Runlayer announced it has achieved AARM Extended Conformance across all nine requirements (R1 through R9) of the open specification for securing AI agent actions at runtime, according to a blog post published April 28. The partnership pairs Runlayer’s MCP governance platform with AARM’s open standard, which now counts 40 conformant and aligned companies and a 14-member Technical Working Group, per the AARM specification site.

What AARM Defines

AARM (Autonomous Action Runtime Management) is an open system specification authored by Herman Errico, Senior PM at Vanta, with a Technical Working Group that includes security leaders from Elastic, Darktrace, Truist, Gusto, Ballistic Ventures, and IEEE, according to an analysis by Max Corbridge of Secure Agentics.

The specification defines what a runtime security system for AI agents must do, not how to build one. An AARM-conformant system must intercept AI-driven actions before execution, accumulate session context including prior actions and data accessed, evaluate actions against organizational policy and contextual intent alignment, enforce authorization decisions (allow, deny, modify, defer, or require approval), and record tamper-evident receipts binding action, context, decision, and outcome for forensic reconstruction, according to the specification documentation.

The core principle: the action boundary, the moment an agent tries to take an action, is the security boundary.

Why Traditional Security Fails for Agents

AARM identifies five characteristics of AI agents that break existing security models, as detailed in the Secure Agentics analysis:

Irreversibility. You can filter bad text from a model’s output. You cannot un-send an email, un-drop a database table, or un-wire a payment. Tool executions produce permanent effects the moment they fire.

Speed. Humans manage two to five meaningful actions per minute. Agents run hundreds. Any review queue that assumes human-speed throughput is inadequate.

Contextual risk. Individual actions can each be permitted while their combination constitutes a breach. Reading customer records is fine. Sending an email is fine. Both together in sequence: data exfiltration.

As Corbridge writes, “SIEM tells you what happened after an event. API gateways verify who is calling, not what the call means in context. Firewalls protect your external perimeters whilst agents can cause harm in your internal environment.”
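The intercept, context, policy-decision and receipt steps listed under "What AARM Defines", applied to the read-then-email sequence described under "Contextual risk", as an added sketch that is not code from AARM, Runlayer or Secure Agentics. The tool names, the example.com internal-domain rule and the receipt fields are assumptions made for illustration; the specification does not define them.

```python
import hashlib, json

# Constructed tool names and domain rule (assumptions, not from the AARM spec).
SENSITIVE_READS = {"crm.read_customers"}
EGRESS_TOOLS = {"email.send"}
INTERNAL_DOMAIN = "@example.com"

def _digest(body):
    # Hash every field except the receipt's own hash, in a stable key order.
    payload = {k: v for k, v in body.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class ActionGateway:
    """Toy mediator at the action boundary: context, decision, chained receipts."""
    def __init__(self):
        self.context = []    # tools already allowed in this session
        self.receipts = []   # hash-chained decision records

    def decide(self, tool, args):
        # Each action may be fine alone; the decision depends on what came before.
        touched = any(t in SENSITIVE_READS for t in self.context)
        if tool in EGRESS_TOOLS and touched:
            internal = args.get("to", "").endswith(INTERNAL_DOMAIN)
            return "require_approval" if internal else "deny"
        return "allow"

    def submit(self, tool, args):
        decision = self.decide(tool, args)   # evaluated before anything executes
        prev = self.receipts[-1]["hash"] if self.receipts else "0" * 64
        body = {"seq": len(self.receipts), "tool": tool, "args": args,
                "context": list(self.context), "decision": decision,
                "outcome": "executed" if decision == "allow" else "blocked",
                "prev": prev}
        body["hash"] = _digest(body)         # binds action, context, decision, outcome
        self.receipts.append(body)
        if decision == "allow":
            self.context.append(tool)        # a real gateway would call the tool here
        return decision

def verify_chain(receipts):
    # Any edited, dropped or reordered receipt breaks a hash or a prev link.
    prev = "0" * 64
    for r in receipts:
        if r["prev"] != prev or r["hash"] != _digest(r):
            return False
        prev = r["hash"]
    return True

def demo():
    gw = ActionGateway()
    calls = [("email.send", {"to": "bob@partner.test"}),
             ("crm.read_customers", {"limit": 500}),
             ("email.send", {"to": "bob@partner.test"}),
             ("email.send", {"to": "alice@example.com"})]
    return gw, [gw.submit(tool, args) for tool, args in calls]
```

The same external email is allowed before the customer read and denied after it. A hash chain only makes tampering detectable if the latest hash is also signed or stored outside the gateway's control.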

Runlayer’s Implementation

Runlayer’s platform intercepts every tool call between AI clients and MCP servers, applies fine-grained policies before requests reach downstream systems, and produces tamper-evident logs for full session reconstruction, per the company’s announcement. The company has existing partnerships with Box and 1Password for enterprise content and credential access governance in agent workflows.

An Emerging Standards Layer

AARM’s growth to 40 conformant companies signals that agent runtime security is coalescing around shared standards rather than fragmenting into incompatible proprietary approaches. The specification’s focus on action-level security, rather than prompt-level guardrails or network-layer monitoring, reflects the operational reality that agents cause damage through tool execution, not through text generation. For enterprises evaluating agent platforms, AARM conformance is becoming a procurement checkbox alongside SOC 2 and ISO 27001.