{"slug": "agent-governance-toolkit", "title": "Agent Governance Toolkit", "summary": "Microsoft released Agent Governance Toolkit (AGT), a Python library that enforces policies, identity controls, sandboxing, and SRE practices for autonomous AI agents. The toolkit intercepts every tool call, message, and delegation in deterministic application code before execution, making policy violations structurally impossible rather than relying on prompt-level safety measures that have near-100% attack success rates against frontier models. AGT addresses the three core governance questions of whether an action is allowed, which agent performed it, and how to produce tamper-evident audit records for regulators.", "body_md": "**Important:** Public Preview -- production-quality, Microsoft-signed releases. May have breaking changes before GA.\n\nPolicy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One `pip install`, any framework.\n\nYour AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:\n\n**1. Is this action allowed?** An agent with access to `send_email` and `query_database` should not be able to `drop_table`. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.\n\n**2. Which agent did this?** In a multi-agent system, five agents might share a single API key. When something goes wrong, \"an agent did it\" is not an incident response.\n\n**3. Can you prove what happened?** Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.\n\nPrompt-level safety (\"please follow the rules\") is not a control surface. It is a polite request to a stochastic system. 
[OWASP LLM01:2025](https://genai.owasp.org/llmrisk/llm01-prompt-injection/) states this explicitly: *\"it is unclear if there are fool-proof methods of prevention for prompt injection.\"* The published numbers back this up. On [JailbreakBench (Chao et al., NeurIPS 2024)](https://arxiv.org/abs/2404.01318), the standard open robustness benchmark for LLM jailbreaks, adaptive attacks reach **near-100% attack success rates** against frontier safety-aligned models. [Andriushchenko et al., 2024](https://arxiv.org/abs/2404.02151) report 100% ASR on GPT-4, GPT-3.5, Claude 3, and Llama-3 using simple prompt-only attacks, and even the strongest published prompt-layer defenses leak double-digit residual ASR. Microsoft's own [AI Red Teaming Agent](https://learn.microsoft.com/azure/ai-foundry/concepts/ai-red-teaming-agent) formalizes **Attack Success Rate (ASR)**, the rate of policy violations under adversarial input, as the canonical metric for this class of failure, and [Lessons from Red Teaming 100 Generative AI Products](https://www.microsoft.com/en-us/security/blog/2025/01/13/3-takeaways-from-red-teaming-100-generative-ai-products/) concludes that *\"AI red teaming is never complete\"* because model-layer defenses are probabilistic by construction.\n\nAGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code *before* the model's intent reaches the wire. Actions the AGT kernel denies are not \"unlikely.\" They are **structurally impossible**. That is the difference between asking an agent to behave and making it incapable of misbehaving.\n\n**Prerequisites:** Python 3.10+\n\n``` bash\npip install agent-governance-toolkit[full]\n```\n\nGovern any tool function in two lines:\n\n``` python\nfrom agentmesh.governance import govern\n\nsafe_tool = govern(my_tool, policy=\"policy.yaml\")   # every call checked, logged, enforced\n```\n\nThat's it. 
`safe_tool` evaluates your YAML policy on every call, logs the decision, and raises `GovernanceDenied` if the action is blocked.\n\n``` yaml\n# policy.yaml\napiVersion: governance.toolkit/v1\nname: production-policy\ndefault_action: allow\nrules:\n  - name: block-destructive\n    condition: \"action.type in ['drop', 'delete', 'truncate']\"\n    action: deny\n    description: \"Destructive operations require human approval\"\n\n  - name: require-approval-for-send\n    condition: \"action.type == 'send_email'\"\n    action: require_approval\n    approvers: [\"security-team\"]\n```\n\n``` python\n>>> safe_tool(action=\"read\", table=\"users\")\n{'table': 'users', 'rows': 42}\n\n>>> safe_tool(action=\"drop\", table=\"users\")\nGovernanceDenied: Action denied by policy rule 'block-destructive':\n  Destructive operations require human approval\n```\n\nThis policy is allow-by-default, so any action the rules do not name is allowed. For least privilege, set `default_action: deny` and allow-list the actions the agent needs; the Go example below does the same with a catch-all `*` deny rule.\n\nOr use the full `PolicyEvaluator` API for programmatic control:\n\n**PolicyEvaluator example**\n\n``` python\nfrom agent_os.policies import (\n    PolicyEvaluator, PolicyDocument, PolicyRule,\n    PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults\n)\n\nevaluator = PolicyEvaluator(policies=[PolicyDocument(\n    name=\"my-policy\", version=\"1.0\",\n    defaults=PolicyDefaults(action=PolicyAction.ALLOW),\n    rules=[PolicyRule(\n        name=\"block-dangerous-tools\",\n        condition=PolicyCondition(\n            field=\"tool_name\",\n            operator=PolicyOperator.IN,\n            value=[\"execute_code\", \"delete_file\"]\n        ),\n        action=PolicyAction.DENY, priority=100,\n    )],\n)])\n\nresult = evaluator.evaluate({\"tool_name\": \"web_search\"})    # Allowed\nresult = evaluator.evaluate({\"tool_name\": \"delete_file\"})   # Blocked\n```\n\n**TypeScript / .NET / Rust / Go examples**\n\n**TypeScript**\n\n``` typescript\nimport { PolicyEngine } from \"@microsoft/agent-governance-sdk\";\n\nconst engine = new PolicyEngine([\n  { action: \"web_search\", effect: \"allow\" },\n  { action: \"shell_exec\", effect: \"deny\" 
},\n]);\nengine.evaluate(\"web_search\"); // \"allow\"\nengine.evaluate(\"shell_exec\"); // \"deny\"\n```\n\n**.NET**\n\n``` csharp\nusing AgentGovernance;\nusing AgentGovernance.Extensions.ModelContextProtocol;\nusing AgentGovernance.Policy;\n\nvar kernel = new GovernanceKernel(new GovernanceOptions\n{\n    PolicyPaths = new() { \"policies/default.yaml\" },\n});\nvar result = kernel.EvaluateToolCall(\"did:mesh:agent-1\", \"web_search\",\n    new() { [\"query\"] = \"latest AI news\" });\n\n// MCP server integration; builder is the ASP.NET Core host builder (WebApplication.CreateBuilder(args))\nbuilder.Services.AddMcpServer()\n    .WithGovernance(options => options.PolicyPaths.Add(\"policies/mcp.yaml\"));\n```\n\n**Rust**\n\n``` rust\nuse agent_governance::{AgentMeshClient, ClientOptions};\n\nlet client = AgentMeshClient::new(\"my-agent\").unwrap();\nlet result = client.execute_with_governance(\"data.read\", None);\nassert!(result.allowed);\n```\n\n**Go**\n\n``` go\nimport agentmesh \"github.com/microsoft/agent-governance-toolkit/agent-governance-golang\"\n\n// data.read is allow-listed; the \"*\" rule denies everything else (default-deny posture).\nclient, _ := agentmesh.NewClient(\"my-agent\",\n    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{\n        {Action: \"data.read\", Effect: agentmesh.Allow},\n        {Action: \"*\", Effect: agentmesh.Deny},\n    }),\n)\nresult := client.ExecuteWithGovernance(\"data.read\", nil)\n```\n\nCLI tools:\n\n``` bash\nagt doctor                                        # check installation\nagt verify                                        # OWASP compliance check\nagt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence\nagt red-team scan ./prompts/ --min-grade B         # prompt injection audit\nagt lint-policy policies/                          # validate policy files\n```\n\nFull walkthrough: [quickstart.md](/microsoft/agent-governance-toolkit/blob/main/docs/quickstart.md) -- zero to governed agents in 5 minutes.\n\n🌍 Also in: [日本語](/microsoft/agent-governance-toolkit/blob/main/docs/i18n/quickstart.ja.md) | 
[简体中文](/microsoft/agent-governance-toolkit/blob/main/docs/i18n/quickstart.zh-CN.md) | [한국어](/microsoft/agent-governance-toolkit/blob/main/docs/i18n/quickstart.ko.md)\n\n```\nAgent ──► Policy Engine ──► Identity ──► Audit Log\n            (YAML/OPA/Cedar)  (SPIFFE/DID/mTLS)  (Tamper-evident)\n                 │                                      │\n                 ├── Allowed ──► Tool executes           │\n                 └── Denied  ──► GovernanceDenied        │\n                                                        ▼\n                                                 Decision Record\n```\n\nEvery layer is optional. Start with `govern()` and add layers as your risk profile grows. Most teams run policy enforcement + audit logging and never need the full stack.\n\n**Packages:** Agent OS · Agent Mesh · Agent Runtime · Agent SRE · Agent Compliance · Agent Marketplace · Agent Lightning · Agent Hypervisor\n\n| Capability | Description |\n|---|---|\n| MCP Security Gateway | Tool poisoning detection, drift monitoring, typosquatting, hidden instruction scanning |\n| Shadow AI Discovery | [Discovery](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-discovery) |\n| Governance Dashboard | [Dashboard](/microsoft/agent-governance-toolkit/blob/main/examples/demos/governance-dashboard) |\n| PromptDefense Evaluator | [Evaluator](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-compliance/src/agent_compliance/prompt_defense.py) |\n| Contributor Reputation | [Action](/microsoft/agent-governance-toolkit/blob/main/.github/actions/contributor-check) |\n\n| Language | Package | Command |\n|---|---|---|\n| Python | `agent-governance-toolkit` | `pip install agent-governance-toolkit[full]` |\n| TypeScript | `@microsoft/agent-governance-sdk` | `npm install @microsoft/agent-governance-sdk` |\n| Copilot CLI | `@microsoft/agent-governance-copilot-cli` | `npx @microsoft/agent-governance-copilot-cli install` |\n| Claude Code | `@microsoft/agent-governance-claude-code` | `claude --plugin-dir ./agent-governance-claude-code` |\n| .NET | `Microsoft.AgentGovernance` | `dotnet add package Microsoft.AgentGovernance` |\n| .NET MCP | `Microsoft.AgentGovernance.Extensions.ModelContextProtocol` | `dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol` |\n| Rust | `agent-governance` | `cargo add agent-governance` |\n| Go | `agent-governance-toolkit` | `go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang` |\n\nAll five language SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. Copilot CLI and Claude Code are first-party developer surfaces built on the TypeScript SDK. See **Language Package Matrix** for detailed per-language coverage.\n\n**Individual Python packages** on PyPI: `agent-os-kernel` (Agent OS) · `agentmesh-platform` · `agentmesh-runtime` · `agent-sre` · `agent-governance-toolkit` · `agent-discovery` · `agent-hypervisor` · `agentmesh-marketplace` · `agentmesh-lightning`\n\n**Prerequisites**\n\n- **Python**: 3.10+\n- **Node.js**: 18+ / npm 9+ (TypeScript SDK)\n- **.NET**: 8+\n- **Go**: 1.25+\n- **Rust**: 1.70+\n- **Optional**: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET` for Azure-integrated features\n\n**Framework integrations:** Microsoft Agent Framework · Semantic Kernel · [AutoGen](https://github.com/microsoft/autogen) · [LangGraph](https://github.com/langchain-ai/langgraph)/[LangChain](https://github.com/langchain-ai/langchain) · [CrewAI](https://github.com/crewAIInc/crewAI) · [OpenAI Agents SDK](https://github.com/openai/openai-agents-python) · [Google ADK](https://github.com/google/adk-python) · [LlamaIndex](https://github.com/run-llama/llama_index) · [Haystack](https://github.com/deepset-ai/haystack) · [Mastra](https://github.com/mastra-ai/mastra) · [Dify](https://github.com/langgenius/dify) · [Azure AI 
Foundry](https://learn.microsoft.com/azure/ai-studio/)\n\nFull list: [Framework Integrations](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agentmesh-integrations) · [Quickstart Examples](/microsoft/agent-governance-toolkit/blob/main/examples/quickstart)\n\n**Examples:** [crewai-governed](/microsoft/agent-governance-toolkit/blob/main/examples/crewai-governed) · [smolagents-governed](/microsoft/agent-governance-toolkit/blob/main/examples/smolagents-governed) · [maf-integration](/microsoft/agent-governance-toolkit/blob/main/examples/maf-integration) · [mcp-trust-verified-server](/microsoft/agent-governance-toolkit/blob/main/examples/mcp-trust-verified-server) · [cedarling-governed](/microsoft/agent-governance-toolkit/blob/main/examples/cedarling-governed) · [governance-dashboard](/microsoft/agent-governance-toolkit/blob/main/examples/demos/governance-dashboard)\n\nEvery major component has a formal RFC 2119 specification with conformance tests. 
These specs define the behavioral contract: what implementations MUST, SHOULD, and MAY do.\n\n**Specifications:** [AgentMesh Identity and Trust](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENTMESH-IDENTITY-TRUST-1.0.md) · [Agent Hypervisor Execution Control](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENT-HYPERVISOR-EXECUTION-CONTROL-1.0.md) · [AgentMesh Trust and Coordination](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENTMESH-TRUST-COORDINATION-1.0.md) · [Agent SRE Governance](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENT-SRE-GOVERNANCE-1.0.md) · [MCP Security Gateway](/microsoft/agent-governance-toolkit/blob/main/docs/specs/MCP-SECURITY-GATEWAY-1.0.md) · [Agent Lightning Fast-Path](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENT-LIGHTNING-FAST-PATH-1.0.md) · [Framework Adapter Contract](/microsoft/agent-governance-toolkit/blob/main/docs/specs/FRAMEWORK-ADAPTER-CONTRACT-1.0.md) · [Audit and Compliance](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AUDIT-COMPLIANCE-1.0.md) · [AgentMesh Wire Protocol](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENTMESH-WIRE-1.0.md)\n\n**992 conformance tests** ensure code stays aligned to specs. [25 Architecture Decision Records](/microsoft/agent-governance-toolkit/blob/main/docs/adr) document why.\n\n**Standards coverage:** [NIST AI RMF 1.0](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/nist-ai-rmf-alignment.md) · [EU AI Act](/microsoft/agent-governance-toolkit/blob/main/docs/compliance) · [SOC 2](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/soc2-mapping.md)\n\nAGT enforces governance at the application middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary, so the policy check covers calls routed through the kernel; code that runs inside the agent's own process sits within that trust boundary, not outside it.\n\n**Production recommendation:** Run each agent in a separate container for OS-level isolation. 
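The three questions above (is it allowed, which agent, can you prove it) and the Agent → Policy Engine → Identity → Audit Log pipeline, as an added example that is not AGT's own code: a minimal in-process gate that evaluates a policy before a tool runs, records the agent identity, policy version, request and decision in an HMAC-chained audit log, and raises `GovernanceDenied` on a deny. The policy dictionary, the `require_approval` handling, the stand-in tools and the `did:mesh:` agent identifiers are constructed stand-ins for the toolkit's YAML policy and API; the chain verifier is hypothetical and is there to show what tamper-evident means in practice.

```python
# Added example, not AGT's own code: an in-process governance gate mirroring the
# README pipeline (policy -> identity -> tamper-evident audit -> allow/deny).
# The policy dict, agent ids and tools are hypothetical stand-ins for AGT's API.
import hashlib
import hmac
import json
import time

class GovernanceDenied(Exception):
    pass

# A rule matches when the request field named by 'field' takes a value in 'in'.
# Conditions are matched structurally, never passed to eval(): a policy file is
# untrusted input and must not become a code-execution path.
POLICY = {
    'name': 'production-policy', 'version': '1.0', 'default_action': 'allow',
    'rules': [
        {'name': 'block-destructive', 'field': 'action',
         'in': ['drop', 'delete', 'truncate'], 'action': 'deny',
         'description': 'Destructive operations require human approval'},
        {'name': 'require-approval-for-send', 'field': 'action',
         'in': ['send_email'], 'action': 'require_approval',
         'approvers': ['security-team']},
    ],
}

def evaluate(policy, request):
    '''First matching rule wins; otherwise the policy default applies.'''
    for rule in policy['rules']:
        if request.get(rule['field']) in rule['in']:
            return rule['action'], rule
    return policy['default_action'], None

class AuditLog:
    '''Records chained by HMAC(prev_mac || record): an edited, reordered or
    deleted record fails verification from that point on.'''
    def __init__(self, key):
        self.key = key          # constructed demo key; protect and rotate in production
        self.records = []

    def _mac(self, prev, body):
        payload = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, body):
        prev = self.records[-1]['mac'] if self.records else '0' * 64
        self.records.append({'body': body, 'prev': prev, 'mac': self._mac(prev, body)})

    def verify(self):
        '''Return (True, record_count) or (False, index_of_first_bad_record).'''
        prev = '0' * 64
        for i, rec in enumerate(self.records):
            if rec['prev'] != prev or not hmac.compare_digest(rec['mac'], self._mac(prev, rec['body'])):
                return False, i
            prev = rec['mac']
        return True, len(self.records)

def govern(tool, policy, agent_id, log, approvals=frozenset()):
    '''Wrap tool so every call is checked and logged before it executes.'''
    def wrapped(**request):
        decision, rule = evaluate(policy, request)
        name = rule['name'] if rule else None
        reason = (rule or {}).get('description', 'default_action')
        if decision == 'require_approval':      # approvals: rules with a human sign-off on file
            granted = name in approvals
            decision = 'allow' if granted else 'deny'
            reason = 'approval from ' + ', '.join(rule['approvers']) + (' granted' if granted else ' missing')
        log.append({'ts': int(time.time()), 'agent': agent_id,     # who, under which policy
                    'policy': policy['name'] + '@' + policy['version'],
                    'request': request, 'rule': name, 'decision': decision, 'reason': reason})
        if decision != 'allow':
            raise GovernanceDenied('Action denied by policy rule ' + repr(name) + ': ' + reason)
        return tool(**request)   # reached only on an allow decision
    return wrapped

def attempt(call, **request):
    try:                                  # return the result or the denial message
        return call(**request)
    except GovernanceDenied as exc:
        return str(exc)

def demo():
    log = AuditLog(b'constructed-demo-key')
    def query_table(action, table):       # constructed stand-in tools
        return {'table': table, 'rows': 42}
    def send_email(action, to):
        return 'sent:' + to
    out = {}
    safe_query = govern(query_table, POLICY, 'did:mesh:agent-1', log)
    out['read'] = attempt(safe_query, action='read', table='users')
    out['drop'] = attempt(safe_query, action='drop', table='users')
    unapproved = govern(send_email, POLICY, 'did:mesh:agent-2', log)
    out['send_unapproved'] = attempt(unapproved, action='send_email', to='ops@example.test')
    approved = govern(send_email, POLICY, 'did:mesh:agent-2', log, approvals={'require-approval-for-send'})
    out['send_approved'] = attempt(approved, action='send_email', to='ops@example.test')
    out['chain'] = log.verify()                      # (True, 4): four decisions, intact
    log.records[1]['body']['decision'] = 'allow'     # attacker rewrites the drop denial
    out['tampered'] = log.verify()                   # (False, 1): chain breaks at record 1
    return out
```

Call `demo()` to see the four decisions and the broken chain. Two choices worth carrying into a real deployment: policy conditions are matched structurally rather than evaluated with `eval()`, because a policy file is untrusted input; and a hash chain detects edits, reordering and deletions in the middle of the log but not truncation of its tail, so the latest MAC (or the whole log) should be anchored outside the agent's process. That is the same boundary the production recommendation above draws: a record the agent's own process can rewrite is not evidence.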
See [Architecture: Security Boundaries](/microsoft/agent-governance-toolkit/blob/main/docs/ARCHITECTURE.md).\n\n| Tool | Coverage |\n|---|---|\n| CodeQL | Python + TypeScript SAST |\n| Gitleaks | Secret scanning on PR/push/weekly |\n| ClusterFuzzLite | 7 fuzz targets (policy, injection, MCP, sandbox, trust) |\n| Dependabot | 13 ecosystems |\n| OpenSSF Scorecard | Weekly scoring + SARIF upload |\n\nSee [Known Limitations](/microsoft/agent-governance-toolkit/blob/main/docs/LIMITATIONS.md) for honest design boundaries and recommended layered defense.\n\n| Category | Links |\n|---|---|\n| Getting Started | [quickstart.md](/microsoft/agent-governance-toolkit/blob/main/docs/quickstart.md) |\n| Architecture | [System Design](/microsoft/agent-governance-toolkit/blob/main/docs/ARCHITECTURE.md) · [Threat Model](/microsoft/agent-governance-toolkit/blob/main/docs/security/threat-model.md) · [ADRs](/microsoft/agent-governance-toolkit/blob/main/docs/adr) (25) |\n| Specifications | [All Specs](/microsoft/agent-governance-toolkit/blob/main/docs/specs) (10 formal specs, 992 conformance tests) |\n| API Reference | [Agent OS](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/README.md) · [AgentMesh](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-mesh/README.md) · [Agent SRE](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-sre/README.md) |\n| Compliance | [OWASP](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/owasp-agentic-top10-architecture.md) · [EU AI Act](/microsoft/agent-governance-toolkit/blob/main/docs/compliance) · [NIST AI RMF](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/nist-ai-rmf-alignment.md) · [SOC 2](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/soc2-mapping.md) |\n| Deployment | [Azure](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) · [AWS](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) · [GCP](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) · [Docker Compose](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) |\n| Extensions | [VS Code](/microsoft/agent-governance-toolkit/blob/main/agent-governance-typescript/agent-os-vscode) · [Framework Integrations](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agentmesh-integrations) |\n\n[Contributing Guide](/microsoft/agent-governance-toolkit/blob/main/CONTRIBUTING.md) · [Community](/microsoft/agent-governance-toolkit/blob/main/docs/COMMUNITY.md) · [Security Policy](/microsoft/agent-governance-toolkit/blob/main/SECURITY.md) · [Changelog](/microsoft/agent-governance-toolkit/blob/main/CHANGELOG.md)\n\n**Using AGT?** Add your organization to [ADOPTERS.md](/microsoft/agent-governance-toolkit/blob/main/docs/ADOPTERS.md).\n\n**Project documents:** [CHARTER.md](/microsoft/agent-governance-toolkit/blob/main/docs/CHARTER.md) · [MAINTAINERS.md](/microsoft/agent-governance-toolkit/blob/main/MAINTAINERS.md) · [SECURITY.md](/microsoft/agent-governance-toolkit/blob/main/SECURITY.md) · [CODE_OF_CONDUCT.md](/microsoft/agent-governance-toolkit/blob/main/CODE_OF_CONDUCT.md) · [ANTITRUST.md](/microsoft/agent-governance-toolkit/blob/main/ANTITRUST.md) · [TRADEMARKS.md](/microsoft/agent-governance-toolkit/blob/main/TRADEMARKS.md)\n\nIf you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. 
We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.\n\nThe only official sources for the Agent Governance Toolkit are:\n\n| Resource | Location |\n|---|---|\n| Source code | [github.com/microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) |\n| Documentation | [microsoft.github.io/agent-governance-toolkit](https://microsoft.github.io/agent-governance-toolkit/) |\n| Python packages | [pypi.org/user/agentgovtoolkit](https://pypi.org/user/agentgovtoolkit/) |\n| npm packages | `@microsoft/agentmesh-sdk`, `@microsoft/agent-os-kernel` on [npmjs.com](https://www.npmjs.com/) |\n| NuGet packages | `Microsoft.AgentGovernance.*` on [nuget.org](https://www.nuget.org/) |\n| Rust crates | `agent-os-kernel`, `agentmesh` on [crates.io](https://crates.io/) |\n\nThe project team does not maintain or endorse any third-party websites, packages, or documentation sites claiming to be official. If you encounter a suspicious site or package using the Agent Governance Toolkit name, please report it through the channels described in [SECURITY.md](/microsoft/agent-governance-toolkit/blob/main/SECURITY.md).\n\nThis project is licensed under the [MIT License](/microsoft/agent-governance-toolkit/blob/main/LICENSE).\n\nThis project may contain trademarks or logos for projects, products, or services. 
Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.", "url": "https://wpnews.pro/news/agent-governance-toolkit", "canonical_source": "https://github.com/microsoft/agent-governance-toolkit", "published_at": "2026-05-27 20:45:46+00:00", "updated_at": "2026-05-27 21:15:01.104296+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-policy", "ai-tools", "ai-infrastructure"], "entities": ["Microsoft", "OWASP", "JailbreakBench", "NeurIPS"], "alternates": {"html": "https://wpnews.pro/news/agent-governance-toolkit", "markdown": "https://wpnews.pro/news/agent-governance-toolkit.md", "text": "https://wpnews.pro/news/agent-governance-toolkit.txt", "jsonld": "https://wpnews.pro/news/agent-governance-toolkit.jsonld"}}