Overview
AARM is a specification, not an implementation. The choice of implementation architecture significantly affects security guarantees, deployment complexity, and operational characteristics. The four architectures are defined by what you control:| Architecture | You Control | Enforcement Point | Bypass Resistance | Context Richness | Defer Support |
|---|---|---|---|---|---|
| Protocol Gateway | Network | Network | High | Limited | Partial |
| SDK / Instrumentation | Code | Application | Medium | Full | Full |
| Kernel / eBPF | Host | Kernel | Very High | None | Limited |
| Vendor Integration | Policy only | Vendor runtime | Vendor-dependent | Vendor-dependent | Limited–Moderate |
The Control Hierarchy
Architecture selection depends on what you control:- Full control (self-hosted): All architectures available. Choose based on capability requirements.
- Code control (managed infrastructure): Gateway and SDK available. eBPF may not be possible without host access.
- Network control only: Gateway is the primary option.
- No control (SaaS): Vendor Integration is the only option. If the vendor does not offer hooks, push for support using the specification as leverage.
Selecting an Architecture
- Choose Gateway when you control the network, protocol adoption (e.g., MCP) is high, and minimal agent modification is required. Good balance of enforcement strength and integration simplicity.
- Choose SDK when you control the agent code, rich context is essential for intent alignment, and your team can maintain the integration. Best for sophisticated intent drift detection and autonomous deferral resolution.
- Choose eBPF when you control the host, maximum bypass resistance is required, and forbidden action enforcement is the priority. Must be paired with a semantic-aware architecture for AARM conformance.
- Choose Vendor Integration when the agent is a SaaS product you do not control and the vendor offers synchronous governance hooks. The only option for third-party agents.
Action Classification Support
Not all architectures can enforce all four action classifications equally:| Classification | Gateway | SDK | eBPF | Vendor |
|---|---|---|---|---|
| Forbidden | ✅ Full | ✅ Full | ✅ Strong | ✅ Full |
| Context-Dependent Deny | ✅ Good | ✅ Full | ⚠️ Weak | Depends on context |
| Context-Dependent Allow | ⚠️ Partial | ✅ Full | ❌ Not feasible | Depends on context |
| Context-Dependent Defer | ⚠️ Partial | ✅ Full | ⚠️ Limited | ⚠️ Limited–Moderate |
All Architectures Must Implement
Regardless of deployment pattern, every AARM architecture implements the same core components:- Action Mediation — intercept before execution
- Context Accumulation — track session state
- Policy Evaluation — static policy + intent alignment
- Approval Workflows — STEP_UP decisions
- Deferral Workflows — DEFER decisions
- Receipt Generation — tamper-evident records
- Telemetry Export — structured events