acf.advisor

ACF® governance advice from a free-text case — one paragraph in, one structured evaluation out: activated principles, critical dimensions, autonomy level, risk class, applicable articles, first actions, operational risks. This is the conversion tool from documentation library to governance advisor.

Warning
This tool produces a preliminary evaluation from free-text heuristics — not legal advice. requires_human_review is always true. For a more defensible qualification, re-run through acf.classify-agent with qualified enums.

When to use

Use this tool when a case owner (CIO, business line, consultant) arrives with a prose description of their AI agent and needs a structured first verdict on the applicable ACF® governance: which principles fire, which maturity dimensions are critical, which autonomy level fits, which regulatory obligations trigger, which fiches to mobilise in what order. It is the “first step” tool before rigorous qualification.

It answers the board-level question: “where do we start on this case?”. The output is designed to be served to an AI committee or a DDAO who will decide the next steps.

Input parameters

One required field (the case description), three optional context fields that tighten the calibration.

case_description: string (20-2000), required
Free-text case description: what the agent does, who runs it, what it acts on, who validates. The sharper the description, the stronger the inference heuristics.
sector: string (≤80)
Sector (“banking”, “healthtech”, “public sector”…). Without a sector, criticality uses a neutral calibration.
jurisdiction: "eu" | "uk" | "us" | "ca" | "ch" | "br" | "jp" | "other"
Primary deployment jurisdiction. By default the tool reasons assuming EU.
deployment_scale: "pilot" | "department" | "enterprise" | "public"
Deployment scale. Influences criticality and the recommended first actions.
locale: "en" | "fr", default: "en"
Language of the textual output.

Output schema

Output is a structured object with autonomy level, risk level, activated principles, critical dimensions, prioritised fiches, applicable articles, first actions, operational risks, signed footer.

autonomy_level: { level: "N0"|"N1"|"N2"|"N3", rationale: string }
Inferred ACF® autonomy level and its rationale.
risk_level: { level: "low"|"medium"|"high"|"unacceptable", rationale: string }
AI Act-compatible risk class, derived from the ACF-02 criticality.
activated_principles: { code: string, why: string }[]
ACF® principles (P1 to P4) triggered by the case, each justified.
critical_dimensions: { code: string, why: string }[]
Maturity dimensions (D1 to D6) on the critical path for this case.
priority_fiches: { code: string, order: number, why: string }[]
ACF® cards to mobilise, in order, with the reason for each.
applicable_articles: { regulation: string, article: string, why: string }[]
AI Act / GDPR / DORA / NIS2 / ISO 42001 articles mobilised by the case.
first_actions: string[] (≤5)
The first five operational actions to kick off.
operational_risks: string[]
Typical operational risks tied to the inferred profile.
confidence: "low" | "medium" | "high"
Global confidence of the evaluation. Stays “medium” by default when input is prose only.
assumptions: string[]
Explicit assumptions made during inference (notably enums inferred from text).
gaps_to_validate: string[]
Gaps to close via human review, including the systematic recommendation to re-run through classify-agent.
rationale_per_rule: { rule_id, rule_version, fired, evidence }[]
Per-rule trace: identifier, version, fired status, evidence from the input text.
requires_human_review: true
Constant. No call returns false.

Example call

An internal HR assistant proposing a shortlist validated by a recruiter:

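advisor.ts (typescript)
import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";

// Spawn the acf-mcp server as a child process and talk to it over stdio.
// npx -y fetches and runs the package without prompting; outside of demos,
// pin a version you have reviewed (acf-mcp@<version>).
const transport = new StdioClientTransport({
  command: "npx",
  args: ["-y", "acf-mcp"],
});
// Identify this client to the server, then perform the MCP handshake.
const client = new Client({ name: "demo", version: "1.0" }, {});
await client.connect(transport);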

const result = await client.callTool({
  name: "acf.advisor",
  arguments: {
    case_description:
      "We are rolling out an internal HR assistant that summarises candidate CVs, proposes a shortlist score, and writes the shortlist to our ATS. A recruiter validates each shortlist before any candidate is contacted. The agent reads structured candidate profiles (name, email, education) and uses a GPAI under the hood for the summarisation.",
    sector: "human-resources",
    jurisdiction: "eu",
    deployment_scale: "department",
    locale: "en",
  },
});

console.log(JSON.stringify(result.content, null, 2));

Response

response.json (json)
{
  "autonomy_level": {
    "level": "N1",
    "rationale": "The recruiter validates each shortlist before action — supervised execution applies. Inferred from 'recruiter validates' in the description."
  },
  "risk_level": {
    "level": "high",
    "rationale": "HR scoring + GPAI + EU jurisdiction triggers AI Act Annex III §4 (employment). Personal data is standard but the use case is recruitment-related."
  },
  "activated_principles": [
    { "code": "P1", "why": "Decision sovereignty applies to every agentic deployment, regardless of autonomy." },
    { "code": "P2", "why": "High-criticality decisions must be reconstructible after the fact." },
    { "code": "P4", "why": "Reinforced governance must match the criticality." }
  ],
  "critical_dimensions": [
    { "code": "D4", "why": "Role allocation (DDAO + sign-off) is required for N1+ autonomy." },
    { "code": "D5", "why": "Regulatory compliance dimension is on the critical path." },
    { "code": "D3", "why": "Technical control (kill switch, observability) is non-negotiable." },
    { "code": "D2", "why": "Doctrine adoption is the entry gate before any agentic deployment." }
  ],
  "priority_fiches": [
    { "code": "ACF-00", "order": 1, "why": "Read first: framework introduction." },
    { "code": "ACF-02", "order": 2, "why": "Calibrate criticality with the matrix." },
    { "code": "ACF-09", "order": 3, "why": "Define escalation thresholds." },
    { "code": "ACF-11", "order": 4, "why": "Run a formal risk assessment." }
  ],
  "applicable_articles": [
    { "regulation": "ai-act", "article": "Art. 9", "why": "Mobilised by category Annex III §4 — employment." },
    { "regulation": "ai-act", "article": "Art. 14", "why": "Mobilised by category Annex III §4 — employment." },
    { "regulation": "ai-act", "article": "Art. 26", "why": "Mobilised by category Annex III §4 — employment." },
    { "regulation": "ai-act", "article": "Art. 51", "why": "GPAI obligation." }
  ],
  "first_actions": [
    "Identify or appoint the DDAO accountable for the agent (cf. ACF-12).",
    "Document the agent constitution (decision perimeter, allowed/forbidden actions — cf. ACF-03).",
    "Open the decision register and define the retention policy (cf. ACF-05 + ACF-13).",
    "Run the formal risk assessment + DPIA if PII (cf. ACF-11)."
  ],
  "operational_risks": [
    "Audit chain breaks if the decision register is not immutable.",
    "Sign-off bottleneck if DDAO is not available in escalation SLA.",
    "Regulatory exposure escalates if Article 49 register is not maintained in sync with internal register."
  ],
  "confidence": "medium",
  "assumptions": [
    "human_approval, external_actions and personal_data_level were inferred from the free-text description; pass classify-agent with qualified enums for higher confidence."
  ],
  "gaps_to_validate": [
    "re-run via acf.classify-agent with structured enums for a more defensible qualification."
  ],
  "requires_human_review": true,
  "rationale_per_rule": [
    {
      "rule_id": "ai-act.annex-iii.employment",
      "rule_version": "2026-06",
      "fired": true,
      "evidence": "description mentions shortlist + ATS write in an HR context"
    },
    {
      "rule_id": "autonomy.inference.supervised",
      "rule_version": "2026-06",
      "fired": true,
      "evidence": "inferred human_approval=always, external=limited_write from description"
    }
  ],
  "doctrine_version": "ACF framework v1.0 / rules 2026-06",
  "doctrine_hash": "sha256:bf0b6d8e4731ebdc58f6d6338702c5b74af47874cf0ad3dc958cde5c5b30b9dc",
  "doctrine_signature": "ed25519:…",
  "doctrine_archive_url": "https://acfstandard.io/doctrine/v1.0/archive.json",
  "regulatory_snapshot": "EU AI Act (Reg. 2024/1689, incl. Digital Omnibus deferral) + GDPR (Reg. 2016/679) + DORA (Reg. 2022/2554) + NIS2 (Dir. 2022/2555) + ISO 42001:2023 — as of 2026-06-07",
  "generated_at": "2026-06-14T11:47:22.318Z",
  "conversion_cta": "Continue this assessment with the auditable ACF® Compliance workspace at https://acfstandard.com/compliance?ref=mcp",
  "disclaimer": "Preliminary qualification only — not legal advice. Human review required."
}
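
As an added example (not part of acf-mcp or of the original page), a consumer can fail closed on a response that contradicts the documented output schema before it is served to a committee. It assumes the tool result has already been parsed into an object; validateAdvisorOutput and pinnedDoctrineHash are hypothetical names, and requiring evidence for every fired rule is this example's own policy.

```typescript
// Added example, not part of acf-mcp. Field names and enum values are taken from the
// output schema on this page; validateAdvisorOutput and pinnedDoctrineHash are hypothetical.
const AUTONOMY = ["N0", "N1", "N2", "N3"];
const RISK = ["low", "medium", "high", "unacceptable"];
const CONFIDENCE = ["low", "medium", "high"];

// Returns a list of problems; an empty list means the payload may be passed on for review.
function validateAdvisorOutput(out: any, pinnedDoctrineHash?: string): string[] {
  const problems: string[] = [];
  // Documented as the constant true: any other value contradicts the schema.
  if (out?.requires_human_review !== true) problems.push("requires_human_review is not true");
  if (!AUTONOMY.includes(out?.autonomy_level?.level)) problems.push("autonomy_level.level not in enum");
  if (!RISK.includes(out?.risk_level?.level)) problems.push("risk_level.level not in enum");
  if (!CONFIDENCE.includes(out?.confidence)) problems.push("confidence not in enum");
  if (!Array.isArray(out?.first_actions) || out.first_actions.length > 5)
    problems.push("first_actions missing or longer than 5");
  // Policy of this example: every verdict needs a rule trace, and a fired rule needs evidence.
  const trace: any[] = Array.isArray(out?.rationale_per_rule) ? out.rationale_per_rule : [];
  if (trace.length === 0) problems.push("rationale_per_rule is empty");
  for (const r of trace) {
    if (!r?.rule_id || !r?.rule_version) problems.push("trace entry lacks rule_id or rule_version");
    else if (r.fired === true && !r.evidence) problems.push(`rule ${r.rule_id} fired without evidence`);
  }
  // Format check plus pin comparison only; how the hash is computed is not documented here.
  const hash = String(out?.doctrine_hash);
  if (!/^sha256:[0-9a-f]{64}$/.test(hash)) problems.push("doctrine_hash malformed");
  else if (pinnedDoctrineHash !== undefined && hash !== pinnedDoctrineHash)
    problems.push("doctrine_hash differs from the pinned doctrine");
  return problems;
}

// Constructed sample: a trimmed copy of the response shown above.
const PAGE_HASH = "sha256:bf0b6d8e4731ebdc58f6d6338702c5b74af47874cf0ad3dc958cde5c5b30b9dc";
const sample = {
  autonomy_level: { level: "N1", rationale: "recruiter validates" },
  risk_level: { level: "high", rationale: "Annex III employment" },
  confidence: "medium",
  first_actions: ["Identify or appoint the DDAO accountable for the agent (cf. ACF-12)."],
  rationale_per_rule: [{ rule_id: "ai-act.annex-iii.employment", rule_version: "2026-06",
    fired: true, evidence: "description mentions shortlist + ATS write in an HR context" }],
  requires_human_review: true,
  doctrine_hash: PAGE_HASH,
};

console.log(validateAdvisorOutput(sample, PAGE_HASH)); // []
```

Pinning the doctrine hash lets a reviewer detect that two evaluations were produced under different rule sets before comparing them.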

Common errors

  • InputTooShort: case_description < 20 chars. The tool does not guess — provide a minimal prose description.
  • InvalidEnumValue: jurisdiction or deployment_scale receives an out-of-list value. Fix to a canonical value or omit the field.
  • DoctrineSnapshotMismatch: the requested doctrine_hash is not loaded. Update acf-mcp or point at the archived version.