ACR Runtime Control Plane Standard v1.0.1
The normative specification defining required control outcomes, decision semantics, evidence properties, and conformance criteria. Implementation-independent, testable, and auditable.
Three cumulative conformance levels.
- Action logging
- Decision logging
- Correlation identifiers
- Agent identity and purpose records
- Policy decision records
- Audit export capability
- Minimum retention enforcement
Does not require mandatory pre-execution blocking for all protected actions. The conformance claim must identify every execution path outside enforcement scope.
- Mandatory pre-execution control
- Deny-by-default behavior
- Identity and purpose binding
- Policy enforcement at Execution Boundary
- Approval gating for escalated actions
- Executor-side verification
- Containment with kill path
A protected action without valid control-plane authorization must fail. The executor must reject replayed, tampered, and unauthorized execution requests.
- All Level 2 capabilities
- Enforcement at all three Boundaries
- Full four-state decision model (ALLOW/DENY/MODIFY/ESCALATE)
- Drift detection with thresholded response
- Graduated containment
- Quarterly containment testing
- Tamper-evident high-risk logging
- Full STRIKE mapping
- Formal escalation authority matrix
- Safe-state definitions
- Audit-ready evidence bundles
Verification requires controlled tests demonstrating all four decision outcomes, reconstructable incident records, drift conditions triggering documented response tiers, and on-schedule kill-switch test records.
ACR controls mapped to five governance frameworks.
| ACR ID | Control | Pillar | ISO 42001 | NIST AI RMF | NIST CSF 2.0 | ISO 27001 | NIST ZT |
|---|---|---|---|---|---|---|---|
| ACR-1-01 | Agent Identity | P1 | A.6.2.2 | MAP 1.1 | ID.AM-01 | A.5.16 | 3.1, 3.2 |
| ACR-1-02 | Purpose Binding | P1 | A.6.2.3 | MAP 1.5 | ID.AM-02 | A.5.18 | 3.3 |
| ACR-1-03 | Agent Manifest | P1 | A.6.2.4 | GOV 1.3 | ID.AM-03 | A.5.9 | 3.1 |
| ACR-2-01 | Input Boundary | P2 | A.8.2 | MAN 2.1 | PR.DS-01 | A.8.3 | 4.1 |
| ACR-2-02 | Execution Boundary | P2 | A.8.4 | MAN 2.2 | PR.DS-02 | A.8.5 | 4.2 |
| ACR-2-03 | Output Boundary | P2 | A.8.5 | MAN 2.4 | PR.DS-10 | A.8.10 | 4.3 |
| ACR-2-04 | Deny-by-Default | P2 | A.6.1.2 | MAN 3.1 | PR.AA-01 | A.5.15 | 3.4 |
| ACR-2-05 | Policy Versioning | P2 | A.6.1.4 | GOV 1.4 | GV.PO-01 | A.5.1 | --- |
| ACR-3-01 | Behavioral Baseline | P3 | A.9.3 | MEA 2.1 | DE.AE-02 | A.8.16 | 5.1 |
| ACR-3-02 | Drift Scoring | P3 | A.9.4 | MEA 2.3 | DE.AE-03 | A.8.16 | 5.2 |
| ACR-3-03 | Response Tiers | P3 | A.9.5 | MEA 2.6 | RS.MI-01 | A.5.26 | 5.3 |
| ACR-4-01 | Decision Logging | P4 | A.9.2 | MEA 1.1 | DE.CM-01 | A.8.15 | 6.1 |
| ACR-4-02 | Correlation Identifiers | P4 | A.9.2 | MEA 1.2 | DE.CM-06 | A.8.15 | 6.2 |
| ACR-4-03 | Tamper-Evident Logging | P4 | A.9.8 | MEA 1.3 | PR.DS-06 | A.8.15 | 6.3 |
| ACR-4-04 | Retention Enforcement | P4 | A.9.9 | MEA 1.4 | PR.DS-11 | A.5.33 | --- |
| ACR-4-05 | Audit Export | P4 | A.9.10 | MEA 1.5 | ID.IM-04 | A.5.35 | --- |
| ACR-5-01 | Kill Capability | P5 | A.10.1 | MAN 4.1 | RS.MI-02 | A.5.26 | 7.1 |
| ACR-5-02 | Graduated Containment | P5 | A.10.2 | MAN 4.2 | RS.MI-01 | A.5.26 | 7.2 |
| ACR-5-03 | Safe-State Definitions | P5 | A.10.3 | MAN 4.3 | RC.RP-01 | A.5.29 | 7.3 |
| ACR-5-04 | Quarterly Testing | P5 | A.10.4 | MAN 4.4 | RS.AN-07 | A.5.30 | --- |
| ACR-6-01 | Action Tiering | P6 | A.7.3 | GOV 2.1 | GV.RM-01 | A.5.12 | 8.1 |
| ACR-6-02 | Escalation Matrix | P6 | A.7.4 | GOV 2.2 | GV.RR-01 | A.5.25 | 8.2 |
| ACR-6-03 | Approval Records | P6 | A.7.5 | GOV 2.3 | GV.SC-01 | A.5.25 | 8.3 |
Informative crosswalk mappings are provided for orientation. Conformance to the ACR Standard is evaluated solely against the requirements defined therein.