Agent Governance Toolkit

May 9, 2026 · View on GitHub

Agent Governance Toolkit

📖 Documentation Site · 🚀 Quick Start · 📦 PyPI · 📝 Changelog

Important

Public Preview — Microsoft-signed, production-quality releases. May have breaking changes before GA. Open a GitHub issue for feedback.

Tip

v3.5.0 is out! Latest stable release with Bedrock adapter, prompt defense improvements, and governance hardening. Changelog →

Runtime governance for AI agents -- deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE for autonomous agents. Covers all 10 OWASP Agentic risks with 13,000+ tests.

Works with any stack — AWS Bedrock, Google ADK, Azure AI, LangChain, CrewAI, AutoGen, OpenAI Agents, and 20+ more. Python · TypeScript · .NET · Rust · Go.

What This Is (and Isn't)

What it does: Sits between your agent framework and the actions agents take. Every tool call, resource access, and inter-agent message is evaluated against policy before execution. Deterministic — not probabilistic.

What it doesn't do: This is not a prompt guardrail or content moderation tool. It governs agent actions, not LLM inputs/outputs. For model-level safety, see Azure AI Content Safety.

Agent Action ──► Policy Check ──► Allow / Deny ──► Audit Log    (< 0.1 ms)

Why it matters: Prompt-based safety ("please follow the rules") has a 26.67% policy violation rate in red-team testing. AGT's deterministic application-layer enforcement: 0.00%.

Get Started in 90 Seconds

# 1. Install
pip install agent-governance-toolkit[full]

# 2. Check your installation
agt doctor

# 3. Verify OWASP compliance
agt verify

# 4. Verify runtime evidence, when available
agt verify --evidence ./agt-evidence.json

# 5. Fail CI on weak runtime evidence
agt verify --evidence ./agt-evidence.json --strict

# 6. Red-team your agent's security posture
agt red-team scan ./prompts/ --min-grade B --strict

Then govern your first action:

from agent_os.policies import PolicyEvaluator, PolicyDocument, PolicyRule, PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults

evaluator = PolicyEvaluator(policies=[PolicyDocument(
    name="my-policy", version="1.0",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[PolicyRule(
        name="block-dangerous-tools",
        condition=PolicyCondition(field="tool_name", operator=PolicyOperator.IN, value=["execute_code", "delete_file"]),
        action=PolicyAction.DENY, priority=100,
    )],
)])

result = evaluator.evaluate({"tool_name": "web_search"})    # ✅ Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})   # ❌ Blocked deterministically

TypeScript

import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"

.NET

using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});

var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
    new() { ["query"] = "latest AI news" });
// result.Allowed == true

builder.Services
    .AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));

Rust

use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);

import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"

client, _ := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny},
    }),
)
result := client.ExecuteWithGovernance("data.read", nil)
// result.Allowed == true

Full walkthrough: quickstart.md — zero to governed agents in 10 minutes with YAML policies, OPA/Rego, and Cedar support. 🌍 Also available in: 日本語 | 简体中文 | 한국어]

What You Get

Capability	What It Does	Links
Policy Engine	Every action evaluated before execution — sub-millisecond, deterministic. Supports YAML, OPA/Rego, and Cedar policies	Agent OS · Benchmarks
Contributor Reputation	Screens PR/issue authors for social engineering: credential laundering, spray patterns, network coordination. Reusable GitHub Action for any repo	Action · Scripts
Zero-Trust Identity	Ed25519 + quantum-safe ML-DSA-65 credentials, trust scoring (0–1000), SPIFFE/SVID	AgentMesh
Execution Sandboxing	4-tier privilege rings, saga orchestration, kill switch	Runtime · Hypervisor
Agent SRE	SLOs, error budgets, replay debugging, chaos engineering, circuit breakers	Agent SRE
MCP Security Scanner	Detect tool poisoning, typosquatting, hidden instructions in MCP definitions	MCP Scanner
Shadow AI Discovery	Find unregistered agents across processes, configs, and repos	Agent Discovery
Agent Lifecycle	Provisioning → credential rotation → orphan detection → decommissioning	Lifecycle
Governance Dashboard	Real-time fleet visibility — health, trust, compliance, audit events	Dashboard
Unified CLI	`agt verify`, `agt red-team`, `agt doctor`, `agt lint-policy` — one command for everything	CLI
PromptDefense Evaluator	12-vector prompt injection audit for compliance testing	Evaluator

Works With Your Stack

Framework	Integration
Microsoft Agent Framework	Native Middleware
Semantic Kernel	Native (.NET + Python)
Microsoft AutoGen	Adapter
LangGraph / LangChain	Adapter
CrewAI	Adapter
OpenAI Agents SDK	Middleware
pi-mono	TypeScript SDK Integration
Google ADK	Adapter
LlamaIndex	Middleware
Haystack	Pipeline
Dify	Plugin
Azure AI Foundry	Deployment Guide

Full list: Framework Integrations · Quickstart Examples

OWASP Agentic Top 10 — 10/10 Covered

Risk	ID	AGT Control
Agent Goal Hijacking	ASI-01	Policy engine blocks unauthorized goal changes
Excessive Capabilities	ASI-02	Capability model enforces least-privilege
Identity & Privilege Abuse	ASI-03	Zero-trust identity with Ed25519 + ML-DSA-65
Uncontrolled Code Execution	ASI-04	Execution rings + sandboxing
Insecure Output Handling	ASI-05	Content policies validate all outputs
Memory Poisoning	ASI-06	Episodic memory with integrity checks
Unsafe Inter-Agent Comms	ASI-07	Encrypted channels + trust gates
Cascading Failures	ASI-08	Circuit breakers + SLO enforcement
Human-Agent Trust Deficit	ASI-09	Full audit trails + flight recorder
Rogue Agents	ASI-10	Kill switch + ring isolation + anomaly detection

Full mapping: OWASP-COMPLIANCE.md · Regulatory alignment: EU AI Act, NIST AI RMF, Colorado AI Act

Performance

Governance adds < 0.1 ms per action — roughly 10,000× faster than an LLM API call.

