ACR-13.03v1.1

The system operator SHALL maintain a documented dual-use risk assessment identifying potential misus

Domain

13 — Domain 13: Societal Impact and Responsible Deployment

Eval Method

EIEvidence Inspection

Risk Weight

4 / 10

Applicability

L1L2L3

Description#

The system operator SHALL maintain a documented dual-use risk assessment identifying potential misuse pathways, assessed likelihood, and implemented mitigations — reviewed at intervals defined by the certification level.

Evaluation Method#

EIEvidence Inspection

Compliance is evaluated through inspection of documentary evidence including architecture documents, configuration artifacts, and operational records.

v1.1 Details#

Profile Applicability

S,A,C

Evaluation Frequency

Annual

Platform Cert Eligible

Framework Crosswalk Refs

EU AI Act Art. 9; NIST AI RMF Map 1.5; OECD AI Principle 1.2

Classification#

Conditional Control

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-13.02: The system SHALL implement controls preventing AI-assisted generation of malware, exploitation code,Next →ACR-13.04: The system SHALL implement safeguards against generating harmful, illegal, or dangerous content as d