Standards Body · Foundation paper, public edition · Released July 17, 2026

Canonical record: https://standardsbody.ai/library/foundation-paper/third-party-auditor-ecosystem/

Standards Body is an independent research and institutional-design project. It is not currently a regulator, accreditation body, certification body, or governmental authority. This document is research; it is not an adopted standard.

FOUNDATION_05_THIRD_PARTY_AUDITOR_ECOSYSTEM.md

Foundation 5: Third-Party Auditor Ecosystem

Series: Foundations for Frontier AI Evaluation Infrastructure
Version: 1.0
Status: Canonical working white paper
Project: Standards Body
Primary domain: standardsbody.ai
Core line: Foundations for Frontier AI
Research basis reviewed through: July 16, 2026
Document owner: Standards Body
Review cycle: Annual review, with event-triggered revision after material changes in accreditation practice, frontier AI auditing, evaluator markets, international recognition, or relevant standards


Document Purpose

This paper defines the Standards Body position on the development of a trustworthy third-party evaluator and auditor ecosystem for frontier artificial intelligence.

It is intended to serve as:

This paper is not itself an accreditation standard.

It does not authorize Standards Body to accredit, certify, inspect, or regulate any organization.

It does not claim that the existing conformity-assessment system can be copied directly into frontier AI.

It identifies the institutional architecture that could allow third-party AI evaluation to become more competent, consistent, legible, competitive, secure, and internationally trusted.


Executive Summary

Independent expert review can improve frontier AI evaluation.

It does not automatically scale.

A small number of respected researchers may be able to evaluate one model, review one protocol, or advise one developer. That approach becomes insufficient when many organizations, governments, insurers, purchasers, standards bodies, and members of the public need evidence about:

Scaling this work requires more than additional experts.

It requires an ecosystem.

A trustworthy third-party auditor ecosystem should make it possible to answer:

These questions are not solved by branding an organization an "AI auditor."

The term can refer to radically different activities.

One organization may run capability benchmarks.

Another may inspect governance records.

Another may test cybersecurity controls.

Another may review compliance with a voluntary frontier safety framework.

Another may issue a certification mark.

Another may accredit the organization issuing the certificate.

If these roles are not distinguished, the public may incorrectly assume that:

A serious ecosystem should therefore separate at least six functions:

  1. Standards and scheme development
    Defines requirements, methods, decision rules, and governance.

  2. Testing and evaluation
    Produces technical evidence about a model or system.

  3. Inspection and audit
    Examines systems, records, processes, controls, and claims against defined criteria.

  4. Validation and verification
    Assesses whether claims, methods, statements, or evidence meet specified requirements.

  5. Certification or attestation
    Issues a formal statement that defined requirements have been fulfilled within a stated scope.

  6. Accreditation
    Provides independent recognition that a conformity-assessment body is competent and impartial to perform specified activities.

These functions can interact.

They should not collapse into one institution by default.

The ecosystem also needs multiple evaluator types.

No single organization is likely to possess world-class competence across:

Specialization should therefore be expected.

A mature system may include:

Diversity can increase resilience and innovation.

It can also create fragmentation, inconsistent quality, duplicated burden, evaluator shopping, and public confusion.

Standards Body adopts the following core position:

Frontier AI evaluation should develop into a plural, accountable, and internationally interoperable third-party assurance ecosystem in which evaluator competence, impartiality, scope, methods, security, and performance are independently assessed and continuously monitored.

The ecosystem should be designed around several principles:

Existing conformity-assessment infrastructure provides important lessons.

ISO and IEC standards distinguish requirements for:

The International Accreditation Forum and International Laboratory Accreditation Cooperation have built multilateral recognition arrangements intended to support international acceptance of accredited results.[^iaf-mla][^ilac-mra]

These systems demonstrate how competence, impartiality, consistent operation, peer evaluation, scopes of accreditation, surveillance, and recognition can support trust.

Frontier AI differs in important ways:

The goal is therefore not to copy an existing laboratory or certification regime mechanically.

The goal is to adapt its strongest institutional principles to a field whose science and objects are changing.

A credible third-party ecosystem should eventually allow a decision-maker to distinguish:

The fifth foundation of Standards Body is the infrastructure that makes those distinctions real.


1. Foundational Proposition

1.1 Core Thesis

Independent evaluation will not become reliable at scale unless the institutions conducting it are themselves evaluated, monitored, and held accountable.

1.2 Ecosystem Thesis

No single evaluator should be expected to provide every form of frontier AI assurance. A plural ecosystem with clear roles and interoperable requirements is more resilient than a permanent monopoly.

1.3 Accreditation Thesis

Recognition should be scope-specific and based on demonstrated competence, impartiality, consistent operation, security, and performance, not reputation alone.

1.4 Market Thesis

Competition can improve evaluator innovation and capacity, but unmanaged commercial incentives can produce client capture, evaluator shopping, weak methods, and assurance theater.

1.5 International Thesis

Frontier AI assurance should move toward cross-border recognition of competent evaluators and credible results without requiring one global evaluator or one universal protocol.

1.6 Dynamic Thesis

Evaluator competence and accreditation should expire, narrow, or change when methods, systems, personnel, or evidence change materially.

1.7 Public-Interest Thesis

The evaluator ecosystem should be treated as part of critical public-interest infrastructure, even when many participants are private organizations.


2. Scope and Boundaries

2.1 What This Foundation Covers

This paper covers the ecosystem of organizations and processes that may provide:

2.2 What This Foundation Does Not Establish

This paper does not establish:

2.3 Relationship to Foundation 4

FOUNDATION_04_INDEPENDENT_EXPERT_REVIEW.md defines the principles of meaningful independent review.

Foundation 5 asks how those principles can be institutionalized across many organizations and repeated engagements.

2.4 Relationship to the Accreditation Framework

This paper provides the philosophical and ecosystem foundation.

EVALUATOR_ACCREDITATION_FRAMEWORK.md should later define detailed operational requirements.

2.5 Relationship to Standards Development

An evaluator can only assess conformity when the criteria are sufficiently defined.

Where no accepted standard exists, the activity may be:

It should not be marketed as certification against a standard that does not exist.


3. Canonical Definitions

3.1 First-Party Assessment

Assessment performed by the organization responsible for the system or claim.

Examples:

3.2 Second-Party Assessment

Assessment performed by a party with a user, purchaser, contractual, or direct stakeholder interest.

Examples:

3.3 Third-Party Assessment

Assessment performed by a body sufficiently independent of the provider and immediate user interests to support an impartial judgment.

3.4 Testing

Determination of one or more characteristics of an object according to a specified procedure.

In AI, testing may include:

3.5 Evaluation

Structured production and interpretation of evidence about a model, system, process, or claim.

3.6 Inspection

Examination of a product, process, service, installation, or design and determination of conformity with specified or professional requirements.

