ARMCF: A Practitioner Control Framework for AI and Agentic Risk Management

Today, organizations are forced to adopt AI faster than their governance, procurement, and security assurance models can adapt. Existing AI security standards provide strong foundations, but organizations still face a translation problem. Many AI governance frameworks describe sound principles but often stop short of the technical enforcement and SecOps integration that operational teams need.

SACR developed the AI and Agentic Risk Management and Control Framework, or ARMCF, to help close that gap.

ARMCF is a practitioner-oriented operating framework for governing, securing, monitoring, responding to and recovering AI and agentic systems. It applies the familiar six-function lifecycle of NIST CSF 2.0: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER to the specific risks created by AI systems with access to data, identities, tools and downstream actions.

The framework helps organizations:

  1. Maintain visibility into sanctioned and shadow AI systems.
  2. Define risk appetite, accountability and acceptable levels of autonomy.
  3. Assess data flows, dependencies and potential blast radius.
  4. Preserve evidence, restore systems safely and improve controls after incidents.
  5. Map control decisions to established security, AI governance and assurance frameworks.

 

The AI and Agentic Risk Management and Control Framework (ARMCF) was designed to help organizations govern, secure, monitor, and recover AI and agentic systems using a lifecycle model that aligns with familiar cybersecurity and risk disciplines. It synthesizes established concepts from NIST AI RMF, NIST SP 800-53, ISO/IEC 42001, MITRE ATLAS, OWASP LLM Top 10, CIS Controls, CSA AICM 1.1, SOC 2, and related sources into a single operating model for teams that need both technical depth and auditability.

The framework exists because AI-enabled systems, especially those with tool access and autonomous action-taking capability, create governance and control gaps that are not fully resolved when organizations apply traditional cyber controls without AI-specific interpretation. ARMCF addresses that gap by defining six lifecycle-aligned domains, mapping them to recognized frameworks, and translating them into practical control objectives, risk scenarios, and implementation steps that security and risk leaders can operationalize.

Industry Resources For Practitioners

ARMCF Downloadable Framework

For technical leaders, ARMCF offers a common language for risk identification, policy design, control selection, security architecture, detection engineering, and incident response. For non-specialist readers, its core message is simpler: organizations should not adopt AI and agentic systems at speed unless they can identify what they use, define who is accountable, constrain what AI can access, observe how it behaves, and recover safely when things go wrong.

Scope Definition

ARMCF applies to AI systems with autonomous decision-making or action-taking capability, including LLM-backed applications, orchestrated multi-agent pipelines, tool-using agent workflows, and AI-assisted human workflows where AI model output materially influences decisions. It covers systems that are built internally, integrated through APIs, procured as AI-enabled SaaS, or introduced indirectly through embedded features in third-party products.

The most material organizational risk often comes less from the model itself than from the operating environment around it: context access, tool invocation, external dependencies, delegated permissions, and weak governance. ARMCF therefore treats AI as both a technology risk and an operating model risk, which makes it useful for security architecture, third-party governance, internal audit, compliance, and resilience planning.

In practice, ARMCF applies to any AI capability that can influence meaningful business outcomes, access sensitive data, trigger downstream actions, or create accountability exposure for the organization. Read-only summarization tools may require lighter governance, while fully autonomous systems require a much broader set of controls and oversight.

Driving Factors

ARMCF is driven by the need to bring governance, security, threat modeling, resilience, and auditability into one operating model rather than treating them as separate workstreams.

This design reflects the reality that organizations are adopting AI faster than standards, procurement processes, and assurance models can fully adapt to.

One major driver is the fragmentation of existing guidance. Traditional cybersecurity frameworks provide strong foundations for control design and monitoring, but they do not always express risks such as prompt injection, insecure tool orchestration, agent identity misuse, data leakage, or autonomous overreach in language that operational teams can directly act on. AI governance frameworks, meanwhile, often describe principles well but may stop short of detailed security enforcement or SOC integration.

A second driver is the emergence of agentic systems as a different risk class. ARMCF explicitly addresses tool-calling agents, multi-step planning systems, unsupervised execution patterns, model supply chains, Model Context Protocol (MCP) style brokered tool access, and identity delegation concerns because those elements expand the potential blast radius of compromise beyond a single model. In practical terms, an AI system that can send email, modify files, call APIs, or execute workflow steps must be governed more like a privileged digital actor than like a static software component.

