# Agent Governance Toolkit

Microsoft released Agent Governance Toolkit (AGT), a Python library that enforces policies, identity controls, sandboxing, and SRE practices for autonomous AI agents. The toolkit intercepts every tool call, message, and delegation in deterministic application code before execution, making policy violations structurally impossible rather than relying on prompt-level safety measures that have near-100% attack success rates against frontier models. AGT addresses the three core governance questions: whether an action is allowed, which agent performed it, and how to produce tamper-evident audit records for regulators.

🚀 Quick Start · 📋 Specifications · 📦 PyPI · 📝 Changelog

> **Important**
> Public Preview -- production-quality, Microsoft-signed releases. May have breaking changes before GA.

Policy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One `pip install`, any framework.

## The problem

Your AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:

1. **Is this action allowed?** An agent with access to `send_email` and `query_database` should not be able to `drop_table`. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.
2. **Which agent did this?** In a multi-agent system, five agents might share a single API key. When something goes wrong, "an agent did it" is not an incident response.
3. **Can you prove what happened?** Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.

### Prompt-level safety

"Please follow the rules" is not a control surface. It is a polite request to a stochastic system. [OWASP LLM01:2025](https://genai.owasp.org/llmrisk/llm01-prompt-injection/) states this explicitly: "it is unclear if there are fool-proof methods of prevention for prompt injection."
The published numbers back this up. On [JailbreakBench](https://arxiv.org/abs/2404.01318) (Chao et al., NeurIPS 2024), the standard open robustness benchmark for LLM jailbreaks, adaptive attacks reach near-100% attack success rates against frontier safety-aligned models. [Andriushchenko et al., 2024](https://arxiv.org/abs/2404.02151) report 100% ASR on GPT-4, GPT-3.5, Claude 3, and Llama-3 using simple prompt-only attacks, and even the strongest published prompt-layer defenses leak double-digit residual ASR. Microsoft's own [AI Red Teaming Agent](https://learn.microsoft.com/azure/ai-foundry/concepts/ai-red-teaming-agent) formalizes Attack Success Rate (ASR), the rate of policy violations under adversarial input, as the canonical metric for this class of failure, and [Lessons from Red Teaming 100 Generative AI Products](https://www.microsoft.com/en-us/security/blog/2025/01/13/3-takeaways-from-red-teaming-100-generative-ai-products/) concludes that "AI red teaming is never complete" because model-layer defenses are probabilistic by construction.

AGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model's intent reaches the wire. Actions the AGT kernel denies are not "unlikely." They are **structurally impossible**. That is the difference between asking an agent to behave and making it incapable of misbehaving.

## Quick Start

Prerequisites: Python 3.10+

```bash
pip install agent-governance-toolkit[full]
```

Govern any tool function in two lines:

```python
from agentmesh.governance import govern

safe_tool = govern(my_tool, policy="policy.yaml")  # every call checked, logged, enforced
```

That's it. `safe_tool` evaluates your YAML policy on every call, logs the decision, and raises `GovernanceDenied` if the action is blocked.
```yaml
# policy.yaml
apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
  - name: block-destructive
    condition: "action.type in ['drop', 'delete', 'truncate']"
    action: deny
    description: "Destructive operations require human approval"
  - name: require-approval-for-send
    condition: "action.type == 'send_email'"
    action: require_approval
    approvers: ["security-team"]
```

```python
>>> safe_tool(action="read", table="users")
{'table': 'users', 'rows': 42}
>>> safe_tool(action="drop", table="users")
GovernanceDenied: Action denied by policy rule 'block-destructive': Destructive operations require human approval
```

Or use the full `PolicyEvaluator` API for programmatic control:

```python
# PolicyEvaluator example
from agent_os.policies import (
    PolicyEvaluator, PolicyDocument, PolicyRule, PolicyCondition,
    PolicyAction, PolicyOperator, PolicyDefaults,
)

evaluator = PolicyEvaluator(
    policies=[
        PolicyDocument(
            name="my-policy",
            version="1.0",
            defaults=PolicyDefaults(action=PolicyAction.ALLOW),
            rules=[
                PolicyRule(
                    name="block-dangerous-tools",
                    condition=PolicyCondition(
                        field="tool_name",
                        operator=PolicyOperator.IN,
                        value=["execute_code", "delete_file"],
                    ),
                    action=PolicyAction.DENY,
                    priority=100,
                ),
            ],
        ),
    ],
)

result = evaluator.evaluate({"tool_name": "web_search"})   # Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})  # Blocked
```

### TypeScript / .NET / Rust / Go examples

#### TypeScript

```typescript
import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);

engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"
```

#### .NET

```csharp
using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new[] { "policies/default.yaml" },
});

var result = kernel.EvaluateToolCall(
    "did:mesh:agent-1",
    "web_search",
    new() { ["query"] = "latest AI news" });

// MCP server integration
builder.Services.AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));
```

#### Rust

```rust
use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);
```

#### Go

```go
import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"

client, _ := agentmesh.NewClient("my-agent", agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
    {Action: "data.read", Effect: agentmesh.Allow},
    {Action: "*", Effect: agentmesh.Deny},
}))
result := client.ExecuteWithGovernance("data.read", nil)
```

### CLI tools

```bash
agt doctor                                          # check installation
agt verify                                          # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict  # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B          # prompt injection audit
agt lint-policy policies/                           # validate policy files
```

Full walkthrough: [quickstart.md](/microsoft/agent-governance-toolkit/blob/main/docs/quickstart.md) -- zero to governed agents in 5 minutes.

🌍 Also in: [日本語](/microsoft/agent-governance-toolkit/blob/main/docs/i18n/quickstart.ja.md) | [简体中文](/microsoft/agent-governance-toolkit/blob/main/docs/i18n/quickstart.zh-CN.md) | [한국어](/microsoft/agent-governance-toolkit/blob/main/docs/i18n/quickstart.ko.md)

## Architecture

```
Agent ──► Policy Engine ──► Identity ──► Audit Log
          YAML/OPA/Cedar    SPIFFE/DID/mTLS  Tamper-evident
               │                                 │
               ├── Allowed ──► Tool executes     │
               │                                 │
               └── Denied ──► GovernanceDenied   ▼
                                           Decision Record
```

Every layer is optional. Start with `govern` and add layers as your risk profile grows. Most teams run policy enforcement + audit logging and never need the full stack.
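As an added illustration (not code from the AGT library or the toolkit's API), the following hypothetical Python mirrors what the Quick Start's `govern` wrapper and `policy.yaml` describe: deterministic rule evaluation before the tool body runs, the calling agent's identity on every decision, and a hash-chained decision record so that an after-the-fact edit to the audit trail is detectable. `POLICY`, `govern`, `GovernanceDenied`, `ApprovalRequired`, `verify_chain` and `my_tool` are all constructed here.

```python
import hashlib
import json

# Constructed policy mirroring the rules in policy.yaml above (hypothetical format).
POLICY = {
    "default_action": "allow",
    "rules": [
        {"name": "block-destructive", "field": "action",
         "values": ["drop", "delete", "truncate"], "action": "deny",
         "description": "Destructive operations require human approval"},
        {"name": "require-approval-for-send", "field": "action",
         "values": ["send_email"], "action": "require_approval",
         "approvers": ["security-team"]},
    ],
}

class GovernanceDenied(Exception): ...   # a 'deny' rule matched; the tool body never runs
class ApprovalRequired(Exception): ...   # a 'require_approval' rule matched; the call is parked
def evaluate(policy, request):
    """Deterministic: first matching rule wins, otherwise the policy default applies."""
    for rule in policy["rules"]:
        if request.get(rule["field"]) in rule["values"]:
            return rule["action"], rule
    return policy["default_action"], {"name": "default"}
AUDIT_LOG = []  # decision records; each carries the SHA-256 of its predecessor
def record_decision(agent_id, request, decision, rule_name):
    """Append a hash-chained record answering who asked, what, and why it was decided."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    body = {"agent": agent_id, "request": request, "decision": decision,
            "rule": rule_name, "prev": prev}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(body)
def verify_chain(log):
    """True iff no record was altered, inserted, or removed after the fact."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = rec["hash"]
    return True
def govern(tool, policy, agent_id):
    """Wrap a tool so every call is evaluated and logged before it executes."""
    def guarded(**kwargs):
        decision, rule = evaluate(policy, kwargs)
        record_decision(agent_id, kwargs, decision, rule["name"])
        if decision == "deny":
            raise GovernanceDenied(f"Action denied by policy rule '{rule['name']}': {rule['description']}")
        if decision == "require_approval":
            raise ApprovalRequired(f"Awaiting approval from {rule['approvers']}")
        return tool(**kwargs)
    return guarded

def my_tool(action, table):  # constructed stand-in for a database tool
    return {"table": table, "rows": 42}
```

Wrapping `my_tool` with `govern(my_tool, POLICY, agent_id="did:mesh:agent-1")` reproduces the Quick Start's allow/deny behaviour, and `verify_chain(AUDIT_LOG)` turns false as soon as any stored record is modified.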
## Packages

- Agent OS
- Agent Mesh
- Agent Runtime
- Agent SRE
- Agent Compliance
- Agent Marketplace
- Agent Lightning
- Agent Hypervisor

| Capability | Description |
|---|---|
| MCP Security Gateway | Tool poisoning detection, drift monitoring, typosquatting, hidden instruction scanning |
| Shadow AI Discovery | [Discovery](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-discovery) |
| Governance Dashboard | [Dashboard](/microsoft/agent-governance-toolkit/blob/main/examples/demos/governance-dashboard) |
| PromptDefense Evaluator | [Evaluator](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-compliance/src/agent_compliance/prompt_defense.py) |
| Contributor Reputation | [Action](/microsoft/agent-governance-toolkit/blob/main/.github/actions/contributor-check) |

## Install

| Language | Package | Command |
|---|---|---|
| Python | agent-governance-toolkit | `pip install agent-governance-toolkit[full]` |
| TypeScript | @microsoft/agent-governance-sdk | `npm install @microsoft/agent-governance-sdk` |
| Copilot CLI | @microsoft/agent-governance-copilot-cli | `npx @microsoft/agent-governance-copilot-cli install` |
| Claude Code | @microsoft/agent-governance-claude-code | `claude --plugin-dir ./agent-governance-claude-code` |
| .NET | Microsoft.AgentGovernance | `dotnet add package Microsoft.AgentGovernance` |
| .NET MCP | Microsoft.AgentGovernance.Extensions.ModelContextProtocol | `dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol` |
| Rust | agent-governance | `cargo add agent-governance` |
| Go | agent-governance-toolkit | `go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang` |

All five language SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. Copilot CLI and Claude Code are first-party developer surfaces built on the TypeScript SDK. See Language Package Matrix for detailed per-language coverage.
### Individual Python packages

The PyPI packages are `agent-os-kernel` (Agent OS), `agentmesh-platform`, `agentmesh-runtime`, `agent-sre`, `agent-governance-toolkit`, `agent-discovery`, `agent-hypervisor`, `agentmesh-marketplace`, and `agentmesh-lightning`.

## Requirements

- Python: 3.10+
- Node.js: 18+ / npm 9+ (TypeScript SDK)
- .NET: 8+
- Go: 1.25+
- Rust: 1.70+
- Optional: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET` for Azure-integrated features

## Framework integrations

- Microsoft Agent Framework
- Semantic Kernel
- [AutoGen](https://github.com/microsoft/autogen)
- [LangGraph](https://github.com/langchain-ai/langgraph) / [LangChain](https://github.com/langchain-ai/langchain)
- [CrewAI](https://github.com/crewAIInc/crewAI)
- [OpenAI Agents SDK](https://github.com/openai/openai-agents-python)
- [Google ADK](https://github.com/google/adk-python)
- [LlamaIndex](https://github.com/run-llama/llama_index)
- [Haystack](https://github.com/deepset-ai/haystack)
- [Mastra](https://github.com/mastra-ai/mastra)
- [Dify](https://github.com/langgenius/dify)
- [Azure AI Foundry](https://learn.microsoft.com/azure/ai-studio/)

Full list: [Framework Integrations](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agentmesh-integrations) · [Quickstart Examples](/microsoft/agent-governance-toolkit/blob/main/examples/quickstart)

## Examples

- [crewai-governed](/microsoft/agent-governance-toolkit/blob/main/examples/crewai-governed)
- [smolagents-governed](/microsoft/agent-governance-toolkit/blob/main/examples/smolagents-governed)
- [maf-integration](/microsoft/agent-governance-toolkit/blob/main/examples/maf-integration)
- [mcp-trust-verified-server](/microsoft/agent-governance-toolkit/blob/main/examples/mcp-trust-verified-server)
- [cedarling-governed](/microsoft/agent-governance-toolkit/blob/main/examples/cedarling-governed)
- [governance-dashboard](/microsoft/agent-governance-toolkit/blob/main/examples/demos/governance-dashboard)

## Specifications

Every major component has a formal RFC 2119 specification with conformance tests. These specs define the behavioral contract: what implementations MUST, SHOULD, and MAY do.

- [AgentMesh Identity and Trust](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENTMESH-IDENTITY-TRUST-1.0.md)
- [Agent Hypervisor Execution Control](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENT-HYPERVISOR-EXECUTION-CONTROL-1.0.md)
- [AgentMesh Trust and Coordination](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENTMESH-TRUST-COORDINATION-1.0.md)
- [Agent SRE Governance](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENT-SRE-GOVERNANCE-1.0.md)
- [MCP Security Gateway](/microsoft/agent-governance-toolkit/blob/main/docs/specs/MCP-SECURITY-GATEWAY-1.0.md)
- [Agent Lightning Fast-Path](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENT-LIGHTNING-FAST-PATH-1.0.md)
- [Framework Adapter Contract](/microsoft/agent-governance-toolkit/blob/main/docs/specs/FRAMEWORK-ADAPTER-CONTRACT-1.0.md)
- [Audit and Compliance](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AUDIT-COMPLIANCE-1.0.md)
- [AgentMesh Wire Protocol](/microsoft/agent-governance-toolkit/blob/main/docs/specs/AGENTMESH-WIRE-1.0.md)

992 conformance tests ensure code stays aligned to specs. 25 [Architecture Decision Records](/microsoft/agent-governance-toolkit/blob/main/docs/adr) document why.

## Compliance

- [NIST AI RMF 1.0](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/nist-ai-rmf-alignment.md)
- [EU AI Act](/microsoft/agent-governance-toolkit/blob/main/docs/compliance)
- [SOC 2](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/soc2-mapping.md)

## Security boundary

AGT enforces governance at the application middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary.

Production recommendation: run each agent in a separate container for OS-level isolation. See [Architecture: Security Boundaries](/microsoft/agent-governance-toolkit/blob/main/docs/ARCHITECTURE.md).
## Security tooling

| Tool | Coverage |
|---|---|
| CodeQL | Python + TypeScript SAST |
| Gitleaks | Secret scanning on PR/push/weekly |
| ClusterFuzzLite | 7 fuzz targets (policy, injection, MCP, sandbox, trust) |
| Dependabot | 13 ecosystems |
| OpenSSF Scorecard | Weekly scoring + SARIF upload |

See [Known Limitations](/microsoft/agent-governance-toolkit/blob/main/docs/LIMITATIONS.md) for honest design boundaries and recommended layered defense.

## Documentation

| Category | Links |
|---|---|
| Getting Started | |
| Architecture | [System Design](/microsoft/agent-governance-toolkit/blob/main/docs/ARCHITECTURE.md) · [Threat Model](/microsoft/agent-governance-toolkit/blob/main/docs/security/threat-model.md) · [ADRs](/microsoft/agent-governance-toolkit/blob/main/docs/adr) (25) |
| Specifications | [All Specs](/microsoft/agent-governance-toolkit/blob/main/docs/specs) (10 formal specs, 992 conformance tests) |
| API Reference | [Agent OS](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/README.md) · [AgentMesh](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-mesh/README.md) · [Agent SRE](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-sre/README.md) |
| Compliance | [OWASP](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/owasp-agentic-top10-architecture.md) · [EU AI Act](/microsoft/agent-governance-toolkit/blob/main/docs/compliance) · [NIST AI RMF](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/nist-ai-rmf-alignment.md) · [SOC 2](/microsoft/agent-governance-toolkit/blob/main/docs/compliance/soc2-mapping.md) |
| Deployment | [Azure](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) · [AWS](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) · [GCP](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) · [Docker Compose](/microsoft/agent-governance-toolkit/blob/main/docs/deployment/README.md) |
| Extensions | [VS Code](/microsoft/agent-governance-toolkit/blob/main/agent-governance-typescript/agent-os-vscode) · [Framework Integrations](/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agentmesh-integrations) |
| Contributing | [Guide](/microsoft/agent-governance-toolkit/blob/main/CONTRIBUTING.md) · [Community](/microsoft/agent-governance-toolkit/blob/main/docs/COMMUNITY.md) · [Security Policy](/microsoft/agent-governance-toolkit/blob/main/SECURITY.md) · [Changelog](/microsoft/agent-governance-toolkit/blob/main/CHANGELOG.md) |

Using AGT? Add your organization to [ADOPTERS.md](/microsoft/agent-governance-toolkit/blob/main/docs/ADOPTERS.md).

## Project governance

- [CHARTER.md](/microsoft/agent-governance-toolkit/blob/main/docs/CHARTER.md)
- [MAINTAINERS.md](/microsoft/agent-governance-toolkit/blob/main/MAINTAINERS.md)
- [SECURITY.md](/microsoft/agent-governance-toolkit/blob/main/SECURITY.md)
- [CODE_OF_CONDUCT.md](/microsoft/agent-governance-toolkit/blob/main/CODE_OF_CONDUCT.md)
- [ANTITRUST.md](/microsoft/agent-governance-toolkit/blob/main/ANTITRUST.md)
- [TRADEMARKS.md](/microsoft/agent-governance-toolkit/blob/main/TRADEMARKS.md)

## Disclaimer

If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.

## Official sources

The only official sources for the Agent Governance Toolkit are:

| Resource | Location |
|---|---|
| Source code | github.com/microsoft/agent-governance-toolkit |
| Documentation | [microsoft.github.io/agent-governance-toolkit](https://microsoft.github.io/agent-governance-toolkit/) |
| Python packages | [pypi.org/user/agentgovtoolkit](https://pypi.org/user/agentgovtoolkit/) |
| npm packages | `@microsoft/agentmesh-sdk`, `@microsoft/agent-os-kernel` on [npmjs.com](https://www.npmjs.com/) |
| NuGet packages | `Microsoft.AgentGovernance.*` on [nuget.org](https://www.nuget.org/) |
| Rust crates | `agent-os-kernel`, `agentmesh` on [crates.io](https://crates.io/) |

The project team does not maintain or endorse any third-party websites, packages, or documentation sites claiming to be official. If you encounter a suspicious site or package using the Agent Governance Toolkit name, please report it through the channels described in [SECURITY.md](/microsoft/agent-governance-toolkit/blob/main/SECURITY.md).

## License

This project is licensed under the [MIT License](/microsoft/agent-governance-toolkit/blob/main/LICENSE).

## Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.