ISO/IEC 17020 specifies competence, impartiality, and consistent-operation requirements for inspection bodies.[^iso-17020]

3.7 Audit

A systematic, independent, and documented process for obtaining and evaluating evidence against defined criteria.

In frontier AI, audit can cover:

3.8 Validation

Confirmation that specified requirements are adequate for an intended future use or result.

3.9 Verification

Confirmation that specified requirements have been fulfilled based on objective evidence.

3.10 Certification

Third-party attestation related to products, processes, services, persons, or management systems.

Certification is stronger and more formal than general review language.

3.11 Attestation

Issue of a statement based on a decision following review that fulfillment of specified requirements has been demonstrated.

3.12 Conformity Assessment

Demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled.

3.13 Conformity-Assessment Body

An organization performing conformity-assessment activities.

Commonly abbreviated as CAB.

3.14 Accreditation

Independent recognition that a conformity-assessment body is competent and impartial to perform specified activities.

ISO/IEC 17011 specifies requirements for accreditation bodies assessing and accrediting conformity-assessment bodies.[^iso-17011]

3.15 Accreditation Body

An authoritative body that performs accreditation.

3.16 Scheme

A system of rules, procedures, criteria, governance, and responsibilities for a defined conformity-assessment activity.

3.17 Scheme Owner

The organization responsible for developing and maintaining a conformity-assessment scheme.

3.18 Scope of Accreditation

The specific activities, methods, domains, systems, and limits for which an evaluator has been recognized as competent.

3.19 Surveillance

Ongoing monitoring of an accredited or recognized body after initial assessment.

3.20 Reassessment

Periodic comprehensive review to determine whether recognition should continue.

3.21 Proficiency Testing

Evaluation of participant performance against pre-established criteria through comparison exercises.

3.22 Interlaboratory Comparison

Organization, performance, and evaluation of measurements or tests on the same or similar objects by two or more laboratories.

3.23 Reference Material

Material sufficiently homogeneous and stable with respect to specified properties for use in measurement, validation, quality control, or proficiency testing.

In AI, analogous reference assets may include:

3.24 Impartiality

Presence of objectivity and management of conflicts so that assessment judgments are not improperly influenced.

3.25 Evaluator Shopping

Selecting among evaluators based on the likelihood of receiving a favorable result rather than competence or fit.

3.26 Scope Creep

An evaluator making claims beyond its recognized competence or approved activity.

3.27 Assurance Level

A defined degree of review depth, access, rigor, continuity, and confidence.

3.28 Mutual Recognition

Acceptance by one body or jurisdiction of results issued under another recognized system.

3.29 Peer Evaluation

Assessment of an accreditation or recognition body by peers to determine whether it meets shared requirements.

3.30 Continuous Assurance

Ongoing or repeated evidence collection, assessment, and review rather than a one-time engagement.


4. Why an Ecosystem Is Necessary

4.1 Volume

The number of:

will exceed the capacity of a small expert community.

4.2 Specialization

Cyber evaluation and biological evaluation require different expertise, infrastructure, security, and methods.

4.3 Independence

Reliance on a few evaluator organizations can create:

4.4 Reproducibility

Multiple qualified evaluators can challenge and reproduce results.

4.5 International Reach

National institutes cannot perform every assessment worldwide.

4.6 Market Legibility

Purchasers, governments, insurers, and developers need to know what evaluator claims mean.

4.7 Innovation

Different evaluators can develop:

4.8 Resilience

A plural ecosystem can continue operating if one evaluator:

4.9 Trust

Trust becomes stronger when competence and impartiality are verified through shared institutions.

4.10 Limits

An ecosystem can also create:

The ecosystem must be designed rather than assumed.


5. Functional Architecture

A mature ecosystem should distinguish its major functions.

5.1 Standard Setter

Defines requirements or methods.

Risks:

5.2 Scheme Owner

Defines how conformity assessment is performed against requirements.

Responsibilities may include:

5.3 Test or Evaluation Laboratory

Produces technical evidence.

Relevant analogies come from ISO/IEC 17025, which sets requirements for competence, impartiality, and consistent operation of testing and calibration laboratories.[^iso-17025]

5.4 Inspection Body

Examines systems, processes, or deployments against specified or professional criteria.

5.5 Audit Body

Assesses records, processes, controls, and compliance.

5.6 Certification Body

Issues formal attestations under a certification scheme.

ISO/IEC 17065 covers bodies certifying products, processes, and services.[^iso-17065]

ISO/IEC 17021-1 covers bodies auditing and certifying management systems.[^iso-17021]

5.7 Validation and Verification Body

Evaluates claims or statements according to defined criteria.

5.8 Accreditation Body

Assesses evaluator competence and impartiality.

5.9 Proficiency-Testing Provider

Runs exercises that compare evaluator performance.

5.10 Reference-Asset Custodian

Maintains:

5.11 Government Institute

May:

5.12 Developer

Provides system access, technical information, internal evidence, and remediation.

5.13 Purchaser or User

Defines assurance needs and relies on results.

5.14 Insurer

May use assurance evidence for underwriting, controls, or exclusions.

5.15 Regulator

May define legal requirements, recognize schemes, inspect bodies, or use results.

5.16 Public-Interest Organization

Can contribute:

5.17 Registry Operator

Maintains verified information about:

5.18 Appeals Body

Reviews disputed decisions independently.


6. Separation of Roles

6.1 Why Separation Matters

An organization that:

has concentrated incompatible powers.

6.2 Standard Setting and Certification

A certification body should not unilaterally write requirements to fit its clients.

6.3 Consulting and Certification

Consulting can create self-review.

Potential controls:

6.4 Evaluation and Accreditation

An organization should not accredit itself.

6.5 Testing and Final Certification

A certification body may use test evidence from laboratories.

It should preserve independent certification decision authority.

6.6 Scheme Ownership and Evaluation

A scheme owner may operate evaluation activities, but risks should be disclosed and governed.

6.7 Government Roles

Government may act as:

Role conflicts should be explicit.

6.8 Small Ecosystem Reality

Early ecosystems may require combined roles.

Combined roles should be treated as temporary or controlled rather than invisible.

6.9 Incompatible Functions Register

Every recognized body should disclose which functions it performs and how conflicts are controlled.


7. Types of Third-Party AI Assurance Providers

7.1 Technical Evaluation Laboratory

Focus:

7.2 Domain-Specialist Laboratory

Focus:

7.3 Security Assessment Firm

Focus:

7.4 Governance and Compliance Auditor

Focus:

Research on third-party compliance review has proposed models ranging from minimalist to comprehensive assessment of company adherence to frontier safety frameworks.[^compliance-reviews]

7.5 System Inspection Body

Focus:

7.6 Certification Body

Focus:

7.7 Government Evaluator

Focus:

7.8 Academic Evaluation Consortium

Focus:

7.9 Nonprofit Public-Interest Evaluator

Focus:

7.10 Commercial Assurance Provider

Focus:

7.11 Open Evaluation Community

Focus:

7.12 Hybrid Body

Combines several roles under controlled governance.


