Six Control Pillars

Operational Controls for Runtime AI Governance

Each pillar defines specific control mechanisms, evidence requirements, and verification criteria. Together they form the complete control surface of the ACR Runtime Control Plane.

P1

Identity & Purpose Binding

Every agent must have a unique identity and a declared purpose. Constraints are tied to that purpose. The system must maintain an authoritative agent record containing agent_id, owner, purpose, risk tier, allowed tools, forbidden tools, approved data access scope, and operational boundaries.

Control Mechanisms

  • Unique agent identity with cryptographic proof
  • Declared purpose with scope constraints
  • Authoritative agent manifest or record
  • Identity validation for every protected action
  • Purpose change requires authorized control path, versioning, and audit trail
  • Revocation prevents future action execution

Evidence Requirements

  • Agent registry with required fields
  • Identity validation logs
  • Manifest version history
  • Out-of-scope denial records

P2

Policy Enforcement

The control plane enforces policy at three boundaries: Input, Execution, and Output. Policy enforcement is machine-enforceable and runtime-executed. Documentation-only policies do not satisfy this requirement.

Control Mechanisms

  • Input Boundary: schema validation, prompt sanitization, injection detection, source trust
  • Execution Boundary: tool allowlisting, destination restriction, parameter validation, rate limits, approval gating
  • Output Boundary: PII/PHI redaction, output filtering, destination-aware release restrictions
  • Deny-by-default when policy engine unavailable
  • Versioned policy definitions with decision evidence

Evidence Requirements

  • Policy decision records with version, outcome, justification
  • Boundary control audit logs
  • Policy engine failure and denial records
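The authoritative agent record from P1 and the execution-boundary checks from P2 combine naturally in a single decision function. The following is an added example, not ACR code or anything the page ships; the manifest fields follow the P1 list, the `INVOICE_BOT` record and the `POLICY_VERSION` string are constructed, and cryptographic proof of the agent's identity is assumed to have been validated before this check runs.

```python
"""Execution-boundary policy check bound to an authoritative agent record (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

POLICY_VERSION = "policy-v7"  # constructed placeholder, not a value from the page

@dataclass(frozen=True)
class AgentManifest:
    """Authoritative agent record; field names follow the P1 requirement list."""
    agent_id: str
    owner: str
    purpose: str
    risk_tier: str
    allowed_tools: frozenset
    forbidden_tools: frozenset
    data_scope: frozenset
    manifest_version: int = 1
    revoked: bool = False

def decide(manifest, tool, data_domain, engine_available=True):
    """Return one policy decision record (version, outcome, justification) for a proposed tool call.
    Deny-by-default: an unavailable engine, a revoked identity, a forbidden or unlisted tool, or an
    out-of-scope data domain each yield a DENY with a justification, so the denial itself is evidence."""
    record = {"policy_version": POLICY_VERSION, "manifest_version": manifest.manifest_version,
              "agent_id": manifest.agent_id, "tool": tool, "data_domain": data_domain,
              "timestamp": datetime.now(timezone.utc).isoformat()}

    def deny(reason):
        return {**record, "outcome": "DENY", "justification": reason}

    if not engine_available:
        return deny("policy engine unavailable; failing closed")
    if manifest.revoked:
        return deny("agent identity revoked; no further actions permitted")
    if tool in manifest.forbidden_tools:
        return deny(f"tool {tool!r} is explicitly forbidden for this agent")
    if tool not in manifest.allowed_tools:
        return deny(f"tool {tool!r} is not on the allowlist for purpose {manifest.purpose!r}")
    if data_domain not in manifest.data_scope:
        return deny(f"data domain {data_domain!r} is outside the approved access scope")
    return {**record, "outcome": "ALLOW", "justification": "tool and data scope match declared purpose"}

# Constructed sample record for a hypothetical invoice-reconciliation agent.
INVOICE_BOT = AgentManifest(
    agent_id="agent-0042", owner="finance-platform", purpose="reconcile supplier invoices",
    risk_tier="medium", allowed_tools=frozenset({"read_ledger", "draft_email"}),
    forbidden_tools=frozenset({"wire_transfer"}), data_scope=frozenset({"ledger", "supplier_master"}))
```

Every return value is a complete decision record, which is what the P2 evidence requirement asks for: the engine-unavailable and revoked cases produce the same shape of record as an ordinary denial.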

P3

Drift Detection

The system detects deviations from intended role, expected patterns, or approved boundaries. Drift detection requires a defined behavioral baseline, detection signals, thresholded response criteria, and evidence of review or calibration.

Control Mechanisms

  • Behavioral baseline established before unrestricted execution (30 days minimum or documented temporary baseline)
  • Monitoring: tool usage, data access, action frequency, repeated denials, escalation pressure, novel sequences, off-hours activity
  • Normalized drift score (0.0 to 1.0) or severity classification
  • Response tiers: throttle, restrict, isolate, kill
  • Threshold crossings trigger documented response without ad hoc interpretation

Evidence Requirements

  • Baseline version and training basis
  • Drift signal history
  • Threshold values and response actions
  • False-positive review and calibration records
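One way to turn the monitored signals above into the normalized 0.0 to 1.0 drift score and a fixed response tier, as an added example that is not part of the page or the ACR framework. The signal weights, tier thresholds, baseline and the two observation windows are constructed calibration choices and would be set per agent in practice.

```python
"""Normalized drift score against a behavioral baseline, mapped to response tiers (added example)."""
from dataclasses import dataclass

# Signal weights and tier thresholds are constructed calibration choices, not values from the page.
WEIGHTS = {"novel_tools": 0.30, "novel_data": 0.25, "rate_excess": 0.20,
           "denial_excess": 0.15, "off_hours": 0.10}
TIERS = [(0.25, "none"), (0.50, "throttle"), (0.70, "restrict"), (0.85, "isolate"), (1.01, "kill")]

@dataclass(frozen=True)
class Baseline:
    version: str            # baseline version, retained as evidence
    tools: frozenset        # tools seen during the baseline period
    data_domains: frozenset
    actions_per_hour: float
    denial_rate: float      # fraction of proposed actions denied during baseline

def drift_score(baseline, window):
    """Score one observation window in [0.0, 1.0]; higher means further from baseline.
    window keys: tools_used, data_used (sets), actions, denials, off_hours_actions (ints), hours (float).
    Each signal is normalized to [0, 1] before weighting so scores stay comparable across agents."""
    actions = max(window["actions"], 1)
    signals = {
        "novel_tools": len(window["tools_used"] - baseline.tools) / max(len(window["tools_used"]), 1),
        "novel_data": len(window["data_used"] - baseline.data_domains) / max(len(window["data_used"]), 1),
        # excess request rate over baseline; 2x baseline saturates the signal
        "rate_excess": min(max(window["actions"] / max(window["hours"], 1e-9) / baseline.actions_per_hour - 1.0, 0.0), 1.0),
        # rise in the denial fraction over baseline; +0.5 saturates the signal
        "denial_excess": min(max(window["denials"] / actions - baseline.denial_rate, 0.0) / 0.5, 1.0),
        "off_hours": window["off_hours_actions"] / actions,
    }
    score = round(min(sum(WEIGHTS[k] * v for k, v in signals.items()), 1.0), 3)
    return score, signals

def response_tier(score):
    """Map a score to the documented response tier; no operator interpretation in the loop."""
    for upper, tier in TIERS:
        if score < upper:
            return tier
    return "kill"

# Constructed baseline and windows for a hypothetical invoice-reconciliation agent.
BASELINE = Baseline("base-2024-09", frozenset({"read_ledger", "draft_email", "lookup_supplier"}),
                    frozenset({"ledger"}), actions_per_hour=20.0, denial_rate=0.02)
NORMAL_WINDOW = {"tools_used": {"read_ledger", "draft_email"}, "data_used": {"ledger"},
                 "actions": 40, "hours": 2.0, "denials": 1, "off_hours_actions": 0}
ANOMALOUS_WINDOW = {"tools_used": {"read_ledger", "shell_exec", "wire_transfer"},
                    "data_used": {"ledger", "hr_records"}, "actions": 300, "hours": 1.0,
                    "denials": 60, "off_hours_actions": 200}
```

Returning the per-signal breakdown alongside the score is what makes the false-positive review in the evidence list possible: a reviewer can see which signal drove a threshold crossing and recalibrate that weight rather than the whole score.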

P4

Observability

The system logs all actions and all decisions. Observability records enable reconstruction of who acted, what was proposed, what controls applied, what disposition was produced, what approvals occurred, and what downstream execution resulted.

Control Mechanisms

  • Telemetry records: schema version, event ID, timestamp, event type, agent ID, purpose, correlation ID, decision outcome, policy results
  • Correlation identifiers across the full action chain
  • High-risk events in tamper-evident or append-only form
  • Retention: 90 days minimum for all events, 13 months for high-risk
  • Audit-ready export without manual reconstruction
  • Privacy-preserving treatment for sensitive fields

Evidence Requirements

  • Sample event records with required fields
  • Evidence export samples
  • Retention policy documentation
  • High-risk log integrity configuration
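The telemetry record fields listed above, plus a tamper-evident form for high-risk events, as an added example that is not ACR's own logging code. `SCHEMA_VERSION` is a constructed placeholder, and the hash chain is one concrete way to get the append-only, tamper-evident property the page requires; a production deployment would anchor the chain head somewhere the agent runtime cannot write.

```python
"""Telemetry records with required fields, written to a hash-chained append-only log (added example)."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

SCHEMA_VERSION = "1.0"  # constructed
REQUIRED_FIELDS = ("schema_version", "event_id", "timestamp", "event_type", "agent_id",
                   "purpose", "correlation_id", "decision_outcome", "policy_results")

def make_event(event_type, agent_id, purpose, correlation_id, decision_outcome, policy_results, **extra):
    """Build one telemetry record; a record missing any required field is rejected at write time."""
    event = {"schema_version": SCHEMA_VERSION, "event_id": str(uuid.uuid4()),
             "timestamp": datetime.now(timezone.utc).isoformat(), "event_type": event_type,
             "agent_id": agent_id, "purpose": purpose, "correlation_id": correlation_id,
             "decision_outcome": decision_outcome, "policy_results": policy_results, **extra}
    missing = [k for k in REQUIRED_FIELDS if event.get(k) in (None, "")]
    if missing:
        raise ValueError(f"telemetry record missing required fields: {missing}")
    return event

class ChainedLog:
    """Append-only store for high-risk events: each entry commits to the previous entry's digest,
    so editing or dropping an earlier record breaks verification from that point on."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def digest(prev_hash, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": self.digest(prev, event)})

    def verify(self):
        """Return (True, count) when intact, or (False, index) of the first broken entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self.digest(prev, entry["event"]):
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)

    def reconstruct(self, correlation_id):
        """Audit-ready export: every record in one action chain, in write order, no manual stitching."""
        return [e["event"] for e in self.entries if e["event"]["correlation_id"] == correlation_id]
```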

P5

Containment

The system maintains containment capability independent of the agent runtime. This includes an externally operable kill capability, isolation modes, documented safe-states, and logging of all containment actions.

Control Mechanisms

  • Kill capability: operates outside agent runtime, invocable by authorized humans, completes within 30 seconds
  • Graduated containment: throttle, restrict, isolate, kill
  • Safe-state per production agent: defines permitted actions, disabled actions, escalation path, evidence preservation
  • Rollback support documented (or compensating controls if not possible)
  • Quarterly testing of kill-switch and safe-state procedures

Evidence Requirements

  • Kill-switch test records
  • Safe-state test records
  • Containment tier activation logs
  • Quarterly test evidence with retention
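A minimal model of the graduated containment tiers and the safe-state, as an added example that is not part of the page or the ACR framework. The `Gateway` class is a constructed stand-in for the enforcement point every agent action passes through; implementing kill as credential revocation at that point is one way to satisfy the requirement that kill operate outside the agent runtime, and the 30-second deadline is the page's own figure.

```python
"""Graduated containment enforced at a gateway the agent runtime cannot bypass (added example)."""
import time
from dataclasses import dataclass, field

TIER_ORDER = ("normal", "throttle", "restrict", "isolate", "kill")
KILL_DEADLINE_S = 30.0  # page requirement: kill completes within 30 seconds

@dataclass(frozen=True)
class SafeState:
    """Per-agent safe-state: what may still run, what is switched off, and who is paged."""
    permitted_actions: frozenset
    disabled_actions: frozenset
    escalation_path: str
    preserve_evidence: bool = True

@dataclass
class Gateway:
    """Constructed stand-in for the enforcement point every agent action passes through.
    Kill is credential revocation here, so it needs nothing from the agent process itself."""
    credentials: dict = field(default_factory=dict)  # agent_id -> currently valid token
    tiers: dict = field(default_factory=dict)        # agent_id -> active containment tier
    containment_log: list = field(default_factory=list)

    def contain(self, agent_id, tier, operator, safe_state, clock=time.monotonic):
        """Move an agent to a higher tier and record the action with timing evidence."""
        if tier not in TIER_ORDER:
            raise ValueError(f"unknown containment tier {tier!r}")
        current = self.tiers.get(agent_id, "normal")
        if TIER_ORDER.index(tier) <= TIER_ORDER.index(current):
            raise ValueError("release or de-escalation goes through the documented release path")
        started = clock()
        if tier == "kill":
            self.credentials.pop(agent_id, None)  # no credential, no further protected action
        self.tiers[agent_id] = tier
        elapsed = clock() - started
        self.containment_log.append({
            "agent_id": agent_id, "from": current, "to": tier, "operator": operator,
            "elapsed_s": round(elapsed, 3), "within_deadline": elapsed <= KILL_DEADLINE_S,
            "escalated_to": safe_state.escalation_path, "evidence_preserved": safe_state.preserve_evidence})
        return self.containment_log[-1]

    def permits(self, agent_id, token, action, safe_state):
        """Gate one action: restrict allows only the safe-state, isolate allows nothing outbound,
        kill has already removed the credential; throttle keeps policy and only slows (not modelled)."""
        if token is None or self.credentials.get(agent_id) != token:
            return False
        tier = self.tiers.get(agent_id, "normal")
        if tier in ("isolate", "kill") or action in safe_state.disabled_actions:
            return False
        if tier == "restrict":
            return action in safe_state.permitted_actions
        return True
```

The containment log entries are the evidence the page asks for (tier activation with timing), and the same `contain` call used in an incident can be driven by the quarterly kill-switch test.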

P6

Human Authority

Human authority remains the final governance layer for actions classified above the autonomous tier. The system classifies actions into risk tiers and maintains an escalation authority matrix.

Control Mechanisms

  • Risk-tiered action classification: autonomous, review/gating, explicit approval
  • New or unclassified high-impact actions default to highest approval class
  • Escalation authority matrix: roles, delegation limits, backup approvers, timeout behavior
  • Approval records with full context: identity, purpose, action, parameters, policy basis, drift state, timeout deadline
  • Break-glass capability (if provided): scoped, time-limited, tamper-evident, mandatory post-use review

Evidence Requirements

  • Action tier classification records
  • Approval and denial records
  • Escalation authority matrix
  • Break-glass event logs and review records
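The three action tiers, the default-to-highest rule for unclassified actions, and the escalation matrix with its timeout behavior, as an added example that is not ACR code. The `ACTION_TIERS` table, the `MATRIX` roles and timeouts, and the `agent-0042` values are all constructed; a real deployment would load both tables from the versioned policy store.

```python
"""Risk-tiered action classification and approval gating with timeout behaviour (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed classification table. Anything absent from it is treated as unclassified.
ACTION_TIERS = {"read_ledger": "autonomous", "draft_email": "review", "wire_transfer": "explicit_approval"}
# Constructed escalation authority matrix: tier -> (approver roles, backup approver, timeout, on_timeout).
MATRIX = {"review": (("team_lead",), "platform_oncall", timedelta(hours=4), "deny"),
          "explicit_approval": (("finance_director",), "cfo_delegate", timedelta(hours=1), "deny")}

def classify(action, high_impact=True):
    """Unclassified high-impact actions default to the highest approval class, never to autonomous."""
    tier = ACTION_TIERS.get(action)
    if tier is None:
        return "explicit_approval" if high_impact else "review"
    return tier

@dataclass
class ApprovalRecord:
    agent_id: str
    purpose: str
    action: str
    parameters: dict
    policy_basis: str
    drift_state: str
    tier: str
    requested_at: datetime
    deadline: datetime
    approver: str = ""
    outcome: str = "pending"

def open_request(agent_id, purpose, action, parameters, policy_basis, drift_state, now):
    """Return None for autonomous actions, else a pending full-context record with the matrix deadline."""
    tier = classify(action)
    if tier == "autonomous":
        return None
    return ApprovalRecord(agent_id, purpose, action, parameters, policy_basis, drift_state,
                          tier, now, now + MATRIX[tier][2])

def resolve(record, approver_role, decision, now):
    """Apply a human decision; past the deadline the matrix's timeout behaviour wins, not the human."""
    roles, backup, _, on_timeout = MATRIX[record.tier]
    if now > record.deadline:
        record.outcome = f"timeout:{on_timeout}"
        return record.outcome
    if approver_role not in roles and approver_role != backup:
        raise PermissionError(f"role {approver_role!r} not authorized for tier {record.tier!r}")
    if decision not in ("approve", "deny"):
        raise ValueError("decision must be 'approve' or 'deny'")
    record.approver, record.outcome = approver_role, decision
    return record.outcome
```

Because the record carries identity, purpose, action, parameters, policy basis, drift state and the timeout deadline from the moment it is opened, the approval and denial records the evidence list asks for exist even when nobody ever responds.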