A third driver is the need for regulated organizations to preserve auditability. Security and risk leaders in financial services, healthcare, public sector, and critical infrastructure environments need traceable ownership, documented risk acceptance, evidence preservation, and cross-mapping to recognized standards before AI adoption can scale safely. ARMCF responds by embedding accountability, logging, classification, evidence handling, and framework mappings into its structure rather than leaving them as afterthoughts.

“An AI system that can send email, modify files, call APIs, or execute workflow steps must be governed more like a privileged digital actor than like a static software component.”

Aim and Purpose

ARMCF provides a governance and risk layer that sits above the technical control stack and helps organizations that are building, deploying, or procuring AI and agentic systems to operate them safely and consistently. Its purpose is to translate AI and agentic risks into implementable management expectations, technical safeguards, monitoring requirements, and recovery processes.

At a strategic level, the framework helps leadership define acceptable autonomy, prohibited use cases, risk ownership, and the minimum control posture expected before production deployment. At an operational level, it helps engineering, security, and risk teams discover AI assets, model threats, constrain permissions, monitor behavior, handle incidents, and improve controls over time.

The practical value of this dual aim is that ARMCF supports both governance conversations in the boardroom and design conversations in architecture review forums. It gives senior managers a structure for accountability and readiness, while giving practitioners a method for assessing their environments and prioritizing remediation.

Core principles

Figure 1: ARMCF Core Principles

ARMCF is built around five core principles: accountability, proportionality, lifecycle coverage, security-by-design, and auditability.

  1. Accountability: every production AI system should have a named owner, a defined risk function, and a clear RACI for lifecycle decisions such as procurement, deployment, monitoring, and decommissioning. Without that discipline, organizations cannot reliably determine who is authorized to accept AI risk, approve change, or respond to incidents.
  2. Proportionality: ARMCF recognizes that not all AI systems present equal risk and explicitly supports classification by risk tier, autonomy level, data sensitivity, and use case criticality. This enables organizations to apply stronger controls to high-impact or agentic systems without burdening low-risk use cases with the same level of friction.
  3. Lifecycle Coverage: ARMCF is structured around six domains—GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER—which together reflect the full operational lifecycle of secure AI adoption. Meaningful readiness requires movement from policy to implementation, to monitoring, to response, to recovery in a coherent and repeatable way that uses principles and pillars familiar to other security frameworks.
  4. Security-by-Design for Agentic Systems: Prompt inspection, tool allowlisting, agent identity, data minimization, software supply chain integrity, and behavioral monitoring appear in the framework as baseline control concepts because AI risk emerges from system interaction, not only from model content. In simple terms, ARMCF assumes that good intentions and acceptable use policies are not enough without technical enforcement and observable evidence.
  5. Auditability: The framework repeatedly emphasizes structured inventories, risk scoring, evidence preservation, SIEM export, sign-off, review dates, and roadmap milestones because mature AI governance must be inspectable and defensible under scrutiny. That orientation makes the framework especially relevant to organizations with internal audit, regulatory, or customer assurance obligations.

“ARMCF assumes that good intentions and acceptable use policies are not enough without technical enforcement and observable evidence.”

Figure 2: ARMCF Lifecycle

Pillars and Domains

ARMCF is organized into six domains that act as the framework’s operational pillars.

  1. GOVERN: Establishes accountability, policy, risk appetite, inventory discipline, third-party governance, and fairness expectations.
  2. IDENTIFY: Covers asset discovery, data-flow understanding, AI-specific threat modeling, risk scoring, and blast-radius analysis.
  3. PROTECT: Defines preventive controls across prompts, outputs, tools, agent identity, least-privilege data handling, secure development, and workload isolation.
  4. DETECT: Focuses on telemetry, behavioral baselines, anomaly detection, data exfiltration monitoring, SIEM integration, and supply chain monitoring.
  5. RESPOND: Defines incident classification, containment, evidence handling, escalation, and root-cause analysis for AI-specific events.
  6. RECOVER: Addresses restoration, re-validation, control improvement, and lessons learned.

