An open system specification for securing AI-driven actions at runtime.
As AI systems evolve from text generators into autonomous agents executing consequential actions—API calls, database mutations, financial transactions—the security boundary shifts from model outputs to tool execution.
AARM defines what a runtime security system must do:
- Intercept actions before execution
- Evaluate against policy
- Enforce decisions (allow / deny / modify / require approval)
- Record tamper-evident receipts
```
Agent ──► AARM System ──► Tools/APIs
               │
               ▼
        Action Receipts
```
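The four duties above (intercept, evaluate, enforce, record) in one small, runnable form. This is an added illustration, not the AARM project's reference code: the `ActionMonitor` class, the three policy rules, the tool names and the HMAC-protected, hash-chained receipt format are all assumptions made for the demo, and the tool stand-ins are constructed.

```python
# Added example, not AARM project code: a minimal AARM-style monitor that
# intercepts tool calls, evaluates policy, enforces allow / deny / modify /
# require_approval, and records hash-chained, HMAC-protected receipts.
# Rule logic, tool names and receipt layout are assumptions for this demo.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first receipt


@dataclass
class Action:
    tool: str
    args: dict


@dataclass
class Verdict:
    decision: str  # allow | deny | modify | require_approval
    reason: str
    modified_args: Optional[dict] = None


Rule = Callable[[Action], Optional[Verdict]]


# --- constructed policy rules; first match wins, default is allow ---------
def deny_destructive_sql(a: Action) -> Optional[Verdict]:
    sql = a.args.get("sql", "").lstrip().upper()
    if a.tool == "db.query" and sql.startswith(("DROP", "DELETE", "TRUNCATE")):
        return Verdict("deny", "destructive SQL statement")
    return None


def approve_large_transfers(a: Action) -> Optional[Verdict]:
    if a.tool == "payments.transfer" and a.args.get("amount", 0) > 1000:
        return Verdict("require_approval", "transfer above 1000 needs a human")
    return None


def cap_http_timeout(a: Action) -> Optional[Verdict]:
    if a.tool == "http.get" and a.args.get("timeout", 0) > 10:
        return Verdict("modify", "timeout capped at 10s", {**a.args, "timeout": 10})
    return None


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ActionMonitor:
    """Sits between the agent and its tools: intercept, evaluate, enforce, record."""

    def __init__(self, rules: List[Rule], tools: Dict[str, Callable], receipt_key: bytes):
        self.rules, self.tools, self.key = rules, tools, receipt_key
        self.receipts: List[dict] = []
        self.prev_hash = GENESIS

    def evaluate(self, action: Action) -> Verdict:
        for rule in self.rules:
            verdict = rule(action)
            if verdict:
                return verdict
        return Verdict("allow", "no rule matched")

    def execute(self, action: Action) -> Tuple[Verdict, object]:
        verdict = self.evaluate(action)
        args = verdict.modified_args if verdict.decision == "modify" else action.args
        result = None
        if verdict.decision in ("allow", "modify"):  # deny / require_approval never reach the tool
            result = self.tools[action.tool](**args)
        self._record(action.tool, args, verdict)  # every decision is recorded, executed or not
        return verdict, result

    def _record(self, tool: str, args: dict, verdict: Verdict) -> None:
        body = {"seq": len(self.receipts), "tool": tool, "args": args,
                "decision": verdict.decision, "reason": verdict.reason, "prev": self.prev_hash}
        canon = _canonical(body)
        self.receipts.append({**body, "mac": hmac.new(self.key, canon, hashlib.sha256).hexdigest()})
        self.prev_hash = hashlib.sha256(canon).hexdigest()  # next receipt commits to this one


def verify_receipts(receipts: List[dict], key: bytes) -> bool:
    """Tamper-evidence check: sequence numbers, hash chain and MAC must all hold."""
    prev = GENESIS
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "mac"}
        canon = _canonical(body)
        expected = hmac.new(key, canon, hashlib.sha256).hexdigest()
        if body.get("seq") != i or body.get("prev") != prev:
            return False
        if not hmac.compare_digest(expected, r.get("mac", "")):
            return False
        prev = hashlib.sha256(canon).hexdigest()
    return True


def demo() -> Tuple[List[str], bool, bool]:
    tools = {  # constructed stand-ins for real tools
        "db.query": lambda sql: f"ran: {sql}",
        "payments.transfer": lambda amount, to: f"sent {amount} to {to}",
        "http.get": lambda url, timeout: f"GET {url} (timeout={timeout})",
    }
    key = b"demo-receipt-key"  # assumption: in practice held by the monitor, not the agent
    mon = ActionMonitor([deny_destructive_sql, approve_large_transfers, cap_http_timeout], tools, key)
    decisions = [mon.execute(a)[0].decision for a in (
        Action("db.query", {"sql": "SELECT 1"}),
        Action("db.query", {"sql": "DROP TABLE users"}),
        Action("payments.transfer", {"amount": 5000, "to": "acct-9"}),
        Action("http.get", {"url": "https://example.com", "timeout": 60}),
    )]
    intact = verify_receipts(mon.receipts, key)
    tampered = [dict(r) for r in mon.receipts]
    tampered[1]["decision"] = "allow"  # rewrite history: the denied DROP becomes "allowed"
    return decisions, intact, verify_receipts(tampered, key)
```

The receipt chain is what makes the log tamper-evident rather than merely tamper-resistant: editing, reordering or dropping any receipt breaks either its MAC or the `prev` link of its successor, so an auditor with the key can detect it after the fact even though the monitor itself could not prevent the edit. The key must be held by the monitor, never exposed to the agent, or the agent could forge receipts for actions it was denied.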
Traditional security controls don't address AI-driven actions:
- SIEM — observes after execution; can't prevent harm
- API gateways — verify who, not what the action means
- Firewalls — agents operate inside the perimeter
- Prompt guardrails — filter text, not actions
- Human-in-the-loop — doesn't scale; can be exploited
AARM fills this gap with runtime enforcement at the action layer.
| Resource | Description |
|---|---|
| Specification | Problem, definition, components |
| Threat Model | What AARM defends against |
| Architectures | Gateway, SDK, eBPF options |
| Conformance | R1–R8 requirements |
| Research Paper | IEEE-style technical paper |
Contributions welcome. See CONTRIBUTING.md.
```shell
npm i -g mint   # Install Mintlify CLI
mint dev        # Run at http://localhost:3000
```

SIEM was built for events. AARM is built for actions.