@bibryam: AI Agent Governance Toolkit - by Microsoft Runtime governance for AI agents through deterministic policy enforcement, z…
Summary
Microsoft released the Agent Governance Toolkit, an open-source runtime enforcement tool for AI agents that provides deterministic policy enforcement, zero-trust identity, and sandboxing, covering all 10 OWASP Agentic risks with over 13,000 tests.
View Cached Full Text
Cached at: 05/21/26, 01:36 PM
AI Agent Governance Toolkit - by Microsoft Runtime governance for AI agents through deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE for autonomous agents. Covers all 10 OWASP Agentic risks with 13,000+ tests. https://github.com/microsoft/agent-governance-toolkit…
microsoft/agent-governance-toolkit
Source: https://github.com/microsoft/agent-governance-toolkit
Agent Governance Toolkit
📖 Docs · 🚀 Quick Start · 📋 Specifications · 📦 PyPI · 📝 Changelog
Public Preview – production-quality, Microsoft-signed releases. May have breaking changes before GA.
Runtime governance for AI agents. Every tool call, resource access, and inter-agent message is evaluated against policy before execution – deterministic, sub-millisecond, and auditable.
Agent Action ──► Policy Check ──► Allow / Deny ──► Audit Log (< 0.1 ms)
Prompt-based safety (“please follow the rules”) has a 26.67% policy violation rate in red-team testing. AGT’s application-layer enforcement: 0.00%.
Python · TypeScript · .NET · Rust · Go. Works with LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK, Semantic Kernel, AWS Bedrock, and 20+ more.
Quick Start
pip install agent-governance-toolkit[full]
from agent_os.policies import (
PolicyEvaluator, PolicyDocument, PolicyRule,
PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)
evaluator = PolicyEvaluator(policies=[PolicyDocument(
name="my-policy", version="1.0",
defaults=PolicyDefaults(action=PolicyAction.ALLOW),
rules=[PolicyRule(
name="block-dangerous-tools",
condition=PolicyCondition(
field="tool_name",
operator=PolicyOperator.IN,
value=["execute_code", "delete_file"]
),
action=PolicyAction.DENY, priority=100,
)],
)])
result = evaluator.evaluate({"tool_name": "web_search"}) # ✅ Allowed
result = evaluator.evaluate({"tool_name": "delete_file"}) # ❌ Blocked
TypeScript / .NET / Rust / Go examples
TypeScript
import { PolicyEngine } from "@microsoft/agent-governance-sdk";
const engine = new PolicyEngine([
{ action: "web_search", effect: "allow" },
{ action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"
.NET
using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;
var kernel = new GovernanceKernel(new GovernanceOptions
{
PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
new() { ["query"] = "latest AI news" });
// MCP server integration
builder.Services.AddMcpServer()
.WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));
Rust
use agent_governance::{AgentMeshClient, ClientOptions};
let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);
Go
import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"
client, _ := agentmesh.NewClient("my-agent",
agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
{Action: "data.read", Effect: agentmesh.Allow},
{Action: "*", Effect: agentmesh.Deny},
}),
)
result := client.ExecuteWithGovernance("data.read", nil)
CLI tools:
agt doctor # check installation
agt verify # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B # prompt injection audit
agt lint-policy policies/ # validate policy files
Full walkthrough: quickstart.md – zero to governed agents in 10 minutes with YAML, OPA/Rego, and Cedar policies. 🌍 Also in: 日本語 | 简体中文 | 한국어
Core Capabilities
Policy Engine
Deterministic allow/deny evaluation for every agent action. Sub-millisecond latency (0.012ms p50 for single rule, 35K ops/sec concurrent). Supports YAML, OPA/Rego, and Cedar policy languages. Fail-closed by default – if the engine errors, the action is denied.
Agent OS · Benchmarks · Spec
Zero-Trust Identity
Ed25519 + quantum-safe ML-DSA-65 agent credentials. Behavioral trust scoring (0–1000) that decays when agents act outside expected patterns. SPIFFE/SVID compatible. Trust ceilings propagate through delegation chains – a delegated agent can never exceed its parent’s trust level.
Execution Sandboxing
Four privilege rings (kernel, supervisor, user, untrusted) with hardware-style isolation semantics. Saga orchestration for multi-step workflows with automatic compensation on failure. Kill switch for immediate agent termination.
