About AARM

What is AARM?

Autonomous Action Runtime Management (AARM) is a system category specification that defines what a security system must do before an AI agent executes any action — in any environment, at any scale.

The problem AARM solves

AI agents don’t just generate text — they take actions. They browse the web, write and execute code, send emails, make API calls, and manage files. As agents become more capable and more widely deployed, the blast radius of a mistake or a compromise grows with them.

Before AARM, there was no shared language for what “secure agent execution” means. Security teams couldn’t evaluate products consistently. Builders had no common benchmark to build to. Enterprises had no basis for comparison.

AARM changes that. It specifies a minimal, verifiable set of behaviors that any runtime security system must implement before it can claim to govern AI agent actions safely.

The five-step control loop

Every AARM-conformant system must implement a five-step control loop around each agent action — before the action is executed.

01 Intercept: Capture every agent-initiated action before it reaches the environment. No action may bypass the control plane.
02 Accumulate: Build a running context from the agent's stated intent, prior actions in the session, and the task thread.
03 Evaluate: Run the action against a policy that considers both what the action does and whether it aligns with the agent's original intent.
04 Decide: Produce one of five outcomes: ALLOW the action, DENY it, MODIFY it to be safe, STEP_UP to require human approval, or DEFER for later review.
05 Record: Produce a tamper-evident receipt for every evaluation — timestamped, identity-bound, and cryptographically verifiable.
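The five steps above, as an added Python illustration that is not AARM's own reference code: a session accumulates the stated intent and executed actions, a toy policy yields one of the five outcomes, and every evaluation appends a SHA-256 hash-chained receipt (standing in for the signature a real implementation would use). The tool names, paths and policy rules are constructed for the demo.

```python
import hashlib, json, time
KNOWN_TOOLS = {"file.read", "file.write", "http.get", "email.send"}  # constructed tool set
SECRET_PATHS = ("/etc/", "/home/app/.ssh/")  # constructed: paths treated as sensitive
GENESIS = "0" * 64  # "previous hash" of the first receipt in a chain
def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
class Session:
    """Step 2 (Accumulate): the agent's stated intent plus the actions executed so far."""
    def __init__(self, agent_id, intent_tools, workspace):
        self.agent_id, self.intent_tools, self.workspace = agent_id, set(intent_tools), workspace
        self.history, self.receipts = [], []  # executed actions; hash-chained receipts

def evaluate(session, action):
    """Step 3 (Evaluate): what the action does, and whether it fits the stated intent."""
    tool, arg = action["tool"], action["arg"]
    if tool not in KNOWN_TOOLS:
        return "DEFER", action, "unknown tool, queued for review"
    if tool not in session.intent_tools:
        return "DENY", action, "tool outside the agent's stated intent"
    if tool == "file.write" and not arg.startswith(session.workspace):
        safe = dict(action, arg=session.workspace + arg.rsplit("/", 1)[-1])
        return "MODIFY", safe, "write redirected into the workspace"
    read_secret = any(a["tool"] == "file.read" and a["arg"].startswith(SECRET_PATHS) for a in session.history)
    if tool in ("http.get", "email.send") and read_secret:
        return "STEP_UP", action, "outbound action after reading sensitive data"
    return "ALLOW", action, "policy satisfied"

def record(session, action, decision, reason):
    """Step 5 (Record): timestamped, identity-bound receipt committing to the previous hash."""
    prev = session.receipts[-1]["hash"] if session.receipts else GENESIS
    body = {"ts": time.time(), "agent": session.agent_id, "action": action,
            "decision": decision, "reason": reason, "prev": prev}
    session.receipts.append({**body, "hash": digest(body)})

def govern(session, action):
    """Steps 1 and 4: every action enters here; returns the decision and the effective action."""
    decision, effective, reason = evaluate(session, action)
    record(session, effective, decision, reason)
    if decision in ("ALLOW", "MODIFY"):
        session.history.append(effective)  # only actions that reach the environment join the context
    return decision, effective

def verify_receipts(receipts):
    """Recompute the chain; editing or removing a receipt breaks the link that follows it."""
    prev = GENESIS
    for r in receipts:
        if r["prev"] != prev or digest({k: v for k, v in r.items() if k != "hash"}) != r["hash"]:
            return False
        prev = r["hash"]
    return True
```

A hash chain alone only detects edits inside the chain; the head hash still has to be signed or anchored outside the agent's reach for the receipts to be cryptographically verifiable.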

Two conformance levels

AARM defines two levels of conformance, so implementations can start with a strong baseline and grow into full governance maturity.

AARM Core
R1–R6

All six requirements are mandatory. Covers the full intercept-accumulate-evaluate-decide-record cycle plus cryptographic identity binding. This is the baseline for conformance claims.

AARM Extended
R1–R9

Core plus three additional SHOULD requirements: semantic drift tracking across long task horizons, OpenTelemetry-compatible telemetry export, and runtime least-privilege enforcement.

What it defends against

The AARM threat model covers 11 classes of attack on agentic AI systems. An AARM-conformant implementation addresses all of them.

Prompt injection
Data exfiltration
Confused deputy
Goal hijacking
Memory poisoning
Intent drift
Cross-agent propagation
Over-privileged credentials
Side-channel leakage
Environmental manipulation
Malicious tool output

Origins and governance

AARM was developed by a Technical Working Group (TWG) operating under the Cloud Security Alliance — the world’s leading organization dedicated to defining and raising awareness of best practices for secure cloud computing.

The specification was first published in early 2026 and is versioned publicly on GitHub. The TWG meets regularly to review proposals, validate conformance claims, and extend the threat model as the agentic AI landscape evolves.

Conformance is community-verified: builders submit an evidence package against the published testing protocol, and the TWG reviews and approves conformance claims. There is no proprietary certification body — the standard is open and the process is transparent.