defense 2026

Autonomous Action Runtime Management (AARM): A System Specification for Securing AI-Driven Actions at Runtime

Herman Errico

0 citations · 41 references · arXiv (Cornell University)


Published on arXiv

2602.09433

Excessive Agency

OWASP LLM Top 10 — LLM08

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

AARM establishes action execution as a stable, model-agnostic security boundary, enabling interception and contextual authorization of AI-driven tool calls to defend against prompt injection, confused deputy attacks, and intent drift before they produce irreversible consequences.

AARM (Autonomous Action Runtime Management)

Novel technique introduced


As artificial intelligence systems evolve from passive assistants into autonomous agents capable of executing consequential actions, the security boundary shifts from model outputs to tool execution. Traditional security paradigms - log aggregation, perimeter defense, and post-hoc forensics - cannot protect systems where AI-driven actions are irreversible, execute at machine speed, and originate from potentially compromised orchestration layers. This paper introduces Autonomous Action Runtime Management (AARM), an open specification for securing AI-driven actions at runtime. AARM defines a runtime security system that intercepts actions before execution, accumulates session context, evaluates against policy and intent alignment, enforces authorization decisions, and records tamper-evident receipts for forensic reconstruction. We formalize a threat model addressing prompt injection, confused deputy attacks, data exfiltration, and intent drift. We introduce an action classification framework distinguishing forbidden, context-dependent deny, and context-dependent allow actions. We propose four implementation architectures - protocol gateway, SDK instrumentation, kernel eBPF, and vendor integration - with distinct trust properties, and specify minimum conformance requirements for AARM-compliant systems. AARM is model-agnostic, framework-agnostic, and vendor-neutral, treating action execution as the stable security boundary. This specification aims to establish industry-wide requirements before proprietary fragmentation forecloses interoperability.


Key Contributions

  • AARM specification: a runtime security system that intercepts AI agent actions before execution, accumulates session context, and enforces policy-based authorization with tamper-evident audit receipts
  • Action classification framework distinguishing forbidden, context-dependent-deny, context-dependent-allow, and defer actions, handling cases where available context is insufficient for a conclusive decision
  • Four implementation architectures (protocol gateway, SDK instrumentation, kernel eBPF, vendor integration) with distinct trust properties, plus minimum conformance requirements for interoperable AARM-compliant systems

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Applications
llm agents, autonomous ai systems, mcp-based tool servers, agentic ai pipelines