ARAF for Enterprise Procurement

ARAF Standard

ARAF provides a structured governance signal for enterprise procurement teams evaluating vendors with autonomous decision systems.

When an enterprise deploys an autonomous system, it becomes accountable for the consequences of the decisions that system produces, regardless of whether the system was built in-house or procured from a vendor. Governance assessment addresses that accountability as part of vendor evaluation, not in response to an adverse outcome.

The procurement governance problem

Technical performance claims are insufficient. Procurement teams must evaluate whether the vendor can demonstrate how consequential decisions are produced, governed, and reconstructed from contemporaneous records.

01

The Deployment Accountability Problem

Enterprise organisations increasingly procure products and services that rely on autonomous systems participating in consequential decisions.

  • Fraud detection
  • Credit scoring
  • Compliance monitoring
  • Pricing optimisation
  • Automated customer support
  • Supply chain optimisation
  • HR screening
  • Contract review

In ARAF, the governance object is not only the autonomous system itself. It is the Decision Supply Chain through which consequential decisions are produced.

Accountability for the consequences of these decisions does not transfer to the vendor by virtue of procurement. The deploying enterprise remains the entity that boards, insurers, regulators, and courts will hold responsible when outcomes are challenged. What procurement can do is create contractual rights and governance visibility, but only if those rights were designed for autonomous decision infrastructure, not retrofitted from standard technology agreements.

Enterprise procurement teams historically drive rapid adoption of governance standards. SOC 2 spread through cloud software markets because enterprise buyers required it before vendors could access their procurement processes. ARAF is designed to perform the equivalent function for autonomous decision governance: a procurement prerequisite that translates vendor governance claims into a structured, independently verified signal.

02

What Governance Documentation Procurement Needs

Enterprise procurement processes require vendors to demonstrate several forms of governance assurance. Traditional assurance frameworks address infrastructure governance. Autonomous systems require a different layer: governance of the decision infrastructure through which consequential outcomes are produced.

Accountability architecture

Which organisational roles supervise the system, how governance decisions are documented, and who holds accountability at each link in the Decision Supply Chain. Addressed by ARAF Dimension 1 (Autonomy Gradient) and Dimension 4 (Liability Architecture).

Data governance

How the system uses, processes, and stores data, including training data provenance, jurisdictional obligations, and consent frameworks. Addressed by ARAF Dimension 2 (Data Sensitivity Exposure).

Decision traceability

Whether the vendor can reconstruct how a specific decision was produced, from data inputs through model inference to the final output, using contemporaneous governance records. Addressed by the ARAF Evidence Standard and the Decision Supply Chain framework.

Incident response capability

Whether the vendor can investigate and explain system behaviour when outcomes are challenged, with contemporaneous evidence rather than retrospective reconstruction. Addressed by ARAF Dimension 6 (Adaptive Stability) and the outcome evidence category.

03

The Governance Signal Procurement Receives

An ARAF assessment produces structured governance information that procurement teams can review during vendor evaluation: a structured signal rather than a narrative vendor disclosure.

  • Dimensional governance profile - governance posture across six dimensions, identifying where exposure exists in the vendor’s system architecture
  • Governance Benchmark Index (GBI) - composite governance score on a 1.0 to 5.0 scale; lower scores represent stronger governance posture
  • Multiplier analysis - structural governance risks where dimensional weaknesses compound
  • Evidence quality assessment - whether governance records are infrastructure-generated (Tier 1), contemporaneously documented (Tier 2), retrospectively reconstructed (Tier 3), or management representation (Tier 4)

    Tier 4: Management Representation. Formal written representation where no contemporaneous record exists. Not admissible for coherence assessment at any tier. Where management representation is the only available source for a control, the control must be assessed as not evidenced and the finding recorded accordingly. The presence of Tier 4 as the primary evidence source for any control is a significant coherence finding. Infrastructure-generated evidence reduces reliance on vendor representations and increases the reliability of governance assurance.

  • Certification tier - the vendor’s certification designation based on the GBI score (see below)

ARAF defines three certification tiers based on the GBI score.

ARAF Assessed

Independent evaluation completed. The system’s governance posture has been assessed and documented by an accredited assessor. No minimum GBI score required. Entry level: the minimum a procurement team should accept before engaging in governance representation discussions with the vendor.

ARAF Compliant - GBI ≤ 2.50

Minimum institutional governance threshold met. The governance posture supports standard insurance coverage terms and satisfies the governance threshold that enterprise procurement processes should treat as the baseline for vendor qualification.

ARAF Certified - GBI ≤ 1.75

Full agentic bankability conditions met. The governance posture supports classification, insurance, financing, and the highest level of institutional reliance. Appropriate for vendor systems operating at the highest autonomy levels or in the most consequential deployment contexts.

04

ARAF and Traditional Assurance Frameworks

ARAF complements existing enterprise assurance frameworks. It does not replace them.

| Framework | What it addresses | What it does not address |
|---|---|---|
| SOC 2 | Infrastructure security, availability, and confidentiality controls | Governance of autonomous decisions produced through that infrastructure |
| ISO 27001 | Information security management | Decision accountability architecture and evidence standards for autonomous systems |
| ISO 42001 | AI management system processes | Comparable institutional governance signal (e.g. GBI score) that allows governance posture to be priced, compared, and acted upon by institutional audiences without conducting the underlying assessment |
| ARAF | Governance of autonomous decision infrastructure: accountability architecture, evidence standards, liability allocation, and Decision Supply Chain governance | Infrastructure security, availability, and information security controls (addressed by complementary frameworks above) |

A vendor with SOC 2 certification has demonstrated infrastructure security governance. A vendor with ARAF certification has demonstrated autonomous decision governance. Both are relevant to enterprise procurement of autonomous systems; neither substitutes for the other.

