ACF-00 Sovereignty Score Measures the decisional sovereignty retained when deploying autonomous systems. | Art. 9Risk management system | Clause 6.1.2AI risk assessment | MAP-3AI risks and benefits | Art. 35DPIA | EDM-01Governance framework |
ACF-01 Decision Map Maps the agent's decisions and the human approval chain that governs them. | Art. 14Human oversight | Clause 8.4 / A.6AI system operation | GOVERN-1.1Defined roles | Art. 22Automated decision-making | EDM-03Risk optimisation |
ACF-02 Criticality Matrix Classifies each agent by criticality, impact and irreversibility. | Art. 6 + Annex IIIHigh-risk classification | Clause 6.1.2Risk categorisation | MAP-2Categorisation | Art. 35DPIA threshold | APO-12Managed risk |
ACF-03 Agentic Constitution Internal charter defining who decides what, how and within which limits. | Art. 5 + Art. 26Prohibited practices + deployer duties | Clause 5.2AI policy | GOVERN-2Cultivate culture | Art. 25Privacy by design | EDM-01Governance setting |
ACF-04 Agent Card Operational identity of each agent: scope, data, tools, autonomy level. | Art. 11 + Art. 26(6)Technical documentation + logs retention | Clause 7.5 + 8.1Documented information / operational planning | MAP-1System context | Art. 30Records of processing | BAI-09Managed assets |
ACF-05 Supervision & Governance Continuous supervision mechanisms with the DDAO role as the human pivot. | Art. 14 + Art. 26(5)Human oversight + deployer monitoring | Clause 5.3 + 9.1Roles + monitoring | GOVERN-3 / MANAGE-2.3Workforce / ongoing monitoring | Art. 22 + Art. 37-39Automated decisions + DPO | MEA-02Internal control |
ACF-06 Kill Switch Emergency stop procedure for a drifting agent. | Art. 14(4) + Art. 26(5)Stop button + suspend obligation | Clause 8.3Operational controls | MANAGE-4Decommissioning | Art. 22(3)Right to contest / withdraw | DSS-02Service requests & incidents |
ACF-07 First Agent Briefing Qualification dossier before the first production deployment. | Art. 11–13 + Art. 17Documentation + QMS | Clause 8.1 + 6.2Operational planning + objectives | MAP-2 + GOVERN-4Categorisation + pre-deploy testing | Art. 30 + Art. 35Records + DPIA | BAI-01Managed programmes |
ACF-08 Agentic Decision Register Cryptographic ledger of every decision the agent has taken. | Art. 12 + 19 + 26(6)Logging + retention (6 months min.) | Clause 9.1 + 7.5.3Monitoring + control of records | MEASURE-2Performance & trustworthiness | Art. 30Records of processing | MEA-01Performance monitoring |
ACF-09 Action & Improvement Plan Post-deployment continual improvement plan, driven by the DDAO. | Art. 9(4) + Art. 17Continuous risk mgmt + QMS | Clause 10.1 + 10.2Nonconformity + continual improvement | MANAGE-2Risk treatment | Art. 24 + Art. 32Responsibility + security | BAI-08Managed knowledge |
ACF-10 30-day Governance Audit Periodic internal audit demonstrating operational mastery. | Art. 17 + Art. 71QMS audit + post-market monitoring | Clause 9.2 + 9.3Internal audit + management review | GOVERN-5 + MANAGE-3.1Engagement + risk treatment review | Art. 32Security audit | MEA-02 + MEA-03Internal control + compliance |
ACF-11 Agentic Risk Assessment Risk analysis specific to agents: drift, hallucination, escalation. | Art. 9Risk management system | Clause 6.1.2AI-specific risks | MAP-3 + MAP-4Risks & benefits + trustworthiness | Art. 35DPIA | APO-12Managed risk |
ACF-12 Agent Mandate Formal, enforceable delegation of decision-making power granted to the agent. | Art. 16 + 17 + 26Provider & deployer duties | Clause 5.3Roles & authorities | GOVERN-3 + GOVERN-6Workforce + external communications | Art. 28 + 24Processor + controller responsibility | APO-05Managed portfolio |
ACF-13 Guided Case Study Worked case study, step by step, for training and mock audits. | Art. 6 + 13 + Annex IIISector examples + transparency | Clause 7.2 + 7.3Competence + awareness | MAP-2Categorisation | Art. 22Worked profiling examples | BAI-05Organisational change |
ACF-14 Teacher Guide For instructors: lesson plans, answer keys, sample exams. | Art. 4AI literacy | Clause 7.2 + 7.3Competence + awareness | GOVERN-1.6 + GOVERN-6Workforce literacy | Art. 39DPO training duty | APO-07Managed human resources |
ACF-15 Governance Simulation Sandbox exercise: replay a crisis to measure governance resilience. | Art. 9 + Art. 57-63Risk mgmt + regulatory sandboxes | Clause 9.1 + 6.2Monitoring + planned objectives | MANAGE-3 + MEASURE-3Risk treatment evaluation | Art. 32Security testing | BAI-06Managed IT changes |
ACF-16 Responsibility by Design Cross-cutting principle: accountability is wired in from design onwards. | Art. 5 + 13 + 16(b)Accountability + transparency | Clause 5.2AI policy & accountability | GOVERN-1 + MANAGE-1Accountability + risk management | Art. 5(2) + 24 + 25Accountability + by design | EDM-01Governance setting |