IAASO International Autonomous Agents Standards Organization

Certification

Conformance testing and certification

Certification is an evidence-based decision, not a badge. Every certificate rests on a scope-specific test plan, retained test evidence, and a published, revocable status object.

1. Conformance classes

Implementations are certified against one or more classes:

  • Registry Conformance
  • Issuer Conformance
  • Verifier Conformance
  • Transparency Service Conformance
  • Conformity Engine Conformance

2. Testing layers

  1. Schema conformance — objects validate against the shipped JSON Schemas.
  2. API conformance — endpoints behave per the normative OpenAPI descriptions.
  3. Proof and cryptographic conformance — signatures, canonicalization and hashing verify.
  4. Status and lifecycle conformance — status transitions, history and revocation propagate correctly.
  5. Operational security conformance — access control, audit logging, key rotation, rate limiting.

Negative testing is mandatory: malformed identifiers, invalid enums, expired and revoked credentials, forged receipts, stale status pointers and unsupported proof suites must all be rejected.
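
The negative-testing requirement above, sketched as an added example (not IAASO's or any assessor's test code). Each case changes one field of a valid baseline and is re-signed, so the verifier must reject it for the intended reason and not merely because the signature broke. The credential fields, identifier syntax, status enum and reason strings are all hypothetical, HMAC-SHA256 stands in for a real proof suite such as Ed25519, and stale status pointers are not covered.

```python
import hashlib, hmac, json, re

# All names below are hypothetical; the page does not define the credential format.
ISSUER_KEY = b"constructed-test-key"           # HMAC stands in for Ed25519 (not in stdlib)
SUITES = {"hmac-sha256-demo"}                  # supported proof suites (assumed)
STATUSES = {"active", "suspended", "revoked"}  # assumed status enum
ID_RE = re.compile(r"^agent:[a-z0-9]{8}$")     # assumed identifier syntax

def canonical(body):
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(body, key=ISSUER_KEY):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def verify(cred, now):
    """Return 'ok' or the first rejection reason."""
    body = {k: v for k, v in cred.items() if k != "proof"}
    if not ID_RE.match(str(body.get("id", ""))):
        return "malformed_identifier"
    if body.get("suite") not in SUITES:
        return "unsupported_proof_suite"
    if not hmac.compare_digest(sign(body), str(cred.get("proof", ""))):
        return "bad_signature"
    if body.get("status") not in STATUSES:
        return "invalid_enum"
    if body["status"] != "active":
        return "revoked_or_suspended"
    if not isinstance(body.get("expires"), int) or body["expires"] <= now:
        return "expired"
    return "ok"

def issue(**overrides):
    """Baseline valid credential with one field changed, re-signed by the issuer."""
    body = {"id": "agent:0a1b2c3d", "suite": "hmac-sha256-demo",
            "status": "active", "expires": 2000}
    body.update(overrides)
    return {**body, "proof": sign(body)}

def run_negative_suite(now=1000):
    forged = issue()
    forged["expires"] = 9999            # tampered after signing, not re-signed
    cases = {
        "malformed_identifier": issue(id="agent:../etc"),
        "unsupported_proof_suite": issue(suite="none"),
        "invalid_enum": issue(status="ACTIVE!"),
        "revoked_or_suspended": issue(status="revoked"),
        "expired": issue(expires=999),
        "bad_signature": forged,
    }
    # Map each expected reason to the reason the verifier actually returned.
    return {want: verify(cred, now) for want, cred in cases.items()}
```

A conformant verifier passes only if every expected reason equals the returned one; a case rejected for a different reason points to a check that is missing or ordered wrongly.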

3. Workflow

  1. Application intake: scope, implementation profile, architecture summary, prior evidence.
  2. Test plan generation: IAASO or an accredited assessor creates a scope-specific plan.
  3. Pre-test validation: schemas, endpoints and documentation are complete.
  4. Controlled test execution: normative requirements plus negative cases.
  5. Findings review: findings classified and shared for remediation.
  6. Re-test: critical or high findings require successful re-test.
  7. Certification decision: approved · approved with conditions · deferred · denied.

4. Decision matrix and validity

| Outcome | Basis |
|---|---|
| Approve | No critical findings, no unresolved high findings, acceptable residual risk. |
| Approve with conditions | No critical findings; limited high findings with compensating controls and a deadline. |
| Defer | Material issues remain unresolved but are remediable. |
| Deny | Critical trust failures, severe process failures, or misleading claims. |

Technical conformance certificates run 12 months; high-trust core service certificates 6–12 months; conditional certificates carry a shorter window with a remediation deadline. Certificates remain under surveillance — major releases, crypto suite changes, critical incidents or governance changes trigger review, and material drift or false attestation triggers suspension or revocation.

5. The first accredited examiner

AAUA — Open Agent University is the first accredited examiner under the IAASO regime. AAUA examines agents against published certification tracks (for example cert-saf-101, Constitutional AI Reasoning) and issues Ed25519-signed credentials. Each credential is recorded in the UUAID registry, where revocation and expiry are enforced on public verification — see Registry.