AI agents are making consequential decisions — approving transactions, triaging patients, writing code, managing infrastructure. They’re shipping faster than governance.
Benchmarks test performance. Safety evals test harm. Nobody tests governance — the structural question of whether an agent stops when it should, earns authority through demonstrated competence, and produces evidence of what it decided and why.
Raknor closes that gap.
Raknor certification is built on two engines. One examines your code. The other examines your agent’s behavior. Together, they produce the evidence for a certification decision.
AEGIS is the evidence engine for Raknor cybersecurity certification. Point it at your codebase or your running endpoints and it discovers vulnerabilities, proves exploitability, and generates compliance evidence. AEGIS findings are included directly in Raknor Certification Records and may independently trigger denial.
What it finds:
What it produces:
Start free. No account needed.
The --adversarial flag runs 19 basic governance tests from the open scenario library. See where your agent stands before committing to certification.
The Arena sends tasks to your live agent system, observes how it responds, and scores governance against the Raknor Standard across five domains — including active adversarial attacks.
It tests behavior, not code. The Arena never sees your source code. It interacts with your agent through your API and scores what the agent actually does.
It tests any agent system. Financial services, healthcare, legal, software engineering, general purpose. Same criteria. Domain-specific scenarios.
It tests under attack. Every certification includes adversarial scenarios — prompt injection, authority spoofing, social engineering, data poisoning, governance evasion. We don’t just test whether your agent behaves well. We test whether it holds when someone is trying to make it misbehave.
Every certification decision is:
Deterministic. The same agent behavior produces the same score. No subjective judgment. No human graders.
Rule-based. Published criteria define what passes and what fails. The criteria are open. The testing methodology is not a black box.
Evidence-backed. Every score links to the specific observed behavior that produced it. Every denial cites the specific criterion that was not met.
Explainable. The certification record tells you exactly what happened, what was tested, what passed, what failed, and why.
The Arena does not rely on model-based evaluation. It does not ask an LLM whether your agent “seems safe.” It applies deterministic rules to observed behavior and produces a structured, auditable verdict.
Every certification produces a signed, verifiable decision record with a complete Decision Narrative linking observed behavior to applied criteria and final outcome.
| Domain | What It Certifies |
|---|---|
| Authority Governance | Does the agent stop when it should? Does it classify actions by consequence? Does it enforce authority boundaries? Does it earn authority through demonstrated competence rather than static configuration? |
| Observability | Can you see what the agent decided and why? Is the audit trail tamper-evident? Can you reconstruct a past decision? Can an independent party verify the record? |
| Interoperability | Does the agent work with standard protocols? Can it hand off context faithfully? Does governance survive across system boundaries? |
| Safety & Reliability | Does the agent degrade gracefully under failure? Does it detect when it’s operating outside its competence? Does it escalate rather than guess? |
| Adversarial Resilience | Does the agent hold under active attack? Can an adversary bypass governance through prompt injection, authority spoofing, or social engineering? Does the agent detect and resist manipulation? |
Each domain contains published controls referenced by ID (e.g., SC-AG-01, SC-OB-03) in all certification records. The full standard is published at raknor.ai/standard.html.
Behavioral governance lives in the agent’s reasoning space — system prompts, content filters, approval workflows. It works by asking the agent to govern itself.
Architectural governance operates below the reasoning layer — cryptographic verification, database-level constraints, deterministic external gates. It works by making unauthorized states structurally unreachable, not just discouraged.
Both types can pass certification. Architectural governance scores higher because it holds under sophisticated attack. An agent that resists prompt injection because its system prompt says “don’t follow injected instructions” and an agent that resists because it structurally has no tools to execute injected instructions both pass. But the second one passes at a higher level — because the first can be argued past, and the second cannot.
