As artificial intelligence systems evolve from passive assistants into autonomous agents capable of executing consequential actions, the security boundary shifts from model outputs to tool execution. Traditional security paradigms - log aggregation, perimeter defense, and post-hoc forensics - cannot protect systems where AI-driven actions are irreversible, execute at machine speed, and originate from potentially compromised orchestration layers. This paper introduces Autonomous Action Runtime Management (AARM), an open specification for securing AI-driven actions at runtime. AARM defines a runtime security system that intercepts actions before execution, accumulates session context, evaluates against policy and intent alignment, enforces authorization decisions, and records tamper-evident receipts for forensic reconstruction. We formalize a threat model addressing prompt injection, confused deputy attacks, data exfiltration, and intent drift. We introduce an action classification framework distinguishing forbidden, context-dependent deny, and context-dependent allow actions. We propose four implementation architectures - protocol gateway, SDK instrumentation, kernel eBPF, and vendor integration - with distinct trust properties, and specify minimum conformance requirements for AARM-compliant systems. AARM is model-agnostic, framework-agnostic, and vendor-neutral, treating action execution as the stable security boundary. This specification aims to establish industry-wide requirements before proprietary fragmentation forecloses interoperability.

翻译：随着人工智能系统从被动助手演变为能够执行重要行动的自主代理，安全边界从模型输出转移至工具执行。传统的安全范式——日志聚合、边界防御和事后取证——无法保护那些AI驱动行动具有不可逆性、以机器速度执行且可能源自受损编排层的系统。本文提出自主行动运行时管理(AARM)，这是一种在运行时保护AI驱动行动的开放规范。AARM定义了一个运行时安全系统，该系统在执行前拦截行动、累积会话上下文、根据策略和意图对齐进行评估、执行授权决策，并记录防篡改凭证以供取证重建。我们形式化了一个威胁模型，涵盖提示注入、混淆代理攻击、数据泄露和意图漂移。我们引入了一个行动分类框架，区分禁止行动、上下文相关拒绝行动和上下文相关允许行动。我们提出了四种实现架构——协议网关、SDK插装、内核eBPF和供应商集成——各自具有不同的信任特性，并规定了符合AARM系统的最低一致性要求。AARM与模型无关、与框架无关且供应商中立，将行动执行视为稳定的安全边界。该规范旨在专有化碎片化损害互操作性之前，建立全行业范围的要求。