Documentation Index
Fetch the complete documentation index at: https://aarm.dev/llms.txt
Use this file to discover all available pages before exploring further.
Overview
AI agents often run with credentials that are broader, longer-lived, and more reusable than the task actually requires. This creates privilege amplification: a small reasoning error or successful attack produces consequences far beyond the user’s original intent.How It Happens
Common failure modes:- long-lived service tokens reused across many workflows
- admin-level API keys embedded in agent runtimes
- broad OAuth scopes granted “for convenience”
- shared credentials reused across users, tasks, or tenants
Why It Matters
| Risk | Effect |
|---|---|
| Excessive scope | One tool call can affect far more resources than intended |
| Poor attribution | Shared credentials blur who authorized what |
| Long lifetime | Compromise remains useful long after the original task |
| Cross-context reuse | Authority leaks across unrelated sessions or tenants |
AARM Mitigations
Scoped identities
Bind action execution to:- human principal
- service identity
- session
- task scope
Just-in-time credentials
Mint narrow, short-lived credentials for the specific action or workflow.Policy checks on effective privilege
Treat privilege scope as part of evaluation context, not just background configuration.Detection Signals
| Signal | Indicates |
|---|---|
| Scope exceeds task intent | The action is running with more authority than required |
| Credential reused across unrelated sessions | Poor isolation |
| High-impact operation under routine workflow | Privilege-task mismatch |
| Missing user-to-service binding | Weak attribution chain |
Key Takeaway
Least privilege is not optional in agent systems. AARM treats the effective authority behind an action as part of the runtime decision, not merely as deployment background.
Next
Confused Deputy
How manipulated agents misuse legitimate credentials
Action Mediation
Where scoped credentials and invocation policy meet