Skip to main content

Description

AARM is embedded within the agent runtime as an SDK, middleware layer, or instrumentation hook. Tool invocations pass through AARM code before reaching tool implementations. The SDK intercepts function calls, maintains context, evaluates policies (locally or via remote service), and emits receipts. 
┌─────────────────────────────┐
│        Agent Runtime        │
│  ┌───────────────────────┐  │       ┌──────────────┐
│  │     Agent Logic       │  │       │   Policy     │
│  └──────────┬────────────┘  │       │   Service    │
│             ▼               │       └──────┬───────┘
│  ┌───────────────────────┐  │              │
│  │     AARM Hook         │──┼──────────────┘
│  └──────────┬────────────┘  │
│             ▼               │       ┌──────────────┐
│  ┌───────────────────────┐  │       │   Receipt    │
│  │     Tool Calls        │  │       │   Store      │
│  └───────────────────────┘  │       └──────────────┘
└─────────────────────────────┘
The key advantage is direct access to agent internals, enabling context accumulation that external observers cannot achieve.

Trust Properties

PropertyValue
Enforcement pointApplication level — depends on correct integration
Bypass riskHigher than gateway — bugs or misconfiguration could bypass AARM
Context richnessMaximum — direct access to original request, reasoning traces, memory
Semantic distanceFull precision — access to original request and current action
Failure modeConfigurable — fail closed recommended

Context Accumulation Advantages

The SDK excels because it operates inside the agent runtime:
  • Original request capture — intercepts user’s initial request without explicit passing
  • Reasoning trace access — includes chain-of-thought and tool selection rationale
  • Memory access — observes agent memory for poisoning or anomalous context
  • Real-time drift detection — detects intent drift before actions are attempted

Action Classification Support

ClassificationSupportNotes
Forbidden✅ FullStatic policy rules with immediate denial
Context-Dependent Deny✅ FullRich context detects intent misalignment
Context-Dependent Allow✅ FullAccess to original request verifies legitimate intent
Context-Dependent Defer✅ FullCan collect additional runtime data to resolve autonomously

Framework Integration

FrameworkIntegration Pattern
LangChainCustom callback handlers (on_tool_start, on_tool_end)
OpenAI Agents SDKMiddleware wrapping tool execution functions
AutoGPT / CrewAIPlugin architecture with custom tool wrappers
Custom agentsDecorator pattern wrapping tool functions

When to Use

  • You control the agent code and can modify it
  • Rich context is essential for policy decisions
  • Intent drift detection is a priority
  • Self-hosted agents with engineering capacity

When Not to Use

  • Agent code cannot be modified
  • Agent is a SaaS product you do not control
  • Framework evolves rapidly, creating version coupling