Governance of the ARAF Standard

Standard Governance

The ARAF standard is maintained by Institute for Autonomous Governance Pty Ltd as a public standard licensed under Creative Commons Attribution 4.0 (CC BY 4.0).

Last updated: March 2026

This page sets out the governance model, governance principles, scope boundaries, and structural relationships that govern maintenance of the ARAF standard.

Governance Model

The standard operates under a Founding Stewardship governance model. Governance authority is held by Institute for Autonomous Governance Pty Ltd. Framework stewardship, methodological authorship, and publication discipline are managed by the originating standards body through Institute for Autonomous Governance Pty Ltd. This structure ensures methodological coherence during the period in which the standard is establishing its institutional foundation: the first assessments, the first accredited assessors, and the first institutional adoptions.

This model is referred to as the Founding Stewardship governance model.

Founding Stewardship governance model: A governance structure in which the originating standards body maintains stewardship, version control, and methodological integrity during early-stage adoption, prior to expansion into multi-stakeholder institutional governance.

The open licence (CC BY 4.0) ensures that the methodology is publicly available and independently reviewable regardless of governance structure. Regulatory bodies, assessors, and institutional users can reference and build upon the standard without proprietary barriers.

Comparable institutional standards (including ISO, PCI DSS, and Basel) follow a similar trajectory: concentrated expertise during formation, with governance expected to broaden to institutional representation as the ecosystem of users, assessors, and adopters matures. Governance transition is triggered by observable ecosystem conditions, not calendar time.

Governance Stages

Founding Stewardship (current)

Governance authority held by the Institute. Methodological integrity maintained by the originating standards body. Structural separation between standard governance and assessment operations operative from first publication. Public versioning and version history maintained. Open licence preserves independent reviewability. All five governance principles apply at every governance stage.

Ecosystem Development

Triggered by defined ecosystem conditions. Technical contributors and certification partners contribute methodology feedback. An institutional advisory group provides input on major revisions. Formal amendment and consultation processes established for material methodology changes. Governance authority remains with the Institute.

Institutional-Scale

Triggered by defined ecosystem maturity criteria. Multi-stakeholder governance body with defined composition, meeting cadence, and public reporting. Amendment processes governed by consultation requirements and institutional input. The originating author retains a defined role. Governance operates by constitution and board resolution.

Transition criteria between stages are specified in the Institute’s governing documents. The objective at each stage is transparency of stewardship, not governance complexity. Each transition is documented and published.

Five Governance Principles

Version discipline. Each public version of the standard is clearly identified, dated, and distinguishable from prior and future versions. Institutional audiences citing the standard in procurement requirements, regulatory guidance, or insurance underwriting guidelines must be able to reference a specific version with confidence that its content is stable.
Public transparency. The current version, governance status, amendment history, and citation format are visible to all users of the framework. The standard is not maintained behind access restrictions.
Methodological consistency. Changes to the framework preserve the internal coherence of the methodology. Dimensional definitions, scoring logic, multiplier thresholds, and certification tier boundaries are not altered informally or ambiguously. Material changes follow the amendment process defined in ARAF Standard v3.0, Clause 12.4 and are documented in the version history.
Institutional usability. The standard remains usable by the institutional audiences for whom it is designed: boards, regulators, insurers, investors, enterprise procurement teams, and accredited assessors. Changes that would impair comparability across assessment periods or break backward compatibility with prior certification decisions require explicit justification and transition guidance.
Independence of assessment from standard maintenance. The Institute does not hold a privileged position in the assessment or certification ecosystem. Assessor accreditation, certification issuance, and quality assurance operate under defined independence requirements that apply equally to all participants, including the standard maintainer.

Scope of Governance

Standard governance covers:

ARAF assessments are scoped to a defined decision system: the integrated technical and organisational architecture through which a consequential organisational decision is produced. The governance architecture assessed, and the GBI score produced, applies to that decision system as declared at assessment intake. Institutional reliance on an ARAF assessment must be read against the declared scope. Extension of reliance beyond the assessed decision system requires a separate assessment.

