🌍 English | 日本語 | 简体中文 | 한국어

Agent Governance Toolkit

Ship agents to production without losing sleep

🚀 Quick Start · 📋 Specifications · 📦 PyPI · 📝 Changelog

Policy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One pip install, any framework.

The Problem

Your AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:

1. Is this action allowed? An agent with access to send_email and query_database should not be able to drop_table. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.

2. Which agent did this? In a multi-agent system, five agents might share a single API key. When something goes wrong, "an agent did it" is not an incident response.

3. Can you prove what happened? Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.

Prompt-level safety ("please follow the rules") is not a control surface. It is a polite request to a stochastic system. OWASP LLM01:2025 states this explicitly: "it is unclear if there are fool-proof methods of prevention for prompt injection." The published numbers back this up. Andriushchenko et al. (ICLR 2025) report 100% attack success rate on GPT-4o, GPT-3.5, Claude 3, and Llama-3 using adaptive attacks with logprob access and suffix optimization, evaluated against the JailbreakBench benchmark (Chao et al., NeurIPS 2024). Microsoft's own AI Red Teaming Agent formalizes Attack Success Rate (ASR), the rate of policy violations under adversarial input, as the canonical metric for this class of failure. Lessons from Red Teaming 100 Generative AI Products reinforces the point: "mitigations do not eliminate risk entirely" and red teaming must be a continuous process because model-layer defenses are probabilistic by construction.

AGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model's intent reaches the wire. Actions the AGT kernel denies are not "unlikely." They are structurally impossible. That is the difference between asking an agent to behave and making it incapable of misbehaving.

Quick Start

Prerequisites: Python 3.10+

pip install agent-governance-toolkit[full]

For Claude Code, add AGT as a plugin marketplace and install the governance plugin:

/plugin marketplace add microsoft/agent-governance-toolkit
/plugin install agt-governance@agent-governance-toolkit

Govern any tool function in two lines:

from agentmesh.governance import govern

safe_tool = govern(my_tool, policy="policy.yaml")   # every call checked, logged, enforced

That's it. safe_tool evaluates your YAML policy on every call, logs the decision, and raises GovernanceDenied if the action is blocked.

# policy.yaml
apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
  - name: block-destructive
    condition: "action.type in ['drop', 'delete', 'truncate']"
    action: deny
    description: "Destructive operations require human approval"

  - name: require-approval-for-send
    condition: "action.type == 'send_email'"
    action: require_approval
    approvers: ["security-team"]

>>> safe_tool(action="read", table="users")
{'table': 'users', 'rows': 42}

>>> safe_tool(action="drop", table="users")
GovernanceDenied: Action denied by policy rule 'block-destructive':
  Destructive operations require human approval

Or use the full PolicyEvaluator API for programmatic control:

from agent_os.policies import (
    PolicyEvaluator, PolicyDocument, PolicyRule,
    PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)

evaluator = PolicyEvaluator(policies=[PolicyDocument(
    name="my-policy", version="1.0",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[PolicyRule(
        name="block-dangerous-tools",
        condition=PolicyCondition(
            field="tool_name",
            operator=PolicyOperator.IN,
            value=["execute_code", "delete_file"]
        ),
        action=PolicyAction.DENY, priority=100,
    )],
)])

result = evaluator.evaluate({"tool_name": "web_search"})    # Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})   # Blocked

import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"

using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
    new() { ["query"] = "latest AI news" });

// MCP server integration
builder.Services.AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));

use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);

import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"

client, _ := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny},
    }),
)
result := client.ExecuteWithGovernance("data.read", nil)

CLI tools:

agt doctor                                        # check installation
agt verify                                        # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B         # prompt injection audit
agt lint-policy policies/                          # validate policy files

Full walkthrough: quickstart.md -- zero to governed agents in 5 minutes. 🌍 Also in: 日本語 | 简体中文 | 한국어

How It Works

Agent ──► Policy Engine ──► Identity ──► Audit Log
            (YAML/OPA/Cedar)  (SPIFFE/DID/mTLS)  (Tamper-evident)
                 │                                      │
                 ├── Allowed ──► Tool executes           │
                 └── Denied  ──► GovernanceDenied        │
                                                        ▼
                                                 Decision Record

Every layer is optional. Start with govern() and add layers as your risk profile grows. Most teams run policy enforcement + audit logging and never need the full stack.

Packages

Additional Capabilities

Install

All five language SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. Copilot CLI and Claude Code are first-party developer surfaces built on the TypeScript SDK. See Language Package Matrix for detailed per-language coverage.

Prerequisites

• Python: 3.10+
• Node.js: 18+ / npm 9+ (TypeScript SDK)
• .NET: 8+
• Go: 1.25+
• Rust: 1.70+
• Optional: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET for Azure-integrated features

Framework Support

Full list: Framework Integrations · Quickstart Examples

Examples

Specifications

Every major component has a formal RFC 2119 specification with conformance tests. These specs define the behavioral contract: what implementations MUST, SHOULD, and MAY do.

992 conformance tests ensure code stays aligned to specs. 29 Architecture Decision Records document why.

Standards Compliance

Security

AGT enforces governance at the application middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary.

Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture: Security Boundaries.

See Known Limitations for honest design boundaries and recommended layered defense.

Documentation

Contributing

Contributing Guide · Community · Discord · Security Policy · Changelog

Using AGT? Add your organization to ADOPTERS.md.

Governance

Important Notes

If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.

Official Sources

The only official sources for the Agent Governance Toolkit are:

The project team does not maintain or endorse any third-party websites, packages, or documentation sites claiming to be official. If you encounter a suspicious site or package using the Agent Governance Toolkit name, please report it through the channels described in SECURITY.md.

License

This project is licensed under the MIT License.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.