ACR Standard logo
About

Why the ACR Standard Exists

Agentic AI systems are increasingly deployed as autonomous agents capable of accessing tools, invoking workflows, modifying state, and producing operational effects without human intervention at each step. This creates a distinct class of runtime risk because the system can act, chain actions, and adapt in ways that static review processes do not control.

Policy-based governance alone has not solved this problem. Written policies, review committees, model cards, and post-hoc monitoring do not prevent unsafe or unauthorized actions at the moment of execution. They may describe desired behavior, but they do not enforce it.

The ACR Standard was created to close that gap. It defines the mandatory enforcement boundary through which protected AI actions must pass before execution, establishing the technical conditions that distinguish a merely instrumented AI system from a controlled AI system.

What makes ACR different

  • Runtime enforcement, not documentation-only governance
  • Testable, auditable conformance criteria at three cumulative levels
  • Implementation-independent: no vendor lock-in, any conformant approach qualifies
  • Mandatory trust path with deny-by-default posture
  • Complete threat mapping through the STRIKE taxonomy
Team

Built by practitioners, not commentators.

Adam DiStefano, Creator of the ACR Standard

Adam DiStefano

Creator of the ACR Standard

AI governance and enterprise security executive. Chairs enterprise AI Governance Committee overseeing 50+ models and agentic systems aligned to ISO/IEC 42001 and NIST AI RMF. Brings more than a decade of operational leadership across Fortune 500 and high-growth technology organizations.

Created the ACR Standard, the ACR Control Plane reference implementation, and the STRIKE threat taxonomy to define the runtime control boundary missing from existing AI governance programs. Author of three books on cybersecurity and AI governance, including ABC's of AI Security & Governance.

AI GovernanceSecurity ArchitectureAgentic AI ControlMS CybersecurityCISSPC-CISOCAISSCCSKCEH
adamdistefano.ai
Greg Crowley, Founding Advisor of the ACR Standard

Greg Crowley, CISSP, CISM

Founding Advisor

Board-level CISO and AI governance leader with 20+ years of enterprise security experience. Advises on the ACR Standard from the operational perspective of a security executive responsible for implementing AI governance controls in production enterprise environments.

Has chaired AI Governance Committees, authored ISO 42001-aligned AI management policies, and built cross-functional operating models that align security, risk, and engineering teams around agentic AI deployment. Brings practitioner credibility across enterprise security architecture, cyber resilience, executive risk communication, and regulatory alignment to the standard.

CISO LeadershipAI GovernanceISO 42001Enterprise Risk
gregcrowley.com
Engage

Work with the ACR team.

ACR Briefing

Request a technical briefing on the ACR Standard for your security, compliance, or engineering leadership. Covers architecture, conformance, and implementation planning.

Speaking & Media

Invite the ACR team to speak at your conference, podcast, or industry event on runtime AI governance, the control plane model, or the STRIKE threat taxonomy.

Standard Collaboration

Participate in advancing the ACR Standard. Contribute feedback, propose extensions, or collaborate on sector-specific profiles and implementation guidance.