Architecture Specification
Agentic Risk Architecture Framework (ARAF)
Section titled “Agentic Risk Architecture Framework (ARAF)”Version 3.0
Published 2026
Introduction
Section titled “Introduction”The Agentic Risk Architecture Framework (ARAF) is an open governance standard defining the classification, evidence, and certification infrastructure required for autonomous system governance. It provides the structural layer that connects AI system architecture to institutional oversight obligations.
ARAF is designed to answer a governance problem that existing policy frameworks, ethics principles, and controls libraries do not fully resolve: how autonomous systems become governable by the institutions that must assume responsibility for their behaviour.
Governance Problem
Section titled “Governance Problem”Autonomous systems create a structural break in institutional accountability. Traditional governance models assume that consequential decisions are made by identifiable humans acting within defined authority structures. Autonomous systems weaken that assumption by introducing decision processes that operate at machine scale, through probabilistic logic, and across distributed technical and organisational environments.
The resulting problem is not merely model risk, data risk, or operational risk. It is a governance architecture problem. Institutions need a way to classify governance exposure, assign accountability, generate evidence, and communicate governance posture in a form that boards, regulators, insurers, and investors can use.
Trust Architecture
Section titled “Trust Architecture”ARAF defines trust architecture as the governance infrastructure that converts autonomous systems from opaque operational risk into institutional-grade assets that can be classified, governed, insured, financed, and relied upon.
Trust architecture consists of:
- classification
- accountability architecture
- evidence standards
- certification
Each layer performs a distinct governance function. Together they create the conditions under which autonomous systems become institutionally legible.
→ See Trust Architecture
Decision Supply Chain
Section titled “Decision Supply Chain”ARAF treats autonomous decisions as products of a broader decision environment rather than of a single model alone. Consequential decisions are increasingly produced through a distributed chain of systems, data sources, human reviewers, providers, and execution infrastructure.
This chain must itself be governed. A system-level assessment without chain-level accountability and evidence continuity governs only part of the exposure.
→ See Decision Supply Chain
Six ARAF Dimensions
Section titled “Six ARAF Dimensions”The framework assesses governance posture across six dimensions:
- Autonomy Gradient
- Data Sensitivity Exposure
- Contract Infrastructure
- Liability Architecture
- Commercial Leverage
- Adaptive Stability
Together these dimensions produce a governance profile rather than a single abstract score.
→ See Six ARAF Dimensions
Governance Benchmark Index (GBI)
Section titled “Governance Benchmark Index (GBI)”The Governance Benchmark Index (GBI) is the composite scoring model used within ARAF. It converts the six-dimensional assessment into a comparable governance signal while preserving dimensional visibility and multiplier structure.
Higher GBI numbers represent greater governance risk, not stronger performance.
→ See Governance Benchmark Index (GBI)
Certification
Section titled “Certification”Certification is the mechanism that allows governance posture to travel through markets. It converts assessment output into a compressed, independently verified signal that institutional audiences can use without conducting the full assessment themselves.
ARAF defines three certification tiers:
- ARAF Assessed
- ARAF Compliant
- ARAF Certified
→ See Certification
Institutional Translation
Section titled “Institutional Translation”ARAF is designed to function across multiple institutional audiences. The same governance architecture produces different decision-useful outputs for each:
- Boards require oversight-grade accountability and reporting
- Regulators require demonstrable governance evidence
- Insurers require risk classification and underwriting visibility
- Investors require diligence-grade governance comparability
The framework is therefore not only technical or legal. It is translation infrastructure between autonomous system architecture and institutional decision-making.
Citation
Section titled “Citation”Martin, Carly. Agentic Risk Architecture Framework (ARAF), Version 3.0. Institute for Autonomous Governance Pty Ltd, 2026.