ACR-3.01v1.0

All tool invocations SHALL be authorized against a documented tool access policy.

Domain

03 — Domain 3: Tool and API Governance

Eval Method

AT+EIAT+EI

Risk Weight

5 / 10

Applicability

L1L2L3

Description#

All tool invocations SHALL be authorized against a documented tool access policy.

Evaluation Method#

AT+EIAT+EI

Evaluation methodology as specified by the assigned method code.

v1.1 Details#

Profile Applicability

F,S,A,C

Evaluation Frequency

Quarterly

Platform Cert Eligible

Yes

Framework Crosswalk Refs

NIST SP 800-53 AC-3; OWASP LLM-07

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

Next →ACR-3.02: The system SHALL prevent unauthorized tool chaining where the output of one tool triggers another wi

All tool invocations SHALL be authorized against a documented tool access policy.

Description#

Evaluation Method#

v1.1 Details#

Classification#