These pillars are meaningful because they translate strategic intent into operational sequencing. For example, an organization that has drafted an AI policy but lacks inventory, monitoring, or containment capability cannot credibly claim readiness for high-risk agentic deployment. ARMCF therefore encourages leaders to think in terms of control completeness rather than isolated compliance artifacts.

Figure 3: ARMCF Journey Stages

Foundational Guidance

For security and risk management leaders, ARMCF offers several foundational guidance steps.

  1. Establish policy and risk appetite before broad enablement.
    Organizations should define acceptable automation levels, prohibited use cases, approved providers, and decision rights before business units scale adoption through pilots or embedded vendor features.
  2. Maintain a live AI system registry.
    The registry should record system name, owner, use case, autonomy level, data sensitivity, deployment environment, and control-layer coverage.
  3. Model threats in AI-native terms.
    Traditional threat modeling remains useful, but ARMCF calls for coverage of prompt injection, insecure output handling, training data poisoning, denial of service, supply chain vulnerabilities, sensitive information disclosure, insecure tool design, excessive agency, automation bias, model theft, adversarial examples, and backdoored models.
  4. Enforce least privilege and observable control at each decision point.
    Agent tool access, agent identities, secrets injection, network reachability, and policy guardrails should be constrained and logged.
  5. Treat AI monitoring and incident response as first-class SecOps concerns.
    AI telemetry should flow to the SIEM, alert categories should be tuned for AI-specific attack chains, and response procedures should support kill-switch, quarantine, forensic preservation, and root-cause analysis.

Security Leadership Use Cases

ARMCF is especially useful for leaders who must align innovation with control assurance in regulated or audit-heavy environments. A CISO or security architect can use the framework to define minimum production requirements for AI systems, enforce role ownership, and prioritize investments in identity, data protection, prompt security, and monitoring.

A security risk manager can use ARMCF to standardize risk statements, map threats to controls, document residual risk, and record review cycles using the framework’s risk-register model. An internal audit or compliance function can use the cross-mapping to NIST, ISO, CIS, SOC 2, and EU AI Act-style tiers to evaluate whether AI governance claims are supported by documented processes and evidence with measurable metrics.

ARMCF gives stakeholders a shared operating model: leaders define acceptable risk, practitioners implement controls, and assurance functions verify whether those controls exist and work.

Readiness Model

ARMCF can also be read as a readiness model for AI and agentic adoption. At the most basic level, organizations need visibility: a current inventory, classification, data-flow mapping, and identification of tools and dependencies. Without that baseline, later controls become difficult to scope or test.

The next level is governance and prevention, where policy, ownership, tool allowlists, agent identities, data minimization, network isolation, and secure build controls are introduced.

After that comes operational maturity, where behavioral monitoring, prompt anomaly detection, SIEM integration, incident playbooks, and evidence preservation are embedded into daily operations.

The highest level is continuous improvement. Recovery planning, quarterly risk review, post-incident control enhancements, supply chain monitoring, and board-level reporting create the feedback loops required for sustainable governance. This staged interpretation aligns well with the implementation roadmap described in the core framework, which moves from foundation to enforcement to maturity over a defined period.

Figure 4: ARMCF Framework Mappings

Mapping and Assurance

One of ARMCF’s strengths is that it does not ask organizations to abandon familiar frameworks. Instead, it acts as a translation layer that maps AI-specific needs to known governance and security structures such as NIST AI RMF, NIST SP 800-53, ISO 42001, CIS Controls, SOC 2, MITRE ATLAS, OWASP LLM Top 10, and CSA AICM 1.1. In regulated settings, assurance depends on demonstrating continuity with recognized models rather than introducing entirely isolated methodologies.

The control mapping in the core framework spreadsheet that accompanies this paper shows how ARMCF controls connect to source obligations. Examples include linking GV-1 to NIST AI RMF GOVERN and NIST 800-53 risk management controls, PT-1 to NIST 800-53 input validation and transmission confidentiality, PT-3 to identity and access enforcement, DT-4 to SecOps monitoring, and RC-4 to continuous improvement requirements. These mappings help practitioners explain why a given control matters not only for AI safety but also for governance, audit, and assurance alignment. For each control, the mapping spreadsheet also provides a suggested measurable metric along with scoring guidance as examples of how a control can be defined, applied and then consistently measured.

