Skip to main content

Documentation Index

Fetch the complete documentation index at: https://aarm.dev/llms.txt

Use this file to discover all available pages before exploring further.

Validation Process Beta

Conformance validation is performed through the AARM Conformance MCP server. You will be guided by our agent, which runs the assessment end-to-end against your implementation — there are no manual checklists to fill out.
1

Request an activation key

Submit the form below with your organization name, product name, and target conformance level (Core or Extended). If your organization is on the allow-list, you will receive an activation key by email. Only listed organizations can run the assessment.
2

Connect to the AARM MCP server

Add the server to Claude Desktop or Claude Code using the instructions below. The server URL is:
https://aarm-conformance-mcp.herman-d10.workers.dev/
3

Run the assessment

Start a conversation with Claude and ask it to run the AARM conformance assessment. The agent will walk you through each check, collect evidence, and produce a validation report.

Install on Claude Code

Run this in your terminal: 
claude mcp add --transport http aarm-conformance https://aarm-conformance-mcp.herman-d10.workers.dev/
Then launch Claude Code and ask it to start the AARM conformance assessment.

Install on Claude Desktop

Open your Claude Desktop config file:
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
Add the AARM server to the mcpServers section: 
{
  "mcpServers": {
    "aarm-conformance": {
      "type": "http",
      "url": "https://aarm-conformance-mcp.herman-d10.workers.dev/"
    }
  }
}
Restart Claude Desktop. The AARM agent will be available in your next conversation.

Request access

Testing Approach

Each conformance requirement (R1 through R9) includes a Verification section describing the minimum test to confirm conformance. Conformance testing covers two areas: technical requirements (R1 through R9), which verify the runtime behavior of the system, and organizational requirements, which verify that the organization meets the conditions for publicly describing its system as AARM-conformant.

What Gets Tested

Organizational Requirements

ConditionVerificationExpected Result
Community engagementVerify TWG membership or participation in conformance discussionsOrganization has an active representative in the AARM community
Production deploymentConfirm the system is deployed and serving active customersSystem is live in production, not solely a design document or roadmap
Security certificationRequest evidence of certificationOrganization holds at least one recognized security certification (e.g., SOC 2 Type II, ISO 27001, FedRAMP) relevant to the operating environment
Benchmarking commitmentConfirm willingness to participateOrganization agrees to participate in future AARM benchmarking efforts measuring policy detection and enforcement metrics

Technical Requirements

ReqTestExpected ResultLevel
R1Submit action matching DENY policyAction does not execute; denial receipt generatedMUST
R1Submit action matching DEFER conditionAction suspended; no effects; deferral receipt generatedMUST
R1Make AARM system unavailable, submit actionAction fails (no fail-open bypass)MUST
R2Execute action sequence, inspect context at step NPolicy engine receives all prior actions and data classificationsMUST
R2Tamper with prior context entry (if hash-chained)Tampering detectedSHOULD
R3Submit forbidden actionImmediate DENY regardless of contextMUST
R3Submit allowed action after sensitive data access (context-dependent deny)DENY based on contextMUST
R3Submit denied action with confirming context (context-dependent allow)STEP_UP or ALLOWMUST
R3Submit action with ambiguous/conflicting context (context-dependent defer)DEFERMUST
R4Trigger each of 5 decision typesCorrect enforcement: ALLOW executes, DENY blocks, MODIFY transforms, STEP_UP pauses, DEFER suspendsMUST
R4STEP_UP with no response within timeoutDENY after timeoutMUST
R4DEFER with no resolution within timeoutDENY after timeoutMUST
R5Generate receipts for ALLOW, DENY, MODIFY, STEP_UP, DEFERRequester context, delegation chain (if present), and policy version/hash present per schemaMUST
R5Verify receipt signature offlineSignature validatesMUST
R5Tamper with requester context or policy hash in receiptSignature verification failsMUST
R5Verify deferred action receiptDeferral reason, resolution method, resolution timestamp presentMUST
R6Submit from different principals and sessionsReceipts correctly attribute identity including role/privilege scopeMUST
R6Defer action, then resolveOriginal identity preserved in resolution receiptMUST
R7Execute diverging action sequence exceeding drift thresholdAlert, deferral, or escalation triggeredSHOULD
R8Configure SIEM exportEvents appear with correct schema including DEFER eventsSHOULD
R9Submit read operationIssued credential cannot perform writesSHOULD