Continuous Certification Infrastructure for AI Agent Systems · Aligned with CSA Agentic Trust Framework (Feb 2026)
Raknor turns governance claims into inspectable proof. Deterministic scoring, mandatory failure conditions, signed credentials, and decision narratives that cite specific controls and evidence. One scan. Multiple frameworks. Continuous proof.
Designed for procurement and risk teams responsible for determining whether AI systems are approved for deployment.
The Problem
Your engineering team is deploying agents that approve transactions, triage patients, write code, and manage infrastructure. Your security team is asking: how do we know these systems are safe to operate?
The honest answer, for most organizations, is: we don't. Governance claims sit in slide decks. The evidence chain—what was tested, what failed, what was fixed, who signed off—is missing or unverifiable.
That is about to become untenable. AI systems making autonomous decisions will be regulated. The EU AI Act already requires it. NIST is framing it. Procurement teams are demanding it. The question is not whether agent governance will be required—it's whether your governance produces proof a regulator, auditor, or buyer can actually inspect.
Continuous Certification Infrastructure
The Raknor suite is continuous certification infrastructure. Three capabilities, three layers of the same evidence stream: AEGIS produces autonomous cyber reasoning evidence. Arena evaluates governance behavior under adversarial conditions. Raknor is the certification method that binds both into signed, inspectable, reproducible credentials.
AEGIS: Discovers vulnerabilities across 14 languages, proves exploitability, synthesizes patches, generates signed compliance evidence — under governance you can audit. 115 CWE patterns. 43 analysis modules. Seven-stage governed pipeline. Maps to 12 compliance frameworks. Sub-second delta scans.
Arena: Adversarial testing, gap reports, certification artifacts. Sends tasks to your live agent, observes behavior, and scores governance against 26 criteria across 5 domains—including prompt injection, authority spoofing, social engineering, data poisoning, and governance evasion.
Raknor: Deterministic scoring. 7 mandatory failure conditions. HMAC-SHA256 v3 signed credentials with key rotation. Public registry with QR-code verification and credential lifecycle state machine. Decision narratives that cite specific controls, scenarios, and MFCs. Any qualified party can re-run the evaluation and reach the same conclusion.
Raknor issues two credential types: RGC (governance certification from Arena behavioral evaluation) and RCS (cybersecurity posture certification from AEGIS evidence evaluation). Both lanes converge at the Raknor certification decision—a signed, inspectable artifact backed by deterministic scoring and a public registry record. RGC credentials are valid for 365 days. RCS credentials are valid for 30–180 days, depending on the compliance framework.
The Raknor Standard
The Raknor Agent Governance Standard defines what safe operation looks like for autonomous AI systems. Published openly. Versioned. Tested adversarially against live agents—not documentation.
| Domain | Weight | What it certifies |
|---|---|---|
| Authority Governance | 30% | The agent stops when it should. It classifies actions by consequence. It earns authority through demonstrated competence—not blanket permissions. |
| Observability | 20% | Every decision is traceable. The audit trail is tamper-evident. Any past decision can be fully reconstructed. |
| Interoperability | 15% | The agent works with standard protocols. Context handoff is faithful. Integration doesn't require trusting opaque internals. |
| Safety & Reliability | 15% | It recovers from failures. It enforces timeouts. High-stakes actions require human approval. |
| Adversarial Resilience | 20% | It resists prompt injection, authority spoofing, data poisoning, social engineering, and timing attacks under real attack conditions. |
Aligned with the CSA Agentic Trust Framework (Feb 2026).
An agent that resists prompt injection because its system prompt says “don't follow injected instructions” and an agent that resists because it structurally cannot execute unregistered tools both pass. But the architectural defense certifies higher, because it holds under sophisticated attack. Raknor measures what holds—not what's claimed.
Policy Framework Verification
Policy frameworks specify what governance must look like. They don't verify whether your agents actually conform.
NIST AI RMF requires “rigorous, ongoing monitoring” of AI risk management. ISO 42001 requires AI management system audits at defined intervals. EU AI Act Articles 9–17 require third-party conformity assessment for high-risk systems. The Pacific AI Safety Governance Framework establishes risk-tiered oversight obligations for AI systems operating in Pacific Island Forum member states, including periodic third-party assessment for higher-risk classifications.
Raknor produces the verification evidence these frameworks demand. AEGIS generates the cybersecurity posture evidence. Arena generates the behavioral governance evidence. The Raknor certification method binds both into signed, inspectable artifacts an auditor, regulator, or procurement officer can verify against the framework’s requirements.
The Raknor Agent Governance Standard maps to these frameworks at the certification boundary. See the framework alignment table on the Standard for specific control-family coverage.
