Changelog

Domain 5: Data Privacy & Consent Management (28 ACRs) — addresses data collection transparency, consent lifecycle management, cross-border data flows, and privacy-by-design requirements.

Domain 13: Societal Impact Assessment (22 ACRs) — covers algorithmic fairness evaluation, community impact disclosure, accessibility requirements, and long-term societal effect monitoring.

Assurance Class dimension (A/B/C) creating a two-axis certification model. Class A (Periodic) requires self-assessment. Class B (Monitored) requires monthly CAPO check-ins. Class C (Continuous) requires 24/7 CAPO oversight with real-time alerting.

Four System Profiles determining ACR applicability: Foundational (97 ACRs), Standard (215 ACRs), Advanced (368 ACRs), and Comprehensive (410 ACRs).

Platform Certification pathway allowing reusable platforms and infrastructure components to carry forward ACR compliance to deployment-level evaluations through ACR inheritance.

Risk Classification: mandatory 7-factor assessment conducted by AVBs to determine the appropriate Assurance Class. Factors: autonomy level, decision impact, data sensitivity, operational environment, human oversight capacity, reversibility, and scale.

CAPO (Certified Assurance Platform Operator) role for continuous monitoring. CAPOs provide post-certification monitoring services for Assurance Class B and C systems.

Recognized Insurer Partner (RIP) program enabling insurance providers to offer coverage products tied to ARA certification status and assurance classes.

Express Evaluation pathway for L1 Foundation certification (3-4 weeks) available for systems meeting predefined eligibility criteria and lower risk profiles.

14 regulatory framework crosswalk mappings including EU AI Act, ISO/IEC 42001, NIST AI RMF, and others. Each mapping documents direct, partial, and complementary relationships to ACRs.

DPSIC (Data Privacy and Societal Impact Committee) advisory body providing guidance on Domains 5 and 13 to the Technical Standards Board.

12 new glossary definitions covering: Assurance Class, CAPO, Deployment Certification, DPSIC, Express Pathway, Lapse Window, Platform Certification, RIP, Risk Classification, System Profile, and related terms.

Evidence categories formalized as four types: LP (Lifecycle Process), TI (Technical Implementation), OP (Operational Performance), and TP (Third-Party).

New ACR columns: Profile Applicability (which system profiles require the ACR), Evaluation Frequency (continuous, quarterly, annual, or at-certification), Platform Cert Eligible (whether the ACR can be inherited via platform certification), and Framework Crosswalk Refs (links to mapped regulatory requirements).

Domain count increased from 13 to 15. Existing domains renumbered to accommodate new Domain 5 (Data Privacy & Consent Management) and Domain 13 (Societal Impact Assessment).

ACR count expanded from 352 to 410 (58 new ACRs across new and existing domains).

Certification levels renamed: L1 Foundation (was L1 Supervised Operational Reliability), L2 Operational (was L2 Bounded Autonomous Deployment), L3 Comprehensive (was L3 High-Stakes Autonomous Certification).

Level names updated from single-axis model (level only) to two-axis model (level + assurance class). Certification designations now expressed as e.g. "L2-B Deployment" or "L1-A Platform".

Evaluation methods expanded from four to six: added TP (Third-Party Attestation) for controls validated through independent third-party evidence, and OP (Operational Proof) for controls demonstrated through operational performance data.

Domain score thresholds recalibrated for 15 domains. Threshold calculations now account for system profile applicability and risk-weighted composite scoring across the expanded domain set.

AVB authorization scope expanded to include risk classification responsibilities and platform certification evaluation capabilities. AVB authorization levels updated to Basic, Enhanced, and Full.

Governance structure expanded to include six participant categories: Technical Standards Board (TSB), Data Privacy and Societal Impact Committee (DPSIC), Authorized Validation Bodies (AVBs), Certified Assurance Platform Operators (CAPOs), Recognized Insurer Partners (RIPs), and Consortium Members.