AARM
A Cloud Security Alliance Powered Project

The system category for agentic runtime security.

AARM defines the security controls an AI agent runtime must implement before any action is executed — intercept, evaluate against policy, decide, and produce a tamper-evident record.

60+ Builders · 5 Conformant Products · 16 TWG Members · CSA Verified

Two conformance levels

Clear requirements for products serious about AI agent security.

✓ AARM Core
R1 – R6

All six requirements are MUST. Satisfying these is the baseline for AARM conformance — pre-execution interception through identity binding.

✦ AARM Extended
R1 – R9

Core plus three SHOULD requirements: semantic drift tracking, telemetry export, and least-privilege enforcement.


11 threat classes addressed

AARM systems are designed to defend against all known classes of attack on agentic AI.

- Prompt injection
- Data exfiltration
- Confused deputy
- Goal hijacking
- Memory poisoning
- Intent drift
- Cross-agent propagation
- Over-privileged credentials
- Side-channel leakage
- Environmental manipulation
- Malicious tool output

Join the AARM Working Group

A system category specification built by security practitioners, researchers, and builders. Come shape the future of AI agent security.
