惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
J
Java Code Geeks
H
Help Net Security
B
Blog RSS Feed
G
Google Developers Blog
博客园 - 司徒正美
MongoDB | Blog
MongoDB | Blog
量子位
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
P
Proofpoint News Feed
小众软件
小众软件
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
V
V2EX
月光博客
月光博客
C
Check Point Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
Help Net Security
Help Net Security
Schneier on Security
Schneier on Security
D
DataBreaches.Net
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
T
Tenable Blog
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
F
Fortinet All Blogs
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
大猫的无限游戏
大猫的无限游戏
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Y
Y Combinator Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
V
Visual Studio Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
NISL@THU
NISL@THU
GbyAI
GbyAI
博客园 - Franky
S
Secure Thoughts
有赞技术团队
有赞技术团队
PCI Perspectives
PCI Perspectives
U
Unit 42

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
AARM: Securing the Agentic Runtime | CSA
2026-04-30 · via Cloud Security Alliance

Written by Jim Reavis, Co-founder and Chief Executive Officer, CSA.

Over the past year, I have found myself returning to the same observation in many different conversations: we are not simply watching AI improve. We are watching a new operational layer in computing emerge in front of us. Autonomous agents are beginning to write code, manage infrastructure, process transactions, interact with enterprise systems, and make decisions in environments that were previously governed almost entirely by human judgment and deterministic software.

At the same time, frontier models are not improving in a smooth, linear fashion. They are making step-level advances that rapidly change what these agents can do. This is why I have been describing the cybersecurity challenge in terms of two exponentials: the growth in model capability and the viral adoption of agents. Each trend is important on its own. But where they intersect, we are confronted with a security problem that does not fit neatly into the frameworks we have relied on for the past two decades.

The question we kept coming back to at Cloud Security Alliance and CSAI Foundation was deceptively simple: how do you secure what an autonomous system actually does? That question has led us through research, working groups, hands-on experimentation, and many discussions with practitioners who are trying to secure real agentic systems before the industry has settled on mature patterns for doing so.

Our first instinct, naturally, was to map agent security into familiar paradigms. Identity matters. Access control matters. Zero Trust matters. Governance frameworks matter. None of these go away. In fact, they become even more important. But as we explored the problem more deeply, it became clear that something fundamental was missing. Agents do not merely access systems. They act within them.

That distinction is critical. An agent may interpret context, form a goal, call multiple tools, chain together workflows, and adjust its behavior based on intermediate results. The traditional security question of “should this user have access?” is still necessary, but it is no longer sufficient when the “user” is an autonomous system making real-time decisions across an enterprise environment. What matters is not only whether an agent has access, but whether a specific action is appropriate in a specific context, whether it aligns with the intended objective, whether its behavior remains within acceptable boundaries as the workflow unfolds, and whether we can intervene when it begins to drift.

That realization reframed the problem for us. We were not just dealing with identity, infrastructure, application security, or AI governance in isolation. We were dealing with runtime governance of autonomous action. That is a different level of abstraction, and it requires a security model that can reason about what agents are doing while they are doing it.

As we worked through this problem space, one framework kept surfacing as a promising way to organize the discussion: Autonomous Action Runtime Management, or AARM. What we found compelling about AARM is that it starts with the action itself. Rather than looking only at the identity of the actor or the system being accessed, AARM asks how actions should be evaluated and governed at runtime across dimensions such as context, intent, policy, and behavior.

That language maps well to the reality we are seeing. Agentic actions depend heavily on situational context. Intent is often inferred rather than explicitly declared. Policies need to become more adaptive. Behavior must be observed continuously, not simply approved once at the point of access. AARM does not solve every problem, and we should be careful not to overstate its maturity. But it gives us a practical structure for describing the class of problems that agentic systems introduce. It feels less like forcing a new technology into old categories and more like meeting the problem where it actually exists.

It is also important to be clear that AARM is a work in progress, and that is not a weakness. The agentic runtime security space is moving too quickly for anyone to credibly claim that we already have a finished answer. New architectures, deployment models, tool interfaces, and failure modes are emerging constantly. A static framework created too early would almost certainly miss important lessons from the field.

The value of AARM is that it can develop as a living framework. It can be shaped by practitioners, researchers, enterprises, AI builders, and security teams that are actively learning how these systems behave in production-like environments. This is the right posture for CSA: not to pretend that the problem is solved, but to create a vendor-neutral place where the industry can converge on better concepts, shared language, and practical guidance.

One of the most encouraging aspects of this effort is that AARM did not emerge in isolation. It has been shaped by industry engagement and by people who are directly grappling with agentic security challenges. We are especially pleased that Herman Errico of Vanta will continue to chair this work as AARM becomes part of the Cloud Security Alliance research portfolio. Herman brings a practical, builder-oriented perspective that is essential for a field changing this quickly, and his continued leadership gives the effort both continuity and momentum.

We also want to thank Vanta for supporting AARM’s transition into a CSA-led initiative. That kind of openness matters. When a useful framework is brought into a broader, vendor-neutral community, it gives the entire industry a better chance to learn together. No single company is going to solve agentic security on its own. The problem is too complex, the deployment patterns are too diverse, and the pace of change is too fast.

As part of the CSAI Foundation’s broader mission to secure the agentic control plane, AARM gives us an important foundation for thinking about runtime enforcement and governance. It connects naturally with other CSA and CSAI efforts, including the AI Controls Matrix, STAR for AI, RiskRubric, and the Agentic Trust Framework. But perhaps more importantly, it gives us a concrete place to continue the conversation about how autonomous systems should be governed while they are operating.

We are still early. We are still learning how agents behave in real-world environments. We are still discovering new attack surfaces, new control gaps, and new patterns of misuse and failure. We expect to see a whole host of new types of agents inspired by open source projects and industry innovation. We are also learning how to balance safety and usability, because agents will only deliver value if they are both effective and trustworthy. Over-constraining them may defeat their purpose. Under-governing them may create unacceptable risk.

AARM is one step toward answering what I believe will become one of the defining cybersecurity questions of this era: how do we ensure that autonomous systems act in ways that are safe, aligned, accountable, and observable at scale?

We do not have all the answers yet. But we do believe the industry needs a serious, practical, and collaborative effort focused on the runtime behavior of agents. AARM gives us a promising path forward, and we are excited to help develop it with the broader CSA community.