The ARA Standard
Autonomous Reliability Assurance Standard v1.1 — Ratified
Scope#
The Autonomous Reliability Assurance (ARA) Standard establishes a structured framework for evaluating and certifying the operational reliability of autonomous systems. It applies to any software-driven system that takes actions, makes decisions, or controls resources with limited or no real-time human oversight.
The standard is domain-agnostic. It addresses the reliability characteristics common to all autonomous systems regardless of the industry in which they operate, the modality of their inputs, or the nature of their outputs. Industry-specific regulatory requirements remain the responsibility of the deploying organization; ARA certification complements but does not replace sector-level compliance obligations.
The standard is maintained by the Autonomous Reliability Assurance Foundation (ARAF), an independent standards body. All normative requirements, evaluation methodologies, and certification criteria are developed through an open governance process with public comment periods preceding each ratified revision.
What ARA Certifies#
ARA certification attests that an autonomous system has been evaluated against a comprehensive set of reliability controls and has demonstrated compliance at a specified certification level. Specifically, ARA certifies:
- Operational boundary enforcement — the system operates within explicitly declared limits and cannot exceed its authorized scope of action.
- Decision integrity — decisions are traceable to their source inputs, free from fabrication, and consistent under repeated evaluation.
- Tool and API governance — all external integrations are authorized, validated, and constrained by a least-privilege access model.
- Identity and permission containment — agent identities are isolated, permissions follow least-privilege principles, and privilege escalation is technically prevented.
- Data privacy and consent management — the system enforces data minimization, purpose limitation, and explicit consent protocols for all personal and sensitive data processing.
- Failure mode containment — the system degrades gracefully, contains failure blast radius, and recovers to verified safe states.
- Behavioral reliability under stress — the system maintains consistent behavior under sustained load, adversarial inputs, temporal pressure, and concurrent fault conditions.
- Adversarial robustness — the system resists prompt injection, data poisoning, model extraction, and supply chain attacks.
- Drift detection and stability — behavioral drift from the certified baseline is detected and addressed through continuous monitoring.
- Monitoring and telemetry — comprehensive observability infrastructure supports operational oversight and post-incident analysis.
- Escalation and human override — reliable mechanisms for human intervention are available at all times during autonomous operation.
- Auditability and transparency — complete audit trails and decision explainability interfaces support independent review.
- Societal impact assessment — the system is evaluated for downstream societal effects including equity, accessibility, environmental impact, and community-level consequences.
- Operational governance controls — organizational processes for change management, incident response, and risk management are documented and tested.
- Physical actuation integrity — for systems with physical actuators, sensor-actuator feedback loops, command validation, and emergency stop mechanisms are independently verified.
What ARA Does Not Certify#
ARA certification is not a general quality assurance endorsement. The following are explicitly outside the scope of ARA certification:
- Model accuracy or task performance — ARA does not evaluate whether a system produces correct answers, optimal outputs, or commercially valuable results. It evaluates whether the system operates reliably within its declared boundaries.
- Ethical alignment or bias mitigation — ARA does not assess the ethical implications of a system's decisions or its performance across demographic groups. These assessments require domain-specific frameworks that are outside the scope of operational reliability certification.
- Regulatory compliance — ARA certification does not satisfy the requirements of any specific regulatory framework (e.g., EU AI Act, FDA software validation, SEC algorithmic trading rules). Organizations must independently verify regulatory compliance in their operating jurisdictions.
- Business suitability — ARA does not evaluate whether a system is appropriate for a particular business use case, whether its cost-benefit profile is favorable, or whether it meets contractual service-level agreements.
Definitions#
The following terms are used throughout the ARA Standard with specific technical meanings:
| Term | Definition |
|---|---|
| Autonomous System | A software-driven system that takes actions, makes decisions, or controls resources with limited or no real-time human oversight during normal operation. |
| Agent | A software component that perceives its environment, reasons about its observations, and takes actions to achieve specified objectives. |
| ACR | Autonomous Compliance Requirement. A discrete, testable control defined in the ARA Standard that addresses a specific aspect of operational reliability. |
| Domain | A thematic grouping of related ACRs that collectively address a major reliability concern area such as decision integrity or adversarial robustness. |
| Certification Level | One of three tiers (L1, L2, L3) that define the rigor, scope, and monitoring requirements for ARA certification based on the system's autonomy model and operational risk profile. |
| Assurance Class | One of three classes (A, B, C) determining the intensity of ongoing monitoring and reassessment requirements following initial certification. |
| System Profile | One of four profiles (Foundational, Standard, Advanced, Comprehensive) that determine which ACRs apply to a given system based on its capabilities and deployment context. |
| Risk Classification | A mandatory 7-factor assessment that evaluates a system's operational risk to determine the appropriate Assurance Class for certification. |
| Evaluation Method | The prescribed technique for assessing compliance with an ACR: Automated Testing (AT), Human Simulation (HS), Evidence Inspection (EI), or Continuous Monitoring (CM). |
| AVB | Authorized Verification Body. An organization accredited by ARAF to conduct ARA certification evaluations and issue certification decisions. |
| CAPO | Certified Assurance Platform Operator. An organization certified by ARAF to provide continuous monitoring infrastructure and ongoing assurance services for certified systems. |
| Platform Certification | Certification of a reusable platform or infrastructure layer, enabling downstream deployments to inherit certified controls rather than re-evaluating them independently. |
| Deployment Certification | Certification of a specific system deployment, evaluating the complete stack including any inherited platform controls and deployment-specific configurations. |
| Blocking | An ACR classification indicating that non-compliance with this control results in automatic certification denial regardless of performance on other controls. |
| Conditional | An ACR classification indicating that non-compliance with this control can result in conditional certification with mandated remediation within a specified timeframe. |
Current Version#
The current version of the ARA Standard is v1.1, ratified following the public review period for v1.0. This version establishes the full normative baseline for ARA certification with expanded domain coverage and a structured certification architecture.
Version 1.1 includes:
- 15 reliability domains covering the full operational lifecycle
- 410 Autonomous Compliance Requirements (ACRs) across all domains
- 3 certification levels (L1, L2, L3) × 3 assurance classes (A, B, C) defining rigor, scope, and monitoring intensity
- 4 system profiles (Foundational, Standard, Advanced, Comprehensive) determining applicable ACRs
- 4 evaluation methods for assessing ACR compliance
- A 10-phase certification lifecycle from intake through ongoing monitoring
The full contents of each version, including all domains, ACRs, and supporting materials, are available at the version reference pages.
Normative References#
The ARA Standard draws on established principles from the following reference frameworks. These references are informative; ARA defines its own normative requirements independently.
- ISO/IEC 42001:2023 — Artificial Intelligence Management System. Provides context for organizational governance of AI systems.
- NIST AI RMF 1.0 — AI Risk Management Framework. Informs the risk-based approach to reliability domain structuring.
- ISO 22989:2022 — Artificial Intelligence Concepts and Terminology. Referenced for baseline terminology alignment.
- IEC 61508 — Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems. Referenced for Domain 15 physical actuation integrity requirements.
- OWASP LLM Top 10 — Informs the adversarial robustness domain, particularly prompt injection and data poisoning controls.
Version History#
The following table lists all published versions of the ARA Standard.
| Version | Status | Date | Link |
|---|---|---|---|
| v1.1 | Ratified | March 2026 | View v1.1 |
| v1.0 | Public Review Draft | January 2026 | View v1.0 |