MICROSOFT OPEN-SOURCED A GOVERNANCE LAYER FOR YOUR AI AGENTS

and it’s exactly what agentic ai has been missing

here’s what agent governance toolkit does:

intercepts every tool call in deterministic code before it hits the wire denied actions aren’t unlikely, they’re structurally impossible yaml policy engine lets you allow, deny, or require human approval per action zero-trust identity via spiffe/did/mtls no more 5 agents sharing one api key 4-level execution sandbox with privilege rings so agents can’t escape their scope tamper-evident merkle audit logs for compliance and incident response covers all 10/10 owasp agentic top 10 risks works with langchain, crewai, autogen, openai agents sdk, semantic kernel, and more

one pip install…any framework…python, typescript, go, rust, .net all supported

because “please follow the rules” in a system prompt is not a guardrail…it’s a suggestion

microsoft/agent-governance-toolkit

Source: https://github.com/microsoft/agent-governance-toolkit

🌍 English | 日本語 | 简体中文 | 한국어

Agent Governance Toolkit

Ship agents to production without losing sleep

🚀 Quick Start · 📋 Specifications · 📦 PyPI · 📝 Changelog

Public Preview – production-quality, Microsoft-signed releases. May have breaking changes before GA.

Policy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One pip install, any framework.

The Problem

Your AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:

1. Is this action allowed? An agent with access to send_email and query_database should not be able to drop_table. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.

2. Which agent did this? In a multi-agent system, five agents might share a single API key. When something goes wrong, “an agent did it” is not an incident response.

3. Can you prove what happened? Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.

Prompt-level safety (“please follow the rules”) is not a control surface. It is a polite request to a stochastic system. OWASP LLM01:2025 states this explicitly: “it is unclear if there are fool-proof methods of prevention for prompt injection.” The published numbers back this up. On JailbreakBench (Chao et al., NeurIPS 2024), the standard open robustness benchmark for LLM jailbreaks, adaptive attacks reach near-100% attack success rates against frontier safety-aligned models. Andriushchenko et al., 2024 report 100% ASR on GPT-4, GPT-3.5, Claude 3, and Llama-3 using simple prompt-only attacks, and even the strongest published prompt-layer defenses leak double-digit residual ASR. Microsoft’s own AI Red Teaming Agent formalizes Attack Success Rate (ASR), the rate of policy violations under adversarial input, as the canonical metric for this class of failure, and Lessons from Red Teaming 100 Generative AI Products concludes that “AI red teaming is never complete” because model-layer defenses are probabilistic by construction.

AGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model’s intent reaches the wire. Actions the AGT kernel denies are not “unlikely.” They are structurally impossible. That is the difference between asking an agent to behave and making it incapable of misbehaving.

Quick Start

Prerequisites: Python 3.10+

pip install agent-governance-toolkit[full]

Govern any tool function in two lines:

from agentmesh.governance import govern

safe_tool = govern(my_tool, policy="policy.yaml")   # every call checked, logged, enforced

That’s it. safe_tool evaluates your YAML policy on every call, logs the decision, and raises GovernanceDenied if the action is blocked.

# policy.yaml
apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
  - name: block-destructive
    condition: "action.type in ['drop', 'delete', 'truncate']"
    action: deny
    description: "Destructive operations require human approval"

  - name: require-approval-for-send
    condition: "action.type == 'send_email'"
    action: require_approval
    approvers: ["security-team"]

>>> safe_tool(action="read", table="users")
{'table': 'users', 'rows': 42}

>>> safe_tool(action="drop", table="users")
GovernanceDenied: Action denied by policy rule 'block-destructive':
  Destructive operations require human approval

Or use the full PolicyEvaluator API for programmatic control:

from agent_os.policies import (
    PolicyEvaluator, PolicyDocument, PolicyRule,
    PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)

evaluator = PolicyEvaluator(policies=[PolicyDocument(
    name="my-policy", version="1.0",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[PolicyRule(
        name="block-dangerous-tools",
        condition=PolicyCondition(
            field="tool_name",
            operator=PolicyOperator.IN,
            value=["execute_code", "delete_file"]
        ),
        action=PolicyAction.DENY, priority=100,
    )],
)])

result = evaluator.evaluate({"tool_name": "web_search"})    # Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})   # Blocked

import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"

using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
    new() { ["query"] = "latest AI news" });

// MCP server integration
builder.Services.AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));

use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);

import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"

client, _ := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny},
    }),
)
result := client.ExecuteWithGovernance("data.read", nil)

CLI tools:

agt doctor                                        # check installation
agt verify                                        # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B         # prompt injection audit
agt lint-policy policies/                          # validate policy files

Full walkthrough: quickstart.md – zero to governed agents in 5 minutes. 🌍 Also in: 日本語 | 简体中文 | 한국어

How It Works

Agent ──► Policy Engine ──► Identity ──► Audit Log
            (YAML/OPA/Cedar)  (SPIFFE/DID/mTLS)  (Tamper-evident)
                 │                                      │
                 ├── Allowed ──► Tool executes           │
                 └── Denied  ──► GovernanceDenied        │
                                                        ▼
                                                 Decision Record

Every layer is optional. Start with govern() and add layers as your risk profile grows. Most teams run policy enforcement + audit logging and never need the full stack.

Packages

Additional Capabilities

Install

All five language SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. Copilot CLI and Claude Code are first-party developer surfaces built on the TypeScript SDK. See Language Package Matrix for detailed per-language coverage.

Prerequisites

• Python: 3.10+
• Node.js: 18+ / npm 9+ (TypeScript SDK)
• .NET: 8+
• Go: 1.25+
• Rust: 1.70+
• Optional: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET for Azure-integrated features

Framework Support

Full list: Framework Integrations · Quickstart Examples

Examples

Specifications

Every major component has a formal RFC 2119 specification with conformance tests. These specs define the behavioral contract: what implementations MUST, SHOULD, and MAY do.

992 conformance tests ensure code stays aligned to specs. 25 Architecture Decision Records document why.

Standards Compliance

Security

AGT enforces governance at the application middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary.

Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture: Security Boundaries.

See Known Limitations for honest design boundaries and recommended layered defense.

Documentation

Contributing

Contributing Guide · Community · Security Policy · Changelog

Using AGT? Add your organization to ADOPTERS.md.

Governance

Important Notes

If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.

License

This project is licensed under the MIT License.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.