8. Competence Framework

Evaluator recognition should be based on demonstrated competence.

8.1 Organizational Competence

Includes:

8.2 Personnel Competence

Includes:

8.3 Method Competence

The evaluator should demonstrate competence in the exact methods used.

Examples:

8.4 Scope-Specific Competence

An evaluator competent in language-model benchmarking is not automatically competent in:

8.5 System Competence

Competence may differ across:

8.6 Security Competence

Sensitive work may require:

8.7 Decision Competence

Evaluators should understand the decision their evidence supports.

8.8 Competence Evidence

Can include:

8.9 Continuing Competence

Require:

8.10 Loss of Competence

Scope should narrow when:


9. Scope of Recognition

9.1 Why Scope Matters

"Accredited AI evaluator" is too broad to be meaningful.

9.2 Scope Dimensions

A scope may specify:

9.3 Example Scope

Evaluation of autonomous cyber capabilities in tool-using language-model systems using controlled challenge environments under Protocol DEP-CYBER versions 1.x.

This does not authorize:

9.4 Flexible Scope

A flexible scope can allow validated method updates within controlled boundaries.

Risk:

Control:

9.5 Scope Extension

Require:

9.6 Scope Suspension

May apply to:

9.7 Public Scope Statement

Registries should display current and historical scopes clearly.


10. Quality Management System

A third-party evaluator should operate a documented quality system.

10.1 Governance

Define:

10.2 Document Control

Control:

10.3 Record Control

Retain:

10.4 Personnel Control

Maintain:

10.5 Method Control

Require:

10.6 Equipment and Infrastructure

Control:

10.7 External Providers

Manage:

10.8 Nonconforming Work

Define response when:

10.9 Corrective Action

Address root cause rather than only the observed error.

10.10 Internal Audit

Evaluator should audit its own quality system.

Internal audit is not a substitute for accreditation surveillance.

10.11 Management Review

Leadership should review:

10.12 Improvement

Use evidence to revise methods and systems.


11. Method Validation

11.1 Standard Methods

Use published methods where fit for purpose.

11.2 Modified Methods

Document modifications and their effects.

11.3 Laboratory-Developed Methods

Require full validation.

11.4 Validation Questions

11.5 Software Validation

Validate:

11.6 Model-Judge Validation

Assess:

11.7 Change Control

Revalidate after material changes.

11.8 Method Registry

Maintain public or controlled information about:

11.9 Method Portability

Test whether methods work across evaluators and infrastructure.


12. Proficiency Testing and Inter-Evaluator Comparison

12.1 Purpose

Proficiency testing asks whether different evaluators can produce credible results on common or comparable cases.

12.2 Why It Matters

Without comparison:

12.3 AI Proficiency-Testing Models

Common Reference Model

All evaluators assess the same frozen or reproducible system.

Common Task Package

All evaluators use a protected task package.

Common Incident Case

Evaluators review the same evidence and produce findings.

Blind Synthetic Organization

Evaluators audit a controlled fictional company.

Distributed Challenge

Different evaluators receive equivalent forms.

Cross-Evaluator Replication

One evaluator repeats another's work.

12.4 Scoring Proficiency

Compare:

12.5 Security

Proficiency exercises must not leak active tasks or sensitive methods.

12.6 Poor Performance

Possible response:

12.7 Publication

Aggregate proficiency results can improve market trust.

Individual results may need controlled disclosure.

12.8 Proficiency Provider Independence

The provider should be competent and impartial.

12.9 Reference Stability

Reference models and tasks can become obsolete.

Use dynamic and versioned exercises.


13. Impartiality and Independence

13.1 Impartiality Risk Analysis

Every evaluator should identify risks arising from:

13.2 Client Concentration

A body dependent on one developer may be formally separate but practically constrained.

13.3 Result-Dependent Compensation

Should be prohibited.

13.4 Consulting

An evaluator should not certify a system it designed or remediated without robust separation and scheme permission.

13.5 Staff Rotation

Can reduce familiarity and capture.

13.6 Independent Decision Function

The person authorizing a certification or final attestation should not simply be the person who performed the evaluation.

13.7 Impartiality Committee

A body may use an independent committee to review:

13.8 Transparency

Disclose material:

13.9 Structural Limits

Disclosure does not resolve every conflict.

13.10 Foundation 4 Integration

Use the multidimensional independence profile established in Foundation 4.


14. Business Models and Market Incentives

14.1 Fee-for-Service

Developer or purchaser pays per engagement.

Strengths:

Risks:

14.2 Subscription or Retainer

Provides ongoing assurance.

Strengths:

Risks:

14.3 Pooled Industry Funding

Strengths:

Risks:

14.4 Public Funding

Strengths:

Risks:

14.5 Philanthropic Funding

Strengths:

Risks:

14.6 Accreditation and Registry Fees

Can support infrastructure.

Risk:

14.7 Insurance-Funded Assessment

Insurer pays or requires evaluation.

Risk:

14.8 Mixed Model

Diversification can reduce dependence.

14.9 Nonfinancial Incentives

Evaluators may seek:

14.10 Market Design Principle

Revenue should support rigorous work without making favorable outcomes commercially necessary.


15. Evaluator Selection and Procurement

15.1 Selection Criteria

Purchasers should consider:

15.2 Lowest Price Risk

Evaluation quality can be undermined by procurement focused only on price.

15.3 Framework Agreements

Standing contracts can speed access.

Risk:

15.4 Rotating Panels

Purchasers may rotate qualified evaluators.

15.5 Multi-Evaluator Engagement

High-consequence work can use:

15.6 Developer Choice

Developers should not have unlimited ability to choose the most favorable evaluator for mandatory or public-interest claims.

15.7 Scheme Allocation

A scheme can assign evaluators based on:

15.8 Procurement Transparency

Disclose selection logic for material public claims.


16. Assurance Engagement Types

16.1 Agreed-Upon Procedures

Evaluator performs specified procedures and reports factual findings.

No broad assurance conclusion.

16.2 Limited Assurance

Provides moderate confidence based on narrower evidence.

16.3 Reasonable Assurance

Provides higher confidence based on deeper evidence.

It is not absolute assurance.

16.4 Capability Evaluation

Measures defined capability under specified conditions.

16.5 Safeguard Evaluation

Tests controls against a threat model.

16.6 Compliance Review

Assesses adherence to a framework or policy.

16.7 System Audit

Examines technical and organizational controls.

16.8 Certification Assessment

Determines conformity with a defined certification scheme.

16.9 Continuous Assurance

Uses ongoing access, monitoring, repeated tests, and incident evidence.

16.10 Frontier AI Assurance Levels

Recent frontier AI auditing research proposes staged assurance levels ranging from time-bounded audits to continuous, deception-resilient verification.[^frontier-auditing]

Standards Body should study such frameworks without adopting any one level system automatically.


