AIM is IAM for AI agents — cryptographic identity, access control, and accountability by default.
Stop prompt injection. Verify agent identity. Enforce capabilities. Detect threats in real-time.
IAM secures people. SPIFFE secures workloads. Sigstore secures software. AIM secures AI agents.
📢 December 2025 Update: Java SDK now available! Both Python and Java SDKs support one-line agent registration with tags, metadata, and MCP attestation. Watch the full demo →
No Proxies. Direct Observation. AIM doesn't intercept your agent traffic. Agents report actions explicitly via SDK decorators while communicating directly with target systems. Learn more →
| Option | Best For | Link |
|---|---|---|
| ☁️ AIM Cloud | Quick start, no infrastructure | aim.opena2a.org |
| 🏠 Self-Hosted | Full control, on-premise | Deploy Guide |
Your AI agents are autonomous. They call APIs, access databases, and make decisions. But right now:
- Attackers can impersonate agents — There's no cryptographic proof of identity
- Prompt injection bypasses your guardrails — Agents can be tricked into unauthorized actions
- You have no visibility — What are your agents doing? Who authorized them?
- A single rogue agent can — Exfiltrate data, rack up API bills, delete production databases
AIM solves this with cryptographic identity, capability enforcement, and real-time threat detection.
AIM uses direct, declarative observation — not proxies or network interception. This is a fundamental design choice that preserves agent autonomy while providing complete visibility.
┌─────────────────────────────────────────────────────────────────────────┐
│ YOUR AGENT │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ @agent.perform_action(capability="db:read") │ │
│ │ def get_customer(id): │ │
│ │ return database.query(id) ───────────────────────────────┼────┼──► Target System
│ └─────────────────────────────────────────────────────────────────┘ │ (Direct Connection)
│ │ │
│ │ Reports action │
│ ▼ │
│ AIM Backend │
│ (Verification + Logging) │
└─────────────────────────────────────────────────────────────────────────┘
| Anti-Pattern | Why We Avoid It |
|---|---|
| Network Proxy | No man-in-the-middle between agent and target systems |
| Traffic Interception | No packet sniffing or request redirection |
| Transparent Wrapping | Agents explicitly declare actions via SDK decorators |
| Request Modification | Agent requests pass directly to targets unchanged |
| Approach | How It Works |
|---|---|
| Explicit Declaration | @perform_action decorator reports what the agent is doing |
| Cryptographic Signing | Agent signs actions with Ed25519 private key |
| MCP Discovery | SDK scans local config files, reports MCP servers in use |
| Capability Verification | SDK calls AIM API before executing sensitive actions |
| Operation | Overhead | Blocking? |
|---|---|---|
| Agent → Target communication | Zero | No proxy in path |
| Capability verification | ~50-200ms | Yes (per action) |
| MCP discovery & attestation | ~5-30s | No (background thread) |
| Security logging | <5ms | Configurable (sync/async) |
Key point: AIM adds no latency to the agent↔target communication path. Verification overhead applies only to the AIM reporting call, not to your agent's actual work.
- No single point of failure — If AIM is down, agents can optionally continue (fail-open mode)
- No compatibility issues — Works with any MCP server, API, or database without modification
- Full audit trail — Every action is cryptographically signed and logged
- Agent retains control — Agents explicitly choose what to report, nothing is intercepted
Real-time monitoring of all your AI agents with threat detection, trust scoring, and compliance status.
- Unified Activity Timeline — Every agent action, MCP connection, and verification in one feed
- Trust Score Visualization — 8-factor behavioral analysis with trend tracking
- Security Alerts — Severity-based alerts with acknowledgment workflow
- Compliance Checks — 10 automated checks for security and operational compliance
Centralized security operations with smart scoring and real-time threat visibility.
- Smart Security Score — 4-component algorithm measuring trust health, fleet coverage, threat response, and operational health
- Actions Today — Real-time count of all agent verifications and actions
- Blocked Actions — Capability violations blocked by policy enforcement
- MCP Server Monitoring — Track verified MCP servers and their trust status
- Risk By Category — Violations categorized by type (admin, file, database, API, etc.)
- Protection Timeline — 7-day trend of security events and blocked actions
Every agent gets a cryptographically verifiable identity that cannot be forged.
- Ed25519 Key Pairs — Industry-standard cryptographic signing
- Post-Quantum Cryptography (PQC) — ML-DSA (NIST FIPS 204) for quantum-resistant signatures
- Hybrid Mode — Ed25519+ML-DSA for defense-in-depth during cryptographic transition
- Challenge-Response Verification — Prove agent identity on every request
- Status Tracking — Active, pending, suspended, revoked states
- Metadata & Versioning — Track agent versions, repositories, documentation
Define what each agent can do. Block everything else — including prompt injection attacks.
