ACR Runtime Control Plane Standard
Version 1.0.1. The normative specification for runtime enforcement of autonomous AI systems. This document defines the minimum conditions under which AI systems can be considered controlled.
Download the Full Standard
ACR Runtime Control Plane Standard v1.0.1, branded and formatted for distribution, compliance review, and audit reference.
30 sections including annexes with policy schemas, enforcement flow examples, and audit checklists.
Document Structure
The ACR Standard is organized into 30 sections covering the complete lifecycle of runtime AI control. Each normative section defines testable, implementation-independent requirements with verification considerations for assessors.
Foreword, Scope, and Definitions
Establishes the purpose, boundaries, normative references, and terminology for the standard.
System Model and Trust Path
Defines the runtime control plane as the mandatory enforcement layer and the 9-step trust path every protected action must traverse.
Failure Conditions and Core Principle
Specifies fail-secure behavior for control plane unavailability, policy engine failures, and bypass detection.
Control Plane and Decision Engine
Requirements for pre-execution control, deny-by-default behavior, and the four-state decision model: ALLOW, DENY, MODIFY, ESCALATE.
Identity and Purpose Binding
Every agent must carry a unique identity, declared purpose, and cryptographically verifiable constraints.
Policy Enforcement
Machine-enforceable policy at Input, Execution, and Output boundaries with versioned definitions and audit trails.
Drift Detection
Behavioral baselines, normalized drift scores, and graduated response tiers from throttle through kill.
Observability
Comprehensive telemetry, tamper-evident logging for high-risk events, and audit-ready export without manual reconstruction.
Containment
Kill capabilities outside the agent runtime, graduated isolation, safe-state definitions, and quarterly testing.
Human Authority
Risk tiering, escalation matrices, approval gating, break-glass controls, and human override that remains operable during agent failure.
STRIKE Threat Mapping
Full traceability matrix mapping Spoofing, Tampering, Reflection Abuse, Information Leakage, Kill Chain Extension, and Emergence to controls and evidence.
Integration, Conformance, and Security
Three cumulative conformance levels (Observability, Enforcement, Full Runtime Control Plane Compliance), integration architecture, and security assumptions.
Three Cumulative Levels
Conformance is cumulative. Each successive level builds on the requirements of the previous one. A system claiming Level 3 must satisfy all requirements from all three levels.
Observability
- Action and decision logging
- Correlation identifiers
- Agent identity and purpose records
- Audit export capability
- Minimum retention enforcement
Enforcement
- Mandatory pre-execution control
- Deny-by-default behavior
- Identity and purpose binding
- Executor-side verification
- Containment with kill path
Full Runtime Control Plane
- Three-boundary enforcement
- Four-state decision model with MODIFY
- Drift detection with thresholded response
- STRIKE traceability matrix
- Quarterly containment testing
What the Standard Mandates
Pre-Execution Control
All protected AI actions MUST be evaluated by the control plane before execution. No bypass path is permitted.
Four-State Decision Model
Every action resolves to ALLOW, DENY, MODIFY, or ESCALATE. Precedence is deterministic: DENY > ESCALATE > MODIFY > ALLOW.
Fail-Secure Behavior
Control plane unavailability, policy engine failure, or identity validation failure MUST prevent execution and log the failure.
Tamper-Evident Logging
High-risk events MUST be stored in tamper-evident or append-only form. All ACR events retained for at least 90 days.
30-Second Kill Path
The kill capability MUST operate outside the agent runtime and complete within 30 seconds from activation to enforcement.
STRIKE Traceability
Each of the six STRIKE categories MUST map to control layers, detection mechanisms, response actions, and evidence artifacts.
Ready to Implement?
The ACR Standard is implementation-independent. Explore the architecture, control specifications, and STRIKE framework to begin aligning your AI systems with runtime enforcement requirements.