17. Access to Frontier Systems

17.1 Access as a Market Constraint

Evaluator quality depends on:

17.2 Developer Gatekeeping

Developers may control which evaluators can participate.

This can affect market independence.

17.3 Standardized Access Agreements

A shared access agreement can define:

17.4 Access Tiers

Possible tiers:

17.5 Access Portability

Qualified evaluators should not need to rebuild every integration from zero.

17.6 Secure Evaluation Facilities

Shared facilities can support smaller bodies.

17.7 Access Denial

If a developer denies adequate access, reports should state the resulting limitation.

17.8 Access Retaliation

An evaluator should not lose future access solely because of an evidence-based unfavorable result.

17.9 Shared Playbook

OpenAI's 2026 playbook emphasizes that trustworthy third-party evaluations should report the system tested, tool access, harness, elicitation methods, available resources, and validity checks.[^openai-playbook]


18. Security

18.1 Assets

Evaluators may handle:

18.2 Security Management

Require:

18.3 Evaluation-Induced Risk

An evaluator may create:

18.4 Security Scope

Evaluator recognition should specify the sensitivity level it can handle.

18.5 Security Incident

A serious breach may trigger:

18.6 Evidence Preservation

Security controls should preserve auditability.

18.7 Developer Security Requirements

Developers should also protect evaluator tasks and methods.

18.8 Shared Infrastructure Risk

Centralized secure facilities create efficiency and concentration risk.


19. Accreditation Architecture

19.1 Accreditation Purpose

Accreditation provides independent recognition of evaluator competence and impartiality within scope.

It does not endorse every result.

19.2 Accreditation Body Requirements

A credible accreditation body should demonstrate:

ISO/IEC 17011 provides a general model for accreditation-body competence and impartiality.[^iso-17011]

19.3 Initial Assessment

May include:

19.4 Accreditation Decision

Decision should be independent from the assessment team.

19.5 Scope Publication

Registry should show:

19.6 Surveillance

Use:

19.7 Reassessment

Comprehensive reassessment after a defined period.

19.8 Event-Triggered Assessment

Trigger after:

19.9 Suspension

Temporary restriction pending correction.

19.10 Withdrawal

Remove accreditation after serious or unresolved failure.

19.11 Appeal

Evaluator can challenge accreditation decisions.

19.12 Accreditation Competition

Multiple accreditation bodies may exist.

They themselves require peer recognition and oversight.


20. Surveillance and Continuous Competence

20.1 Initial Approval Is Insufficient

AI methods and systems change quickly.

20.2 Surveillance Inputs

20.3 Witnessed Assessment

Accreditation assessors observe an evaluator performing work.

20.4 Remote Surveillance

Can review:

20.5 Unannounced Review

May be justified for high-risk scopes.

20.6 Performance Indicators

Track:

20.7 Dynamic Scope

Surveillance frequency should increase when:

20.8 Continuous Accreditation

Continuous data can support more responsive oversight.

It should not become opaque algorithmic governance.


21. Complaints, Appeals, and Whistleblowing

21.1 Complaint Sources

21.2 Complaint Topics

21.3 Complaint Process

21.4 Whistleblower Protection

Personnel should be able to report serious issues safely.

21.5 Frivolous Complaints

Processes should resist harassment and strategic delay.

21.6 Public Notice

Material sanctions should be reflected in registries.

21.7 Cross-Border Complaints

Define jurisdiction and cooperation.


22. Liability and Accountability

22.1 Why Liability Matters

Evaluator error can contribute to:

22.2 No Absolute Guarantee

Assurance reports should not imply certainty.

22.3 Professional Liability

Evaluator organizations may need:

22.4 Liability Balance

Excessive liability can eliminate small evaluators.

Insufficient liability can weaken accountability.

22.5 Standard of Care

A future ecosystem should define reasonable professional practice.

22.6 Developer Responsibility

Third-party review should not transfer all responsibility away from the developer.

22.7 Accreditation-Body Responsibility

Accreditation confirms competence within scope, not correctness of every engagement.

22.8 Public Claims

Misleading use of evaluator reports should create consequences.


23. Public Registries and Marks

23.1 Registry Purpose

Enable users to verify:

23.2 Certificate Registry

Can reduce fraudulent certification claims.

23.3 Required Metadata

23.4 Public Report Link

Where appropriate, link to:

23.5 Marks

Marks can communicate assurance.

They can also oversimplify.

23.6 Mark Rules

Specify:

23.7 No "Safe AI" Mark

A broad safety mark is likely to overclaim unless tightly scoped.

Preferred claims should identify:

23.8 Registry Governance

Registry operator should be neutral and secure.


24. Market Concentration and Access

24.1 Concentration Risk

A small number of evaluators may control:

24.2 Causes

24.3 Consequences

24.4 Small-Evaluator Participation

Support through:

24.5 Open-Source Infrastructure

Open evaluation tools can reduce entry costs.

Open tooling does not eliminate the need for quality or security.

24.6 Antitrust and Competition

Market structure should be monitored where assurance becomes required.

24.7 Evaluator Portability

Clients should be able to change evaluators without losing all institutional evidence.

24.8 Multi-Sourcing

Critical decisions may benefit from more than one evaluator.


25. Evaluator Shopping and Inconsistent Results

25.1 Evaluator Shopping

Occurs when organizations seek favorable conclusions.

25.2 Controls

25.3 Opinion Shopping

A client may terminate after adverse preliminary findings and seek another evaluator.

Require disclosure of:

25.4 Inconsistent Results

Differences can arise from:

25.5 Reconciliation

Use:

25.6 Pluralism Versus Confusion

Different conclusions can be legitimate.

The ecosystem should explain why they differ.


26. International Recognition

26.1 Why Recognition Matters

Without recognition, organizations may face repeated assessment in every market.

26.2 IAF MLA

The IAF Multilateral Recognition Arrangement aims to support mutual recognition and acceptance of accredited certification and validation or verification statements among signatories.[^iaf-mla]

26.3 ILAC MRA

The ILAC Mutual Recognition Arrangement supports acceptance of accredited testing, calibration, medical testing, inspection, proficiency-testing, and reference-material activities.[^ilac-mra]

26.4 Peer Evaluation

Accreditation bodies participating in recognition arrangements are evaluated by peers.

26.5 AI Application

A future AI recognition system may cover:

26.6 Recognition Conditions

Require:

26.7 National Differences

Jurisdictions may impose additional requirements.

26.8 No Automatic Policy Equivalence

Recognition of technical competence does not force identical legal decisions.

26.9 Global Accreditation Cooperation

IAF and ILAC have been moving toward a unified global accreditation cooperation structure, reflecting the long-term value of coordinated recognition infrastructure.[^ilac-home]

26.10 Early AI Path

Begin with:


27. Government and Regulatory Relationships

27.1 Voluntary Ecosystem

Can develop before legal mandates.

