AIM Documentation
AIM (Agent Identity Management) gives every AI agent a cryptographic identity, capability-based authorization, and a tamper-evident audit trail. It is for developers and platform teams who need to prove which agent took an action, confirm it was authorized, and keep a verifiable record for compliance. Install the SDK with pip install aim-sdk, or run identity and trust commands through the OpenA2A CLI with npm install -g opena2a-cli.
What is AIM?
AIM (Agent Identity Management) provides cryptographic identity for AI agents. Every agent gets an Ed25519 key pair that uniquely identifies it, enabling verifiable signatures on actions, tamper-evident audit logs, and capability-based access control. AIM answers the question: "Which agent did what, when, and was it authorized?"
Identity
Ed25519 key pairs for every agent. Verify who is making requests.
Audit
Tamper-evident log of every action. Full traceability for compliance.
Policy
Capability-based access control. Agents only do what they are allowed to.
Trust
8-factor trust scoring. Dynamic risk assessment based on behavior.
Install via CLI
npm install -g opena2a-cli
The OpenA2A CLI includes AIM commands for identity creation, trust scoring, and agent security scanning. Run opena2a identity create --name my-agent to generate your first agent identity.
1. Choose your setup
AIM Platform
Dashboard, fleet management, RBAC, compliance reporting, cross-agent analytics. Requires Docker.
docker compose up -d
@opena2a/aim-core
No server
Ed25519 identity, capability policy, trust scoring, and audit log in a single npm package. No infrastructure.
npm install @opena2a/aim-core
2. Pick your path
Python Developer
Secure agents with the Python SDK. LangChain, CrewAI, and Anthropic/OpenAI integrations.
Java Developer
@SecureAction annotations, Spring Boot integration, and LangChain4j support.
Security Engineer
Trust scoring, security policies, alerts, and compliance reporting.
Platform Admin
Installation, user management, API keys, audit logs, and dashboard setup.
3. Key concepts
Trust Scoring
8-factor algorithm for dynamic risk assessment
MCP Servers
Register and verify MCP servers with security policies
REST API
Complete API reference with request/response examples
5-step Fine-Grained Authorization
On the server, every privileged action runs through five checks before execution. The first four carry a low latency budget. Step 5 calls the NanoMind security classifier, a 3M-parameter local Mamba model, with a larger budget reserved for high-risk operations. No external calls.
| Step | Check | Latency budget |
|---|---|---|
| 1 | Capability | <10ms |
| 2 | Attribute | <10ms |
| 3 | Context | <10ms |
| 4 | Chain | <10ms |
| 5 | Intent (NanoMind) | up to 800ms on high-risk operations |
Risk detection in the Python SDK
@perform_action auto-detects the risk level from the capability string using two lookup tables. A namespace prefix sets a baseline, an action suffix adjusts it, and when the two disagree the higher risk wins. A SPECIFIC_CAPABILITY_MAP overrides both for known patterns (for example user:delete escalates to critical). Pass risk_level="critical" to override, and jit_access=True to pause execution until a human approves in the dashboard.
Namespace prefix
| Risk | Prefixes |
|---|---|
| Critical | payment:, admin:, system:, billing:, finance: |
| High | email:, notification:, sms:, user:, auth:, secret:, credential: |
| Medium | db:, database:, file:, storage:, cache: |
| Low | api:, weather:, search:, geocode:, translate:, time:, math:, util: |
Action suffix
| Risk | Suffixes |
|---|---|
| Low | :read, :fetch, :get, :list, :query, :view, :check, :validate |
| Medium | :write, :update, :create, :modify, :save, :upload |
| High | :delete, :send, :execute, :run, :invoke, :export, :transfer |
| Critical | :process, :refund, :charge, :approve, :drop, :truncate, :wipe, :terminate |
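The resolution rule described above, written out as an added example (not the aim_sdk source). The names Risk and detect_risk, the case-folding, and the HIGH default for capabilities that match neither table are assumptions of this sketch; the two tables and the user:delete override come from this page.

```python
from enum import IntEnum

class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

def _table(rows):
    # Expand {Risk: "a b c"} into {"a": Risk, "b": Risk, ...}
    return {name: risk for risk, names in rows.items() for name in names.split()}

# Both tables are copied from this page.
PREFIX_RISK = _table({
    Risk.CRITICAL: "payment admin system billing finance",
    Risk.HIGH: "email notification sms user auth secret credential",
    Risk.MEDIUM: "db database file storage cache",
    Risk.LOW: "api weather search geocode translate time math util",
})
SUFFIX_RISK = _table({
    Risk.LOW: "read fetch get list query view check validate",
    Risk.MEDIUM: "write update create modify save upload",
    Risk.HIGH: "delete send execute run invoke export transfer",
    Risk.CRITICAL: "process refund charge approve drop truncate wipe terminate",
})
# Only the override the page names; the SDK's full map is not shown there.
SPECIFIC_CAPABILITY_MAP = {"user:delete": Risk.CRITICAL}

def detect_risk(capability, risk_level=None, unknown=Risk.HIGH):
    """Resolve a capability string such as 'db:read' to a Risk.

    Assumptions of this sketch: input is case-folded, and a capability
    with no recognised prefix or suffix gets `unknown` (HIGH here).
    """
    if risk_level is not None:                 # caller's explicit override
        return Risk[risk_level.upper()]
    cap = capability.strip().lower()
    if cap in SPECIFIC_CAPABILITY_MAP:         # known pattern beats both tables
        return SPECIFIC_CAPABILITY_MAP[cap]
    parts = cap.split(":")
    if len(parts) < 2:                         # no namespace:action shape
        return unknown
    hits = [t[p] for t, p in ((PREFIX_RISK, parts[0]), (SUFFIX_RISK, parts[-1])) if p in t]
    return max(hits) if hits else unknown      # on disagreement the higher risk wins

# Constructed sample capabilities, not taken from a real deployment.
SAMPLES = ["weather:fetch", "db:read", "api:delete", "payment:read",
           "user:delete", "db:users:drop", "inventory:reserve"]

if __name__ == "__main__":
    for cap in SAMPLES:
        print(f"{cap:20} {detect_risk(cap).name.lower()}")
```

Because the higher risk wins, a read-only suffix never lowers a critical namespace: payment:read still resolves to critical.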
Framework and LLM auto-detection
secure() auto-detects the framework from imports (langchain, crewai, llama_index, anthropic, openai). When both a framework and an LLM provider are present, the framework wins.
# python
from aim_sdk import secure
# langchain import present alongside an openai import:
# the framework (langchain) wins over the LLM provider (openai)
agent = secure("my-first-agent")
Server integrations
Available in Self-hosted mode. SIEM adapters forward audit events; CyberArk integration covers vaulted retrieval and privileged session recording.
SIEM adapters
Splunk HEC and Microsoft Sentinel Data Collector. Buffered batch delivery, retry, and severity filtering.
CyberArk
CCP for vaulted credential retrieval. PSM for privileged session recording.
Two trust-scoring models
The local and server trust scores measure different things, and both can run for the same agent when local-to-server reporting is enabled. The local 8-factor score (TypeScript) answers whether the agent's security posture is set up correctly, computed from local files. The server 9-factor score (Go) answers whether the agent is behaving in a way that should still be trusted right now, updated on every action.
Local trust (8 factors, TypeScript)
| Factor | Weight |
|---|---|
| Identity | 20% |
| Capabilities | 15% |
| Audit log | 10% |
| Secrets managed | 15% |
| Config signed | 10% |
| Skills verified | 10% |
| Network controlled | 10% |
| Heartbeat monitored | 10% |
Server trust (9 factors, Go)
| Factor | Weight |
|---|---|
| Verification status | 25% |
| Uptime | 15% |
| Action success rate | 15% |
| Security alerts | 15% |
| Compliance | 10% |
| Execution isolation | 10% |
| Agent age | 5% |
| Drift detection | 3% |
| User feedback | 2% |
