Autonomous Action Runtime Management(AARM):A System Specification for Securing AI-Driven Actions at Runtime

TL;DR

This paper presents AARM, a comprehensive open specification for securing AI-driven actions at runtime by intercepting, evaluating, and recording actions to prevent security breaches in autonomous AI systems.

Contribution

It introduces AARM, a novel, model-agnostic runtime security framework with formal threat models, classification, and multiple implementation architectures for safeguarding autonomous AI actions.

Findings

AARM effectively intercepts and evaluates AI actions before execution.

The framework addresses key threats like prompt injection and data exfiltration.

Multiple implementation architectures offer flexible trust models.

Abstract

As artificial intelligence systems evolve from passive assistants into autonomous agents capable of executing consequential actions, the security boundary shifts from model outputs to tool execution. Traditional security paradigms - log aggregation, perimeter defense, and post-hoc forensics - cannot protect systems where AI-driven actions are irreversible, execute at machine speed, and originate from potentially compromised orchestration layers. This paper introduces Autonomous Action Runtime Management (AARM), an open specification for securing AI-driven actions at runtime. AARM defines a runtime security system that intercepts actions before execution, accumulates session context, evaluates against policy and intent alignment, enforces authorization decisions, and records tamper-evident receipts for forensic reconstruction. We formalize a threat model addressing prompt injection, confused deputy attacks, data exfiltration, and intent drift. We introduce an action classification framework distinguishing forbidden, context-dependent deny, and context-dependent allow actions. We propose four implementation architectures - protocol gateway, SDK instrumentation, kernel eBPF, and vendor integration - with distinct trust properties, and specify minimum conformance requirements for AARM-compliant systems. AARM is model-agnostic, framework-agnostic, and vendor-neutral, treating action execution as the stable security boundary. This specification aims to establish industry-wide requirements before proprietary fragmentation forecloses interoperability.