Runlayer

✓ AARM CONFORMANT — EXTENDEDMCP & AI agent security · runlayer.com ↗

Overview
Conformance
About

Status

Conformant

Tier

Extended (R1–R9)

Verified

April 2026

Builder Member

Yes

Description

Runlayer is the enterprise control plane for MCP servers, skills, and agents. It gives organizations a single place to host, govern, and secure the AI tools their employees already rely on — across clients like Cursor, Claude Code, ChatGPT, VS Code, and any other MCP-compatible client — without forcing users to change their workflows.The platform combines a curated catalog of vetted MCP servers, skills, and agents with real-time threat detection, identity-aware access control, and full observability across every agent action. Runlayer integrates natively with identity providers like Okta and Entra, supports SSO and SCIM, and can be deployed in Runlayer’s cloud or self-hosted behind a customer’s VPC with zero data egress.Runlayer’s relevance to AARM is direct: it operates at the exact chokepoint where agents call tools, which makes it a natural enforcement point for runtime authorization, context accumulation, and tamper-evident auditing of autonomous agent activity.

Platform capabilities

MCP gateway

Proxies every tool call between AI clients and MCP servers, applying policies and security models in real time before requests reach downstream systems.

Shadow detection & enforcement

Endpoint-level visibility and enforcement on local machines via MDM, EDR, or client hooks — catching activity that bypasses the gateway path.

Threat detection models

Purpose-built ML models trained on large corpora of MCP-specific attacks, covering tool calls, list operations, and full-session intent analysis.

Identity-aware access control

Deep integration with Okta, Entra, and other IdPs for SSO, SCIM, conditional access, and fine-grained attribute-based authorization.

Unified audit & observability

Tamper-evident logs of every agent action, tool call, and platform event — with full session reconstruction across clients and tools.

Human-in-the-loop approvals

Slack-based approval workflows for sensitive agent actions, scoped to the agent creator or designated approvers.

Integration coverage

Runlayer is designed to sit in front of the AI tools enterprises already use, without changing developer workflows or requiring custom client builds.

AI clients

Supports 300+ MCP-compatible clients including Cursor, VS Code, Claude Code, GitHub Copilot, ChatGPT, Claude Desktop, and Windsurf. Any client implementing MCP works out of the box.

MCP servers, skills, and agents

Curated catalog covering 18,000+ MCP servers, skills, plugins, and agents. Internal APIs can be converted into MCP servers with the same access controls and observability as external ones.

Identity and security stack

Native integration with Okta, Entra, and other major identity providers. Exports audit logs and telemetry to Splunk, Datadog, Honeycomb, Panther (via S3), CSV, and directly through MCP itself.

Deployment models

Available as a managed cloud offering or self-hosted behind the customer’s VPC with zero data egress.

Conformance record


Specification version	AARM v1.0
Conformance tier	Extended (R1–R9)
Verified by	Herman Errico, AARM author
Date	April 2026

Architecture

Runlayer enforces AARM requirements through two complementary interception patterns. The first is a gateway pattern that sits between AI clients and MCP servers, proxying every tool call through a control plane where policies and security models evaluate the request before it reaches downstream systems. The second is a shadow pattern that extends visibility and enforcement to endpoints, so activity originating on local developer machines is also brought under the same policy surface.Context accumulation is handled through full session reconstruction across clients and tools, giving the platform end-to-end visibility into agent intent, reasoning, and actions — even though the underlying MCP protocol does not natively expose session identifiers. This accumulated context feeds into both deterministic policies (for example, identity-scoped allow/deny rules, attribute-based access, and restrictions on destructive tool classes) and non-deterministic security models that evaluate intent alignment across the full agent lifecycle.Authorization decisions, identity bindings, and policy evaluations are written to an append-only audit layer that records agent activity, user-initiated platform actions, and delegation events. Agents operate with their own distinct identities and act on behalf of the users that invoked them, making the full chain from human to agent to tool call traceable end to end.

AARM requirement coverage

Core requirements (R1–R6 MUST) extended requirements (R7–R9 SHOULD)

Requirement	Description	Status
R1	Pre-Execution Interception	✅ Met
R2	Context Accumulation	✅ Met
R3	Policy Evaluation with Intent Alignment	✅ Met
R4	Five authorization decisions (ALLOW / DENY / MODIFY / STEP_UP)	✅ Met
R5	Immutable audit log	✅ Met
R6	Identity Binding	✅ Met
R7	Semantic distance tracking	✅ Met
R8	Telemetry Export	✅ Met
R9	Least Privilege Enforcement	✅ Met

Company

Runlayer is building the trust layer between enterprises and their AI future — making MCP enterprise-ready so organizations can adopt AI agents across the business with complete observability and control. The company launched out of stealth in November 2025 with $11M in seed funding led by Khosla Ventures’ Keith Rabois and Felicis.The founding team has built AI products at scale, including shipping Zapier’s MCP, Agents, and AI Actions to millions of users. Runlayer works closely with David Soria Parra, the co-creator of the Model Context Protocol, who joined as an advisor and angel investor.Within four months of launching, Runlayer signed dozens of customers including eight unicorns and public companies such as Gusto, dbt Labs, Instacart, and Opendoor — reflecting the urgency enterprises feel around securing agent access to their most sensitive systems.

Key facts


Founded	2025
Funding	$11M seed (Khosla Ventures, Felicis)
Customers	Dozens of enterprises including Gusto, dbt Labs, Instacart, Opendoor
Leadership	Andrew Berman (CEO), Tal Peretz, Vitor Balocco
Deployment	Cloud or self-hosted (VPC)

Contact


Website	runlayer.com ↗
LinkedIn	linkedin.com/company/runlayer ↗

This page is maintained by the AARM Technical Working Group. To report an inaccuracy or request an update, open a GitHub issue.

Overview

Conformance

System Components

Implementation Architectures

Threat Model

Related Research

Description

Platform capabilities

MCP gateway

Shadow detection & enforcement

Threat detection models

Identity-aware access control

Unified audit & observability

Human-in-the-loop approvals

Integration coverage

Conformance record

Architecture

AARM requirement coverage

Core requirements (R1–R6 MUST) extended requirements (R7–R9 SHOULD)

Company

Key facts

Contact

Overview

Conformance

System Components

Implementation Architectures

Threat Model

Related Research

Documentation Index

​Description

​Platform capabilities

MCP gateway

Shadow detection & enforcement

Threat detection models

Identity-aware access control

Unified audit & observability

Human-in-the-loop approvals

​Integration coverage

​Conformance record

​Architecture

​AARM requirement coverage

​Core requirements (R1–R6 MUST) extended requirements (R7–R9 SHOULD)

​Company

​Key facts

​Contact

Description

Platform capabilities

Integration coverage

Conformance record

Architecture

AARM requirement coverage

Core requirements (R1–R6 MUST) extended requirements (R7–R9 SHOULD)

Company

Key facts

Contact