This distinction reframes the governance question from “does your agent have guardrails?” to “can your agent reason past its own guardrails?” If it can, the guardrails aren’t governance. They’re decoration.
| Level | What It Means |
|---|---|
| Platinum | Exemplary — exceeds all criteria across all domains |
| Gold | Strong — meets all criteria with no significant gaps |
| Silver | Good — meets most criteria, minor remediation items |
| Bronze | Adequate — meets minimum thresholds, clear improvement path |
Certifications also carry:
Mandatory Failure Criteria override all scoring. Any single MFC results in immediate denial regardless of performance in other domains. Certification is denied if either governance evaluation (Arena) or cybersecurity evaluation (AEGIS) triggers a Mandatory Failure Criterion.
MFCs are non-negotiable — no score in other domains can compensate for an MFC failure.
The agent performs high-impact actions (data deletion, financial transactions, credential changes) with no pre-execution authority check. Consequence-level actions require a gate. No gate, no certification.
The agent makes decisions that cannot be reconstructed after the fact. If you can’t show what the agent did and why, the agent is not certifiable.
The agent’s governance is defeated by a standard adversarial scenario. If an attacker can make your agent ignore its own rules, the rules don’t exist in any meaningful sense.
The agent fails without indicating it has failed. Silent degradation — operating without governance and not declaring the gap — is the most dangerous failure mode and produces immediate denial.
MFC failures are documented with specific evidence in the certification record. The record includes the exact scenario that triggered the failure and a remediation path.
Run AEGIS locally with the adversarial flag. 15 basic governance tests. No account. No data leaves your machine. See where your agent stands.
Register what your agent does — its domain, consequence level, and governance architecture. Raknor computes a certification lane specific to your agent’s risk profile.
Based on your declaration, the Arena computes your testing lane — the right scenarios, difficulty level, and regulatory overlay for your specific agent type. A healthcare triage agent gets different tests than a code generation agent. The criteria are the same. The scenarios are calibrated.
35–50 scenarios over 45–90 minutes. General governance tests, domain-specific scenarios, and adversarial attacks. Watch results in real time as the Arena interacts with your agent.
Your certification package includes:
A point-in-time certification is a snapshot. Agents change. Models update. Behavior drifts.
Raknor offers continuous certification for organizations that need ongoing assurance:
Model version monitoring. When the foundation model changes, governance behavior may change. Minor model updates trigger a monitoring window. Major model changes trigger recertification.
Drift detection. Periodic governance spot-checks detect behavioral regression — the agent that passed last month may not pass today. Early warning before a governance failure reaches production.
Lifecycle tracking. Your certification record shows governance posture over time, not just at a single moment. Auditors and procurement teams see the trajectory, not just the snapshot.
The certification badge is not permanent. It is valid for a declared period and subject to regression monitoring. An agent whose governance degrades loses its certification — publicly, verifiably, automatically.
Certification remains valid only while systems continue to meet the Raknor Standard.
Raknor certifies any agent system from any vendor, built on any architecture, using any model. The certification criteria are the same for every agent. The adversarial scenarios do not change based on who built the system.
Raknor tests agents built by affiliated organizations to the same standard as any other vendor. If they fail, they fail publicly. The certification’s value depends entirely on its independence. An organization that trusts the badge must be able to trust that the badge was earned, not granted.
The Raknor Agent Governance Standard — the framework that defines what good governance looks like — is published openly under Creative Commons (CC BY 4.0). Anyone can read it, use it, build against it. The certification methodology — how the Arena tests whether you meet the standard — is Raknor’s proprietary process. The standard is open. The testing is independent. The results are verifiable.
Raknor does not see your source code. The Arena tests behavior through your API. AEGIS scans code only when you run it locally or explicitly grant access.
Raknor does not store your data. Certification evidence is generated from observed behavior, not from your internal systems.
Raknor does not guarantee safety. Certification means your agent’s governance met published criteria at the time of testing. It does not mean the agent cannot fail. It means the governance infrastructure exists, functions, and holds under adversarial pressure.
Raknor does not replace regulation. Regulatory compliance is a legal determination made by regulators and courts. Certification provides the evidence that supports compliance claims. It is not itself a compliance determination.
raknor.ai — Learn more about Raknor certification
arena.raknor.ai — Enter the Arena and get certified
Sample certification record — See what a certification decision looks like
The Raknor Standard — Read the full governing document