Why ACF exists in 90 seconds
Written for executive committees, not architects. The question your auditor will ask on December 2, 2027, the three possible answers, and the trust infrastructure that puts you at Level 3 by construction.
This is not hypothetical: EU AI Act high-risk enforcement begins December 2, 2027.
Two snapshots on December 2, 2027
Without ACF
Without ACF, on December 2, 2027
- At 3:14 AM, your credit-scoring agent refuses 847 loans in cascade, and no one can reconstruct the decision the next day.
- The customer service agent promised a 4,200 euros refund, then the redeploy wiped any trace of the commitment.
- Your procurement agent just signed a 540,000 euros contract with an EU-sanctioned supplier, with no documented pre-screening.
- When the auditor asks who bears civil liability, the answer loops between IT, the model vendor, and the business unit.
- Your D&O insurer raises the premium by 38 percent on December 2, 2027, unable to assess agentic risk independently.
With ACF
With ACF, on the same December 2, 2027
- The 3:14 AM decision carries an Ed25519 signature, a chained SHA-256 hash, and the name of the DDAO who bears civil liability.
- The refund commitment triggers the level 2 kill switch, mapped to card ACF-11, archived before any redeploy.
- The supplier contract is classified N1 not N3, making the ACF-09 sanctions-screening card mandatory before signature.
- The auditor receives a signed PDF in 30 seconds, mapped to EU AI Act, ISO 42001, NIST AI RMF, GDPR, and COBIT.
- Your Sovereignty Score moves from 34 to 78 in six months, and the D&O insurer holds the premium at 2026 levels.
Three possible answers
The auditor asks. You have three possible answers, in increasing order of defensibility — and three matching financial consequences.
Level 1 — Silence
“We'll check with the engineering team and get back to you.”
Consequence
EU AI Act fine up to 35 million euros or 7 percent of global turnover, front page of Les Echos within 72 hours, DPO resignation the following week.
Level 2 — Application logs
“We have application logs, we can export them for you.”
Consequence
Logs inadmissible under article 1366 of the French Civil Code, forced forensic audit at 400,000 euros, 18-month defense file.
Level 3 — Cryptographic proof
“Here is the Ed25519-signed PDF, you can verify it independently with the public key.”
Consequence
Case closed in 12 minutes instead of 12 weeks, zero accounting provision, D&O premium held by the insurer.
ACF is a trust infrastructure
ACF is not a framework you deploy. It is a trust infrastructure you join, the way TLS exists for the web or SWIFT for interbank settlement. The standard does not live in your servers; it lives in any third party's ability to verify, years later, that an agentic decision occurred, who carried it, and under which doctrine.
01
Signed identity
Every agentic decision is Ed25519-signed and carries the name of the DDAO who bears civil liability; no anonymous autonomy is permitted by the standard.
02
Replicable verification
The SHA-256 hash chain and the 34 signed acf-mcp resources let a third party, years later, replay the verification without depending on you.
03
Opposable trace
The 17 by 5 mapping across EU AI Act, ISO 42001, NIST AI RMF, GDPR, and COBIT turns the trace into an opposable legal proof, not a mere technical log.
The choice on December 2, 2027
By December 2, 2027, two groups of companies will coexist: those who tried to build their audit trail alone, slow and contested at every inspection, and those who joined the trust layer and stand opposable in 12 minutes. ACF puts you in the second group by construction, not by luck.