Security Model

AIM implements defense-in-depth security with multiple layers of protection, from cryptographic verification to behavioral analysis, ensuring comprehensive security for AI agent operations.

Ed25519 Key Pairs

Every agent registered with AIM receives an Ed25519 key pair. Ed25519 is a high-performance elliptic curve signature scheme that produces 64-byte signatures with 128-bit security. Keys are generated locally and stored in the AIM data directory.

# Key storage location
~/.opena2a/aim-core/
  identities/
    <agent-id>/
      private.key    # Ed25519 private key (never leaves the machine)
      public.key     # Ed25519 public key (shared with verifiers)
      identity.json  # Agent metadata, capabilities, creation timestamp

# Create an agent identity via CLI
opena2a identity create --name my-agent

# Verify an existing identity
opena2a identity trust

Private keys never leave the local filesystem. Public keys are registered with the AIM server (if using the platform) or shared directly between agents (if using aim-core standalone).

Tamper-Evident Audit Log

AIM maintains a cryptographically chained audit log. Each entry includes a SHA-256 hash of the previous entry, creating a tamper-evident chain. If any log entry is modified or deleted, the chain breaks and verification fails. The audit log tracks:

  • Agent registration and identity creation events
  • Capability grants and revocations
  • Action executions with signed payloads
  • Trust score changes and the factors that triggered them
  • MCP server connections and attestation results
  • Policy violations and enforcement actions
  • Configuration changes to security settings
  • Capability drift detection events

Trust Score: 8-Factor Algorithm

Trust scores range from 0 to 100 and are recalculated dynamically based on agent behavior. The algorithm weights eight factors:

Identity Verification20%

Valid Ed25519 key pair, signature verification history

Attestation Count15%

Number of successful cryptographic attestations

Capability Compliance15%

Actions within declared capability boundaries

Behavioral Consistency12%

Deviation from established usage patterns

MCP Server Trust12%

Aggregate trust of connected MCP servers

Error Rate10%

Frequency of failed or rejected operations

Audit Completeness8%

Presence of complete, unbroken audit chain

Age and Activity8%

Time since creation and regularity of activity

Core Security Principles

Zero Trust Architecture

Every request is verified, authenticated, and authorized. No implicit trust based on network location.

Least Privilege Access

Agents and users receive minimum permissions required for their tasks.

Defense in Depth

Multiple security layers ensure that if one fails, others maintain protection.

Event-Driven Monitoring

Event-driven analysis of activities with behavioral anomaly detection.

Security Layers

Layer 1: Authentication & Identity

Ed25519 Cryptographic Signatures: Military-grade public key cryptography for agent verification
JWT with Rotation: Short-lived access tokens with automatic refresh token rotation
API Key Management: SHA-256 hashed keys with expiration and usage tracking
Multi-Factor Authentication: Optional 2FA for human users via TOTP

Layer 2: Authorization & Access Control

Role-Based Access Control (RBAC): Fine-grained permissions with Admin, Manager, Member roles
Resource-Level Permissions: Control access to specific resources and operations
Dynamic Policy Engine: Runtime evaluation of security policies based on context
Capability-Based Security: Explicit capability grants for agent operations

Layer 3: Encryption & Data Protection

TLS 1.3 in Transit: All API communications encrypted with modern TLS
AES-256 at Rest: Database and file storage encryption using AES-256-GCM
Key Management: Automated key rotation with secure key vault storage
Secret Handling: Environment-based secrets with no hardcoded credentials

Layer 4: Monitoring & Threat Detection

Anomaly Detection: Statistical analysis identifies unusual behavioral patterns
Comprehensive Audit Logging: Every action logged with full context for compliance
Security Event Correlation: Cross-reference events to detect complex attack patterns
Automated Alert System: Instant notifications for security events via email/webhook

Threat Model & Mitigations

ThreatMitigation
Unauthorized Agent AccessEd25519 signatures, API key validation, trust scoring
Data ExfiltrationRate limiting, anomaly detection, audit logging
Privilege EscalationRBAC, least privilege, capability boundaries
MCP Server CompromisePublic key verification, capability restrictions
Replay AttacksNonce validation, timestamp checks, token rotation
Insider ThreatsAudit trails, approval workflows, separation of duties
Supply Chain AttacksDependency scanning, container signing, SBOM tracking

MCP Server Attestation

AIM cryptographically verifies every MCP (Model Context Protocol) server your agents connect to using Ed25519 digital signatures. This ensures that only trusted, verified servers can interact with your agents.

What Gets Verified

  • MCP Server Identity: Ed25519 public key verification
  • Declared Capabilities: read_files, execute_code, database_access, etc.
  • Capability Drift Detection: Alerts when capabilities change unexpectedly
  • Connection Patterns: Frequency and usage analysis

Automatic Discovery

  • Claude Desktop Config: Scans automatically for MCP servers
  • Common MCPs: Detects filesystem-mcp, postgres-mcp, github-mcp, etc.
  • Confidence Scoring: Multi-agent attestations build trust scores
  • Automated Alerts: Notifications on unexpected capability changes

How It Works: Each MCP server generates an Ed25519 key pair. The public key is registered with AIM, and all capabilities are cryptographically signed. When an agent connects to the MCP, AIM verifies the signature and tracks capability usage to detect anomalies.

Compliance & Certifications (2026 Roadmap)

Roadmap Item: The following compliance certifications are planned for 2026. AIM's architecture is designed to support these standards, but formal certifications are not yet complete.

SOC 2 Type II (2026)

  • • Security controls
  • • Availability monitoring
  • • Processing integrity
  • • Confidentiality measures
  • • Privacy protection

HIPAA (2026)

  • • PHI encryption
  • • Access controls
  • • Audit logging
  • • BAA support
  • • Incident response

GDPR (2026)

  • • Data minimization
  • • Right to deletion
  • • Data portability
  • • Consent management
  • • DPA available

Security Best Practices

For Administrators

  • • Enable 2FA for all admin accounts
  • • Regularly review audit logs
  • • Implement approval workflows
  • • Monitor trust score trends
  • • Keep AIM updated

For Developers

  • • Never hardcode credentials
  • • Use environment variables
  • • Implement proper error handling
  • • Follow least privilege principle
  • • Regularly rotate API keys

Learn More

Authentication Guide →Compliance Details →Trust Scoring →Security APIs →