ACR Runtime Control Architecture
A 7-layer runtime control stack that establishes the mandatory enforcement boundary between autonomous AI agents and protected enterprise systems.
Every protected action traverses the full stack.
- Human Authority Layer: escalation authority matrix, approval gating, break-glass capability, timeout enforcement
- Containment Layer: kill capability, graduated isolation, safe-state definitions, quarterly testing
- Drift Detection Layer: behavioral baselines, thresholded response tiers, drift scoring, calibration evidence
- Observability Layer: complete decision trails, correlation identifiers, tamper-evident logging, audit export
- Policy Enforcement Layer: Input, Execution, and Output Boundary controls; machine-enforceable, runtime-executed
- Decision Engine Layer: four-state model (ALLOW, DENY, MODIFY, ESCALATE) with deterministic precedence ordering
- Identity & Purpose Layer: agent identity binding, purpose declaration, scope constraints, manifest management
From uncontrolled to controlled.
Without ACR
- Agents reach tools directly with raw credentials
- Policy exists as documentation, not enforcement
- Monitoring detects problems after harm propagates
- No mandatory trust path for protected actions
- Containment requires manual intervention
- Audit reconstruction depends on unstructured logs
With ACR
- Every action traverses mandatory control plane trust path
- Policy is machine-enforced at runtime boundaries
- Pre-execution control prevents unauthorized actions
- Deny-by-default when no authorization condition is met
- Graduated automated containment with 30-second kill
- Correlation-ID-based audit export, reconstructable
The system fails secure, never fails open.
- Fail-Secure: if the control plane is unavailable, deny all protected actions and enter safe-state. No implicit trust.
- Fail-Safe: on a policy engine timeout or indeterminate result, treat the result as DENY and log the failure condition.
- High Availability: containment capability remains operable even when the agent runtime is unavailable, unresponsive, or compromised.
- Break-Glass: emergency override that is scoped, time-limited, logged in tamper-evident form, and subject to mandatory post-use review.
Concrete improvements from runtime control.
| Metric | Before ACR | After ACR |
|---|---|---|
| Unauthorized execution attempts | Undetected | Blocked at boundary |
| Mean time to containment | Hours to days | < 30 seconds |
| Audit reconstruction | Manual log search | Correlation-ID based export |
| Drift response | Post-incident review | Thresholded automatic tiers |
| Policy enforcement | Documentation-only | Machine-enforced at runtime |
How a refund action traverses the control plane.
1. The agent proposes a refund action for customer order #4821.
2. The control plane intercepts the request and validates the agent's identity and purpose (customer-service-agent, refund_processing).
3. Policy evaluation checks the refund amount against the tier limit ($500) and verifies the customer's verification status.
4. Decision: ALLOW (amount within tier, customer verified, agent within scope).
5. Authority issued: a scoped execution token bound to the refund action, targeting the payment API, with a 60-second TTL.
6. The protected executor verifies the token: issuer, audience, payload hash, expiration.
7. The refund executes. Evidence is logged with a correlation ID linking the full decision chain.
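The refund flow above, as an added end-to-end example that is not ACR's own code: the control plane intercepts, checks identity and purpose, evaluates the three conditions the page lists, and issues a scoped execution token; the protected executor checks issuer, audience, payload hash and expiry before executing; every stage is recorded under one correlation ID so the chain can be exported. The token format (HMAC-SHA256 over canonical JSON claims), the shared key, the claim names and the fixed clock are assumptions made for this illustration; a deployment would hold the key in a KMS or use asymmetric signatures so the executor cannot mint tokens itself.

```python
# Added example (not ACR's own code): the refund flow as a scoped execution
# token issued by the control plane and verified by the protected executor,
# with evidence keyed by correlation ID. Token format (HMAC-SHA256 over
# canonical JSON claims), key, claim names and the fixed clock are
# assumptions made for this illustration.
import hashlib, hmac, json, secrets, time

CONTROL_PLANE_KEY = b"example-shared-secret"   # constructed for the example
ISSUER, PAYMENT_API, TIER_LIMIT, TOKEN_TTL = "acr-control-plane", "payment-api", 500, 60
evidence = []   # a tamper-evident store in a real deployment; a plain list here

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def payload_hash(payload):
    return hashlib.sha256(canonical(payload)).hexdigest()

def record(corr, stage, **detail):
    evidence.append({"corr": corr, "stage": stage, "ts": time.time(), **detail})

def issue_token(corr, payload, now):
    """Authority bound to one action, one target, one payload, 60 s TTL."""
    claims = {"iss": ISSUER, "aud": PAYMENT_API, "act": "refund", "corr": corr,
              "ph": payload_hash(payload), "iat": now, "exp": now + TOKEN_TTL}
    body = canonical(claims)
    mac = hmac.new(CONTROL_PLANE_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac

def control_plane(agent, purpose, payload, customer_verified, now):
    """Steps 1-5: intercept, bind identity/purpose, evaluate policy, decide, issue authority."""
    corr = secrets.token_hex(8)
    record(corr, "intercept", agent=agent, purpose=purpose, order=payload["order"])
    if (agent, purpose) != ("customer-service-agent", "refund_processing"):
        record(corr, "decision", result="DENY", reason="agent not bound to refund_processing")
        return corr, "DENY", None
    if not customer_verified:
        record(corr, "decision", result="DENY", reason="customer not verified")
        return corr, "DENY", None
    if payload["amount"] > TIER_LIMIT:
        record(corr, "decision", result="ESCALATE", reason="amount above tier limit")
        return corr, "ESCALATE", None
    record(corr, "decision", result="ALLOW", reason="within tier, verified, in scope")
    token = issue_token(corr, payload, now)
    record(corr, "authority", aud=PAYMENT_API, ttl=TOKEN_TTL)
    return corr, "ALLOW", token

def protected_executor(token, payload, now):
    """Steps 6-7: verify issuer, audience, payload hash and expiry, then execute."""
    try:
        body_hex, mac = token.split(".")
        body = bytes.fromhex(body_hex)
    except (ValueError, AttributeError):
        return False, "malformed token"
    expected = hmac.new(CONTROL_PLANE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"   # claims are untrusted, so nothing to attribute yet
    claims = json.loads(body)
    corr = claims.get("corr", "unknown")
    checks = [(claims.get("iss") == ISSUER, "unknown issuer"),
              (claims.get("aud") == PAYMENT_API, "token not addressed to payment API"),
              (claims.get("ph") == payload_hash(payload), "payload differs from authorized action"),
              (claims.get("exp", 0) > now, "token expired")]
    for ok, reason in checks:
        if not ok:
            record(corr, "execute", result="REFUSED", reason=reason)
            return False, reason
    record(corr, "execute", result="OK", order=payload["order"], amount=payload["amount"])
    return True, corr

def audit_export(corr):
    """Reconstruct the full decision chain for one correlation ID."""
    return [e for e in evidence if e["corr"] == corr]

def run_scenario(amount=120, verified=True, purpose="refund_processing", tamper=False, delay=0):
    payload = {"order": 4821, "amount": amount, "currency": "USD"}
    t0 = 1_700_000_000   # fixed clock for a reproducible example
    corr, decision, token = control_plane("customer-service-agent", purpose, payload, verified, t0)
    if token is None:
        return {"decision": decision, "executed": False, "trail": len(audit_export(corr))}
    if tamper:   # the agent presents the authority with a different amount
        payload = dict(payload, amount=amount * 10)
    ok, info = protected_executor(token, payload, t0 + delay)
    return {"decision": decision, "executed": ok,
            "reason": None if ok else info, "trail": len(audit_export(corr))}
```

The payload hash is what makes the token an authority for one specific action rather than a general credential: the executor recomputes it over the call it actually receives, so a token approved for a $120 refund cannot be spent on a $1,200 one, and the refusal is logged under the same correlation ID as the original ALLOW. The executor checks audience before payload so a token minted for another service is rejected even when its payload happens to match.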
