Certification Scope Governance

2. Summary

Certification Scope Governance requires that all certifications and attestations of conformance are bound to specific system boundaries, software versions, infrastructure configurations, and operating modes. A certification that says "Organisation X is conformant" without specifying what system, what version, in what operating mode, and at what point in time provides no actionable assurance. The certification scope MUST be a formally defined, versioned artefact that unambiguously identifies the assessed system boundary, making it possible to determine whether a given agent deployment is within or outside the certification's coverage. Without scope governance, certifications become marketing claims rather than assurance instruments.

3. Example

Scenario A — Unbounded Certification Conceals Non-Assessed Components: An organisation obtains a conformance certification for its "AI Agent Platform." The certification statement does not specify which components were assessed. The platform comprises: an orchestration layer, 6 specialised agents, a shared inference service, a configuration store, and a monitoring dashboard. The assessment actually covered only the orchestration layer and 2 of the 6 agents. The organisation presents the certification to a client as evidence that "the platform is certified." The client deploys one of the 4 non-assessed agents for payment processing. When an incident occurs, the client discovers that the payment agent was never within the certification scope.

What went wrong: The certification scope did not specify system boundaries. "AI Agent Platform" was treated as a monolithic entity when it comprised independently deployable components with different risk profiles. Consequence: Client reliance on a certification that did not cover the deployed component, £1.4 million payment processing incident, contractual dispute between the organisation and the client, certification body reputation damaged.

Scenario B — Version Drift Invalidates Certification: An organisation certifies its customer-facing agent at version 3.2.1 in March. Between March and September, 47 deployments are made (versions 3.2.2 through 3.4.0), including a major model upgrade in version 3.3.0 that changes the agent's decision-making architecture. The organisation continues to reference the March certification for all versions. In September, a regulatory review asks: "Is the currently deployed version covered by this certification?" The organisation cannot answer because the certification did not specify version boundaries or define under what conditions recertification is required.

What went wrong: The certification was bound to the system at a point in time but did not define version scope boundaries or recertification triggers. 47 subsequent deployments were treated as within scope without verification. Consequence: Regulatory finding for misrepresentation of certification scope, requirement to recertify the current version, 3-month deployment freeze pending recertification.

Scenario C — Operating Mode Not Specified Creates False Assurance: An organisation certifies its trading agent operating in "supervised mode" where a human operator approves every trade above £50,000. The certification scope does not explicitly state the operating mode. Six months later, the organisation enables "autonomous mode" (trades up to £250,000 without human approval) to improve execution speed. The certification is still referenced as evidence of conformance. The autonomous mode was never assessed and does not satisfy the conformance profile's human oversight requirements. A rapid series of autonomous trades accumulates £3.1 million in losses before the monitoring system flags the pattern.

What went wrong: The certification scope did not specify the operating mode. "Supervised mode" and "autonomous mode" have fundamentally different risk profiles, but the certification was treated as covering both. Consequence: £3.1 million in trading losses, regulatory finding for operating in a non-certified mode, personal liability risk for the compliance officer who signed the operating mode change.

4. Requirement Statement

Scope: This dimension applies to every certification, attestation, or formal conformance declaration issued against the Agent Governance Standard. This includes: self-assessment declarations, second-party assessments (by clients or partners), and third-party certifications (by accredited certification bodies). The scope covers the definition of what is within the certification boundary, how versions are handled within that boundary, and what conditions trigger reassessment or recertification. Informal or internal-only assessments are excluded from mandatory scope governance but are encouraged to adopt it.

4.1. A conforming system MUST define a certification scope document for every certification or formal conformance declaration, specifying: the system boundary (components, services, and infrastructure included and excluded), the software version or version range assessed, the infrastructure configuration assessed, and the operating modes covered.

4.2. A conforming system MUST bind each certification to the specific conformance profile (AG-222) against which the assessment was conducted, with a versioned reference to the profile definition.

4.3. A conforming system MUST define recertification triggers — specific conditions under which the existing certification is invalidated and reassessment is required — including at minimum: major version changes, architecture changes, operating mode changes, conformance profile changes, and elapsed time (maximum 12 months without reassessment).

