AARM Specification
Open specification for securing AI-driven actions at runtime. Defines components, behaviours, and conformance requirements for systems that intercept, authorise, and audit autonomous agent actions before execution.
What it does
Autonomous Action Runtime Management (AARM) is an open system specification — not a product — for securing AI agent actions at runtime. It defines what a runtime security system must do: intercept actions before execution, accumulate session context, evaluate against organisational policy, enforce authorisation decisions (allow, deny, modify, defer, or require approval), and record tamper-evident receipts. Covers threat models including prompt injection, confused deputy, privilege amplification, goal hijacking, and cross-agent propagation. Published with an arXiv paper and a technical working group.
Security relevance
Addresses the runtime security gap where existing tools (SIEM, API gateways, firewalls, prompt guardrails) fail for autonomous agents. Defines action classification into four categories: forbidden, context-dependent, routine, and novel. The specification's policy engine and action mediation layer concepts map directly to OWASP Agentic risks around excessive agency, insufficient access controls, and insecure tool integration.
When to use it
Use as a reference architecture when designing or evaluating agent security systems. Not something you install — it's a specification you build against or use to assess whether vendor solutions provide genuine runtime agent security. Particularly valuable for security architects designing agentic AI governance frameworks.
OWASP coverage
Risks addressed — mapped to both OWASP Top 10 standards. 1 in LLM, 6 in Agentic.
The raw record
What Yuntona stores. Single source of truth — fork it on GitHub.
name: AARM Specification
slug: aarm-specification
type: Mixed
category: AI Governance & Standards
url: https://aarm.dev
reviewed: 2026-04
added: 2026-04
updated: 2026-04
risks:
  llm: [LLM06]
  asi: [ASI01, ASI02, ASI04, ASI06, ASI07, ASI09]
complexity: Plug & Play
pricing: —
audience: AppSec
lifecycle: [deploy]
tags: [Academic, Agentic, Open Source, Runtime Security, Specification]