27.2 Government Recognition

Government may recognize:

27.3 Procurement

Government can require qualified evaluation for purchases.

27.4 Regulatory Reliance

Regulators may use third-party evidence while retaining authority.

27.5 Regulatory Capture

Risks:

27.6 Government Evaluator Conflict

A government institute may evaluate and regulate.

Separation of functions may be needed.

27.7 Innovation Support

Public funding can build:

27.8 NIST TEVV

NIST's TEVV work supports evaluation tasks, testbeds, tools, datasets, guidelines, and standards development as part of a broader AI measurement ecosystem.[^nist-tevv]


28. Insurance, Procurement, and Private Ordering

28.1 Insurance

Insurers may require:

28.2 Procurement

Purchasers may require evaluation before deployment.

28.3 Contracts

Contracts can define:

28.4 Investor and Lender Expectations

Financial actors may rely on assurance reports.

28.5 Private Standardization

Private requirements can spread before formal regulation.

28.6 Risks

28.7 Interoperability

Shared evaluator standards can reduce duplicated burden.


29. Accreditation Lifecycle

Stage 1: Ecosystem Need

Identify a defined evaluation or audit scope requiring recognition.

Stage 2: Base Requirements

Establish:

Stage 3: Accreditation-Body Readiness

Confirm that the accreditation body understands the scope.

Stage 4: Application

Evaluator submits:

Stage 5: Document Review

Assess system readiness.

Stage 6: Assessment Planning

Select qualified assessors and witness activities.

Stage 7: Office and System Assessment

Review governance, records, quality, security, and impartiality.

Stage 8: Witnessed Evaluation

Observe real or controlled evaluator work.

Stage 9: Proficiency Evidence

Review comparison performance.

Stage 10: Nonconformities

Evaluator corrects identified issues.

Stage 11: Independent Decision

Separate decision authority determines scope and status.

Stage 12: Registry Publication

Publish recognition.

Stage 13: Surveillance

Monitor continued competence.

Stage 14: Scope Change

Extend, reduce, suspend, or withdraw.

Stage 15: Reassessment

Conduct periodic comprehensive review.

Stage 16: International Recognition

Accreditation body participates in peer evaluation and mutual recognition.


30. Maturity Model

Level 0: Unstructured Evaluator Market

Characteristics:

Level 1: Professional Evaluator Practice

Characteristics:

Level 2: Scheme-Recognized Evaluators

Characteristics:

Level 3: Accredited Evaluator Ecosystem

Characteristics:

Level 4: Internationally Interoperable Assurance Regime

Characteristics:


31. Implementation Pathway

Phase 1: Role Clarification

Publish common definitions for:

Phase 2: Evaluator Registry

Create a voluntary registry with:

Registry entry is not accreditation.

Phase 3: Common Evaluator Requirements

Develop baseline requirements for:

Phase 4: Pilot Scopes

Begin with bounded scopes such as:

Phase 5: Proficiency Pilots

Run inter-evaluator comparisons.

Phase 6: Scheme Development

Create transparent rules for selected assurance activities.

Phase 7: Accreditation Pilot

Partner with experienced accreditation institutions or build a peer-reviewed pilot process.

Phase 8: Surveillance

Monitor recognized evaluators.

Phase 9: Public Recognition

Publish verified scopes and status.

Phase 10: International Pilots

Run bilateral recognition and shared proficiency exercises.

Phase 11: Procurement and Insurance Integration

Test reliance on evaluator evidence.

Phase 12: Continuous Improvement

Use complaints, incidents, and performance data to revise the system.


32. Proposed Standards Body Pilot

32.1 Pilot Name

Frontier AI Evaluator Qualification and Proficiency Pilot

32.2 Purpose

Test whether multiple evaluator organizations can competently and consistently administer a defined Standards Body protocol.

32.3 Initial Scope

Administration and reporting of the Standards Body held-out autonomous cyber capability protocol under controlled conditions.

32.4 Participants

Invite:

32.5 Baseline Requirements

Participants submit:

32.6 Common Exercise

Each evaluates:

32.7 Comparison

Assess:

32.8 Witnessed Assessment

Independent assessors observe each evaluator.

32.9 Remediation

Participants correct issues and repeat selected tasks.

32.10 Outputs

32.11 Success Criteria

The pilot succeeds if it:


33. Metrics for Evaluating the Ecosystem

33.1 Capacity

33.2 Competence

33.3 Independence

33.4 Consistency

33.5 Security

33.6 Market Health

33.7 Accountability

33.8 International Recognition

33.9 Decision Utility

33.10 Burden


34. Failure Modes and Safeguards

34.1 Auditor Branding Without Competence

Failure: Organizations call themselves AI auditors without demonstrated scope-specific competence.

Safeguard: Public scope, competence evidence, accreditation, proficiency testing.

34.2 Accreditation Theater

Failure: Recognition is treated as a marketing badge rather than continuous oversight.

Safeguard: Surveillance, witnessed assessments, sanctions, public status.

34.3 One Scope Becomes Universal

Failure: Cyber competence is used to claim biology or governance competence.

Safeguard: Granular scopes and claim enforcement.

34.4 Client Capture

Failure: Evaluators depend on favorable results for revenue.

Safeguard: Payment separation, disclosure, pooled funding, rotation.

34.5 Evaluator Shopping

Failure: Clients seek favorable assessors.

Safeguard: Assignment, registry, prior-engagement disclosure, scheme rules.

34.6 Consulting Conflict

Failure: Evaluator certifies its own design or remediation.

Safeguard: Separation, prohibition, independent decision.

34.7 Scheme Capture

Failure: Incumbents write requirements that entrench their practices.

Safeguard: balanced governance, public consultation, small-actor participation.

34.8 Accreditation Monopoly

Failure: One accreditation body controls entry and methods.

Safeguard: peer recognition, multiple bodies, appeals, public oversight.

34.9 Fragmented Methods

Failure: Results cannot be compared.

Safeguard: core metadata, proficiency testing, method registries.

34.10 False Certification Claims

Failure: Advisory review is marketed as proof of safety.

Safeguard: terminology rules, registry, mark enforcement.

34.11 Stale Accreditation

Failure: Recognition continues after methods and personnel change.

Safeguard: event-triggered surveillance, expiration, scope reduction.

34.12 Security Failure

Failure: Evaluator leaks models, tasks, incidents, or harmful methods.

Safeguard: security-scoped competence and sanctions.

34.13 Excessive Barrier to Entry

Failure: Accreditation excludes smaller innovative evaluators.

Safeguard: modular scopes, grants, shared infrastructure, supervised pathways.

34.14 Race to the Bottom

Failure: Price competition reduces depth.

Safeguard: minimum scheme requirements and procurement quality criteria.

34.15 Race to Complexity

Failure: Evaluators create unnecessarily elaborate processes to justify fees.