Runtime · Hypervisor · Spec
Agent SRE
SLOs, error budgets, replay debugging, chaos engineering, and circuit breakers for agent fleets. OTel-native observability with structured governance events.
Audit and Compliance
Tamper-evident Merkle-chained audit logs. Reconstructible Decision BOMs from observability signals. Automated compliance mapping for EU AI Act, SOC 2, HIPAA, and GDPR. CloudEvents export for SIEM integration.
MCP Security Gateway
Tool poisoning detection, description drift monitoring, typosquatting checks, and hidden instruction scanning for MCP tool definitions.
Additional Capabilities
| Capability | Description |
|---|---|
| Inter-Agent Trust | Mesh-wide trust negotiation, peer signature verification, coordinated policy enforcement (Spec) |
| RL Training Governance | Violation penalties in reward signals, episode termination on critical violations (Spec) |
| Framework Adapters | 10 adapters with unified governance interceptor chain (Spec) |
| Shadow AI Discovery | Find unregistered agents across processes, configs, and repos (Discovery) |
| Agent Lifecycle | Provisioning, credential rotation, orphan detection, decommissioning (Lifecycle) |
| Governance Dashboard | Real-time fleet visibility for health, trust, and compliance (Dashboard) |
| PromptDefense Evaluator | 12-vector prompt injection audit (Evaluator) |
| Contributor Reputation | PR/issue author screening for social engineering. Reusable GitHub Action (Action) |
Specifications
Every major component has a formal RFC 2119 specification with conformance tests. These specs define the behavioral contract – what implementations MUST, SHOULD, and MAY do.
| Specification | Scope | Tests |
|---|---|---|
| Agent OS Policy Engine | Policy evaluation, rule merging, fail-closed semantics | 68 |
| AgentMesh Identity and Trust | Credentials, trust scoring, delegation chains | 135 |
| Agent Hypervisor Execution Control | Privilege rings, saga orchestration, kill switch | 80 |
| AgentMesh Trust and Coordination | Peer trust negotiation, mesh-wide policy | 62 |
| Agent SRE Governance | SLOs, error budgets, chaos, circuit breakers | 111 |
| MCP Security Gateway | Tool poisoning, drift detection, hidden instructions | 127 |
| Agent Lightning Fast-Path | RL training governance, violation penalties | 100 |
| Framework Adapter Contract | 10 adapter integrations, interceptor chain | 152 |
| Audit and Compliance | Merkle audit, compliance mapping, Decision BOM | 157 |
| AgentMesh Wire Protocol | Message format, routing, serialization | – |
992 conformance tests ensure code stays aligned to specs. 25 Architecture Decision Records document why.
Framework Support
| Framework | Integration |
|---|---|
| Microsoft Agent Framework | Native Middleware |
| Semantic Kernel | Native (.NET + Python) |
| AutoGen | Adapter |
| LangGraph / LangChain | Adapter |
| CrewAI | Adapter |
| OpenAI Agents SDK | Middleware |
| Google ADK | Adapter |
| LlamaIndex | Middleware |
| Haystack | Pipeline |
| Dify | Plugin |
| Azure AI Foundry | Deployment Guide |
| GitHub Copilot CLI | Governance installer |
Full list: Framework Integrations · Quickstart Examples
OWASP Agentic Top 10
AGT covers all 10 risks identified in the OWASP Agentic Security Top 10:
| Risk | AGT Control |
|---|---|
| ASI-01 Agent Goal Hijacking | Policy engine blocks unauthorized goal changes |
| ASI-02 Excessive Capabilities | Capability model enforces least-privilege |
| ASI-03 Identity & Privilege Abuse | Zero-trust identity with Ed25519 + ML-DSA-65 |
| ASI-04 Uncontrolled Code Execution | Execution rings + sandboxing |
| ASI-05 Insecure Output Handling | Content policies validate all outputs |
| ASI-06 Memory Poisoning | Episodic memory with integrity checks |
| ASI-07 Unsafe Inter-Agent Comms | Encrypted channels + trust gates |
| ASI-08 Cascading Failures | Circuit breakers + SLO enforcement |
| ASI-09 Human-Agent Trust Deficit | Full audit trails + flight recorder |
| ASI-10 Rogue Agents | Kill switch + ring isolation + anomaly detection |
Regulatory alignment: EU AI Act · NIST AI RMF · SOC 2
Install
| Language | Command |
|---|---|
| Python | pip install agent-governance-toolkit[full] |
| TypeScript | npm install @microsoft/agent-governance-sdk |
| Copilot CLI | npx @microsoft/agent-governance-copilot-cli install |
| .NET | dotnet add package Microsoft.AgentGovernance |
| Rust | cargo add agent-governance |
| Go | go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang |
All five languages implement core governance (policy, identity, trust, audit). Python has the full stack. See Language Package Matrix for per-language coverage.