ARMCF also incorporates EU AI Act-style risk tiering concepts, distinguishing unacceptable, high, limited, and minimal risk use cases and tying them to varying expectations for domain coverage and oversight. A tiered model supports a defensible management narrative: stronger autonomy and stronger consequence require stronger governance. While full EU AI Act compliance has recently been postponed until 2027/28, it is still important to move ahead with preparations for compliance and to design new AI and agentic systems with the relevant controls in place.

“Stronger autonomy and stronger consequence require stronger governance”

Implementation Guidance

The framework’s implementation roadmap provides a practical starting point for leaders who need to move from concept to delivery. In the foundation phase, the emphasis is on inventory, risk appetite, ownership assignment, threat modeling for the highest-risk systems, prompt inspection, and tool allowlisting. These are sensible first steps because they establish visibility and the earliest preventive boundaries.

In the enforcement phase, the framework introduces stronger identity, monitoring, SIEM correlation, incident playbooks, and AI SBOM integration. This reflects a transition from governance intention to control durability, where organizations begin to instrument AI systems in the same manner they instrument privileged workloads and critical applications.

In the maturity phase, the roadmap calls for broader MITRE ATLAS detection coverage, formal risk assessment of in-scope systems, tabletop response exercises, quarterly governance review, board reporting, and evaluation against ISO 42001 or other certification readiness. That final stage is especially relevant for organizations that must demonstrate not just intent, but measurable operational competence over time.

Putting ARMCF into Practice

For executive and non-specialist readers, the simplest interpretation of ARMCF is that AI adoption requires the same seriousness organizations already apply to identity, cloud, and third-party risk. Before granting AI systems broad access or autonomy, leadership should know what systems exist, what they can do, what data they can reach, who owns them, and how they are stopped when they misbehave.

This message does not imply that AI should be slowed indefinitely. It implies that adoption should be staged, classified, and evidenced in proportion to risk. The stronger the autonomy and the higher the consequence, the stronger the governance, technical controls, and monitoring that should be expected.

Figure 5: Control Maturity Versus Risk Exposure

Closing Analysis

ARMCF is valuable because it translates the abstract challenge of AI governance into a concrete operating framework for security and risk leaders. Its main contribution is not unique or novel, but the integration of established cyber, risk, and AI guidance into a structure that reflects how agentic systems actually create business exposure.

For practitioners, the framework’s enduring strength is its balance: it is technical enough to guide architecture, controls, and incident handling, yet structured enough to support policy, auditability, and management communication. It helps organizations assess readiness, prioritize capability development, and introduce AI and agentic systems with clearer ownership, stronger controls, and more defensible assurance outcomes.

“Organizations should not adopt AI and agentic systems at speed unless they can identify what they use, define who is accountable, constrain what AI can access, observe how it behaves, and recover safely when things go wrong.”

Accompanying Resources:

SACR has provided some sample tools and adjuncts to this document that provide additional detail of the recommended controls to implement. These are laid out in the same domains and principles as the guidance sections above, and also contain mapping to popular AI, Cloud and Security frameworks as well as some suggested metrics that can be used to measure compliance with a given control.

These resources are provided for informational purposes only. They do not constitute legal, compliance, or implementation advice, and SACR does not guarantee their accuracy, completeness, or suitability for regulated environments. Organizations should validate any control mapping, metric, or implementation decision against their own risk, legal, and compliance requirements.

Please also read the FAQ for further explanation when considering risk and compliance implications.

Industry Resources For Practitioners

Full ARMCF Guide & Resources

ARMCF Control Assessment Tables

The following summary tables adapt the attached ARMCF domains and control objectives into a practitioner-friendly methodology reference set for self-assessment and readiness analysis. Teams can use them to review existing controls, identify gaps, and prioritize remediation in advance of broader AI and agentic rollout.

In the accompanying Control and Mapping Spreadsheet for ARMCF, the same domains are represented in more detail, with accompanying cross-references to existing Security frameworks, and with suggested measurement metrics and sample scoring rubrics also provided.

Domain Overview Table

The six ARMCF domains should be treated as an interconnected operating lifecycle, not as separate compliance categories. GOVERN and IDENTIFY establish the foundation; PROTECT and DETECT create enforceable control and visibility; RESPOND and RECOVER determine whether the organization can contain failure and restore operations safely. An organization’s readiness is ultimately limited by its weakest material control, not its average maturity score.