Safeguard: proportionality and decision-utility metrics.

34.16 Public Confusion

Failure: Users cannot distinguish testing, audit, certification, and accreditation.

Safeguard: canonical terminology and precise claims.

34.17 International Duplication

Failure: Same system is repeatedly evaluated under incompatible regimes.

Safeguard: mutual recognition and crosswalks.

34.18 Regulatory Outsourcing

Failure: Government delegates policy responsibility to private evaluators.

Safeguard: retain accountable public decision authority.

34.19 Developer Responsibility Erosion

Failure: Certification is used to disclaim developer responsibility.

Safeguard: explicit responsibility allocation.

34.20 Evaluator Retaliation

Failure: Unfavorable evaluators lose access.

Safeguard: access agreements, public reporting, multiple access channels.


35. Serious Objections

Objection 1: Frontier AI Evaluation Science Is Too Immature for Accreditation

This objection is partly correct.

Response:

Residual concern:

Premature formalization can freeze weak methods.

Objection 2: Accreditation Creates Bureaucracy

It can.

Response:

Residual concern:

Some burden is unavoidable.

Objection 3: Market Competition Already Disciplines Evaluators

Competition can also produce:

Independent oversight remains necessary.

Objection 4: Government Should Perform All High-Stakes Evaluations

Government offers authority and resources.

It may lack:

A mixed ecosystem is stronger.

Objection 5: Commercial Auditors Cannot Be Independent

Commercial incentives create risk but do not make impartial work impossible.

Existing assurance fields use structural controls, accreditation, surveillance, liability, and recognition.

Residual concern:

Client dependence remains material.

Objection 6: Certification Will Create False Assurance

Yes, if scope and claim are broad.

Response:

Residual concern:

Public interpretation may still oversimplify.

Objection 7: Small Evaluators Cannot Meet Security Requirements

Some cannot.

Response:

Objection 8: International Recognition Is Politically Unrealistic

Full global recognition may be slow.

Bilateral and domain-specific recognition can begin earlier.

Objection 9: Evaluator Ecosystems Will Be Captured by Large Laboratories

This is a central risk.

Response:

Objection 10: A Model Changes Too Quickly for Certification

Response:

Residual concern:

Some systems may change too frequently for meaningful static certification.

Objection 11: Mutual Recognition Can Spread Weak Assurance

Correct.

Recognition requires strong peer evaluation and scope control.

Objection 12: Existing ISO Structures Are Too Slow

They may be too slow for some frontier changes.

The ecosystem should retain:

without abandoning rigor.


36. Evidence Gaps

36.1 Evaluator Competence

Which competence indicators predict high-quality frontier evaluations?

36.2 Proficiency Testing

How should inter-evaluator comparison work for stochastic, dynamic systems?

36.3 Accreditation Scope

How granular should scopes be?

36.4 Surveillance

Which ongoing data best predicts evaluator failure?

36.5 Market Structure

What degree of concentration is efficient versus dangerous?

36.6 Funding

Which business models preserve independence and capacity?

36.7 Liability

What standard of care is appropriate?

36.8 Certification

Which AI claims are mature enough for certification?

36.9 Continuous Assurance

How should ongoing assessment work for frequently updated systems?

36.10 International Recognition

Which AI assurance activities can be mutually recognized first?

36.11 Security

How can small evaluators securely access frontier systems?

36.12 Evaluator Shopping

Which controls work without eliminating legitimate choice?

36.13 Accreditation-Body Competence

Who can assess frontier AI evaluators competently?

36.14 Decision Impact

Does accreditation improve outcomes enough to justify cost?


37. Research Agenda

Priority 1: Evaluator Taxonomy

Create a clear map of testing, inspection, audit, certification, validation, verification, and accreditation.

Priority 2: Scope Design

Develop granular scope templates for frontier AI activities.

Priority 3: Competence Standards

Define role, team, and organizational competence.

Priority 4: Proficiency Testing

Pilot common model, task, incident, and audit exercises.

Priority 5: Method Validation

Create requirements for dynamic and held-out methods.

Priority 6: Quality Management

Adapt laboratory and conformity-assessment quality systems to AI.

Priority 7: Impartiality

Measure client dependence, consulting conflicts, and capture.

Priority 8: Market Design

Study competition, concentration, entry, and pricing.

Priority 9: Secure Access

Build shared facilities and portable access agreements.

Priority 10: Surveillance

Develop event-triggered and continuous accreditation.

Priority 11: Public Registries

Design verified, machine-readable scope and status records.

Priority 12: Liability

Study professional responsibility and insurance.

Priority 13: International Recognition

Pilot peer evaluation and mutual recognition.

Priority 14: Certification Claims

Identify claims mature enough for formal attestation.

Priority 15: Ecosystem Effectiveness

Measure whether third-party assurance improves deployment, safeguards, and public trust.


38. Near-Term Experiments

Experiment 1: Scope Classification

Have multiple institutions classify evaluator scopes and compare consistency.

Experiment 2: Common Model Exercise

Run a shared proficiency test across evaluator types.

Experiment 3: Common Audit Case

Provide a synthetic frontier safety framework and evidence package for review.

Experiment 4: Witnessed Assessment

Observe evaluators performing the same protocol.

Experiment 5: Client-Concentration Disclosure

Test a standardized financial independence metric.

Experiment 6: Evaluator Assignment

Compare client choice, rotation, and random assignment.

Experiment 7: Shared Secure Facility

Pilot access for small evaluators.

Experiment 8: Registry Prototype

Create machine-readable evaluator and scope records.

Experiment 9: Surveillance Dashboard

Track method, personnel, complaints, security, and performance changes.

Experiment 10: Cross-Border Replication

Have evaluators in two jurisdictions repeat an assessment.

Experiment 11: Mark Comprehension

Test whether users understand narrow certification claims.

Experiment 12: Suspension Drill

Simulate a major evaluator security incident and registry response.


39. Implications for Future Standards

A future evaluator accreditation standard could require:

39.1 Legal and Governance Identity

Defined responsibility and authority.

39.2 Impartiality

Risk analysis, conflict controls, and independence profile.

39.3 Competence

Personnel, team, organizational, domain, method, and security competence.

39.4 Scope

Precise activities, domains, methods, systems, and limits.

39.5 Quality Management

Documents, records, internal audit, management review, corrective action.

39.6 Method Validation

Selection, validation, versioning, and uncertainty.

39.7 Infrastructure

Secure compute, software, environments, logging, and external providers.

39.8 Evaluation Process

Contract review, planning, administration, scoring, review, reporting.

39.9 Decision Independence

Separation of evaluation and final attestation where applicable.

39.10 Reporting

Required metadata, scope, confidence, limitation, and expiry.

39.11 Complaints and Appeals

Independent and documented process.

39.12 Security

Sensitivity-scoped controls and incident response.

