Skip to main content

Description

Enterprises increasingly use SaaS agents (ChatGPT, Claude.ai, Microsoft Copilot) where they control none of the infrastructure — no network paths, no runtime code, no compute environments. For these environments, AARM enforcement must occur inside the vendor’s infrastructure. Architecture D positions AARM as a vendor-side extension. The vendor provides hooks that execute before tool invocations, allowing customers to plug in AARM-conformant policy engines. 
┌──────────────────────────────────────────┐
│           Vendor Environment             │
│  ┌────────┐   ┌─────────┐   ┌────────┐  │
│  │ Agent  │──►│  AARM   │──►│ Tools  │  │
│  │        │   │Extension│   │        │  │
│  └────────┘   └────┬────┘   └────────┘  │
│                    │                     │
└────────────────────┼─────────────────────┘
                     │ evaluate

              ┌─────────────┐
              │  Customer   │
              │  Policy     │
              │  Service    │
              └─────────────┘

Synchronous Execution Requirement

Vendor-side governance hooks MUST execute synchronously and prior to any side-effectful tool execution. No tool effects may occur before the hook returns a decision.Asynchronous or best-effort hooks that permit execution to proceed before evaluation completes do not satisfy AARM requirements.

The Integration Model

If a vendor allows customers to install tools that expand what an agent can do (plugins, MCP servers, extensions), they should equally allow governance extensions that constrain what an agent can do. The integration surface is identical; only the purpose differs.
DomainCapability ExtensionGovernance Extension
BrowsersExtensions (add features)Content blockers, policy engines
MobileApps (add capabilities)MDM profiles (constrain behavior)
CloudServices (add capabilities)IAM policies, SCPs (constrain access)
AgentsTools/Plugins (add actions)AARM (constrain actions)
Every mature platform eventually needs both. Agents are early in this evolution.

Vendor Requirements

For Architecture D to function, vendors must provide:
RequirementDetails
Pre-action hookSynchronous callback before each tool invocation with action details and context
Decision enforcementBlock, modify, defer, or escalate based on extension response (ALLOW, DENY, MODIFY, STEP_UP, DEFER)
Context availabilityAt minimum: tool, operation, parameters, and requester context (human principal, agent/service identity, session, privilege scope). Delegation chain should be provided when applicable. Richer context enables stronger policies
Receipt exportExport or receive action receipts for customer audit trails, including requester context and policy version/hash
Timeout handlingConfigurable behavior when policy service is unavailable. Fail closed (DENY) MUST be supported

Action Classification Support

ClassificationSupportDependency
Forbidden✅ FullRequires only tool + parameters
Context-Dependent DenyVariesRequires vendor to expose prior actions and data classifications
Context-Dependent AllowVariesRequires vendor to expose original request and conversation history
Context-Dependent Defer⚠️ Limited–ModerateCan suspend when vendor provides partial or ambiguous context

Trust Properties

PropertyValue
Enforcement pointInside vendor runtime at vendor-provided hook
Bypass resistanceDepends entirely on vendor implementation quality
Context richnessDepends on what vendor exposes
Customer controlPolicy logic is customer-controlled; enforcement is vendor-controlled
Trust dependencyMust trust vendor implements hooks correctly — unique to this architecture

Driving Vendor Adoption

Architecture D creates a collective action problem. AARM addresses this by defining what governance hooks should provide:
  • Customer requirements: Enterprises can require AARM-compatible hooks in vendor evaluations
  • Vendor differentiation: Enterprise-focused vendors differentiate by offering AARM-compliant integration
  • Ecosystem development: Third-party AARM implementations target a standard interface
The goal: shift from “does this vendor support governance?” to “is this vendor’s governance AARM-compliant?”

Precedent

StandardPattern
OAuth/OIDCStandardized authentication hooks — customers bring their own identity provider
SCIMStandardized provisioning hooks for user lifecycle
MDM profilesPlatform vendors provide hooks for enterprise policy enforcement
AARMStandardized governance hooks — customers bring their own policy engine
AARM is to agent actions what OAuth is to authentication.

When to Use

  • Agent is a SaaS product (ChatGPT, Claude.ai, Copilot)
  • You do not control the network, code, or host
  • Vendor offers synchronous governance hooks
  • Policy enforcement on third-party agents is required

When Not to Use

  • Vendor does not offer governance hooks (push for support)
  • Trust in vendor implementation is not acceptable
  • Latency requirements cannot accommodate external policy evaluation