GOVERN Methodology

The GOVERN domain establishes the authority under which AI risk is accepted and managed. Before evaluating technical safeguards, the organization should be able to identify each production AI system, its accountable owner, its permitted use, its autonomy level and the individual authorized to accept residual risk. A policy without ownership, inventory and decision rights provides limited assurance.

IDENTIFY Methodology

The IDENTIFY domain determines whether the organization understands its actual AI exposure. This includes sanctioned and shadow AI, data and context flows, reachable tools, external dependencies and the maximum potential blast radius. An assessment should consider the complete operating environment around the model, not only the model itself.

PROTECT Methodology

The PROTECT domain translates governance decisions into enforceable technical boundaries. Agent identities, tool invocation, data access, secrets, network reachability and software supply-chain integrity should be restricted by default and expanded only through deliberate approval. For agentic systems, least privilege must apply to both information access and action-taking capability.

RESPOND Methodology

The RESPOND domain tests whether the organization can contain an AI-related incident without depending on the affected system to cooperate. Response procedures should support rapid credential revocation, tool-access suspension, agent quarantine, kill-switch activation, evidence preservation and escalation to the appropriate security, legal, privacy and business stakeholders.

RECOVER Methodology

The RECOVER domain addresses the conditions required for safe restoration. Restarting an AI system is not sufficient. Before redeployment, teams should verify the model and supporting artifacts, identities, permissions, allowlists, dependencies, data integrity and behavioral baselines. Material findings should feed back into the risk register and control roadmap.

Risk Register Reference

The risk register connects credible AI risk scenarios to the controls intended to prevent, detect or contain them. The examples below are illustrative rather than exhaustive. Organizations should adapt them to their own systems and record affected assets, likelihood, impact, control effectiveness, residual risk, accountable owner, remediation actions and review dates.

Conclusion & Recommended Next Steps

ARMCF gives security and risk leaders a practical structure for doing that. It connects governance decisions to technical safeguards, observable evidence, incident response and recovery. It also gives CISOs, engineering teams, risk functions and auditors a shared language for determining whether an AI system is ready for production and what must improve before it receives broader access or authority.

Security leaders can begin applying ARMCF through five practical actions:

  1. Inventory sanctioned, embedded and shadow AI systems across the organization.
  2. Classify each system by autonomy, data sensitivity, business criticality and potential consequence.
  3. Assess the highest-risk systems against the six ARMCF domains.
  4. Prioritize material gaps in identity, tool access, data protection, monitoring, containment and recovery.
  5. Report readiness, residual risk and remediation ownership to the appropriate executive and governance stakeholders.

Begin with the systems that can access sensitive data, invoke tools, call APIs, modify records or initiate consequential business actions. These systems represent the most immediate need for defensible governance and control.

Put ARMCF into Practice

Access the accompanying ARMCF resources to begin assessing your environment:

  • Download the ARMCF Control and Mapping Spreadsheet
  • Review the full ARMCF presentation and implementation guide
  • Use the domain assessment tables to identify control gaps
  • Consult the ARMCF FAQ for additional risk and compliance context

We welcome feedback from CISOs, security architects, AI security practitioners, risk leaders and auditors applying ARMCF in real environments. Your practical experience will help us strengthen future versions of the framework as agentic architectures and security requirements continue to evolve.

Review the framework. Assess one high-risk AI system. Identify the control gaps that must be addressed before its autonomy expands.

To receive future SACR research, framework updates and practitioner guidance, subscribe to Software Analyst Cyber Research and share ARMCF with the leaders responsible for AI governance and security in your organization.

Questions or practitioner feedback? Contact the SACR research team using the contact form.

About Michelle Larson

Michelle Larson is a lingerie expert living in Brooklyn, NY, where she creates quippy written content, crafts dreamy illustrations, and runs the ethically-made loungewear line.

Related Posts

Ransomware’s New Kill Switch: Ephemeral Ransomware Resilience

Vendor Use Case Evaluation: Unified Agentic Defense Platforms (UADP)

No Comments

Table of Contents

Search

Categories

Popular Tags

cybersecurity research icon

Subscribe to the
Software Analyst

Subscribe for a weekly digest on the best private technology companies.