ACR Standard logo
Control Plane

The Mandatory Runtime Enforcement Layer

The ACR Control Plane is the runtime enforcement layer governing autonomous AI systems. Every protected action must traverse the trust path through the control plane before execution.

Core Definition

What is the ACR Control Plane?

The ACR Control Plane is the runtime enforcement layer governing autonomous AI systems. It is the mandatory enforcement boundary through which protected AI actions MUST pass prior to execution. AI systems that do not implement a Runtime Control Plane are considered uncontrolled systems under this standard.

ACR is:

  • A runtime control architecture
  • An enforcement system
  • A decision authority layer

ACR is not:

  • A policy framework
  • A governance checklist
  • A monitoring system
Trust Path

The 9-step trust path every protected action must traverse.

1

Agent proposes action

2

Control plane intercepts the proposed action before any protected execution occurs

3

Identity and purpose are validated against the authoritative agent record

4

Policy is evaluated across the relevant control boundaries

5

A final decision is produced: ALLOW, DENY, MODIFY, or ESCALATE

6

If ALLOW or MODIFY, the control plane issues execution authority scoped to the approved action

7

The protected executor verifies the execution authority and action binding

8

The action executes only if executor verification succeeds

9

Evidence is logged for the request, decision, verification result, and execution outcome

Decision Model

Every action resolves to exactly one disposition.

ALLOW

The action is authorized as proposed. Execution authority is issued.

DENY

The action is not authorized and MUST NOT execute. No execution authority is issued.

MODIFY

The action is not authorized as proposed but MAY proceed only in the transformed form emitted by the control plane.

ESCALATE

The action MUST NOT execute autonomously and MUST await an approved escalation outcome from human authority.

Deterministic Precedence (highest to lowest):

DENYESCALATEMODIFYALLOW
Requirements

An ACR Control Plane MUST:

Sit on the path to action rather than operate purely as an observer
Evaluate every action before downstream execution
Produce deterministic outcomes for a given action context, policy set, identity state, and system state
Deny by default when no explicit authorization condition is satisfied
Bind each execution authorization to the specific action, target executor, agent identity, and expiration data
Ensure no raw downstream credential available to the agent can bypass control-plane authority
Maintain a system of record for actions, decisions, approvals, and outcomes
Provide containment capability that remains operable when the agent runtime is unavailable or compromised
Control Boundaries

Enforcement at three mandatory boundaries.

Input Boundary

Schema validation, prompt sanitization, injection and jailbreak detection, length and content limits, source trust evaluation. Controls what influences agent behavior.

Execution Boundary

Tool allowlisting, destination restriction, parameter validation, spend and rate limits, data access authorization, approval gating. Controls what agents can do.

Output Boundary

PII/PHI redaction, output filtering, transformation, destination-aware release restrictions. Controls what agents can release externally or commit downstream.