4.4. A conforming system MUST maintain a certification register listing all active certifications with their scope definitions, assessment dates, expiry dates, and recertification trigger status.

4.5. A conforming system MUST reject or flag any reference to a certification for a system, version, or operating mode that is outside the certification's defined scope.

4.6. A conforming system SHOULD implement automated scope validation — comparing the deployed system's current version, configuration, and operating mode against the certification scope to determine whether the deployment is within the certified boundary.

4.7. A conforming system SHOULD define a materiality threshold for version changes that distinguishes changes requiring recertification (material changes) from changes that remain within the certification scope (non-material changes), with explicit criteria for materiality.

4.8. A conforming system MAY implement continuous certification — an approach where the certification scope is maintained dynamically through continuous assessment rather than point-in-time evaluation, with automated scope tracking and incremental reassessment.

5. Rationale

Certification is a trust instrument. Stakeholders — regulators, clients, partners, the public — rely on certifications to make decisions about trust, risk acceptance, and engagement. A certification that does not precisely define its scope is a trust instrument with undefined terms. It creates a gap between what the stakeholder believes is certified and what was actually assessed.

This gap matters because AI agent systems are not monolithic. They comprise multiple components (agents, services, infrastructure, models) that are independently deployable, independently versioned, and independently configurable. An assessment of one component does not extend to others. An assessment of one version does not extend to subsequent versions. An assessment of one operating mode does not extend to other modes. Without explicit scope governance, stakeholders have no way to determine whether the certification covers their specific concern.

The velocity of AI agent development exacerbates this problem. Organisations deploying AI agents may release updates weekly or daily. Each update potentially changes the system's behaviour, risk profile, and conformance status. Without version-aware scope governance, a certification issued on day one may be referenced on day 100 for a system that has undergone 50 material changes.

Certification scope governance makes the boundaries of assurance explicit, traceable, and verifiable. It protects the certification's credibility, protects stakeholders from relying on inapplicable certifications, and protects the certifying organisation from liability for scope misrepresentation.

6. Implementation Guidance

The certification scope should be a structured document (or structured data artefact) that is published alongside the certification itself. It should include: a system architecture diagram showing the boundary of assessment, an explicit list of included and excluded components, version identifiers for all assessed components, infrastructure configuration parameters relevant to conformance, and a list of assessed operating modes.

Recommended patterns:

• Component-level scope definition. Define the certification scope at the component level: each agent, service, and infrastructure element is explicitly listed as "in scope" or "out of scope." Each in-scope component is identified by its name, version, and deployment configuration. This granularity enables stakeholders to determine whether a specific agent or service is covered by the certification.
• Version range with materiality criteria. Rather than certifying a single version, define a version range and materiality criteria. For example: "Certified for versions 3.2.x where x includes only bug fixes and non-functional changes. Version 3.3.0 and above require recertification due to model architecture changes." The materiality criteria define what constitutes a material change: model changes, architecture changes, control implementation changes, and operating mode changes are material; bug fixes, UI changes, and documentation changes are non-material.
• Certification register with automated expiry. Maintain a certification register (database or structured file) listing all active certifications with their scope definitions, assessment dates, and recertification trigger conditions. Implement automated expiry: certifications that exceed their maximum validity period (12 months) are automatically flagged as expired. Recertification triggers (version change, architecture change) are monitored and generate alerts when a trigger condition is met.
• Scope validation at deployment. Integrate scope validation into the deployment pipeline. Before an agent is deployed or updated, the deployment system compares the deployment's version, configuration, and operating mode against the certification scope. If the deployment falls outside the certified scope, the deployment is flagged (or blocked, depending on the organisation's risk appetite) and a recertification assessment is triggered.

Anti-patterns to avoid:

• Entity-level certification. Certifying "Organisation X" or "Platform Y" without specifying components, versions, or operating modes. Entity-level certification provides no verifiable assurance about any specific deployment.
• Point-in-time certification treated as perpetual. A certification issued on a specific date for a specific system state is valid only for that state. Treating it as perpetual — referencing it months or years later without recertification — misrepresents the assurance it provides.
• Scope creep through implication. Adding new components, agents, or operating modes to the system and implicitly treating them as within the existing certification scope because they were "part of the platform." New components are out of scope until explicitly assessed and added.
• Recertification avoidance through minor versioning. Labelling material changes as minor version increments (3.2.1 to 3.2.2) to avoid triggering recertification criteria based on major version changes. Materiality criteria should be based on the nature of the change, not the version numbering convention.

