AARM
Join TWG
← Builder Registry

Formal

AARM Core

Protocol-aware reverse proxy for data, infrastructure, and AI agent traffic

formal.ai

Overview

Formal is a protocol-aware reverse proxy that enforces least privilege at the wire-protocol level across data, infrastructure, and AI agent traffic. It sits between identities and resources like databases, warehouses, SSH/Kubernetes servers, and MCP servers — parsing wire protocols natively and evaluating security policies inline on every request. For AI agent workloads, Formal proxies traffic between agents and resources, applying identity resolution, query-level authorization, PII masking, tool-call filtering, and full audit capture.

Classification

Coverage surface
Data/DBNetworkMCP
Stage
Not provided yet
Type
Not provided yet
Target audience
Enterprise
Deployment
Self-hosted

Technical profile

Spec-grounded axes, verified by the TWG.

Interception architecture (R1)
Protocol Gateway
Policy model (R3)
Deterministic
Authorization decisions (R4)
ALLOWDENYMODIFYSTEP_UP
Conformance level
Core (R1–R6)

Conformance review

Specification versionAARM v1.0
Conformance tierCore (R1–R6)
Verified byHerman Errico, AARM Author
DateApril 10, 2026
R1Pre-execution interception
R2Context accumulation
R3Policy evaluation with intent alignmentDeterministic; non intent-based
R4Five authorization decisions
R5Tamper-evident receipts
R6Identity binding
R7Semantic distance tracking
R8Telemetry export
R9Least privilege enforcement

Platform capabilities

  • Universal agent network proxy covering databases, infrastructure, and MCP servers
  • Eight inline policy actions: Allow, Block, Mask, Filter, Rewrite, Quarantine, Suspend, MFA
  • Identity-aware JIT access scoped to individual commands and data
  • Panopticon audit layer with sub-second search across full history
  • PII and PHI masking at the query level for HIPAA, SOC 2, PCI DSS, and GDPR
  • Policy backtesting against 31 days of historical logs before enforcement

Architecture

Formal enforces AARM requirements through interception at two complementary layers. The first is a client-side layer that sits between AI coding tools and the model APIs they call, allowing agent tool calls to be inspected and blocked pre-execution based on policy. The second layer is a protocol-aware proxy between identities and downstream resources. It applies policies across session, request, and response stages. Because agent-originated traffic carries context from the first layer, the proxy can differentiate human-issued queries from agent-session queries and apply controls accordingly. Policy decisions, identity bindings, and tool calls are written to a tamper-evident audit trail, exportable to common SIEM and observability backends.

Key facts

Founded2023
Funding$6M+ seed (Thrive Capital)

Listed in the AARM registry. Conformance verified by the AARM working group.

Work here? Manage this listing →
Formal — AARM Builder