- Declared Capabilities —
db:read,api:call,file:write, etc. - Runtime Enforcement — Unauthorized actions blocked at API layer
- Risk Level Detection — Automatic risk assessment from capability patterns
- Violation Logging — Every blocked action is recorded for audit
Verify the Model Context Protocol servers your agents connect to.
- Server Registration — Register and verify MCP servers with public keys
- Connection Tracking — Monitor which agents connect to which servers
- Configuration Drift Detection — Detect when server configs change unexpectedly
- Tool Inventory — Track available tools per MCP server
Monitor your entire MCP ecosystem with comprehensive supply chain visibility.
- Supply Chain Dashboard — View all MCP servers, verification status, and attestation health
- ABOM (Agent Bill of Materials) — Complete inventory of all agents, their capabilities, MCP connections, and dependencies
- Confidence Score Distribution — Visual breakdown of server trust levels (High/Good/Medium/Low)
- Attestation Activity Trends — 7-day graph showing attestation patterns across your organization
- Capability Drift Alerts — Automatic detection when MCP server tools change unexpectedly
- Auto-Attestation — SDK automatically creates attestations on first tool use
- Server Dependencies — Track which agents depend on which MCP servers
Secure multi-agent systems with visibility into agent collaboration patterns.
- Connection Declaration — Agents declare which services and agents they communicate with
- Multi-Agent Patterns — Support for orchestrator/worker, peer-to-peer, and hub-and-spoke topologies
- Dependency Graphs — Visualize agent-to-agent and agent-to-MCP relationships
- Framework Integration — Works with CrewAI, AutoGen, LangGraph, and other multi-agent frameworks
- Trust Propagation — Understand trust implications across agent networks
8-factor algorithm that continuously evaluates agent trustworthiness based on behavior.
| Factor | Weight | What It Measures |
|---|---|---|
| Verification Status | 25% | Has the agent passed cryptographic verification? |
| Uptime & Availability | 15% | Is the agent consistently available? |
| Action Success Rate | 15% | Do the agent's actions succeed or fail? |
| Security Alerts | 15% | Any security violations or warnings? |
| Compliance Score | 10% | Passing compliance checks? |
| Age & History | 10% | How long has this agent been active? |
| Drift Detection | 5% | Any unexpected configuration changes? |
| User Feedback | 5% | Manual trust adjustments from admins |
Complete inventory of your AI agent ecosystem for supply chain security and compliance.
Unlike traditional SBOM (Software Bill of Materials) for code dependencies, ABOM provides visibility into AI-specific components:
| Component | What It Tracks |
|---|---|
| Agents | All registered agents, their types, capabilities, and trust scores |
| MCP Servers | Connected Model Context Protocol servers and their tools |
| Capabilities | What each agent can do (db:read, api:call, file:write, etc.) |
| Connections | Agent-to-MCP relationships and attestation history |
| Drift Events | When capabilities change unexpectedly |
Why ABOM Matters:
- Compliance Audits — Know exactly what AI components your organization uses
- Incident Response — Quickly identify affected agents when an MCP server is compromised
- Change Management — Track capability drift and unauthorized tool additions
- Risk Assessment — Understand the blast radius of any single agent or MCP server
Export Formats: CycloneDX-compliant JSON for integration with existing SBOM tooling.
Sensitive operations require real-time admin approval before execution.
- Request Workflow — Agents request elevated access
- Admin Approval — Approve or deny with reason
- Time-Limited — Access expires automatically
- Full Audit Trail — Every request and decision logged
Configure enforcement modes and detection rules for your entire organization.
- Global Enforcement Mode — Choose between MONITORING (observe) and STRICT (enforce) modes
- MONITORING: Actions are logged and alerted but never blocked — ideal for development
- STRICT: Policies are enforced and unauthorized actions are blocked — ideal for production
- Capability Violation Detection — Detect when agents exceed their registered capabilities
- Data Exfiltration Detection — Detect unusual data transfer patterns
- Trust Score Policies — Block or alert on agents with low trust scores
- Failed Authentication Monitoring — Alert on repeated auth failures
Note: In MONITORING mode, individual policy blocking decisions are overridden to allow all actions while still generating alerts. Switch to STRICT mode to enforce policies.
Every action, verification, and security event is logged for compliance.
- SOC 2 Ready — Full audit trail for compliance auditors
- HIPAA Compatible — Secure access logging for healthcare
- GDPR Aligned — Data access tracking and consent management
- Export Capabilities — CSV/JSON export for external analysis
- Docker and Docker Compose
- Git
git clone https://github.com/opena2a-org/agent-identity-management.git
cd agent-identity-management
docker compose up -dLogin: [email protected] / AIM2025!Secure
Navigate to Settings → SDK Download in the dashboard.
