
Agent Governance Toolkit

Microsoft released Agent Governance Toolkit (AGT), a Python library that enforces policies, identity controls, sandboxing, and SRE practices for autonomous AI agents. The toolkit intercepts every tool call, message, and delegation in deterministic application code before execution, making policy violations structurally impossible rather than relying on prompt-level safety measures that have near-100% attack success rates against frontier models. AGT addresses the three core governance questions of whether an action is allowed, which agent performed it, and how to produce tamper-evident audit records for regulators.

7 min read · Published May 27, 2026


Important: Public Preview -- production-quality, Microsoft-signed releases. May have breaking changes before GA.

Policy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One pip install, any framework.

Your AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:

1. Is this action allowed? An agent with access to send_email and query_database should not be able to drop_table. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.

2. Which agent did this? In a multi-agent system, five agents might share a single API key. When something goes wrong, "an agent did it" is not an incident response.

3. Can you prove what happened? Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.

Prompt-level safety ("please follow the rules") is not a control surface. It is a polite request to a stochastic system. OWASP LLM01:2025 states this explicitly: "it is unclear if there are fool-proof methods of prevention for prompt injection." The published numbers back this up. On JailbreakBench (Chao et al., NeurIPS 2024), the standard open robustness benchmark for LLM jailbreaks, adaptive attacks reach near-100% attack success rates against frontier safety-aligned models. Andriushchenko et al., 2024 report 100% ASR on GPT-4, GPT-3.5, Claude 3, and Llama-3 using simple prompt-only attacks, and even the strongest published prompt-layer defenses leak double-digit residual ASR. Microsoft's own AI Red Teaming Agent formalizes Attack Success Rate (ASR), the rate of policy violations under adversarial input, as the canonical metric for this class of failure, and Lessons from Red Teaming 100 Generative AI Products concludes that *"AI red teaming is never complete"* because model-layer defenses are probabilistic by construction.

AGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model's intent reaches the wire. Actions the AGT kernel denies are not "unlikely." They are structurally impossible. That is the difference between asking an agent to behave and making it incapable of misbehaving.

Prerequisites: Python 3.10+

pip install agent-governance-toolkit[full]

Govern any tool function in two lines:

from agentmesh.governance import govern

safe_tool = govern(my_tool, policy="policy.yaml")   # every call checked, logged, enforced

That's it. safe_tool evaluates your YAML policy on every call, logs the decision, and raises GovernanceDenied if the action is blocked.

apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
  - name: block-destructive
    condition: "action.type in ['drop', 'delete', 'truncate']"
    action: deny
    description: "Destructive operations require human approval"

  - name: require-approval-for-send
    condition: "action.type == 'send_email'"
    action: require_approval
    approvers: ["security-team"]

>>> safe_tool(action="read", table="users")
{'table': 'users', 'rows': 42}

>>> safe_tool(action="drop", table="users")
GovernanceDenied: Action denied by policy rule 'block-destructive':
  Destructive operations require human approval

Or use the full PolicyEvaluator API for programmatic control:

PolicyEvaluator example

from agent_os.policies import (
    PolicyEvaluator, PolicyDocument, PolicyRule,
    PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)

evaluator = PolicyEvaluator(policies=[PolicyDocument(
    name="my-policy", version="1.0",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[PolicyRule(
        name="block-dangerous-tools",
        condition=PolicyCondition(
            field="tool_name",
            operator=PolicyOperator.IN,
            value=["execute_code", "delete_file"]
        ),
        action=PolicyAction.DENY, priority=100,
    )],
)])

result = evaluator.evaluate({"tool_name": "web_search"})    # Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})   # Blocked
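The interception pattern behind govern() and PolicyEvaluator, as an added illustration that is not AGT's own code: rules are plain Python predicates standing in for AGT's condition expressions, every decision is appended to a SHA-256 hash chain so an edited or removed record is detectable, and the names Policy, govern, verify_chain, my_tool and PRODUCTION_POLICY are hypothetical (the rules mirror the YAML policy shown above; the agent id reuses the page's did:mesh:agent-1).

```python
import hashlib
import json

class GovernanceDenied(Exception): "Raised before the wrapped tool runs: a denied call never executes."

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Policy:  # ordered (name, predicate, action) rules; first match wins, else the default
    def __init__(self, rules: list, default_action: str = "allow"):
        self.rules, self.default_action = rules, default_action
        self.audit: list[dict] = []              # hash-chained decision records
    def decide(self, request: dict) -> tuple[str, str]:
        for name, matches, action in self.rules:
            if matches(request):
                return action, name
        return self.default_action, "default"
    def record(self, agent_id: str, request: dict, decision: str, rule: str) -> None:
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        body = {"agent": agent_id, "request": request, "decision": decision, "rule": rule, "prev": prev}
        self.audit.append({**body, "digest": _digest(body)})

def verify_chain(audit: list) -> bool:
    """Recompute every digest: an edited or dropped record breaks the chain."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if body["prev"] != prev or _digest(body) != entry["digest"]:
            return False
        prev = entry["digest"]
    return True

def govern(tool, policy: Policy, agent_id: str):
    """Wrap a tool so every call is evaluated, logged and enforced before it runs."""
    def wrapped(**request):
        decision, rule = policy.decide(request)
        policy.record(agent_id, request, decision, rule)
        if decision != "allow":                  # deny and require_approval both stop here
            raise GovernanceDenied(f"Action blocked ({decision}) by policy rule '{rule}'")
        return tool(**request)
    return wrapped

# Rules modelled on the YAML policy shown above (constructed for this example).
PRODUCTION_POLICY = Policy([
    ("block-destructive", lambda r: r.get("action") in ("drop", "delete", "truncate"), "deny"),
    ("require-approval-for-send", lambda r: r.get("action") == "send_email", "require_approval"),
])

def my_tool(action: str, table: str = "", **_) -> dict:
    return {"table": table, "rows": 42}          # stand-in for a real database tool

safe_tool = govern(my_tool, PRODUCTION_POLICY, agent_id="did:mesh:agent-1")
```

A real deployment would persist the chain outside the agent's process (the page's own security-boundary note explains why) and treat require_approval as a hand-off to the named approvers rather than a hard stop.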

TypeScript / .NET / Rust / Go examples

TypeScript

import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"

.NET

using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
    new() { ["query"] = "latest AI news" });

// MCP server integration
builder.Services.AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));

Rust

use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);

Go

import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"

client, _ := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny},
    }),
)
result := client.ExecuteWithGovernance("data.read", nil)

CLI tools:

agt doctor                                        # check installation
agt verify                                        # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B         # prompt injection audit
agt lint-policy policies/                          # validate policy files

Full walkthrough: quickstart.md -- zero to governed agents in 5 minutes. 🌍 Also in: 日本語 | 简体中文 | 한국어

Agent ──► Policy Engine ──► Identity ──► Audit Log
            (YAML/OPA/Cedar)  (SPIFFE/DID/mTLS)  (Tamper-evident)
                 │                                      │
                 ├── Allowed ──► Tool executes           │
                 └── Denied  ──► GovernanceDenied        │
                                                        ▼
                                                 Decision Record

Every layer is optional. Start with govern() and add layers as your risk profile grows. Most teams run policy enforcement + audit logging and never need the full stack.

Packages: Agent OS, Agent Mesh, Agent Runtime, Agent SRE, Agent Compliance, Agent Marketplace, Agent Lightning, Agent Hypervisor.

| Capability | Description |
|---|---|
| MCP Security Gateway | Tool poisoning detection, drift monitoring, typosquatting, hidden instruction scanning |
| Shadow AI Discovery | |
| Governance Dashboard | |
| PromptDefense Evaluator | |
| Contributor Reputation | |

| Language | Package | Command |
|---|---|---|
| Python | agent-governance-toolkit | pip install agent-governance-toolkit[full] |
| TypeScript | @microsoft/agent-governance-sdk | npm install @microsoft/agent-governance-sdk |
| Copilot CLI | @microsoft/agent-governance-copilot-cli | npx @microsoft/agent-governance-copilot-cli install |
| Claude Code | @microsoft/agent-governance-claude-code | claude --plugin-dir ./agent-governance-claude-code |
| .NET | Microsoft.AgentGovernance | dotnet add package Microsoft.AgentGovernance |
| .NET MCP | Microsoft.AgentGovernance.Extensions.ModelContextProtocol | dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol |
| Rust | agent-governance | cargo add agent-governance |
| Go | agent-governance-toolkit | go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang |

All five language SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. Copilot CLI and Claude Code are first-party developer surfaces built on the TypeScript SDK. See Language Package Matrix for detailed per-language coverage.

Individual Python packages (PyPI):

- agent-os-kernel (Agent OS)
- agentmesh-platform
- agentmesh-runtime
- agent-sre
- agent-governance-toolkit
- agent-discovery
- agent-hypervisor
- agentmesh-marketplace
- agentmesh-lightning

Requirements:

- Python: 3.10+
- Node.js: 18+ / npm 9+ (TypeScript SDK)
- .NET: 8+
- Go: 1.25+
- Rust: 1.70+
- Optional: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET for Azure-integrated features

Framework Integration

Microsoft Agent Framework, Semantic Kernel, AutoGen, LangGraph/LangChain, CrewAI, OpenAI Agents SDK, Google ADK, LlamaIndex, Haystack, Mastra, Dify, Azure AI Foundry. Full list: Framework Integrations · Quickstart Examples

Examples: crewai-governed, smolagents-governed, maf-integration, mcp-trust-verified-server, cedarling-governed, governance-dashboard.

Every major component has a formal RFC 2119 specification with conformance tests. These specs define the behavioral contract: what implementations MUST, SHOULD, and MAY do.

Specifications:

- AgentMesh Identity and Trust
- Agent Hypervisor Execution Control
- AgentMesh Trust and Coordination
- Agent SRE Governance
- MCP Security Gateway
- Agent Lightning Fast-Path
- Framework Adapter Contract
- Audit and Compliance
- AgentMesh Wire Protocol

992 conformance tests ensure code stays aligned to specs. 25 Architecture Decision Records document why.

Standard coverage: NIST AI RMF 1.0, EU AI Act, SOC 2.

AGT enforces governance at the application middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary.

Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture: Security Boundaries.

| Tool | Coverage |
|---|---|
| CodeQL | Python + TypeScript SAST |
| Gitleaks | Secret scanning on PR/push/weekly |
| ClusterFuzzLite | 7 fuzz targets (policy, injection, MCP, sandbox, trust) |
| Dependabot | 13 ecosystems |
| OpenSSF Scorecard | Weekly scoring + SARIF upload |

See Known Limitations for honest design boundaries and recommended layered defense.

| Category | Links |
|---|---|
| Getting Started | |
| Architecture | System Design · Threat Model · ADRs (25) |
| Specifications | All Specs (10 formal specs, 992 conformance tests) |
| API Reference | Agent OS · AgentMesh · Agent SRE |
| Compliance | OWASP · EU AI Act · NIST AI RMF · SOC 2 |
| Deployment | Azure · AWS · GCP · Docker Compose |
| Extensions | VS Code · Framework Integrations |

Contributing Guide · Community · Security Policy · Changelog

Using AGT? Add your organization to ADOPTERS.md.

Project documents: CHARTER.md, MAINTAINERS.md, SECURITY.md, CODE_OF_CONDUCT.md, ANTITRUST.md, TRADEMARKS.md.

If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.

The only official sources for the Agent Governance Toolkit are:

| Resource | Location |
|---|---|
| Source code | |
| Documentation | microsoft.github.io/agent-governance-toolkit |
| Python packages | pypi.org/user/agentgovtoolkit |
| npm packages | @microsoft/agentmesh-sdk, @microsoft/agent-os-kernel on npmjs.com |
| NuGet packages | Microsoft.AgentGovernance.* on nuget.org |
| Rust crates | agent-os-kernel, agentmesh on crates.io |

The project team does not maintain or endorse any third-party websites, packages, or documentation sites claiming to be official. If you encounter a suspicious site or package using the Agent Governance Toolkit name, please report it through the channels described in SECURITY.md.

This project is licensed under the MIT License.

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.
