# AARM/CSA Specification v1.0

## Docs

- [Architecture C: Kernel / eBPF](https://aarm.dev/architectures/ebpf.md): Kernel-level monitoring with maximum bypass resistance — deployed as a defense-in-depth backstop.
- [Architecture A: Protocol Gateway](https://aarm.dev/architectures/gateway.md): AARM as a network-level proxy intercepting tool protocol traffic.
- [Layered Deployment](https://aarm.dev/architectures/layered-deployment.md): Combining architectures for defense-in-depth coverage across all action classifications.
- [Implementation Architectures](https://aarm.dev/architectures/overview.md): Four reference architectures for deploying AARM, based on what you control.
- [Architecture B: SDK / Instrumentation](https://aarm.dev/architectures/sdk.md): AARM embedded within the agent runtime for maximum context visibility.
- [Architecture D: Vendor Integration](https://aarm.dev/architectures/vendor-integration.md): AARM for SaaS agents where you control nothing but policy.
- [Builders Registry](https://aarm.dev/builders.md): Companies building AARM-conformant systems and those aligned with the AARM problem space.
- [Action Classification](https://aarm.dev/components/action-classification.md): How AARM categorizes actions based on policy and contextual intent alignment.
- [Action Mediation Layer](https://aarm.dev/components/action-mediation.md): Intercepts tool invocations and normalizes them to AARM's canonical action schema.
- [Approval Service](https://aarm.dev/components/approval-service.md): Human-in-the-loop authorization for high-risk and ambiguous actions.
- [Context Accumulator](https://aarm.dev/components/context-accumulator.md): Tracks session state, prior actions, and data accessed to enable context-aware policy evaluation.
- [Deferral Service](https://aarm.dev/components/deferral-service.md): Resolve DEFER decisions through progressive context collection, bounded waiting, and escalation.
- [Components Overview](https://aarm.dev/components/overview.md): The six components that make up an AARM-compliant system.
- [Policy Engine](https://aarm.dev/components/policy-engine.md): Evaluates actions against policy rules and enforces decisions.
- [Receipt Generator](https://aarm.dev/components/receipts.md): Creates tamper-evident audit records for every action.
- [Telemetry Exporter](https://aarm.dev/components/telemetry.md): Exports structured events to SIEM, SOAR, and security platforms for monitoring and compliance.
- [Conformance Requirements](https://aarm.dev/conformance/requirements.md): What a system must do to be AARM-conformant.
- [Conformance Testing](https://aarm.dev/conformance/testing.md): How to verify that an AARM implementation satisfies the conformance requirements.
- [What is AARM](https://aarm.dev/definition.md): Formal definition of Autonomous Action Runtime Management and what it is (and is not).
- [First Policy](https://aarm.dev/guides/first-policy.md): Learn AARM policy syntax by writing rules for common scenarios.
- [Quickstart](https://aarm.dev/guides/quickstart.md): Implement AARM patterns in your stack in under 30 minutes.
- [Autonomous Action Runtime Management (AARM)](https://aarm.dev/index.md): AARM is an open system category specification for securing AI-driven actions at runtime. Build systems that intercept, authorize, and audit autonomous actions before they execute.
- [Approval Flows](https://aarm.dev/patterns/approval-flows.md): Implement step-up authorization for high-risk actions.
- [Deferral Flows](https://aarm.dev/patterns/deferral-flows.md): Implement DEFER decisions with progressive context collection, bounded waiting, and escalation.
- [MCP Gateway](https://aarm.dev/patterns/mcp-gateway.md): Implement AARM as a protocol-level gateway for MCP tools.
- [OpenTelemetry Ingestion](https://aarm.dev/patterns/otel-ingestion.md): Ingest agent telemetry via OpenTelemetry Protocol (OTLP) as a native input source for AARM.
- [Receipt Signing](https://aarm.dev/patterns/receipt-signing.md): Generate tamper-evident receipts for forensic reconstruction.
- [The Problem](https://aarm.dev/problem.md): AI agents execute actions with real-world consequences. Traditional security architectures weren't designed for this.
- [Research](https://aarm.dev/research/aligned.md): The foundational paper, open challenges, and community research aligned with the AARM specification.
- [Research Directions](https://aarm.dev/research/open-challenges.md): Open problems in AI agent runtime security that require further research.
- [Confused Deputy](https://aarm.dev/threats/confused-deputy.md): Agents with legitimate authority are manipulated into performing operations users never intended or would not authorize.
- [Cross-Agent Propagation](https://aarm.dev/threats/cross-agent-propagation.md): Compromised agents escalating or delegating through multi-agent workflows.
- [Data Exfiltration](https://aarm.dev/threats/data-exfiltration.md): Individual actions satisfy policy while their composition constitutes unauthorized data theft.
- [Environmental Manipulation](https://aarm.dev/threats/environmental-manipulation.md): Attackers alter the surrounding system state so the agent makes harmful but seemingly justified decisions.
- [Goal Hijacking](https://aarm.dev/threats/goal-hijacking.md): Injected or inferred objectives alter the agent's planning and cause it to optimize for attacker goals.
- [Intent Drift](https://aarm.dev/threats/intent-drift.md): When agent actions gradually diverge from the user's original request.
- [Malicious Tool Outputs](https://aarm.dev/threats/malicious-tool-output.md): Adversarial tool responses designed to manipulate subsequent agent behavior.
- [Memory Poisoning](https://aarm.dev/threats/memory-poisoning.md): Persistent context is manipulated so future agent decisions are biased toward attacker objectives.
- [Over-Privileged Credentials](https://aarm.dev/threats/over-privileged-credentials.md): Static, excessive credentials amplify the blast radius of agent mistakes and attacks.
- [Threat Model](https://aarm.dev/threats/overview.md): Eleven threat categories, trust assumptions, and the attack lifecycle for AI-driven actions.
- [Prompt injection](https://aarm.dev/threats/prompt-injection.md)
- [Side-Channel Leakage](https://aarm.dev/threats/side-channel-leakage.md): Sensitive data escapes through logs, traces, metadata, and other indirect channels around tool execution.
- [Technical Working Group](https://aarm.dev/working-group.md): The AARM Technical Working Group (TWG): the people defining, evolving, and advocating for the specification.

## Optional

- [GitHub](https://github.com/aarm-dev/docs)
- [Paper (PDF)](https://arxiv.org/abs/2602.09433)