Individual Python packages
| Package | PyPI | Description |
|---|---|---|
| Agent OS | agent-os-kernel | Policy engine, capability model, audit logging, MCP gateway |
| AgentMesh | agentmesh-platform | Zero-trust identity, trust scoring, A2A/MCP/IATP bridges |
| Agent Runtime | agentmesh-runtime | Privilege rings, saga orchestration, termination control |
| Agent SRE | agent-sre | SLOs, error budgets, chaos engineering, circuit breakers |
| Agent Compliance | agent-governance-toolkit | OWASP verification, integrity checks, policy linting |
| Agent Discovery | agent-discovery | Shadow AI discovery, inventory, risk scoring |
| Agent Hypervisor | agent-hypervisor | Execution plan validation, reversibility verification |
| Agent Marketplace | agentmesh-marketplace | Plugin lifecycle management |
| Agent Lightning | agentmesh-lightning | RL training governance |
Security
AGT enforces governance at the Python middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary.
Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture – Security Boundaries.
| Tool | Coverage |
|---|---|
| CodeQL | Python + TypeScript SAST |
| Gitleaks | Secret scanning on PR/push/weekly |
| ClusterFuzzLite | 7 fuzz targets (policy, injection, MCP, sandbox, trust) |
| Dependabot | 13 ecosystems |
| OpenSSF Scorecard | Weekly scoring + SARIF upload |
See Known Limitations for honest design boundaries and recommended layered defense.
Documentation
| Category | Links |
|---|---|
| Getting Started | Quick Start · Tutorials (40+) · FAQ |
| Architecture | System Design · Threat Model · ADRs (25) |
| Specifications | All Specs (10 formal specs, 992 conformance tests) |
| API Reference | Agent OS · AgentMesh · Agent SRE |
| Compliance | OWASP · EU AI Act · NIST AI RMF · SOC 2 |
| Deployment | Azure · AWS · GCP · Docker Compose |
| Extensions | VS Code · Framework Integrations |
Contributing
Contributing Guide · Community · Security Policy · Changelog
Using AGT? Add your organization to ADOPTERS.md.
Governance
| Document | Purpose |
|---|---|
| GOVERNANCE.md | Decision-making, roles, contributor ladder |
| CHARTER.md | Technical charter (LF Projects format) |
| MAINTAINERS.md | Maintainers and organizations |
| SECURITY.md | Vulnerability reporting and response SLAs |
| CODE_OF_CONDUCT.md | Microsoft Open Source Code of Conduct |
Important Notes
If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.
License
This project is licensed under the MIT License.
Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.
Similar Articles
@_vmlops: MICROSOFT OPEN-SOURCED A GOVERNANCE LAYER FOR YOUR AI AGENTS and it's exactly what agentic ai has been missing here's w…
Microsoft open-sourced the Agent Governance Toolkit, a governance layer for AI agents that enforces policies, identity, sandboxing, and audit logs to ensure safe and compliant autonomous agent operations.
Runtime Governance: The Missing Layer for AI Agents in 2026
The article discusses the need for runtime governance in AI agents to balance autonomy with compliance, introducing SAFi, an open-source framework that enforces policies in real-time and audits actions.
Is anyone actually enforcing AI governance, or just writing policies?
The article discusses the gap between documented AI governance policies and the practical enforcement of these rules within runtime AI agent workflows.
AI agent management tools by governance layer not by feature list
An analysis highlighting that most enterprise AI agent security investments focus on model layer guardrails and observability, leaving critical gaps at the access and protocol layers. Citing a 2026 report, 75% of enterprise AI agents remain unsecured due to near-zero coverage in these layers.
Microsoft offers devs a better way to control AI agent behavior
Microsoft introduced the Agent Control Specification (ACS), an open-source standard that gives developers a unified way to define and enforce policies for AI agents across different frameworks and environments.