Skip to content

Proposal: content-class threat taxonomy extension (T12-T14: PHI, MNPI, ITAR/EAR) #9

Description

@lantholin

Summary

AARM v1.0 enumerates 11 threat classes (T1-T11) defined by action mechanics —
prompt injection, confused deputy, intent drift, etc. The taxonomy is intentionally
silent on the content dimension of agent-action risk: what counts as a sensitive
payload crossing the LLM boundary. Every AARM-aligned builder today rolls its own
detector layer with no shared vocabulary, making cross-vendor comparison and
conformance review more subjective than the rest of the spec needs to be.

Containment.AI proposes contributing a content-class detector vocabulary as a
threat-class extension for a future spec revision, covering three regulatory anchors
that enterprise procurement frequently asks about but the current spec does not
address: HIPAA Protected Health Information (PHI), SEC Material Non-Public
Information (MNPI), and ITAR/EAR export-controlled technical data.

Proposed entries

T12 — Protected Health Information (PHI / HIPAA)

  • Definition: Patient identifiers, clinical narratives, diagnosis codes, and the
    18 HIPAA Safe Harbor identifiers as defined in 45 CFR 164.514(b)(2).
  • Sample policy invocation: R3 evaluation treats any payload matching a T12
    detector as a candidate for ALLOW / DENY / MODIFY, per the conformant system's
    configured policy.

T13 — Material Non-Public Information (MNPI / insider trading)

  • Definition: Earnings figures, M&A discussions, regulatory enforcement actions,
    and other material information not yet publicly disclosed, per SEC Rule 10b-5 and
    SEC v. Texas Gulf Sulphur.
  • Sample policy invocation: Financial-services deployments benefit from a
    T13-default DENY; surveillance-only deployments use ALLOW with audit.

T14 — Export-controlled technical data (ITAR / EAR)

  • Definition: Technical data subject to the International Traffic in Arms
    Regulations (22 CFR 120-130, USML categories) or Export Administration Regulations
    (15 CFR 730-774, CCL categories).
  • Sample policy invocation: Defense/aerospace deployments default to DENY on T14.

Scope and licensing

  • The contribution is the taxonomy entries themselves (definitions + regulatory
    anchors), offered under the AARM spec's license. Our underlying detector
    implementations remain under Containment.AI's existing proprietary license; we can
    provide non-normative reference pointers for illustration only.
  • Not proposed: content-specific enforcement prescriptions (AARM stays
    implementation-neutral — this adds vocabulary, not policy), and no changes to the
    v1.0 action-axis design (R1-R9, T1-T11).

About us

Containment.AI, Inc. (Fairfax, VA) builds a LiteLLM-based runtime enforcement proxy
and the AI Chat Firewall browser extension for regulated industries (defense,
healthcare, financial services). We are working toward AARM Core conformance
(self-attested, not certified). Public per-requirement gap analysis vs v1.0:
https://www.containment.ai/compare/aarm

Primary contributor: Irby Thompson (CEO). An alternate technical point of contact
handles day-to-day thread follow-up.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions