Detection & Anomaly

Real-time detection of MCP servers, agent capabilities, and configuration drift. AIM automatically monitors your agents and alerts you to unauthorized changes.

MCP Detection

Automatically detect MCP servers that agents communicate with. Flag unregistered servers for review.

Capability Detection

Monitor agent capabilities in real-time. Detect unauthorized file access, database queries, or network connections.

Configuration Drift

Alert when agents connect to unregistered MCP servers or attempt to use undeclared capabilities.

How Detection Works

AIM's detection system monitors agent behavior in real-time, comparing runtime activity against registered configurations. When discrepancies are detected, alerts are generated and trust scores may be adjusted.

Detection Flow

1. Agent Activity

SDK reports runtime behavior

2. Detection Engine

Compares against registered config

3. Anomaly Found

Drift or violation detected

4. Alert Generated

Trust score adjusted

Detection Types

MCP Server Detection

Identifies MCP servers that agents communicate with. New servers can be automatically registered or flagged for admin review.

Capability Detection

Monitors what capabilities agents are actually using (file access, database, network, code execution) and compares against declared permissions.

Configuration Drift

Detects when runtime behavior diverges from registered configuration. This includes connecting to unregistered MCP servers or using undeclared capabilities.

Best Practices

Enable SDK Detection

Install the AIM SDK to automatically detect and report MCP servers and capabilities.

Review Drift Alerts

Regularly check configuration drift alerts and either register legitimate MCPs or investigate unauthorized ones.

Set Up Security Policies

Configure security policies to automatically respond to detection events (e.g., block high-risk agents).

Monitor Trust Scores

Detection events affect trust scores. Monitor score changes to identify problematic agents.