still cannot function as market infrastructure unless it can be communicated in a form that institutional audiences can use without conducting the full assessment themselves.
Certification is the mechanism that produces that communication: the compressed, independently verified signal that allows governance quality to travel through markets.
The market is not waiting for perfect governance. It is waiting for measurable governance.
§ 01 What Certification Does
Section titled “§ 01 What Certification Does”ARAF certification performs three functions that parallel the role credit ratings perform for credit risk.
| FUNCTION | DESCRIPTION |
|---|---|
| Information Compression | A credit rating compresses the complex analysis of a borrower’s creditworthiness into a single comparable symbol. An ARAF certification compresses the complex assessment of an autonomous system’s governance posture into a GBI score and certification tier that communicates governance quality without requiring the recipient to conduct the full assessment. The assessment evaluates governance posture across six dimensions: autonomy level, data sensitivity exposure, contract infrastructure, liability architecture, commercial leverage, and adaptive stability. |
| Accountability Transfer | When an accredited ARAF assessor issues a certification, it accepts professional responsibility for the quality of the assessment that produced it. That accountability transfer is what gives the signal credibility: it is not a claim by the organisation about itself, but a representation by an independent assessor operating under a defined methodology. |
| Market Creation | Certification makes governance posture comparable across autonomous system deployments. Without comparability, governance quality cannot be priced. Without pricing, governance investment cannot produce a return. This pattern is consistent across adjacent infrastructure markets: SOC 2 certification became a commercial prerequisite for enterprise software procurement. PCI DSS became a condition of payment network participation. ISO 27001 became a procurement requirement for government-facing technology vendors. ARAF certification applies the same market-forming mechanism to autonomous system governance. |
§ 02 Certification Tiers
Section titled “§ 02 Certification Tiers”ARAF defines three certification tiers based on the Governance Benchmark Index (GBI). Lower GBI scores indicate stronger governance posture.
| TIER | GBI THRESHOLD | DESCRIPTION |
|---|---|---|
| ARAF Assessed | — | Independent evaluation completed. The system’s governance posture has been assessed and documented by an accredited assessor. The system may require remediation before reaching institutional thresholds. |
| ARAF Compliant | ≤ 2.50 | Minimum institutional threshold met. The governance posture supports standard insurance coverage terms and satisfies the governance threshold that enterprise procurement and regulatory engagement require. |
| ARAF Certified | ≤ 1.75 | Full agentic bankability supported. The governance posture supports the full conditions of institutional reliance: the system can be classified, governed, insured, financed, and relied upon by the institutional audiences that must assume responsibility for its behaviour. Certification at this tier supports the most favourable coverage terms, the strongest investor governance signal, and the fullest board assurance. |
The tiers create a governance progression that institutions can track over time. An insurer can price conditional coverage during the remediation period and transition to standard terms upon Compliant certification. An investor can model the governance discount at one tier and the valuation benefit on reaching the next.
§ 03 The Assessor Accreditation Standard
Section titled “§ 03 The Assessor Accreditation Standard”Certification is only as credible as the assessors who produce it. The ARAF assessor accreditation standard establishes four requirements:
01 Demonstrated qualification. Assessors must demonstrate competence in governance assessment methodology, including the six ARAF dimensions, the multiplier logic, and the evidentiary standard that governance records must satisfy.
02 Documented methodology adherence. Assessors must conduct assessments according to the published ARAF methodology. The methodology is open (licensed under CC BY 4.0), making the assessment process independently reviewable by any institutional audience that relies on the output.
03 Independence. Assessors must be independent of the organisation being assessed. No assessor may certify an organisation with which it has a commercial relationship that could compromise assessment objectivity.
04 Accountability. Assessors are accountable for the quality of the assessments they produce. The accreditation standard includes a review mechanism that can result in accreditation withdrawal where assessors fail to meet the standard.
The accreditation architecture was designed with specific reference to the failure mode documented in the FTC’s 2014 action against TRUSTe, where TRUSTe failed to conduct annual recertifications for companies holding privacy seals in over 1,000 instances, meaning companies continued displaying certification seals without the promised annual verification of their practices. The ARAF standard addresses this failure directly: ARAF Certified status carries a 24-month validity with mandatory 12-month interim surveillance, and ARAF Compliant status carries a 12-month validity. Certification that is not reassessed expires. Assessors are additionally subject to accountability review, and accreditation is contingent on maintaining assessment quality.
Self-Certification
Self-certification does not satisfy the ARAF independence requirement. An organisation that produces its own ARAF assessment has produced a self-assessment, not a certification.
Self-reported governance is evidence of intent. Independent assessment is evidence of fact.
§ 04 The Certification Lifecycle
Section titled “§ 04 The Certification Lifecycle”Autonomous systems change faster than most governed assets. Models are retrained. Deployment contexts expand. Data sources evolve. A certification that was accurate at issuance may not describe the system operating six months later. The ARAF certification lifecycle is designed to address this, following the structural model that aviation applies to airworthiness: initial certification, event-triggered reassessment, and scheduled maintenance.
Stage 01 — Initial Assessment
Section titled “Stage 01 — Initial Assessment”The initial ARAF assessment evaluates governance posture across all six dimensions and produces:
Stage 02 — Scheduled Reassessment
Section titled “Stage 02 — Scheduled Reassessment”The maximum interval between formal reassessments is tier-specific: Reassessment confirms that governance posture has been maintained, or identifies where it has changed and what remediation is required.
Stage 03 — Event-Triggered Reassessment
Section titled “Stage 03 — Event-Triggered Reassessment”Material changes trigger reassessment regardless of the ordinary reassessment cycle, including:
Certification Withdrawal
Section titled “Certification Withdrawal”Certification may be withdrawn where:
§ 05 Certification and the Foreseeability Standard
Section titled “§ 05 Certification and the Foreseeability Standard”An organisation that has obtained ARAF Certified or ARAF Compliant status from an accredited assessor holds contemporaneous, independently produced evidence that its governance architecture was assessed against a defined standard and found adequate at the time of assessment.
That evidence does not constitute a statutory safe harbour. But it is precisely the kind of contemporaneous evidence that courts assessing the standard of care, insurers evaluating coverage, and regulators conducting supervisory review will find relevant to whether reasonable precautions were taken.
§ 06 The Assessment
Section titled “§ 06 The Assessment”An ARAF assessment is a governance decision. Organisations preparing for assessment should:
- Conduct a preliminary self-review against the six ARAF dimensions to identify the dimensional profile and likely remediation areas
- Prepare governance documentation across the four evidence categories (design, deployment, operational, and outcome evidence)
- Engage an accredited ARAF assessor
- Complete the structured assessment process (typically conducted over a period of weeks, scaled to system complexity)
- Review the GBI score, dimensional profile, and remediation roadmap
- Address remediation items before seeking higher certification where necessary
Martin, Carly. Agentic Risk Architecture Framework (ARAF), Version 3.0. Institute for Autonomous Governance Pty Ltd, 2026.
© 2026 Institute for Autonomous Governance Pty Ltd
Institutional Reliance
Section titled “Institutional Reliance”ARAF certification is designed to support institutional reliance.
Certification provides:
- independently produced governance signal
- structured classification
- comparable assessment output
Institutions do not rely on governance claims. They rely on governance signals.