Autonomous Action Runtime Management (AARM): A System Specification for Securing AI-Driven Actions at Runtime
Herman Errico
TL;DR
The paper tackles the critical problem of securing AI-driven actions at runtime, arguing that irreversible, high-speed tool executions create a runtime security boundary that traditional defenses cannot reliably protect. It introduces Autonomous Action Runtime Management (AARM), an open specification that intercepts actions before execution, accumulates session context, evaluates alignment with static policy and user intent, enforces authorization decisions, and records tamper-evident receipts. The work formalizes the problem, threat model, and action-classification framework (forbidden, context-dependent deny/allow, and defer), and proposes four architectures (Protocol Gateway, SDK instrumentation, kernel eBPF, and vendor integration) with minimum conformance requirements to preserve interoperability. It also outlines research directions (intent inference, data-flow tracking, and multi-agent coordination) and provides a clear call to action for enterprises, vendors, and researchers to adopt and evolve the standard, aiming to prevent fragmentation as AI agents scale autonomy and impact.
Abstract
As artificial intelligence systems evolve from passive assistants into autonomous agents capable of executing consequential actions, the security boundary shifts from model outputs to tool execution. Traditional security paradigms - log aggregation, perimeter defense, and post-hoc forensics - cannot protect systems where AI-driven actions are irreversible, execute at machine speed, and originate from potentially compromised orchestration layers. This paper introduces Autonomous Action Runtime Management (AARM), an open specification for securing AI-driven actions at runtime. AARM defines a runtime security system that intercepts actions before execution, accumulates session context, evaluates against policy and intent alignment, enforces authorization decisions, and records tamper-evident receipts for forensic reconstruction. We formalize a threat model addressing prompt injection, confused deputy attacks, data exfiltration, and intent drift. We introduce an action classification framework distinguishing forbidden, context-dependent deny, and context-dependent allow actions. We propose four implementation architectures - protocol gateway, SDK instrumentation, kernel eBPF, and vendor integration - with distinct trust properties, and specify minimum conformance requirements for AARM-compliant systems. AARM is model-agnostic, framework-agnostic, and vendor-neutral, treating action execution as the stable security boundary. This specification aims to establish industry-wide requirements before proprietary fragmentation forecloses interoperability.
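The pipeline the abstract describes (intercept, accumulate session context, evaluate, enforce, record tamper-evident receipts) and the action classes it names (forbidden, context-dependent deny, context-dependent allow, and defer) can be made concrete in a few dozen lines. The following is an added illustration, not code from the AARM specification or from the author: the tool names (`read_file`, `write_file`, `http_post`, `shell`), the egress budget, the policy rules inside `classify`, and the SHA-256 hash chain used to realise "tamper-evident receipts" are all assumptions chosen for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# The four action classes named in the paper. Everything else below is assumed.
FORBIDDEN = "forbidden"
CONTEXT_DENY = "context_dependent_deny"
CONTEXT_ALLOW = "context_dependent_allow"
DEFER = "defer"

EGRESS_BUDGET = 10_000  # assumed per-session egress limit, in bytes


@dataclass
class Action:
    tool: str
    args: dict


@dataclass
class SessionContext:
    """Context accumulated across a session; later decisions depend on it."""
    user_intent: str
    egress_bytes: int = 0
    touched_paths: set = field(default_factory=set)


def classify(action: Action, ctx: SessionContext):
    """Evaluate one action against static policy plus accumulated context.
    Returns (action_class, reason). Rules are hypothetical examples of each class."""
    if action.tool == "shell" and "rm -rf /" in action.args.get("cmd", ""):
        return FORBIDDEN, "destructive shell command is never permitted"
    if action.tool == "http_post":
        size = len(action.args.get("body", ""))
        if ctx.egress_bytes + size > EGRESS_BUDGET:
            return CONTEXT_DENY, "session egress budget would be exceeded"
        return CONTEXT_ALLOW, "within session egress budget"
    if action.tool == "read_file":
        return CONTEXT_ALLOW, "reads are reversible"
    if action.tool == "write_file":
        if action.args["path"] in ctx.touched_paths:
            return CONTEXT_ALLOW, "write to a file this session already handled"
        # A write to a file the session never read cannot be tied to the
        # declared intent, so it is held for a human rather than denied outright.
        return DEFER, "write to a path not previously touched in this session"
    return DEFER, "unknown tool"


class ReceiptLog:
    """Hash-chained receipts: each receipt commits to the digest of the previous one,
    so editing or dropping any entry breaks verification of everything after it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.receipts = []
        self.head = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: Action, decision: str, reason: str) -> dict:
        body = {"prev": self.head, "tool": action.tool, "args": action.args,
                "decision": decision, "reason": reason}
        body["digest"] = self._digest(body)
        self.receipts.append(body)
        self.head = body["digest"]
        return body

    def verify(self) -> bool:
        prev = self.GENESIS
        for r in self.receipts:
            body = {k: v for k, v in r.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != r["digest"]:
                return False
            prev = r["digest"]
        return True


def gate(action: Action, ctx: SessionContext, log: ReceiptLog) -> str:
    """Intercept an action before execution: classify, record a receipt, enforce.
    Context is only updated for actions that actually proceed."""
    decision, reason = classify(action, ctx)
    log.record(action, decision, reason)
    if decision == CONTEXT_ALLOW:
        if action.tool == "http_post":
            ctx.egress_bytes += len(action.args.get("body", ""))
        if action.tool in ("read_file", "write_file"):
            ctx.touched_paths.add(action.args["path"])
    return decision


def run_demo():
    """Constructed session: an agent asked to draft release notes."""
    ctx = SessionContext(user_intent="draft release notes from the changelog")
    log = ReceiptLog()
    actions = [
        Action("read_file", {"path": "/repo/CHANGELOG.md"}),
        Action("write_file", {"path": "/repo/CHANGELOG.md"}),
        Action("write_file", {"path": "/etc/passwd"}),          # never read: defer
        Action("http_post", {"url": "https://example.invalid", "body": "x" * 6000}),
        Action("http_post", {"url": "https://example.invalid", "body": "x" * 6000}),
        Action("shell", {"cmd": "rm -rf /"}),
    ]
    decisions = [gate(a, ctx, log) for a in actions]
    return log, decisions


if __name__ == "__main__":
    log, decisions = run_demo()
    for r, d in zip(log.receipts, decisions):
        print(f"{r['tool']:<10} {d:<24} {r['reason']}")
    print("receipt chain intact:", log.verify())
```

Note that the second `http_post` is denied only because of context the first one accumulated; evaluated in isolation it would pass, which is the reason the abstract treats session context as a first-class input rather than judging each tool call on its own.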
