
Conformance Levels

Level | Requirements
AARM Core | R1–R5 (all MUST)
AARM Extended | R1–R8 (all MUST + SHOULD)

Required (MUST)

R1: In-Line Authorization

Block actions before execution based on policy.
✓ Denied actions do not execute
✓ No effects on target systems
✓ Denial recorded in receipt

R2: Parameter Validation

Validate parameters against constraints.
✓ Type validation
✓ Range/limit enforcement  
✓ Allowlist/blocklist matching
✓ Pattern validation

R3: Step-Up Authorization

Support human approval workflows.
✓ Execution blocks pending approval
✓ Configurable approver routing
✓ Timeout handling
✓ Decision recorded in receipt

R4: Tamper-Evident Receipts

Generate signed receipts for all actions.
✓ Complete action representation
✓ Requester context + delegation chain
✓ Policy decision and reason
✓ Policy version or hash
✓ Cryptographic signature
✓ Offline verification
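
An added example, not taken from the AARM specification or any implementation of it, showing R1, R2 and R4 working together: parameters are validated before execution, a denied action never runs, and both outcomes produce a receipt that detects tampering. The tool name, policy format, field names and key are constructed for illustration, and HMAC-SHA256 stands in for the cryptographic signature so the code runs on the standard library alone. A real deployment would use an asymmetric signature so that offline verifiers hold only a public key.

```python
import hashlib, hmac, json, re

# Constructed sample policy; tool name and constraint keys are hypothetical.
POLICY = {"tool": "transfer_funds", "params": {
    "amount": {"type": "int", "min": 1, "max": 1000},       # type + range
    "currency": {"type": "str", "allow": ["USD", "EUR"]},   # allowlist
    "memo": {"type": "str", "pattern": r"[\w .,-]{0,64}"}}}  # pattern
TYPES = {"int": int, "str": str}
KEY = b"constructed-demo-key"  # HMAC stands in for an asymmetric signature

def canonical(obj):
    """Deterministic JSON bytes, so hashes and tags are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def validate(params, rules):
    """R2: return the reason for the first violated constraint, or None."""
    for name in params:
        if name not in rules:
            return f"{name}: unexpected parameter"
    for name, rule in rules.items():
        value = params.get(name)
        # exact type match: bool subclasses int and must not pass as one
        if type(value) is not TYPES[rule["type"]]:
            return f"{name}: expected {rule['type']}"
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            return f"{name}: outside {rule['min']}..{rule['max']}"
        if "allow" in rule and value not in rule["allow"]:
            return f"{name}: not in allowlist"
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            return f"{name}: pattern mismatch"
    return None

def authorize(action, requester, execute):
    """R1 + R4: decide before execution; emit a receipt for allow and deny."""
    reason = validate(action["params"], POLICY["params"]) \
        if action["tool"] == POLICY["tool"] else "tool not covered by policy"
    body = {"action": action, "requester": requester,
            "decision": "deny" if reason else "allow",
            "reason": reason or "all constraints satisfied",
            "policy_hash": hashlib.sha256(canonical(POLICY)).hexdigest()}
    if reason is None:
        execute(action)  # reached only when the policy allows the action
    tag = hmac.new(KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}

def verify(receipt):
    """Recompute the tag over every field except the signature itself."""
    body = {k: v for k, v in receipt.items() if k != "sig"}
    expected = hmac.new(KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])
```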

R5: Identity Binding

Bind actions to a non-forgeable requester context.
✓ Human principal
✓ Agent/service identity
✓ Session context
✓ Privilege scope
✓ Delegation chain (when applicable)
✓ Integrity-protected requester context

Recommended (SHOULD)

R6: Least Privilege

Support credential scoping.
○ Just-in-time issuance
○ Operation-specific scoping
○ Automatic rotation

R7: Telemetry Export

Export to security platforms.
○ Real-time streaming
○ Standard schemas (OCSF)
○ Configurable filtering

R8: Effect Capture

Record downstream state changes.
○ State hashes
○ Resource identifiers
○ Downstream correlation

Summary Table

ID | Level | Requirement
R1 | MUST | Block before execution
R2 | MUST | Parameter validation
R3 | MUST | Human approval workflows
R4 | MUST | Signed receipts
R5 | MUST | Identity binding
R6 | SHOULD | Least privilege
R7 | SHOULD | Telemetry export
R8 | SHOULD | Effect capture