Summary
AARM v1.0 enumerates 11 threat classes (T1-T11) defined by action mechanics —
prompt injection, confused deputy, intent drift, etc. The taxonomy is intentionally
silent on the content dimension of agent-action risk: what counts as a sensitive
payload crossing the LLM boundary. Every AARM-aligned builder today rolls its own
detector layer with no shared vocabulary, making cross-vendor comparison and
conformance review more subjective than the rest of the spec needs to be.
Containment.AI proposes contributing a content-class detector vocabulary as a
threat-class extension for a future spec revision, covering three regulatory anchors
that enterprise procurement frequently asks about but the current spec does not
address: HIPAA Protected Health Information (PHI), SEC Material Non-Public
Information (MNPI), and ITAR/EAR export-controlled technical data.
Proposed entries
T12 — Protected Health Information (PHI / HIPAA)
- Definition: Patient identifiers, clinical narratives, diagnosis codes, and the
18 HIPAA Safe Harbor identifiers as defined in 45 CFR 164.514(b)(2).
- Sample policy invocation: R3 evaluation treats any payload matching a T12
detector as a candidate for ALLOW / DENY / MODIFY, per the conformant system's
configured policy.
T13 — Material Non-Public Information (MNPI / insider trading)
- Definition: Earnings figures, M&A discussions, regulatory enforcement actions,
and other material information not yet publicly disclosed, per SEC Rule 10b-5 and
SEC v. Texas Gulf Sulphur.
- Sample policy invocation: Financial-services deployments benefit from a
T13-default DENY; surveillance-only deployments use ALLOW with audit.
T14 — Export-controlled technical data (ITAR / EAR)
- Definition: Technical data subject to the International Traffic in Arms
Regulations (22 CFR 120-130, USML categories) or Export Administration Regulations
(15 CFR 730-774, CCL categories).
- Sample policy invocation: Defense/aerospace deployments default to DENY on T14.
Scope and licensing
- The contribution is the taxonomy entries themselves (definitions + regulatory
anchors), offered under the AARM spec's license. Our underlying detector
implementations remain under Containment.AI's existing proprietary license; we can
provide non-normative reference pointers for illustration only.
- Not proposed: content-specific enforcement prescriptions (AARM stays
implementation-neutral — this adds vocabulary, not policy), and no changes to the
v1.0 action-axis design (R1-R9, T1-T11).
About us
Containment.AI, Inc. (Fairfax, VA) builds a LiteLLM-based runtime enforcement proxy
and the AI Chat Firewall browser extension for regulated industries (defense,
healthcare, financial services). We are working toward AARM Core conformance
(self-attested, not certified). Public per-requirement gap analysis vs v1.0:
https://www.containment.ai/compare/aarm
Primary contributor: Irby Thompson (CEO). An alternate technical point of contact
handles day-to-day thread follow-up.
Summary
AARM v1.0 enumerates 11 threat classes (T1-T11) defined by action mechanics —
prompt injection, confused deputy, intent drift, etc. The taxonomy is intentionally
silent on the content dimension of agent-action risk: what counts as a sensitive
payload crossing the LLM boundary. Every AARM-aligned builder today rolls its own
detector layer with no shared vocabulary, making cross-vendor comparison and
conformance review more subjective than the rest of the spec needs to be.
Containment.AI proposes contributing a content-class detector vocabulary as a
threat-class extension for a future spec revision, covering three regulatory anchors
that enterprise procurement frequently asks about but the current spec does not
address: HIPAA Protected Health Information (PHI), SEC Material Non-Public
Information (MNPI), and ITAR/EAR export-controlled technical data.
Proposed entries
T12 — Protected Health Information (PHI / HIPAA)
18 HIPAA Safe Harbor identifiers as defined in 45 CFR 164.514(b)(2).
detector as a candidate for ALLOW / DENY / MODIFY, per the conformant system's
configured policy.
T13 — Material Non-Public Information (MNPI / insider trading)
and other material information not yet publicly disclosed, per SEC Rule 10b-5 and
SEC v. Texas Gulf Sulphur.
T13-default DENY; surveillance-only deployments use ALLOW with audit.
T14 — Export-controlled technical data (ITAR / EAR)
Regulations (22 CFR 120-130, USML categories) or Export Administration Regulations
(15 CFR 730-774, CCL categories).
Scope and licensing
anchors), offered under the AARM spec's license. Our underlying detector
implementations remain under Containment.AI's existing proprietary license; we can
provide non-normative reference pointers for illustration only.
implementation-neutral — this adds vocabulary, not policy), and no changes to the
v1.0 action-axis design (R1-R9, T1-T11).
About us
Containment.AI, Inc. (Fairfax, VA) builds a LiteLLM-based runtime enforcement proxy
and the AI Chat Firewall browser extension for regulated industries (defense,
healthcare, financial services). We are working toward AARM Core conformance
(self-attested, not certified). Public per-requirement gap analysis vs v1.0:
https://www.containment.ai/compare/aarm
Primary contributor: Irby Thompson (CEO). An alternate technical point of contact
handles day-to-day thread follow-up.