The system category for agentic runtime security.
Autonomous Action Runtime Management (AARM) is an open system specification for securing AI-driven actions at runtime. It defines what a runtime security system must do — not how to build it. An AARM system intercepts actions before execution, evaluates them against policy and contextual intent, enforces authorization decisions (allow, deny, modify, defer, or step-up), and records tamper-evident receipts binding action, context, and outcome for forensic reconstruction.
```
Agent proposes action
        │
        ▼
┌───────────────────┐
│   AARM Control    │ ← intercept every action
│      Plane        │ ← accumulate session context
│                   │ ← evaluate against policy + intent
│  ALLOW / DENY /   │ ← decide with 5 possible outcomes
│ MODIFY / STEP_UP  │ ← produce tamper-evident receipt
│     / DEFER       │
└───────────────────┘
        │
        ▼
Action executes (or doesn't)
```
| ID | Requirement | Level | Conformance |
|---|---|---|---|
| R1 | Pre-execution interception | MUST | Core |
| R2 | Context accumulation | MUST | Core |
| R3 | Policy evaluation with intent alignment | MUST | Core |
| R4 | Five authorization decisions | MUST | Core |
| R5 | Tamper-evident receipts | MUST | Core |
| R6 | Identity binding | MUST | Core |
| R7 | Semantic distance tracking | SHOULD | Extended |
| R8 | Telemetry export (OpenTelemetry) | SHOULD | Extended |
| R9 | Least-privilege enforcement | SHOULD | Extended |
AARM Core — satisfy R1–R6. Baseline conformance.
AARM Extended — satisfy R1–R9. Full governance maturity.
Full specification: aarm.dev/spec · arXiv: 2602.09433
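
A minimal sketch of the intercept, decide and receipt loop (R1, R2, R4, R5, R6), added here as an illustration; it is not code from the AARM specification or from this repository. The policy rules, tool names, receipt fields and the SHA-256 hash chain are all assumptions chosen for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first receipt in a session

def digest(body):
    # Canonical JSON so equal content always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def decide(action, context):
    """Constructed toy policy; a real one would cover all five decisions."""
    read_sensitive = any(a["tool"] == "read_file" and a["args"].get("sensitive")
                         for a in context)
    if action["tool"] == "http_post" and read_sensitive:
        return "DENY"      # outbound send after a sensitive read in this session
    if action["tool"] == "delete_records":
        return "STEP_UP"   # destructive action needs extra approval
    return "ALLOW"

class ControlPlane:
    def __init__(self):
        self.context = []   # actions proposed so far in this session (R2)
        self.receipts = []  # hash-chained receipt log (R5)

    def intercept(self, identity, action):
        """Called before the action runs (R1); returns the decision (R4)."""
        decision = decide(action, self.context)
        body = {
            "seq": len(self.receipts),
            "identity": identity,  # who proposed the action (R6)
            "action": action,
            "context_digest": digest(self.context),
            "decision": decision,
            "outcome": "executed" if decision == "ALLOW" else "not_executed",
            "prev": self.receipts[-1]["hash"] if self.receipts else GENESIS,
        }
        self.receipts.append({**body, "hash": digest(body)})
        self.context.append(action)
        return decision

def verify(receipts):
    """Return the index of the first broken receipt, or -1 if the chain is intact."""
    prev = GENESIS
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "hash"}
        if r["prev"] != prev or digest(body) != r["hash"]:
            return i
        prev = r["hash"]
    return -1
```

An unkeyed hash chain detects edits only if the latest hash is also signed or anchored outside the log; otherwise anyone who can rewrite the whole log can recompute every hash.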
AARM addresses 11 attack classes on agentic AI systems:
- Prompt injection
- Data exfiltration
- Confused deputy
- Goal hijacking
- Memory poisoning
- Intent drift
- Cross-agent propagation
- Over-privileged credentials
- Side-channel leakage
- Environmental manipulation
- Malicious tool output
Builders can claim one of two conformance levels:
- AARM Core ✓ R1 R2 R3 R4 R5 R6
- AARM Extended ✦ R1 R2 R3 R4 R5 R6 R7 R8 R9
To claim conformance:
- Satisfy all MUST requirements for your target level
- Complete the testing protocol and compile an evidence package
- Engage with the working group before submitting
- Submit your evidence — review takes up to 14 days
Products that have claimed AARM conformance are listed at aarm.dev/builders. The registry is community-verified — builders submit evidence, the TWG reviews.
To get listed, open an issue or submit a PR with your evidence package.
AARM is a Cloud Security Alliance Technical Working Group project. The TWG governs the specification, conformance process, and builder registry through open collaboration.
Authors: Herman Errico (Vanta), Akul Loomba
Contributors: 12 security practitioners, researchers, and builders — full list
This repository contains the source for aarm.dev — the spec site, builder registry, and conformance requirements.
```
src/
├── app/
│   ├── spec/            ← full specification (v1.0)
│   ├── conformance/     ← requirements + how to claim
│   ├── builders/        ← builder registry + detail pages
│   └── working-group/   ← TWG members
├── data/
│   ├── builders.ts      ← registry data
│   └── builder-details.ts
└── components/
```
Stack: Next.js · TypeScript · Tailwind CSS · Vercel
```bash
npm install
npm run dev    # → localhost:3000
npm run build  # type-check + build
```

Specification changes, new builder submissions, and conformance feedback are all welcome.
- Spec changes — open an issue describing the proposed requirement change
- Builder submissions — open a PR adding your entry to `src/data/builders.ts`
- Conformance questions — open a discussion or reach out via the TWG
AARM is a system category specification. Specification text is licensed under CC BY 4.0. Website source is MIT.