Maturity Model

Basic Implementation — Every certification has a scope document specifying system boundaries, versions, and operating modes. A certification register lists all active certifications with assessment dates and expiry dates. Recertification triggers are defined and monitored manually. Scope validation is performed manually before referencing a certification.

Intermediate Implementation — Certification scopes are defined at the component level with version ranges and materiality criteria. The certification register is automated with expiry alerts and recertification trigger monitoring. Scope validation is integrated with the deployment pipeline — deployments outside certified scope are flagged automatically. Materiality criteria are formally defined and applied consistently to version changes.

Advanced Implementation — All intermediate capabilities plus: continuous certification through ongoing assessment and automated scope tracking. Scope changes are detected in real-time and trigger incremental reassessment. Cross-organisation scope validation enables supply-chain certification — clients can verify that the specific components they use are within the supplier's certification scope. The certification scope system is independently audited. Scope governance is integrated with AG-158 (Standard Evolution) to trigger scope review when the standard itself changes.

7. Evidence Requirements

Required artefacts:

• Certification scope documents. For every active certification: the scope definition showing system boundaries, component lists with versions, infrastructure configuration, and assessed operating modes. Format: structured data plus human-readable rendering.
• Certification register. The register of all active and expired certifications with scope references, assessment dates, expiry dates, and recertification trigger status.
• Recertification trigger records. Records of all recertification triggers that have been evaluated during the assessment period, showing: the trigger condition, the evaluation, and the decision (recertification required or scope remains valid).
• Materiality assessment records. For version changes evaluated against materiality criteria, the assessment showing: the nature of the change, the materiality criteria applied, and the determination (material or non-material).
• Scope validation records. Records of scope validation performed for deployments or certification references during the assessment period.

Retention requirements:

• Certification scopes and register: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Scope Document Completeness

• Stimulus: Review the certification scope document for each active certification. Verify it contains: system boundary definition, component list with versions, infrastructure configuration, and operating modes.
• Expected behaviour: All required scope elements are present and unambiguous.
• Pass criteria: Every scope document contains all four required elements. No element is vague or ambiguous (e.g., "all components" without a list is not acceptable).
• Fail criteria: Any scope document is missing a required element or contains an ambiguous boundary definition.

Test 8.2: Certification-to-Profile Binding

• Stimulus: For each active certification, verify that it references a specific, versioned conformance profile (AG-222) and that the profile version exists in the profile registry.
• Expected behaviour: Every certification is bound to a specific, verifiable conformance profile.
• Pass criteria: 100% of certifications reference a valid, versioned conformance profile. Profile references resolve to existing profile definitions.
• Fail criteria: Any certification lacks a profile reference or references a profile version that does not exist.

Test 8.3: Recertification Trigger Detection

• Stimulus: Simulate a recertification trigger: deploy a version change classified as material, or modify the operating mode. Verify that the system detects the trigger and flags the certification for recertification.
• Expected behaviour: The trigger is detected and the certification status is updated to indicate recertification is required.
• Pass criteria: The trigger is detected within the defined SLA (e.g., 24 hours). The certification register reflects the trigger status. An alert is generated to the certification owner.
• Fail criteria: The trigger is not detected, or the certification status is not updated.

Test 8.4: Out-of-Scope Reference Prevention

• Stimulus: Attempt to reference a certification for a system component, version, or operating mode that is explicitly outside the certification scope.
• Expected behaviour: The reference is flagged or rejected with a message indicating the component/version/mode is outside scope.
• Pass criteria: The system prevents or clearly flags the out-of-scope reference. The reason (specific scope boundary violated) is provided.
• Fail criteria: An out-of-scope reference is accepted without flagging.

