ACF
acfstandard.io
Developer docs
FR
Doctrine

The DDAO role

DDAO — Designated Delegated Agent Officer. The human cornerstone of ACF®. A named individual (or collegial body) responsible for an agent (or a portfolio of agents) in production. Inspired by the DPO (GDPR art. 37-39) and the CISO.

iNote
DDAO is not a marketing title nor a decorative role. It is a named, identifiable person who engages the legal liability of the company for the decisions of the agent they supervise. For that reason, ACF® requires the DDAO to be independent from the agent’s reporting chain — as the DPO is independent from the Director of Marketing.

The four missions

  1. Validation of critical decisions that the agent is designed to escalate (ACF-12 thresholds).
  2. Arbitration on unplanned escalation off-mandate situation, drift behaviour, alert from the register.
  3. Drift monitoring model drift, case distribution drift, cost drift.
  4. Periodic reviews quarterly at least, on the assigned perimeter, with a report to the governance committee.

Expected profile

The DDAO typically comes from one of three pools: (1) an existing DPO expanding their perimeter, (2) a CISO or internal audit director, (3) a product compliance lead or a senior product manager moving into a governance posture. None of these profiles is native to ACF® — formal training is explicit, via cards ACF-13 (Guided Practical Case) and ACF-14 (Teacher Guide).

Independence

The DDAO cannot report to the same manager as the agent they supervise. For a lead-qualification agent, the DDAO cannot report to the CMO. For a credit-scoring agent, the DDAO cannot report to the head of credit risk. Target architecture is a direct report to general management, to the DPO, or to the board audit committee. This is hardened in card ACF-12 (Agent Mandate).

Liability

As with the GDPR DPO, the DDAO does not bear legal liability in place of the company — the company answers for itself. But the DDAO carries functional liability: they must be able to produce, on request, the cryptographic trace of a specific decision, justify the threshold choices, and demonstrate that reviews were conducted. On an AI Act audit, they are the one summoned by the regulator.

MCP instrumentation

Three acf-mcp tools are specifically designed for the DDAO: acf.assign-ddao-controls (assign controls), acf.evaluate-agent-mandate (audit an existing mandate),acf.identify-governance-gaps (find gaps before external audit). A tooled DDAO can run a quarterly review in hours instead of days.