Standard governance does not constitute:

Assessor accreditation (governed by the Assessor Accreditation Standard)
Certification issuance (conducted by accredited assessors, not the standard maintainer)
Evidence infrastructure requirements (governed by EIS-01 v3.0)
Any statutory or regulatory authority

Relationship to Certification

The governance of the standard and the operation of certification functions are related but distinct.

The standard defines the methodology: six dimensions, multiplier logic, GBI scoring, GCI methodology, evidence requirements, and certification tier thresholds. Certification tiers require both a GBI score (design adequacy) and, for Compliant and Certified, a Governance Coherence Index score (operational effectiveness). The GBI evaluates whether governance architecture is correctly structured. The GCI evaluates whether that architecture was exercised in practice over a minimum 180-day evidence window.

Certification depends on assessment practice, accreditation discipline, and independence requirements that operate on top of the published standard.

This separation follows established governance precedent. ISO maintains standards; accredited certification bodies conduct assessments. PCI Security Standards Council maintains PCI DSS; Qualified Security Assessors conduct compliance assessments. ARAF follows the same structural separation.

The standard maintainer, Institute for Autonomous Governance Pty Ltd (ACN 696 112 277), does not hold a privileged position in the assessment or certification ecosystem and is subject to the same independence requirements as any other participant. Advisory and assessment functions are structurally separated: separate personnel, separate engagement terms, and documented independence protocols. No assessment conducted by any accredited assessor carries greater or lesser authority than an assessment conducted by any other accredited assessor.

Relationship to the Assessor Ecosystem

The ARAF certification ecosystem depends on independent assessors with demonstrated competence in governance assessment, autonomous systems governance, ARAF methodology proficiency, and structural independence from the organisations they assess.

Assessor accreditation requires:

Governance assessment competence: demonstrated understanding of corporate governance, risk management, legal accountability frameworks, and institutional governance standards
Autonomous systems governance literacy: demonstrated familiarity with autonomous system deployment models, AI governance principles and regulatory frameworks, model lifecycle management, and the distinction between engineering telemetry and governance telemetry
ARAF methodology proficiency: demonstrated ability to apply the six-dimension framework, interpret dimensional evidence, apply multiplier logic, calculate GBI and GCI scores, and produce assessment reports meeting the standard
Independence: no material financial or organisational relationship with assessed organisations that would compromise assessment objectivity
Professional accountability: submission to quality assurance review and agreement to accreditation withdrawal for sustained quality failure

Advisory organisations may hold assessor accreditation provided that advisory and assessment functions are structurally separated: different personnel, separate engagement terms, and documented independence protocols.

The assessor accreditation architecture is governed by three documents: the Assessor Accreditation Standard (public, normative requirements), the Assessor Qualification Framework (detailed competency and examination requirements, published following the pilot assessment programme), and the Assessor Operations Guide (restricted, for accredited assessors only).

Relationship to Evidence Infrastructure

The ARAF Evidence Infrastructure Standard (EIS-01 v3.0) defines the minimum structure of a compliant governance decision record. Each consequential decision must be reconstructable from contemporaneous records containing four required evidence components: Execution Event, Contextual State, Authority and Attribution, and Integrity Anchor. Together these components produce reconstructability: the institutional property that allows governance to be demonstrated rather than asserted.

EIS-01 also defines the admissibility conditions for governance agent outputs: records produced by automated systems whose function is assessing, monitoring, or reporting on governance controls. Admissibility requires independent validation of the governance agent and four-component completeness. Unvalidated governance agent outputs are excluded from the evidence base.

Governance infrastructure platforms (data governance platforms, AI gateways, action admission systems) may seek evidence infrastructure certification, demonstrating that their audit outputs satisfy the ARAF evidentiary standard. This is a product-level designation, not an organisational assessment. It certifies that the platform’s governance telemetry meets the authenticity, integrity, traceability, and chain of custody requirements of the ARAF evidence standard. Organisations deploying certified infrastructure inherit an evidentiary advantage in their own ARAF assessments: the evidence their infrastructure produces has already been verified against the standard, qualifying as Tier 1 (infrastructure-generated) evidence.