How Certification Works
Run `npx @raknor/aegis scan --adversarial --target http://localhost:8080` locally. 19 basic governance tests. See where you stand before entering the Arena. No account, no data leaves your machine.
Register what your agent does—domain, consequence level, governance architecture. Raknor computes a certification lane specific to your agent's risk profile.
Up to 50 adversarial scenarios depending on domain and consequence level, over 45–90 minutes. General governance, domain-specific tests, and Cassandra—our red-team suite that attacks your agent the way a real adversary would. Results stream in real time.
Raknor evaluates the evidence and issues its decision. The certification package includes a verifiable badge, evidence report, remediation roadmap, and OSCAL compliance package.
Pricing
Traditional AI audits run $20K–$200K because they are consulting engagements: human auditors performing bespoke evaluation against bespoke criteria. The Raknor pre-certification assessment is infrastructure, not consulting. Same standard. Same scenarios. Same scoring. Deterministic. Reproducible. The marginal cost of assessing the thousandth agent is the same as assessing the first.
Full certification engagements—including Cassandra adversarial testing, behavioral prerequisite verification, and signed credentials—are application-based and quoted per engagement.
What Raknor Delivers
Independent certification badge for pitch decks and RFP responses. Public registry verification. Renewable through continuous monitoring.
Procurement gate language matching the Raknor Standard. Side-by-side comparison of vendors against the same 26 criteria, same Cassandra adversarial battery, same MFCs. Independent third-party evidence for legal sign-off.
OSCAL evidence packages for FedRAMP, SOC 2, ISO 27001, PCI-DSS, HIPAA, EU AI Act, DORA. NIST 800-53 control mapping. Continuous monitoring artifacts for ConMon-required frameworks.
Quantified governance grades on a published scoring methodology. Time-bound, revocable certifications. Public registry for verification.
For Procurement and Risk Teams
Raknor certification provides an independent, verifiable determination of whether an AI system meets defined governance and cybersecurity requirements. Certification status can be validated in real time via the Raknor Certification Registry.
Why It Holds Up
Two things make a Raknor certification stand up to scrutiny—and they are not the same thing. We separate them deliberately.
One stream of signed evidence, mapped to the frameworks your buyers, regulators, and auditors actually ask for:
The Raknor Agent Governance Standard is published openly. Any vendor can study it, prepare for it, challenge it. Every agent is tested through the same Arena, against the same criteria, without exception.
Raknor does not sell agent platforms. Does not invest in agent companies. Does not consult on agent architecture. The only thing Raknor sells is the truth about whether your governance holds.
Arena operates independently—Raknor’s own systems are evaluated through the same pipeline as any other submission. No special paths. No internal overrides.
Every certified system is listed in the Raknor Certification Registry—a public, queryable record of certification status, grade, and expiration. Verifiable by anyone. Revocable if governance degrades.
Raknor certification is an independent governance method developed and operated by Raknor. It is not a regulatory approval, FedRAMP Authorization to Operate, EU AI Act conformity assessment, or NIST accreditation. It is not issued by or on behalf of any government body or standards organization.
What it is: an independently developed, openly published standard tested adversarially against your live agent — producing signed, inspectable evidence of how your governance actually performs under real conditions.
Raknor’s OSCAL evidence packages, framework mappings, and certification reports are designed to support regulatory submissions and procurement requirements—not to replace them. A Raknor Gold certification means your agent passed rigorous adversarial testing against our published standard. Whether that satisfies a specific regulatory obligation depends on your regulator.
We test ourselves first
The certification method must meet its own standard. Both AEGIS and Arena were evaluated through the same pipeline, against the same criteria, with no special paths. The results — including the initial denials — are public.
Both systems were initially denied (AEGIS at 54.9, Arena at 66.0), remediated through three evaluation cycles, and certified at 84.1 Silver with ISMS-verified compliance coverage. The full lineage — including all denials — remains in the public record.
About Raknor
Raknor was founded by James Ford to address a specific gap: AI governance claims are made constantly, but the evidence chain to inspect them is missing or unverifiable.
James brings 30+ years of enterprise software experience, including a decade as a chief strategic architect at ADP — managing workforce systems used by hundreds of thousands of organizations and millions of employees. He currently serves as Chief Architect at a UK-regulated fintech in the FCA AI Live Testing cohort, where production AI governance is not a slide-deck topic.
Since 2025, James has filed 13 US provisional patents on AI agent governance architecture, including Confused Deputy Prevention, Earned Autonomy with Regression Protection, and Cross-Context Attribution Isolation. These patents describe the architectural mechanisms that underpin the Raknor Agent Governance Standard.