Python:
from aim_sdk import secure, AgentType
agent = secure(
"my-ai-assistant",
agent_type=AgentType.LANGCHAIN,
capabilities=["db:read", "api:call"],
tags=["production", "customer-facing"],
metadata={"model": "gpt-4", "department": "support"}
)
@agent.perform_action(capability="db:read")
def get_customer(customer_id: str):
return {"id": customer_id, "name": "Jane Doe"}
result = get_customer("cust-123")Java:
import org.opena2a.aim.client.AIMClient;
import org.opena2a.aim.client.AgentType;
AIMClient agent = AIMClient.secure(
"my-ai-assistant",
Arrays.asList("db:read", "api:call"),
AgentType.LANGCHAIN,
null, // talksTo
"Customer support AI agent",
Arrays.asList("production", "customer-facing"),
Map.of("model", "gpt-4", "department", "support")
);
// Verify before action
User user = agent.performAction("db:read", "users", () -> {
return userRepository.findById(userId);
});Watch the dashboard update in real-time as your agent registers and performs actions.
| SDK | Language | Installation | Features |
|---|---|---|---|
| Python SDK | Python 3.8+ | pip install aim-sdk |
Decorators, auto-detection, MCP integration, PQC support |
| TypeScript SDK | Node.js 18+ | npm install @opena2a/aim-sdk |
Full PQC support, async/await, type-safe |
| Java SDK | Java 17+ | Maven/Gradle | LangChain4j integration, Spring AI, enterprise security |
The Java SDK includes enterprise-grade security infrastructure:
| Component | Description |
|---|---|
| SecurityLogger | SOC/SIEM compatible JSON event logging for Splunk, ELK, Datadog |
| RiskDetector | Pattern-based risk analysis (LOW → CRITICAL) |
| AttestationCache | Caches MCP attestations with 24h TTL and drift detection |
| SupplyChainReporter | ABOM (Agent Bill of Materials) generation for compliance |
| LangChain4j Integration | AIMToolExecutor wraps tools with capability verification |
| Spring AI Integration | AIMFunctionCallingAdvisor for Spring Boot applications |
Both SDKs support the same core parameters:
| Parameter | Python | Java | Description |
|---|---|---|---|
name |
name |
agentName |
Unique agent identifier (required) |
agent_type |
agent_type |
agentType |
Agent type (auto-detected or explicit) |
capabilities |
capabilities |
capabilities |
List of capabilities (e.g., ["db:read"]) |
mcp_servers |
mcp_servers |
talksTo |
MCP servers the agent uses |
tags |
tags |
tags |
Tags for categorization |
metadata |
metadata |
metadata |
Custom key-value metadata |
description |
description |
description |
Human-readable description |
Credential Caching: Both SDKs cache credentials in ~/.aim/. Use force_new=True (Python) to force re-registration.
| Feature | Description |
|---|---|
| Agent Type Detection | Auto-detects framework (LangChain, CrewAI, etc.) or LLM provider (Claude, GPT, etc.) |
| Key Generation | Creates Ed25519 keypair for cryptographic identity |
| Registration | Registers agent with AIM backend |
| Verification | Completes challenge-response authentication |
| Action Logging | Logs every decorated action with metadata |
| Capability Check | Blocks unauthorized actions before execution |
| Risk Assessment | Auto-detects risk level from capability patterns |
The SDK automatically detects your agent type from imported packages:
| Category | Types | Auto-Detection |
|---|---|---|
| LLM Providers | Claude, GPT, Gemini, Llama, Mistral, Cohere | Detects anthropic, openai, etc. |
| Frameworks | LangChain, LlamaIndex, CrewAI, AutoGen, LangGraph, Haystack, Semantic Kernel | Detects framework imports |
| Copilots | Copilot, Assistant, Chatbot | For interactive assistants |
| Autonomous | AutoGPT, BabyAGI | Self-directed agents |
Or specify explicitly:
from aim_sdk import secure, AgentType
agent = secure("my-agent", agent_type=AgentType.CREWAI)The SDK automatically determines risk levels based on capability patterns:
@agent.perform_action(capability="weather:fetch") # → low (read-only, public data)
@agent.perform_action(capability="db:write") # → medium (data modification)
@agent.perform_action(capability="file:delete") # → high (destructive action)
@agent.perform_action(capability="payment:process") # → critical (financial operation)
# Override when needed
@agent.perform_action(capability="internal:api", risk_level="critical")Both SDKs have known issues identified during code review that are tracked for resolution. See the SDK Security & Stability Fixes section in ROADMAP.md for details.
