Runtime Agent Governance

A documented AI policy doesn't stop an agent's next action.
You need a control plane that intercepts, decides, and logs — at runtime.

As autonomous agents move from pilot to production, the dominant risk is no longer "the policy is unclear." It's that nothing enforces the policy in the moment an agent acts. Containment.ai is the runtime control plane that closes that gap — and it's built to a neutral, open standard so you can evaluate it against more than our own marketing. We align with AARM v1.0, the Cloud Security Alliance's runtime-governance specification, and we extend it with the data-layer detection AARM intentionally leaves open. The LLM-boundary proxy described here is our connected tier; the flagship High-Assurance Gateway delivers the same discipline in-path for the highest-assurance, air-gap-capable environments.


Runtime governance for autonomous agents — aligned with AARM v1.0 (Cloud Security Alliance).

The runtime-governance gap

GRC platforms tell you what your policy says. They do not intercept, block, or log an agent action as it happens.

The governance tools most enterprises already own document policy: who approved which model, what the acceptable-use rules are, which frameworks apply. That is necessary and it is not enough. A documented policy does not stop a paste, a tool call, or an LLM-mediated exfiltration of regulated content. When an autonomous agent decides to act, the question is no longer "what does the policy say" — it is "what enforced the policy in that millisecond."

That enforcement layer is a distinct category: the runtime control plane. It sits in the path of agent actions and, for every one, intercepts before execution, evaluates against policy with full context, and writes a tamper-evident record. This is the category Containment.ai builds in — and rather than define it with our own bespoke vocabulary, we anchor to a neutral industry standard so buyers can compare vendors on equal terms.

What AARM is

The neutral standard for the category — and why we anchor to it.

The specification

AARM (Autonomous Action Runtime Management) is the Cloud Security Alliance's open specification for governing autonomous AI agents at runtime. Authored at Vanta and donated to the CSAI Foundation in April 2026, it is governed by a working group spanning hyperscaler, GRC, runtime-security, large-enterprise, and defense-relevant constituencies — among them Microsoft, Vanta, Noma Security, Zenity, Elastic, Truist, and Darktrace. AARM defines a set of runtime requirements: every agent action must be intercepted before execution, evaluated against policy with full context, and logged in tamper-evident form. It also describes four reference architectures — Protocol Gateway, SDK Instrumentation, Kernel / eBPF Hooks, and Vendor-Native Integration.

Why we anchor to it

The CSA is neutral, vendor-independent, and explicitly focused on agentic AI. A neutral standard lets a buyer evaluate every runtime-governance vendor against one yardstick instead of against each vendor's own claims. We chose AARM as our public alignment anchor for exactly that reason — and because the Protocol Gateway pattern in its taxonomy describes the LLM-boundary proxy we had already built.

The AARM decision verbs

AARM R4 defines five decisions every runtime must support. Containment.ai ships four of them today — ALLOW, DENY, MODIFY, and DEFER; STEP_UP is on the roadmap.

Verb 1

ALLOW

A benign agent call passes through, with an audit record written. Policy matched, no regulated content detected, decision logged.

Verb 2

DENY

A prompt containing HIPAA PHI, SEC MNPI, or export-controlled text is blocked at the boundary. The agent receives a structured error; the regulated bytes never reach the LLM.

Verb 3

MODIFY

A prompt containing a secret or PII is allowed through with the sensitive content redacted. The agent keeps working; the LLM never sees the bytes that matter.

Verb 4

STEP_UP (on the roadmap)

A sensitive action triggers a step-up auth challenge: the agent receives a structured re-auth prompt and the action holds until the human completes the challenge. This verb is on our roadmap and not yet shipping.

Verb 5

DEFER

A borderline action is paused for human review in an approval queue until the designated approver acts. The audit record captures both the original signal and the approval outcome.

See the decision verbs live

A 30-minute walkthrough against your own test prompts, covering the four verbs that ship today (STEP_UP is on the roadmap). Every decision lands in audit_events with full context.

How Containment.ai aligns — and what it adds

We implement the Protocol Gateway pattern at the LLM-call boundary, and we extend the standard at the data layer.

We align at the boundary

Our proxy intercepts agent traffic to OpenAI, Anthropic, Bedrock, and Azure OpenAI before the call is dispatched, evaluates it against policy in real time, and writes a tamper-evident audit receipt per decision — the Protocol Gateway pattern, at the LLM-call boundary. We are honest about scope: we do not mediate every protocol AARM contemplates. Direct HTTP from agent code, local filesystem, shell, and raw database access remain out of scope for the LLM-boundary proxy and are flagged as gaps in our attestation.

We add the detection vocabulary

AARM defines threat classes but is intentionally silent on detection vocabulary — how a runtime recognizes regulated content. That is the layer we bring: a catalog of content-class detectors (HIPAA PHI, SEC MNPI, ITAR/EAR export-control, PII, secrets, source-code leakage, prompt injection, and more) that sit at the boundary and decide whether the data crossing it is allowed to leave. The standard says "intercept and decide"; we supply what the decision is made of.
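The decision verbs above and the detector catalog in this section describe one loop: detect content classes in the outbound call, pick the most restrictive verb they map to, redact or hold the bytes, and write a record that a later edit cannot silently alter. The Python below is an added example written for this page, not Containment.ai code and not part of the AARM specification. The detector patterns (an AWS-style access-key prefix, a US SSN shape, an "MRN" marker, two action keywords), the class-to-verb mapping, the rank order, the agent identifier and the hash-chained audit log are all constructed for illustration; the page says the record is tamper-evident but does not say how it is built, and a hash chain is one common way.

```python
# Added example (not Containment.ai code): maps content-class detections to
# AARM decision verbs at an LLM-call boundary and writes a hash-chained audit log.
import hashlib
import json
import re
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    MODIFY = "MODIFY"
    STEP_UP = "STEP_UP"  # in the AARM taxonomy; no detector maps to it here
    DEFER = "DEFER"


# Higher rank wins when several content classes fire on one prompt.
RANK = {Decision.ALLOW: 0, Decision.MODIFY: 1, Decision.DEFER: 2,
        Decision.STEP_UP: 3, Decision.DENY: 4}

# Constructed, deliberately simple detectors: (content class, pattern, verb).
DETECTORS = [
    ("secret", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), Decision.MODIFY),
    ("pii_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Decision.MODIFY),
    ("phi_mrn", re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I), Decision.DENY),
    ("borderline_action",
     re.compile(r"\b(wire transfer|delete production)\b", re.I), Decision.DEFER),
]


@dataclass(frozen=True)
class Finding:
    content_class: str
    start: int
    end: int
    verb: Decision


def detect(prompt: str) -> list:
    """Run every detector over the prompt; one Finding per match."""
    return [Finding(name, m.start(), m.end(), verb)
            for name, pattern, verb in DETECTORS
            for m in pattern.finditer(prompt)]


def redact(prompt: str, findings: list) -> str:
    """Replace MODIFY-class spans right to left so earlier offsets stay valid."""
    out = prompt
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.verb is Decision.MODIFY:
            out = out[:f.start] + f"[REDACTED:{f.content_class}]" + out[f.end:]
    return out


def evaluate(prompt: str):
    """Return (decision, outbound prompt or None, findings).
    Only ALLOW and MODIFY yield an outbound prompt; DENY and DEFER hold the
    bytes at the boundary so the model never receives them."""
    findings = detect(prompt)
    decision = max((f.verb for f in findings), key=RANK.get, default=Decision.ALLOW)
    if decision is Decision.ALLOW:
        return decision, prompt, findings
    if decision is Decision.MODIFY:
        return decision, redact(prompt, findings), findings
    return decision, None, findings


class AuditLog:
    """Append-only log. Each record commits to the previous record's hash, so
    editing any earlier record breaks verify(). Stores a digest of the prompt,
    not the regulated bytes, so the log is not a second copy of them."""
    GENESIS = "0" * 64

    def __init__(self):
        self.events = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, agent_id: str, prompt: str, decision: Decision, findings) -> dict:
        event = {"seq": len(self.events), "agent": agent_id,
                 "decision": decision.value,
                 "findings": sorted({f.content_class for f in findings}),
                 "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
                 "prev": self._prev}
        event["hash"] = self._digest(event)
        self._prev = event["hash"]
        self.events.append(event)
        return event

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def gateway(agent_id: str, prompt: str, log: AuditLog, forward) -> dict:
    """Intercept, decide, log, then dispatch or return a structured error."""
    decision, outbound, findings = evaluate(prompt)
    event = log.record(agent_id, prompt, decision, findings)
    if outbound is None:
        return {"decision": decision.value, "audit_seq": event["seq"],
                "error": f"held at boundary, classes={event['findings']}"}
    return {"decision": decision.value, "audit_seq": event["seq"],
            "response": forward(outbound)}


if __name__ == "__main__":
    log = AuditLog()
    for p in ["Summarize this quarter's roadmap.",
              "Use key AKIAABCDEFGHIJKLMNOP to deploy.",
              "Patient MRN 12345678 reports chest pain.",
              "Approve the wire transfer for SSN 123-45-6789."]:
        print(gateway("agent-7", p, log, lambda t: f"<model saw: {t}>"))  # fake LLM
    print("audit chain intact:", log.verify())
```

Running the file prints one decision per constructed prompt and confirms the chain verifies. The fourth prompt shows why the rank order matters: the SSN alone would be redacted and forwarded, but the borderline action outranks it, so the whole call is held for review and nothing reaches the model.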

Our alignment claim, stated conservatively

The full per-requirement status lives in the attestation document, not in a marketing badge.

Specification: AARM v1.0 (Cloud Security Alliance / CSAI Foundation)
Containment.ai claim: Aligned with AARM v1.0. See our self-attestation for per-requirement status.

We do not claim "AARM Core conformant" today. "AARM-aligned" is the strongest claim we publish until per-requirement implementation work in the attestation reaches a tier we can defend in a Conformance Program submission.

Who this is for

Security & compliance teams standardizing on a yardstick

You want to evaluate runtime-governance vendors against a neutral standard, not each vendor's bespoke claims. AARM gives you that yardstick; our attestation tells you where we land on it.

Teams putting agents into regulated workflows

HIPAA, SEC, export-control, and GDPR are in scope, and an agent could move that data. You need the detection vocabulary on top of the runtime decision model — which is exactly the layer we add.

Defense & NatSec evaluators

AARM alignment is a credibility signal for programs assessing agentic-AI risk. For the highest-assurance end, pair it with our High-Assurance Gateway.

Platform teams shipping autonomous agents

You're operationalizing agents and need a runtime decision per action with an audit trail. See the full control model on the Agent Governance page.

Where it fits in the stack

AARM is the standard our runtime governance aligns to. These products are how it shows up.

AI Chat Firewall

Governs people using AI chat assistants in the browser.

Agent Governance

The runtime control plane for agent actions — where the five AARM verbs actually run.

High-Assurance Gateway

The same governance for air-gapped and cross-domain deployment.

See the decision verbs run live

A 30-minute demo against your own test prompts. ALLOW, DENY, MODIFY and DEFER ship today, with STEP_UP on the roadmap. Every decision is audited, tamper-evident, in an AARM-aligned shape.


Want the deeper alignment detail and the AARM v1.0 spec? See the alignment detail page →