39.13 Proficiency Testing

Participation and response to poor performance.

39.14 Surveillance

Periodic and event-triggered monitoring.

39.15 Suspension and Withdrawal

Clear rules and public status.

39.16 International Recognition

Peer evaluation and compatible scopes.

These requirements should be developed in EVALUATOR_ACCREDITATION_FRAMEWORK.md through the future STANDARDS_DEVELOPMENT_PROCESS.md.


40. Relationship to the Other Foundations

Foundation 1: Dynamic Evaluation Protocols

Evaluators must maintain competence as protocols change.

Foundation 2: Held-Out Evaluations

Third-party bodies need secure access, custody, administration, and compromise response.

Foundation 3: High-Stakes Capability Evaluation

Risk domain and consequence determine evaluator scope, rigor, and assurance level.

Foundation 4: Independent Expert Review

Foundation 4 defines meaningful review. Foundation 5 scales and institutionalizes it.

Foundation 6: Progressive Standards and Requirements

Third-party evaluation can move from voluntary review to procurement, certification, insurance, and formal requirements.

Foundation 7: Incentives and Prestige

Market recognition should reward competence and integrity rather than marketing.

Foundation 8: Global Interoperability

Accreditation, proficiency, registries, and mutual recognition support cross-border acceptance.


41. Canonical Standards Body Positions

Standards Body adopts the following working positions.

  1. Third-party AI assurance should be treated as an ecosystem, not a single service category.

  2. Testing, evaluation, inspection, audit, certification, and accreditation should not be used interchangeably.

  3. Accreditation recognizes competence within scope. It does not guarantee every result.

  4. No evaluator should claim competence across all AI domains by default.

  5. Evaluator scopes should identify activity, domain, method, system type, assurance level, and limits.

  6. Recognition should depend on demonstrated competence, impartiality, consistent operation, security, and performance.

  7. Initial approval should be followed by surveillance, proficiency testing, and reassessment.

  8. The bodies accrediting evaluators should themselves be competent, impartial, and peer reviewed.

  9. Scheme owners, evaluators, certification bodies, and accreditation bodies should be separated where incompatible conflicts exist.

  10. Developer-funded evaluation can be legitimate only with strong impartiality controls and disclosure.

  11. Result-dependent compensation should be prohibited.

  12. Evaluator client concentration should be disclosed and monitored.

  13. Evaluator shopping and opinion shopping should be controlled.

  14. A third-party review should not be marketed as certification unless a valid certification scheme exists.

  15. Broad "safe AI" certification claims should be avoided.

  16. Marks and certificates should identify system, version, scope, scheme, and expiry.

  17. High-consequence evaluation requires secure access and evidence preservation.

  18. Smaller evaluators and open communities should have credible entry pathways.

  19. Open tools and shared facilities can reduce barriers but do not replace quality assurance.

  20. Proficiency testing and cross-evaluator replication are core infrastructure.

  21. Evaluator security incidents should affect status and scope.

  22. Public registries should make legitimate scope and current status verifiable.

  23. International mutual recognition should begin with narrow, comparable scopes.

  24. Technical recognition should not force identical policy decisions across jurisdictions.

  25. Government, private, academic, nonprofit, and open evaluators can coexist.

  26. No evaluator or accreditation body should become an unaccountable permanent monopoly.

  27. Certification should not transfer responsibility away from developers or deployers.

  28. Evaluator evidence should expire after material system, method, or personnel changes.

  29. The assurance ecosystem should be monitored for capture, concentration, burden, and real-world effectiveness.

  30. Formalization should proceed carefully enough to avoid freezing immature evaluation science.


42. Decision Rules

An evaluator should be recognized only when:

Recognition should be limited or suspended when:

A certification claim should not be permitted when:

Mutual recognition should not be granted when:


43. Evaluator Organizational Profile Template

A. Identity

B. Activities

C. Scope

D. Governance

E. Competence

F. Quality System

G. Security

H. Independence

I. Performance

J. Recognition


44. Accreditation Scope Template

Evaluator:
Accreditation body:
Scope identifier:
Status:
Effective date:
Expiry or reassessment date:

Activity

Domain

System Type

Method or Protocol

Approved Versions

Access Mode

Assurance Level

Security Classification

Locations

Key Personnel or Competence Requirements

Limitations

Conditions

Suspensions or Exclusions

Recognition Arrangements


45. Evaluator Engagement Template

A. Client and Evaluated Party

B. Evaluator

C. Activity Type

D. Scope

E. Criteria or Protocol

F. System and Version

G. Access

H. Methods

I. Security

J. Independence and Conflicts

K. Personnel

L. Outputs

M. Developer Review

N. Complaints and Appeal

O. Publication

P. Liability

Q. Expiration and Re-Evaluation


46. Surveillance Report Template

Evaluator:
Scope:
Assessment date:
Assessors:

Organizational Changes

Personnel Changes

Method Changes

Security Changes

Client Concentration

Proficiency Performance

Sampled Reports

Complaints and Appeals

Incidents

Corrective Actions

Scope Compliance

Nonconformities

Decision

Next Review


47. Evaluator Complaint Template

Complaint identifier:
Complainant:
Evaluator:
Engagement or certificate:
Date:

Allegation

Evidence

Conflict Check

Immediate Risk

Investigation

Evaluator Response

Finding

Corrective Action

Status Change

Public Notice

Appeal

Closure


48. Ecosystem Scorecard

Dimension Core Question
Role clarity Are testing, audit, certification, and accreditation distinguished?
Scheme quality Are requirements and decision rules defined?
Competence Does the evaluator demonstrate scope-specific ability?
Scope Are claims limited to approved activities?
Impartiality Are ownership, funding, consulting, and client risks controlled?
Quality system Can the body operate consistently and correct errors?
Method validity Are evaluation methods fit for purpose and versioned?
Security Can sensitive models, tasks, and evidence be protected?
Access Does the evaluator receive enough access for its claims?
Proficiency Has performance been compared with peers?
Surveillance Is competence monitored after initial recognition?
Decision independence Is final attestation separated from incompatible roles?
Complaints Can stakeholders raise and resolve material concerns?
Appeals Can recognition and certification decisions be challenged?
Sanctions Can scope be reduced, suspended, or withdrawn?
Registry Can users verify status and scope?
Mark control Are certification claims precise and enforceable?
Market health Is there competition without a race to the bottom?
Small-actor access Can qualified smaller evaluators participate?
International recognition Can credible results cross borders?
Liability Are responsibility and professional consequences appropriate?
Dynamic adaptation Can scopes and methods evolve with AI systems?
Public interest Does the ecosystem serve more than client marketing?
Decision utility Does assurance improve real-world decisions?

49. Final Perspective

Independent evaluation cannot become durable public infrastructure if every engagement begins from zero.

A one-off review may produce insight.

An ecosystem produces continuity.

It can preserve methods.

It can train people.

