Runtime Control Standard

Agentic AI needs a control plane. ACR defines the standard.

The ACR Runtime Control Plane Standard v1.0.1 defines the normative requirements for a mandatory enforcement layer governing autonomous AI agent actions at runtime. It establishes the minimum technical conditions under which an AI system may be classified as a controlled system.

Why Existing Governance Fails

Agentic AI changed the control problem.

Speed asymmetry

Agents act in milliseconds. Human review cycles operate in hours or days. By the time a governance committee reviews an action, the agent has already executed thousands more.

Bypass risk

If agents can reach tools without traversing the control plane, governance is theater. Policy documents do not prevent unauthorized execution at runtime.

Post-hoc is too late

Monitoring what happened after execution cannot prevent harm. Observability without enforcement records damage but does not stop it.

The Enforcement Boundary

The control plane is the mandatory trust path.

[Diagram: Orchestration, ACR Control Plane, Protected Execution, Human Authority, Observability]

Six Control Pillars

Operational controls, not just principles.

P1

Identity & Purpose Binding

Every agent must have a unique identity and a declared purpose. Constraints are tied to that purpose. No anonymous or unscoped execution.

P2

Policy Enforcement

Machine-enforceable runtime policies at Input, Execution, and Output Boundaries. Documentation-only policies do not satisfy this requirement.

P3

Drift Detection

Behavioral baselines, thresholded response tiers, and evidence of calibration. Anomalous behavior triggers proportionate containment responses.

P4

Observability

Complete decision trails: who acted, what was proposed, what controls applied, what disposition was produced, and what downstream execution occurred.

P5

Containment

Externally operable kill capability, graduated isolation, documented safe-states, and quarterly containment testing. Independent of agent runtime.

P6

Human Authority

Risk-tiered action classification, escalation authority matrices, approval gating, break-glass capability, and timeout enforcement.

Each pillar maps to controls from ISO/IEC 42001, NIST AI RMF, NIST CSF 2.0, ISO 27001, and NIST SP 800-207.
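
As an added illustration of how pillars P1, P2, P4 and P6 combine at the enforcement boundary, the following Python example routes every tool call through one gate that denies by default and records a decision for each request. It is not code from the ACR standard or its reference implementation; every name, the policy table and the allow/deny/escalate dispositions are assumptions made here.

```python
import time
from dataclasses import dataclass

# All names below are hypothetical; none come from the ACR standard.
@dataclass(frozen=True)
class Agent:
    agent_id: str
    purpose: str

REGISTRY = {"agent-7f3a": "invoice-reconciliation"}  # constructed: identity -> purpose
POLICY = {  # constructed: purpose -> tool -> risk tier
    "invoice-reconciliation": {"ledger.read": "low", "payment.create": "high"},
}
TRAIL = []  # decision records; a real system would use append-only storage

def decide(agent, tool, approved_by):
    """Return (disposition, controls_applied, reason); anything not allowed is denied."""
    controls = ["identity-purpose-binding"]
    if REGISTRY.get(agent.agent_id) != agent.purpose:
        return "deny", controls, "unregistered identity or purpose mismatch"
    controls.append("purpose-scoped-tool-policy")
    tier = POLICY.get(agent.purpose, {}).get(tool)
    if tier is None:
        return "deny", controls, "tool not in scope for declared purpose"
    if tier == "high":
        controls.append("human-approval-gate")
        if not approved_by:
            return "escalate", controls, "high-risk action needs a named approver"
    return "allow", controls, "within policy"

def gate(agent, tool, args, execute, approved_by=None):
    """The only path to a tool: decide, execute only on allow, always record."""
    try:
        disposition, controls, reason = decide(agent, tool, approved_by)
    except Exception as exc:  # a broken policy check must not open the gate
        disposition, controls, reason = "deny", ["fail-closed"], repr(exc)
    result, executed = None, False
    if disposition == "allow":
        result, executed = execute(**args), True
    TRAIL.append({
        "ts": time.time(), "agent_id": getattr(agent, "agent_id", None),
        "purpose": getattr(agent, "purpose", None), "tool": tool, "args": args,
        "controls": controls, "disposition": disposition, "reason": reason,
        "approved_by": approved_by, "executed": executed,
    })
    return disposition, result
```

The gate only enforces anything if the tool callables are unreachable except through `gate`; an agent holding a direct reference to a tool is the bypass case described above.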

ACR Ecosystem

Standard, reference implementation, and threat model.

ACR Standard v1.0.1

The normative specification defining required control outcomes, decision semantics, evidence properties, and conformance criteria. Implementation-independent and testable.

Reference Implementation

Open-source reference implementation demonstrating one conformant approach. Conformance does not require use of this implementation.

STRIKE Threat Model

Threat taxonomy for agentic AI: Spoofing, Tampering, Reflection Abuse, Information Leakage, Kill Chain Extension, and Emergence.

Start Here

Find your entry point.

Security & Architecture

Start with the Architecture page to understand the 7-layer control stack and the enforcement boundary. Then review the Control Plane for trust path mechanics.

GRC & Compliance

Start with the Standards Crosswalk to see how ACR maps to ISO 42001, NIST AI RMF, NIST CSF, ISO 27001, and NIST SP 800-207. Review conformance levels.

Engineering & Platform

Start with the Control Specs for detailed technical specifications per pillar. Review enforcement points, failure modes, and evaluation criteria.
