Getting Started with ACR
Deploy the ACR Runtime Control Plane in 4 weeks using a structured pilot plan. Includes use case walkthroughs, Python SDK integration patterns, and the open-source reference implementation.
Control plane runs as containerized services
To clone the reference implementation repository
Agents must reach the ACR API endpoint
One-time setup to pull container images
Quick Deploy
Get the ACR control plane running in under 5 minutes with the reference implementation.
# 1. Clone the repository
git clone https://github.com/AdamDiStefanoAI/acr-framework
cd acr-framework/implementations/acr-control-plane
# 2. Start the control plane
docker-compose up -d
# 3. Verify health (MANDATORY before proceeding)
curl -X POST http://localhost:8000/acr/health \
-H "Content-Type: application/json" \
-d '{"version":"1.0"}'
# Expected: {"status":"healthy"}
# 4. Open the operator console
# Navigate to http://localhost:8000/console4-Week Pilot Plan
A structured pilot designed to run in parallel with existing operations. No existing agent behavior changes in Week 1. ACR deploys in observation mode, with enforcement activating progressively.
Platform Team
Control plane live, health check passing, console accessible
Health check returns {"status":"healthy"} and all team members can access the console.
- Clone repository: github.com/AdamDiStefanoAI/acr-framework
- Deploy using docker-compose up -d (reference implementation)
- Validate health check: curl to /acr/health returns {"status":"healthy"}
- Open operator console and confirm accessibility for all pilot team members
- Schedule kickoff meeting with all pilot teams
- Document deployment configuration and any environment-specific changes
BU Owners + Developers
3+ agents registered, code instrumented, policies submitted
Operator console shows agent activity with actions appearing in the action log.
- BU Owners register minimum 3 agents (1 customer support, 1 internal ops, 1 SecOps recommended)
- BU Owners submit policy YAML for each agent
- Platform converts YAML to Rego and deploys policies
- Developers instrument agent code using the Python SDK
- Test each agent in staging and verify actions appear in the console action log
- Identify any no-code agents that cannot be instrumented (log as gap items)
Security Operations
Baseline established, first drift/block events reviewed, false positive rate measured
Block rate below 5%; at least one real exception reviewed and dispositioned.
- Review all actions in the console daily
- Adjudicate any blocked actions: approve legitimate ones, confirm blocks are correct
- Measure false positive rate (legitimate actions incorrectly blocked)
- Work with BU Owners to tune policies that generate excessive false positives
- Confirm drift detection baselines are establishing correctly
- Test kill switch: activate on a non-production agent, verify response time
All Teams + CISO
Compliance evidence bundle, pilot report, go/no-go for production rollout
CISO reviews evidence; program approved for production expansion.
- Export compliance evidence bundle for all pilot agents and actions
- Compile pilot metrics: agents registered, actions evaluated, blocks, drift events, SLA compliance
- Document all known gaps encountered during the pilot
- Present findings to CISO and leadership
- Decision: proceed to production rollout, extend pilot, or address gaps first
- If proceeding: draft production deployment plan
What Good Looks Like at Week 4
- 100% of registered agents visible in the operator console
- All sensitive actions passing through ACR trust path evaluation before execution
- Human approval workflows operational for high-risk actions
- Behavioral baseline established for each agent with drift detection active
- Full audit trail available for compliance evidence export
- Kill-switch tested and confirmed operational
Worked Examples
Two production-ready use cases that demonstrate ACR governing real enterprise agents. Each includes the scenario, agent policy, and runtime behavior.
Customer Support Agent
BU Owners, Product Managers, Support Operations
A customer support AI agent handles inbound requests. It queries the CRM, looks up order history, sends emails, and creates support tickets. For refund requests over $100, a human must review and approve before the refund is issued.
The agent can issue refunds of any size with no oversight, no audit trail, and no approval gate.
Every action passes through the control plane. Refunds over $100 are automatically routed to the BU owner for approval. Everything is logged with evidence bundles.
agent_id: "support-001"
purpose: "customer_support"
allowed_tools:
- query_customer_db
- send_email
- create_ticket
blocked_tools:
- bulk_export
- delete_customer_record
human_approval_required:
- action: issue_refund
condition: amount_cents > 10000
approver: [email protected]
sla_minutes: 60Incident Response Agent
Security Operations, SecOps Engineers, CISO
A SecOps triage agent triages incoming alerts. It queries logs, creates tickets, and runs read-only investigative queries automatically. Host isolation requires confidence above 90%. Below that threshold, a human SecOps engineer must approve.
The agent can isolate hosts autonomously at any confidence level, with no containment safeguards if behavior escalates.
ACR gates remediation actions on confidence thresholds. Below 90%, actions are held for human approval. Drift detection triggers containment if the agent attempts mass isolation.
agent_id: "secops-001"
purpose: "incident_response"
allowed_tools:
- create_ticket
- read_only_log_queries
- enrich_indicator
conditional_tools:
- action: isolate_host
condition: confidence >= 0.9
otherwise: human_approval_required
blocked_tools:
- delete_logs
- modify_firewall_rules
drift_alert:
threshold: 3
action: contain_to_read_onlyPython SDK Integration
Add ACR governance to your Python agent in about 15 lines per sensitive action. Install with pip install acr-client, then use the pattern below.
from acr_client import ACRAgent
agent = ACRAgent(
agent_id="support-001",
acr_endpoint="http://your-acr-url:8000"
)
# Evaluate before every sensitive action
decision = agent.evaluate({
"action": "issue_refund",
"parameters": {
"amount_cents": 15000,
"customer_id": "cust_abc123",
"order_id": "order_456"
},
"context": {
"intent": "customer_request",
"session_id": "sess_789"
}
})
if decision["disposition"] == "ALLOW":
result = crm.issue_refund(
customer_id="cust_abc123",
amount_cents=15000,
acr_token=decision["authority"]
)
agent.log_outcome(result, decision["evidence_id"])
elif decision["disposition"] == "APPROVAL_REQUIRED":
print(f"Pending approval. Ref: {decision['evidence_id']}")
elif decision["disposition"] == "DENY":
print(f"Blocked: {decision['reason']}")
agent.log_outcome({"status": "blocked"}, decision["evidence_id"])Reference Implementation
The full ACR control plane reference implementation is open-source under Apache 2.0. Includes the control plane API, policy engine (OPA/Rego), operator console, audit log, drift detection, and kill switch.
Explore the Framework
Download schemas, audit logs, and policy templates
Per-pillar verification criteria for assessment prep
Detailed enforcement points per pillar
7-layer runtime control stack overview
Interactive wizard to build custom ACR policies
Score your current governance readiness