| Attack Vector | Without AIM | With AIM |
|---|---|---|
| Agent Impersonation | Attacker claims to be agent-007 → System trusts it | Attacker can't sign cryptographic challenge → Blocked |
| Prompt Injection | Malicious prompt tricks agent into data exfiltration | Capability enforcement blocks unauthorized action at API layer |
| Malicious MCP Server | Agent connects to attacker-controlled server | MCP attestation detects unregistered server → Alert |
| Credential Theft | Stolen API key gives full access | Key bound to specific agent + capabilities → Limited blast radius |
| Configuration Drift | Attacker modifies agent config | Drift detection catches changes → Alert + optional block |
| Post-Breach Investigation | No logs, no visibility | Complete audit trail with forensic detail |
- SOC 2 Type II — Access controls, audit logging, monitoring
- HIPAA — PHI access tracking, encryption, access controls
- GDPR — Data access logging, consent tracking, right to deletion
- ISO 27001 — Security controls, risk assessment, incident management
Manage hundreds of AI agents across your organization with centralized identity, capability enforcement, and monitoring.
- Register agents programmatically via SDK or API
- Define allowed capabilities per agent
- Monitor trust scores and security alerts
- Revoke compromised agents instantly
Add security controls to your existing AI agent frameworks without rewriting your code.
Python:
from aim_sdk import secure
agent = secure("langchain-agent")
@agent.perform_action(capability="search:web")
def search_tool(query):
# Your existing tool logic
passJava (with AspectJ):
@SecureAction(capability = "search:web", resource = "search_api")
public SearchResult searchWeb(String query) {
// Your existing tool logic
}Secure patient data access with verified agent identities and complete audit trails.
- Every PHI access logged with agent identity
- Capability restrictions prevent unauthorized data access
- JIT access for sensitive operations
- Compliance reports for auditors
Deploy AI agents that meet SOC 2 compliance requirements out of the box.
- Cryptographic identity prevents impersonation
- Capability enforcement meets least-privilege requirements
- Complete audit trail for financial regulators
- Real-time alerting for suspicious behavior
Secure your CI/CD pipelines and infrastructure automation agents.
- Verify agent identity before infrastructure changes
- Restrict capabilities to specific actions
- Detect configuration drift in automation
- Full audit trail for change management
docker compose up -dkubectl apply -f k8s/Deployment guides available for:
- AWS — ECS, EKS, Fargate
- Azure — Container Apps, AKS
- GCP — Cloud Run, GKE
See infrastructure/DEPLOYMENT.md for detailed instructions.
| Resource | Description |
|---|---|
| SDK Quickstart | Secure your first agent (2 min) |
| API Quickstart | REST API examples with curl (3 min) |
| MCP Registration | Connect and verify MCP servers (3 min) |
| Post-Quantum Cryptography | ML-DSA signatures and hybrid mode |
| Agent-to-Agent Communication | Multi-agent patterns and supply chain |
| SDK Test Plan | Comprehensive SDK validation and test coverage |
| Security Assessment | Threat model and security controls |
| Full Documentation | Complete guides and API reference |
- Cryptographic agent identity (Ed25519)
- Capability-based access control
- MCP server attestation
- MCP Supply Chain Analytics dashboard
- Smart auto-attestation with capability drift detection
- 8-factor trust scoring
- Security Command Center with smart security scoring
- Complete audit trail with pagination
- Python SDK with auto-registration and MCP integration
- Java SDK with LangChain4j, Spring AI, enterprise security features
- Enterprise security infrastructure (SecurityLogger, RiskDetector, AttestationCache)
- ABOM (Agent Bill of Materials) generation for supply chain compliance
- Agent tags and metadata support
- OAuth integration (Google, Microsoft, Okta)
- Post-Quantum Cryptography (PQC) — ML-DSA (NIST FIPS 204) signatures with hybrid Ed25519+ML-DSA mode
- Agent-to-Agent (A2A) Communication — Multi-agent connection tracking and supply chain visibility
- TypeScript SDK with PQC support
- GitHub Copilot integration
- GraphQL API
- CLI tool for automation
- Webhook integrations (Slack, PagerDuty, SIEM)
See ROADMAP.md for full details.
We welcome contributions! See CONTRIBUTING.md for guidelines.
Good first issues: Check the issues labeled good-first-issue
- 📧 Email: [email protected]
- 💬 Discord: Join us
- 🔗 Website: opena2a.org
- 🐦 Twitter: @opena2a
Apache-2.0 — See LICENSE
Built for security teams who need to trust their AI agents.
⭐ Star this repo if AIM helps secure your AI infrastructure!