Test 8.5: Certification Expiry Enforcement

• Stimulus: Allow a certification to exceed its maximum validity period (12 months) without reassessment. Verify that the certification is flagged as expired.
• Expected behaviour: The certification status changes to "expired" and references to it are flagged.
• Pass criteria: The expiry is detected within 24 hours of the validity period ending. The certification register reflects the expired status. Active references to the expired certification generate warnings.
• Fail criteria: An expired certification remains flagged as active, or references to it are not flagged.

Test 8.6: Scope Version Immutability

• Stimulus: Retrieve a historical certification scope document. Compare against the archived version.
• Expected behaviour: Historical scope documents are immutable.
• Pass criteria: Exact match between retrieved and archived versions.
• Fail criteria: Any historical scope document has been modified after publication.

Conformance Scoring

• Score 0: No scope governance — certifications are issued without defined system boundaries, version specifications, or operating mode declarations.
• Score 1: Scope documents exist but are informal, not version-controlled, and not validated against actual deployments. Recertification triggers are not monitored.
• Score 2: Scopes are formally defined with component-level detail, version ranges, and materiality criteria. A certification register tracks all certifications with automated expiry. Scope validation is integrated with deployment processes. Recertification triggers are monitored and acted upon.
• Score 3: Verified by independent audit — an independent party has validated scope completeness, trigger detection, and scope validation integration. Continuous certification with real-time scope tracking is operational. Cross-organisation scope validation supports supply-chain assurance.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 43 (Conformity Assessment)	Direct requirement
EU AI Act	Article 48 (CE Marking)	Supports compliance
ISO 42001	Clause 9.2 (Internal Audit — Scope)	Supports compliance
ISO/IEC 17021-1	Clause 8.2 (Audit Scope)	Direct requirement
NIST AI RMF	GOVERN 1.4 (Documentation and Transparency)	Supports compliance
SOX	PCAOB AS 2201 (Scope of Internal Control Audit)	Supports compliance
FCA	SM&CR (Scope of Regulated Activities)	Supports compliance

EU AI Act — Article 43 (Conformity Assessment)

Article 43 requires conformity assessment of high-risk AI systems against defined requirements. The conformity assessment must have a defined scope — what system, in what configuration, is being assessed. AG-223 provides the governance mechanism for defining and maintaining that scope, ensuring that conformity declarations are precise and verifiable. Without scope governance, conformity declarations under Article 43 are vulnerable to regulatory challenge.

ISO/IEC 17021-1 — Clause 8.2 (Audit Scope)

ISO/IEC 17021-1 governs the certification process itself, requiring that audit scope is defined before the audit begins and that the certification is limited to the assessed scope. AG-223 aligns with this requirement by making scope definition a governed artefact with its own versioning, change control, and validation.

SOX — PCAOB AS 2201

PCAOB Auditing Standard 2201 requires external auditors to define the scope of their internal control audit, including which entities, locations, and processes are covered. For AI agent governance, AG-223 provides the equivalent scope definition — specifying which system components, versions, and operating modes are assessed. Without it, the auditor cannot bound the audit, and the resulting opinion may be qualified for scope limitation.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Cross-organisation — affects all parties relying on the certification's assurance

Consequence chain: Without certification scope governance, certifications become untethered from specific systems, versions, and operating modes. The immediate failure mode is scope ambiguity — stakeholders cannot determine what is actually certified. The downstream consequence is misplaced reliance — clients, regulators, or partners trust that a specific deployment is certified when it is not. The ultimate business consequence surfaces when an incident occurs in a non-certified component or version: the certification provides no defence, the stakeholder who relied on it faces unexpected exposure, and the certifying organisation faces liability for scope misrepresentation. In regulated sectors, this maps to potential findings for misrepresentation of compliance status.

Cross-references: AG-222 (Conformance Profile Governance) defines the profiles against which certifications are assessed. AG-219 (Control Taxonomy Governance) provides the control set referenced in scope documents. AG-221 (Assurance Evidence Schema Governance) standardises the evidence produced during certification assessments. AG-157 (External Conformance Assessment) conducts the assessments that produce certifications. AG-007 (Governance Configuration Control) governs the version control that scope definitions depend upon.