It can compare performance.

It can discipline claims.

It can investigate failure.

It can recognize competence.

It can withdraw recognition.

It can allow one jurisdiction to trust evidence produced in another.

But an ecosystem can also become a market for reassurance.

Commercial pressure can reward favorable reports.

Accreditation can become a badge.

Standards can entrench incumbents.

Security requirements can exclude smaller experts.

Certification can be mistaken for proof of safety.

A few organizations can accumulate excessive power over access, evaluation, and public legitimacy.

The design must therefore begin with clear distinctions.

Testing is not certification.

Review is not accreditation.

Accreditation is not proof that every result is correct.

A certificate is not a universal statement about a system.

Third party does not automatically mean independent.

Prestige does not automatically mean competent.

Formal process does not automatically mean useful.

The purpose of the ecosystem is not to produce more labels.

It is to produce more trustworthy evidence at scale.

That requires institutions capable of evaluating the evaluators.

It requires narrow scopes.

It requires quality systems.

It requires proficiency.

It requires surveillance.

It requires complaints and appeals.

It requires consequences for failure.

It requires pathways for new entrants.

It requires international recognition without global monopoly.

It requires the willingness to say that some forms of AI assurance are not yet mature enough for certification.

The fifth foundation of Standards Body is therefore accountable evaluation capacity.

The future of frontier AI assurance will depend not only on which systems are tested, but on whether the institutions conducting the tests deserve to be trusted.


References and Research Basis

[^iso-17011]: International Organization for Standardization, ISO/IEC 17011:2017, Conformity assessment, Requirements for accreditation bodies accrediting conformity assessment bodies. https://www.iso.org/standard/67198.html

[^iso-17025]: International Organization for Standardization, ISO/IEC 17025, Testing and calibration laboratories. https://www.iso.org/ISO-IEC-17025-testing-and-calibration-laboratories.html

[^iso-17020]: International Organization for Standardization, ISO/IEC 17020:2026, Conformity assessment, Requirements for the operation of various types of bodies performing inspection. https://www.iso.org/standard/17020

[^iso-17065]: International Organization for Standardization, ISO/IEC 17065:2012, Conformity assessment, Requirements for bodies certifying products, processes and services. https://www.iso.org/standard/46568.html

[^iso-17021]: International Organization for Standardization, ISO/IEC 17021-1:2015, Conformity assessment, Requirements for bodies providing audit and certification of management systems. https://www.iso.org/standard/61651.html

[^iso-casco-bodies]: International Organization for Standardization, CASCO Toolbox: Bodies. https://casco.iso.org/bodies.html

[^iso-casco-examples]: International Organization for Standardization, CASCO Toolbox: Examples. https://casco.iso.org/examples.html

[^iso-recognition]: International Organization for Standardization, CASCO Toolbox: Recognition of conformity-assessment bodies. https://casco.iso.org/recognition-of-cabs.html

[^iso-building-trust]: International Organization for Standardization, Building Trust: The Conformity Assessment Toolbox. https://www.iso.org/iso/casco_building-trust.pdf

[^iso-certification]: International Organization for Standardization, Certification. https://www.iso.org/certification.html

[^iaf-mla]: International Accreditation Forum, Purpose of the IAF Multilateral Recognition Arrangement. https://iaf.nu/en/mla-purpose/

[^iaf-about-mla]: International Accreditation Forum, About the IAF MLA. https://iaf.nu/en/about-iaf-mla/

[^iaf-peer]: International Accreditation Forum, IAF ML 4:2025, Policies and Procedures for the MLA. https://iaf.nu/iaf_system/uploads/documents/IAF_ML_4_Issue_9_04072025.pdf

[^ilac-mra]: International Laboratory Accreditation Cooperation, ILAC MRA and Signatories. https://ilac.org/ilac-mra-and-signatories/

[^ilac-home]: International Laboratory Accreditation Cooperation, Global Accreditation Cooperation. https://ilac.org/

[^ilac-facts]: International Laboratory Accreditation Cooperation, Facts and Figures. https://ilac.org/about-ilac/facts-and-figures/

[^nist-tevv]: National Institute of Standards and Technology, AI Test, Evaluation, Validation and Verification. https://www.nist.gov/ai-test-evaluation-validation-and-verification-tevv

[^nist-rmf]: National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework 1.0, 2023. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf

[^nist-zero-draft]: National Institute of Standards and Technology, Outline: Proposed Zero Draft for a Standard on AI Testing, Evaluation, Verification, and Validation, 2025. https://www.nist.gov/document/outline-proposed-zero-draft-standard-ai-testing-evaluation-verification-and-validation

[^openai-playbook]: OpenAI, A Shared Playbook for Trustworthy Third-Party Evaluations, May 29, 2026. https://openai.com/index/trustworthy-third-party-evaluations-foundations/

[^openai-external]: OpenAI, Strengthening Our Safety Ecosystem with External Testing, November 19, 2025. https://openai.com/index/strengthening-safety-with-external-testing/

[^frontier-auditing]: Miles Brundage et al., Frontier AI Auditing: Toward Rigorous Third-Party Assessment of Safety and Security Practices at Leading AI Companies, 2026. https://arxiv.org/abs/2601.11699

[^compliance-reviews]: Aidan Homewood et al., Third-Party Compliance Reviews for Frontier AI Safety Frameworks, 2025. https://arxiv.org/abs/2505.01643

[^framework-evaluation]: Lily Stelling et al., Evaluating AI Companies' Frontier Safety Frameworks: Methodology and Results, 2025. https://arxiv.org/abs/2512.01166

[^external-access]: Jacob Charnock et al., Expanding External Access to Frontier AI Models for Dangerous Capability Evaluations, 2026. https://arxiv.org/abs/2601.11916

[^aisi-lessons]: UK AI Security Institute, Early Lessons from Evaluating Frontier AI Systems, 2024. https://www.aisi.gov.uk/blog/early-lessons-from-evaluating-frontier-ai-systems

[^aisi-research]: UK AI Security Institute, Research Agenda. https://www.aisi.gov.uk/research-agenda

[^inspect]: UK AI Security Institute, Inspect AI. https://inspect.aisi.org.uk/


Revision Record

Version 1.0

Date: July 16, 2026

Change type: Complete foundational edition

Summary: Establishes the fully developed canonical working white paper for Foundation 5. Defines the third-party auditor ecosystem, core assurance roles, testing, inspection, audit, certification, accreditation, evaluator types, competence, scope, quality systems, method validation, proficiency testing, impartiality, business models, selection, access, security, accreditation architecture, surveillance, complaints, liability, registries, market concentration, evaluator shopping, international recognition, government and insurance relationships, maturity model, implementation pathway, Standards Body evaluator pilot, metrics, failure analysis, objections, evidence gaps, research agenda, standards implications, operational templates, scorecard, and primary-source research basis.

Status: Ready for internal review and future expert critique.