05

Assessment Credibility

ARAF certifications are issued by independent, accredited assessors operating under a published methodology with defined qualification, independence, and accountability requirements. The methodology is open (licensed under CC BY 4.0), making the assessment process independently reviewable by any enterprise buyer that relies on the output.

Self-assessment does not satisfy the ARAF independence requirement. An organisation that produces its own ARAF assessment has produced a self-assessment, not a certification. Self-reported governance is evidence of intent. Independent assessment is evidence of fact.

The ARAF accreditation architecture was designed with specific reference to the failure mode documented in the FTC’s 2014 action against TRUSTe, where inadequate assessor oversight produced over 1,000 certifications that did not reflect actual practice. ARAF assessors are subject to accountability review, and accreditation is contingent on maintaining assessment quality.

06

Vendor Evaluation Triggers

Vendor selection

Comparing vendors offering autonomous systems capable of producing consequential decisions. Governance certification becomes a selection criterion alongside technical capability and commercial terms.

Risk and compliance review

Internal risk assessments or compliance reviews prior to deployment. Legal and compliance teams should review Decision Supply Chain governance, not only the system’s direct outputs.

Downstream governance requirements

When the organisation itself must demonstrate governance posture to its own regulators, insurers, or enterprise customers, the vendor’s governance architecture becomes part of that demonstration.

Contract renewal and incident review

At renewal, governance posture should be reassessed. Following adverse outcomes, the vendor’s assessment record provides the evidence base for investigation and remediation.

07

Decision Supply Chain Transparency

Many vendor systems operate through distributed decision infrastructure involving multiple organisations: foundation model providers, data providers, fine-tuning organisations, outsourced review teams, and infrastructure providers. The vendor’s product is the visible component. The chain through which decisions are produced is the governance object.

ARAF assessments require vendors to map their Decision Supply Chain and identify governance responsibilities across participating entities. This mapping provides procurement teams with visibility into how the vendor’s decision infrastructure operates and where contractual and governance gaps exist within it.

From the deploying enterprise’s perspective: if the vendor’s Decision Supply Chain contains unallocated accountability, that exposure does not stay with the vendor. It flows to the organisation that deployed the system. Jurisdictional complexity does not distribute accountability; it multiplies governance risk if the contractual and governance architecture has not addressed it.

08

Incorporating ARAF into Procurement

Procurement teams can incorporate ARAF governance requirements at three points in the vendor evaluation process.

Vendor qualification

Require vendors to disclose their ARAF certification status (tier, assessment date, assessor identity) as part of the initial qualification questionnaire. Where the vendor does not hold ARAF certification, require disclosure of what governance documentation the vendor can provide across the four evidence categories (design, deployment, operational, outcome). Treat ARAF Compliant (GBI ≤ 2.50) as the baseline qualification threshold for vendor systems that make or participate in consequential decisions.

Due diligence

Request the vendor’s dimensional governance profile and GBI score. Review the dimensional profile for concentrated weaknesses, particularly in Dimension 3 (Contract Infrastructure) and Dimension 4 (Liability Architecture), which directly affect the contractual relationship between the enterprise and the vendor. Where multiplier conditions are present, require the vendor to provide the remediation roadmap.

Contract terms

Include provisions requiring the vendor to: maintain current ARAF certification (at a specified minimum tier) for the duration of the agreement; notify the enterprise of material changes that trigger reassessment under the ARAF Certification Lifecycle; provide access to the assessment report (dimensional profile, GBI score, multiplier analysis, evidence quality assessment) upon request; and undergo reassessment at least every 12 months. Specific contractual mechanisms include audit rights over governance documentation, notification obligations for material model changes, certification maintenance obligations, and Decision Supply Chain disclosure requirements.

Vendor remediation pathway

Where a preferred vendor does not hold ARAF certification, procurement teams can require the vendor to undergo assessment within a defined period. The vendor receives a dimensional profile and remediation roadmap. The enterprise can set governance milestones as conditions of contract execution or renewal, allowing the vendor to achieve certification over a defined timeline while procurement proceeds on conditional terms.

09

Governance Assurance for Vendor Evaluation

Vendor Autonomous System
→ Independent ARAF Assessment (Accredited Assessor)
→ Dimensional Governance Profile + Evidence Quality Tier
→ GBI Score + Multiplier Analysis
→ Certification Tier (Assessed / Compliant / Certified)
→ Enterprise Procurement Decision

Certification does not guarantee system performance or eliminate procurement diligence. It provides structured, independently verified governance documentation that procurement teams can evaluate as evidence of vendor governance posture, rather than requiring each enterprise buyer to conduct the underlying governance assessment independently. The assessment methodology is open (CC BY 4.0) and the assessment is conducted by an accredited assessor operating under published independence requirements.

© 2026 Institute for Autonomous Governance Pty Ltd · ARAF for Enterprise Procurement · CC BY 4.0