Metric	Latency (p50)	Throughput
Policy evaluation (1 rule)	0.012 ms	72K ops/sec
Policy evaluation (100 rules)	0.029 ms	31K ops/sec
Policy enforcement	0.091 ms	9.3K ops/sec
Concurrent (50 agents)	—	35,481 ops/sec

Note: These numbers measure policy evaluation only. In distributed multi-agent deployments, add ~5–50ms for cryptographic verification and mesh handshake on inter-agent messages. See Limitations — Performance for full breakdown.

Full methodology: BENCHMARKS.md

Install

Language	Package	Command
Python	`agent-governance-toolkit`	`pip install agent-governance-toolkit[full]`
TypeScript	`@microsoft/agent-governance-sdk`	`npm install @microsoft/agent-governance-sdk`
.NET	`Microsoft.AgentGovernance`	`dotnet add package Microsoft.AgentGovernance`
.NET MCP	`Microsoft.AgentGovernance.Extensions.ModelContextProtocol`	`dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol`
Rust	`agent-governance`	`cargo add agent-governance`
Go	`agent-governance-toolkit`	`go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang`

All 5 language packages implement core governance (policy, identity, trust, audit). Python has the full stack. See Language Package Matrix for detailed per-language coverage.

Individual Python packages

Package	PyPI	Description
Agent OS	`agent-os-kernel`	Policy engine, capability model, audit logging, MCP gateway
AgentMesh	`agentmesh-platform`	Zero-trust identity, trust scoring, A2A/MCP/IATP bridges
Agent Runtime	`agentmesh-runtime`	Privilege rings, saga orchestration, termination control
Agent SRE	`agent-sre`	SLOs, error budgets, chaos engineering, circuit breakers
Agent Compliance	`agent-governance-toolkit`	OWASP verification, integrity checks, policy linting
Agent Discovery	`agent-discovery`	Shadow AI discovery, inventory, risk scoring
Agent Hypervisor	`agent-hypervisor`	Reversibility verification, execution plan validation
Agent Marketplace	`agentmesh-marketplace`	Plugin lifecycle management
Agent Lightning	`agentmesh-lightning`	RL training governance

Documentation

Getting Started

Quick Start — Zero to governed agents in 10 minutes
Tutorials — 40+ numbered tutorials + 7-chapter Policy-as-Code deep dive
FAQ — Technical Q&A for customers, partners, and evaluators

Architecture & Reference

Language Package Matrix — Per-language capability comparison
Architecture — System design, security model, trust scoring
Architecture Decisions — ADR log
Threat Model — Trust boundaries and STRIDE analysis
API: Agent OS · AgentMesh · Agent SRE

Compliance & Deployment

Known Limitations — Honest design boundaries and recommended layered defense
OWASP Compliance — Full ASI-01 through ASI-10 mapping
Deployment Guides — Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose
NIST AI RMF Alignment · EU AI Act · SOC 2 Mapping

Extensions

VS Code Extension · Framework Integrations

Security

This toolkit provides application-level governance (Python middleware), not OS kernel-level isolation. The policy engine and agents run in the same process — the same trust boundary as every Python agent framework.

Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture — Security Boundaries.

📖 Known Limitations & Design Boundaries — what AGT does not do, honest performance numbers for distributed deployments, and the recommended layered defense architecture.

Tool	Coverage
CodeQL	Python + TypeScript SAST
Gitleaks	Secret scanning on PR/push/weekly
ClusterFuzzLite	7 fuzz targets (policy, injection, MCP, sandbox, trust)
Dependabot	13 ecosystems
OpenSSF Scorecard	Weekly scoring + SARIF upload

Contributing

Contributing Guide · Community · Security Policy · Changelog

Using AGT? Add your organization to ADOPTERS.md, it helps the project gain momentum and helps others discover real-world use cases.

Governance & Standards

AGT follows open governance practices aligned with foundation incubation requirements:

Document	Purpose
GOVERNANCE.md	Decision-making, roles, contributor ladder
CHARTER.md	Technical charter (LF Projects format)
MAINTAINERS.md	6 maintainers from 4 organizations
RELEASE.md	Release process, versioning, registries
SECURITY.md	Vulnerability reporting and response SLAs
CODE_OF_CONDUCT.md	Microsoft Open Source Code of Conduct
CONTRIBUTING.md	DCO, attribution policy, AI-assisted contribution rules
ADOPTERS.md	9 adopters across production, pilot, and research

Standards alignment: OWASP Agentic Top 10 (10/10) · NIST AI RMF · EU AI Act · OpenSSF Best Practices (100%)

Important Notes

If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.

License

This project is licensed under the MIT License.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.