AARM
Join TWG
Upcoming EventAAuth Night: Moving Beyond OAuth· 111 Minna St, San Francisco, CA
A Cloud Security Alliance Powered Project

The system category for agentic runtime security.

AARM defines the security controls an AI agent runtime must implement before any action is executed — intercept, evaluate against policy, decide, and produce a tamper-evident record.

Read the SpecificationBrowse Builders

The AARM specification has been adopted by

67
companies building on AARM
7
completed a formal conformance review

Two conformance levels

Clear requirements for products serious about AI agent security.

✓ AARM Core
R1 – R6

All six requirements are MUST. Satisfying these is the baseline for AARM conformance — pre-execution interception through identity binding.

View requirements →
✦ AARM Extended
R1 – R9

Core plus three SHOULD requirements: semantic drift tracking, telemetry export, and least-privilege enforcement.

View requirements →

Conformant builders

Products that satisfy AARM specification requirements.

All 67 builders →
Noma Securityextended

Noma discovers, governs, and protects AI and agents across the enterprise — from homegrown AI to SaaS agents and coding assistants.

Runlayerextended

Enterprise control plane for MCP servers, skills, plugins, and agents — host, govern, and secure the AI tools employees rely on.

Operant AIextended

Runtime application protection for AI agents, MCP, and agentic workloads — intercepts tool calls, prompts, and shell executions before execution.

Agent Governance Toolkit (Microsoft)extended

Open-source runtime policy enforcement, execution rings, and tamper-evident audit chain for autonomous AI agents

Formalcore

Protocol-aware reverse proxy enforcing least privilege at the wire-protocol level for data, infrastructure, and AI agent traffic.

MintMCPcore

Enterprise governance platform for AI agents and MCP servers.

Highflamecore

Highflame is the enterprise control fabric for AI agents, coding assistants, and the MCP tools they rely on. It gives every agent — built in-house or installed from a marketplace — its own verifiable credential, and checks each action against runtime policy before it executes: at the model, in IDEs like Cursor and Claude Code, and at the tool gateway over MCP and A2A — without changing how teams build. The platform combines ZeroID, an open-source agent identity layer, with real-time threat detection, human-in-the-loop approvals, an agent kill switch with instant revocation, and a tamper-evident audit trail that traces every action back to a person.

11 threat classes addressed

AARM systems are designed to defend against all known classes of attack on agentic AI.

Prompt injectionData exfiltrationConfused deputyGoal hijackingMemory poisoningIntent driftCross-agent propagationOver-privileged credentialsSide-channel leakageEnvironmental manipulationMalicious tool output
Cloud Security Alliance

Join the AARM Working Group

A system category specification built by security practitioners, researchers, and builders. Come shape the future of AI agent security.

Join the CSA Working Group
Morty Proxy This is a proxified and sanitized view of the page, visit original site.