Testing Approach
Each conformance requirement (R1 through R9) includes a Verification section describing the minimum test that confirms conformance. Conformance testing covers two areas: the technical requirements (R1 through R9), which verify the runtime behavior of the system, and the organizational requirements, which verify that the organization meets the conditions for publicly describing its system as AARM-conformant.
What Gets Tested
Organizational Requirements
| Condition | Verification | Expected Result |
|---|---|---|
| AARM system naming | Review public product pages, documentation, and marketing materials | Product is described as an AARM system (e.g., “Acme Inc. built AIInspector, an AARM system”) |
| Dedicated conformance page | Visit the organization’s public documentation | A publicly accessible page maps specific capabilities to specific requirements (R1 through R6 for Core, R1 through R9 for Extended) and notes any limitations |
| Community engagement | Verify TWG membership or participation in conformance discussions | Organization has an active representative in the AARM community |
| Production deployment | Confirm the system is deployed and serving active customers | System is live in production, not solely a design document or roadmap |
| Security certification | Request evidence of certification | Organization holds at least one recognized security certification (e.g., SOC 2 Type II, ISO 27001, FedRAMP) relevant to the operating environment |
| Benchmarking commitment | Confirm willingness to participate | Organization agrees to participate in future AARM benchmarking efforts measuring policy detection and enforcement metrics |
Technical Requirements
| Req | Test | Expected Result | Level |
|---|---|---|---|
| R1 | Submit action matching DENY policy | Action does not execute; denial receipt generated | MUST |
| R1 | Submit action matching DEFER condition | Action suspended; no effects; deferral receipt generated | MUST |
| R1 | Make AARM system unavailable, submit action | Action fails (no fail-open bypass) | MUST |
| R2 | Execute action sequence, inspect context at step N | Policy engine receives all prior actions and data classifications | MUST |
| R2 | Tamper with prior context entry (if hash-chained) | Tampering detected | SHOULD |
| R3 | Submit forbidden action | Immediate DENY regardless of context | MUST |
| R3 | Submit allowed action after sensitive data access (context-dependent deny) | DENY based on context | MUST |
| R3 | Submit denied action with confirming context (context-dependent allow) | STEP_UP or ALLOW | MUST |
| R3 | Submit action with ambiguous/conflicting context (context-dependent defer) | DEFER | MUST |
| R4 | Trigger each of the five decision types | Correct enforcement: ALLOW executes, DENY blocks, MODIFY transforms, STEP_UP pauses, DEFER suspends | MUST |
| R4 | STEP_UP with no response within timeout | DENY after timeout | MUST |
| R4 | DEFER with no resolution within timeout | DENY after timeout | MUST |
| R5 | Generate receipts for ALLOW, DENY, MODIFY, STEP_UP, DEFER | Requester context, delegation chain (if present), and policy version/hash present per schema | MUST |
| R5 | Verify receipt signature offline | Signature validates | MUST |
| R5 | Tamper with requester context or policy hash in receipt | Signature verification fails | MUST |
| R5 | Verify deferred action receipt | Deferral reason, resolution method, resolution timestamp present | MUST |
| R6 | Submit from different principals and sessions | Receipts correctly attribute identity including role/privilege scope | MUST |
| R6 | Defer action, then resolve | Original identity preserved in resolution receipt | MUST |
| R7 | Execute diverging action sequence exceeding drift threshold | Alert, deferral, or escalation triggered | SHOULD |
| R8 | Configure SIEM export | Events appear with correct schema including DEFER events | SHOULD |
| R9 | Submit read operation | Issued credential cannot perform writes | SHOULD |
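The following harness is an added example, not code from the AARM project, showing how the R1 fail-closed row and the R4 rows (one per decision type, plus the STEP_UP and DEFER timeouts) can be exercised against an enforcement point. The `Action`, `Verdict`, `Engine` and `Outcome` types, the `DemoEngine` toy policy and the decision names as Go constants are assumptions made for this example; they are not AARM's own interfaces.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Decision string

const (
	Allow  Decision = "ALLOW"
	Deny   Decision = "DENY"
	Modify Decision = "MODIFY"
	StepUp Decision = "STEP_UP"
	Defer  Decision = "DEFER"
)

// Action is a hypothetical agent action: a tool name plus its arguments.
type Action struct {
	Tool string
	Args map[string]string
}

// Verdict is the hypothetical policy engine's answer; Modified carries the
// transformed action when Decision is MODIFY.
type Verdict struct {
	Decision Decision
	Modified *Action
	Reason   string
}

// Engine evaluates one action. A non-nil error means the engine is unreachable.
type Engine func(Action) (Verdict, error)

// Outcome is what the enforcement point records for the receipt.
type Outcome struct {
	Decision Decision
	Executed bool
	Reason   string
}

var ErrUnavailable = errors.New("policy engine unavailable")

// Enforce is the enforcement point under test. It keeps two invariants:
//   - R1: any engine error yields DENY and nothing executes (fail closed).
//   - R4: STEP_UP and DEFER wait for an answer on resolve; no answer within
//     timeout yields DENY. A nil resolve channel never delivers, so passing
//     nil models "no response" and always times out.
func Enforce(engine Engine, act Action, execute func(Action) error,
	resolve <-chan Decision, timeout time.Duration) Outcome {
	v, err := engine(act)
	if err != nil {
		return Outcome{Decision: Deny, Reason: "fail-closed: " + err.Error()}
	}
	switch v.Decision {
	case Allow:
		return run(act, execute, Allow, v.Reason)
	case Modify:
		if v.Modified == nil { // a MODIFY with no transformed action is unsafe to honour
			return Outcome{Decision: Deny, Reason: "MODIFY carried no transformed action"}
		}
		return run(*v.Modified, execute, Modify, v.Reason)
	case StepUp, Defer:
		select {
		case d, ok := <-resolve:
			if ok && d == Allow {
				return run(act, execute, Allow, string(v.Decision)+" resolved ALLOW")
			}
			return Outcome{Decision: Deny, Reason: string(v.Decision) + " resolved DENY"}
		case <-time.After(timeout):
			return Outcome{Decision: Deny, Reason: string(v.Decision) + " timed out"}
		}
	default: // DENY, or any decision value we do not recognise
		return Outcome{Decision: Deny, Reason: v.Reason}
	}
}

// run performs the side effect and records whether it actually happened.
func run(act Action, execute func(Action) error, d Decision, reason string) Outcome {
	if err := execute(act); err != nil {
		return Outcome{Decision: d, Executed: false, Reason: "execution failed: " + err.Error()}
	}
	return Outcome{Decision: d, Executed: true, Reason: reason}
}

// DemoEngine is a constructed toy policy used only to drive the checks.
func DemoEngine(a Action) (Verdict, error) {
	switch a.Tool {
	case "file.read":
		return Verdict{Decision: Allow, Reason: "read permitted"}, nil
	case "file.write":
		return Verdict{Decision: StepUp, Reason: "write needs approval"}, nil
	case "data.export":
		return Verdict{Decision: Defer, Reason: "export needs review"}, nil
	case "http.get": // MODIFY: keep only the url argument, dropping anything else
		m := Action{Tool: a.Tool, Args: map[string]string{"url": a.Args["url"]}}
		return Verdict{Decision: Modify, Modified: &m, Reason: "arguments narrowed"}, nil
	default:
		return Verdict{Decision: Deny, Reason: "forbidden tool"}, nil
	}
}

// DownEngine simulates the AARM system being unavailable (the third R1 row).
func DownEngine(Action) (Verdict, error) { return Verdict{}, ErrUnavailable }

func main() {
	exec := func(a Action) error { fmt.Println("executing", a.Tool); return nil }
	fmt.Printf("%+v\n", Enforce(DownEngine, Action{Tool: "file.read"}, exec, nil, 50*time.Millisecond))
	fmt.Printf("%+v\n", Enforce(DemoEngine, Action{Tool: "file.write"}, exec, nil, 50*time.Millisecond))
	approved := make(chan Decision, 1)
	approved <- Allow
	fmt.Printf("%+v\n", Enforce(DemoEngine, Action{Tool: "data.export"}, exec, approved, 50*time.Millisecond))
}
```

The timeout is an argument rather than a constant so a test can use a short value; the point being checked is only that an unanswered STEP_UP or DEFER ends in DENY with `Executed` false, never in execution.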
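For the R5 rows (receipt contents, offline signature verification, tamper detection, deferred-receipt fields), the following is an added example and not AARM project code. It signs a receipt carrying the fields those rows name with Ed25519, verifies it using only the public key, shows that changing the requester identity or the policy hash invalidates the signature, and checks a DEFER receipt for its deferral fields. The `Receipt` schema, the canonicalization via Go's `encoding/json` field order, the SHA-256 policy hash and all sample values are assumptions made for this example, not the AARM receipt schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is a hypothetical schema covering the fields the R5 rows name;
// it is not the AARM receipt schema.
type Receipt struct {
	ReceiptID       string   `json:"receipt_id"`
	Decision        string   `json:"decision"` // ALLOW, DENY, MODIFY, STEP_UP or DEFER
	RequesterID     string   `json:"requester_id"`
	RequesterRole   string   `json:"requester_role"`
	SessionID       string   `json:"session_id"`
	DelegationChain []string `json:"delegation_chain,omitempty"`
	PolicyVersion   string   `json:"policy_version"`
	PolicyHash      string   `json:"policy_hash"`
	// Present only on deferred-action receipts.
	DeferralReason      string `json:"deferral_reason,omitempty"`
	ResolutionMethod    string `json:"resolution_method,omitempty"`
	ResolutionTimestamp string `json:"resolution_timestamp,omitempty"`
}

// SignedReceipt is what the system emits and what an auditor verifies.
type SignedReceipt struct {
	Receipt   Receipt `json:"receipt"`
	Signature string  `json:"signature"` // hex(Ed25519 over canonical(Receipt))
}

// canonical returns the exact bytes that are signed. encoding/json emits struct
// fields in declaration order, so the same Receipt always yields the same bytes.
func canonical(r Receipt) ([]byte, error) { return json.Marshal(r) }

// PolicyHash binds a receipt to the policy text it was evaluated under (SHA-256, assumed).
func PolicyHash(policy []byte) string {
	sum := sha256.Sum256(policy)
	return hex.EncodeToString(sum[:])
}

func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignReceipt(priv ed25519.PrivateKey, r Receipt) (SignedReceipt, error) {
	b, err := canonical(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	return SignedReceipt{Receipt: r, Signature: hex.EncodeToString(ed25519.Sign(priv, b))}, nil
}

// VerifyReceipt needs only the public key and the receipt: no call back to the
// AARM system, which is what offline verification requires.
func VerifyReceipt(pub ed25519.PublicKey, sr SignedReceipt) bool {
	b, err := canonical(sr.Receipt)
	if err != nil {
		return false
	}
	sig, err := hex.DecodeString(sr.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, b, sig)
}

// DeferralFieldsPresent is the deferred-receipt check: a DEFER receipt must carry
// a reason, a resolution method and a resolution timestamp. Other receipts pass.
func DeferralFieldsPresent(r Receipt) bool {
	if r.Decision != "DEFER" {
		return true
	}
	return r.DeferralReason != "" && r.ResolutionMethod != "" && r.ResolutionTimestamp != ""
}

// SampleDeferReceipt is constructed test data, not a captured receipt.
func SampleDeferReceipt(policyHash string) Receipt {
	return Receipt{
		ReceiptID: "rcpt-0001", Decision: "DEFER",
		RequesterID: "agent-7", RequesterRole: "analyst", SessionID: "sess-42",
		DelegationChain: []string{"alice@example.com", "agent-7"},
		PolicyVersion:   "2024.1", PolicyHash: policyHash,
		DeferralReason:  "conflicting data classification",
		ResolutionMethod: "human_review", ResolutionTimestamp: "2024-01-01T00:00:00Z",
	}
}

func main() {
	pub, priv := NewSigningKey()
	sr, _ := SignReceipt(priv, SampleDeferReceipt(PolicyHash([]byte("deny export after sensitive read"))))
	fmt.Println("untampered receipt verifies:", VerifyReceipt(pub, sr))
	forged := sr
	forged.Receipt.RequesterID = "someone-else" // tamper with requester context
	fmt.Println("tampered receipt verifies:", VerifyReceipt(pub, forged))
}
```

Signing the canonical encoding rather than the Go struct is what makes the tamper rows meaningful: any change to the requester context, delegation chain or policy hash changes the signed bytes, so the original signature no longer verifies and the check fails closed.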
Validation Process
AARM is an open-source project and there is no charge for conformance validation.
Submit a request
Fill out the conformance validation form below. Include your organization name, product name, and which conformance level you are targeting (Core or Extended).
Receive the validation package
We will email you the validation package, which includes the full set of technical checks and claiming-conformance (organizational) checks your system needs to satisfy.