> [!IMPORTANT]
> **Public Preview** — Microsoft-signed, production-quality releases. Breaking changes may still occur before GA. Open a GitHub issue for feedback.
Runtime governance for AI agents — deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE for autonomous agents. Covers all 10 OWASP Agentic risks with 9,500+ tests.
Works with any stack — AWS Bedrock, Google ADK, Azure AI, LangChain, CrewAI, AutoGen, OpenAI Agents, and 20+ more. Python · TypeScript · .NET · Rust · Go.
What it does: Sits between your agent framework and the actions agents take. Every tool call, resource access, and inter-agent message is evaluated against policy before execution. Deterministic — not probabilistic.
What it doesn't do: This is not a prompt guardrail or content moderation tool. It governs agent actions, not LLM inputs/outputs. For model-level safety, see Azure AI Content Safety.
```
Agent Action ──► Policy Check ──► Allow / Deny ──► Audit Log   (< 0.1 ms)
```
Why it matters: Prompt-based safety ("please follow the rules") has a 26.67% policy violation rate in red-team testing. AGT's kernel-level enforcement: 0.00%.
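The check-then-audit flow above can be sketched in a few lines of plain Python. This is an illustrative model of deterministic enforcement, not the toolkit's actual API — the `Kernel`, `Decision`, and `check` names are ours:

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    action: str
    allowed: bool

@dataclass
class Kernel:
    deny_list: set
    audit_log: list = field(default_factory=list)

    def check(self, action: str) -> Decision:
        # Deterministic: the same input always yields the same decision.
        decision = Decision(action, action not in self.deny_list)
        self.audit_log.append(decision)  # every check is recorded
        return decision

kernel = Kernel(deny_list={"shell_exec", "delete_file"})
print(kernel.check("web_search").allowed)   # True
print(kernel.check("shell_exec").allowed)   # False
print(len(kernel.audit_log))                # 2: both decisions were logged
```

The key property is that the decision is a pure function of the action and the policy — no model call, no sampling, so red-team results are reproducible.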
```bash
# 1. Install
pip install "agent-governance-toolkit[full]"

# 2. Check your installation
agt doctor

# 3. Verify OWASP compliance
agt verify
```

Then govern your first action:
**Python**

```python
from agent_os.policies import (
    PolicyEvaluator, PolicyDocument, PolicyRule, PolicyCondition,
    PolicyAction, PolicyOperator, PolicyDefaults,
)

evaluator = PolicyEvaluator(policies=[PolicyDocument(
    name="my-policy", version="1.0",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[PolicyRule(
        name="block-dangerous-tools",
        condition=PolicyCondition(field="tool_name", operator=PolicyOperator.IN,
                                  value=["execute_code", "delete_file"]),
        action=PolicyAction.DENY, priority=100,
    )],
)])

result = evaluator.evaluate({"tool_name": "web_search"})   # ✅ Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})  # ❌ Blocked deterministically
```

**TypeScript**
```typescript
import { PolicyEngine } from "@agentmesh/sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);

engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"
```

**.NET**
```csharp
using AgentGovernance;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});

var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
    new() { ["query"] = "latest AI news" });
// result.Allowed == true
```

**Rust**
```rust
use agentmesh::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);
```

**Go**
```go
import agentmesh "github.com/microsoft/agent-governance-toolkit/sdks/go"

client, _ := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny},
    }),
)
result := client.ExecuteWithGovernance("data.read", nil)
// result.Allowed == true
```

Full walkthrough: QUICKSTART.md — zero to governed agents in 10 minutes with YAML policies, OPA/Rego, and Cedar support.
| Capability | What It Does | Links |
|---|---|---|
| Policy Engine | Every action evaluated before execution — sub-millisecond, deterministic. Supports YAML, OPA/Rego, and Cedar policies | Agent OS · Benchmarks |
| Zero-Trust Identity | Ed25519 + quantum-safe ML-DSA-65 credentials, trust scoring (0–1000), SPIFFE/SVID | AgentMesh |
| Execution Sandboxing | 4-tier privilege rings, saga orchestration, kill switch | Runtime · Hypervisor |
| Agent SRE | SLOs, error budgets, replay debugging, chaos engineering, circuit breakers | Agent SRE |
| MCP Security Scanner | Detect tool poisoning, typosquatting, hidden instructions in MCP definitions | MCP Scanner |
| Shadow AI Discovery | Find unregistered agents across processes, configs, and repos | Agent Discovery |
| Agent Lifecycle | Provisioning → credential rotation → orphan detection → decommissioning | Lifecycle |
| Governance Dashboard | Real-time fleet visibility — health, trust, compliance, audit events | Dashboard |
| Unified CLI | `agt verify`, `agt doctor`, `agt lint-policy` — one command for everything | CLI |
| PromptDefense Evaluator | 12-vector prompt injection audit for compliance testing | Evaluator |
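The circuit-breaker capability listed under Agent SRE can be pictured with a minimal sketch. The class below is illustrative — the threshold, state handling, and names are our assumptions, not the toolkit's implementation:

```python
class CircuitBreaker:
    """Stop calling a failing agent action once it trips the failure threshold."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = 0

    @property
    def open(self) -> bool:
        return self.failures >= self.max_failures

    def call(self, fn):
        if self.open:
            raise RuntimeError("circuit open: action blocked")
        try:
            result = fn()
            self.failures = 0  # a success resets the count
            return result
        except Exception:
            self.failures += 1
            raise

def flaky():
    raise TimeoutError("downstream tool timed out")  # stand-in for a failing tool

breaker = CircuitBreaker(max_failures=2)
for _ in range(2):
    try:
        breaker.call(flaky)
    except TimeoutError:
        pass
print(breaker.open)  # True: further calls now fail fast with RuntimeError
```

Tripping the breaker turns repeated slow failures into an immediate, deterministic deny — the same fail-fast idea behind the cascading-failure controls below.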
| Framework | Integration |
|---|---|
| Microsoft Agent Framework | Native Middleware |
| Semantic Kernel | Native (.NET + Python) |
| Microsoft AutoGen | Adapter |
| LangGraph / LangChain | Adapter |
| CrewAI | Adapter |
| OpenAI Agents SDK | Middleware |
| Google ADK | Adapter |
| LlamaIndex | Middleware |
| Haystack | Pipeline |
| Dify | Plugin |
| Azure AI Foundry | Deployment Guide |
Full list: Framework Integrations · Quickstart Examples
| Risk | ID | AGT Control |
|---|---|---|
| Agent Goal Hijacking | ASI-01 | Policy engine blocks unauthorized goal changes |
| Excessive Capabilities | ASI-02 | Capability model enforces least-privilege |
| Identity & Privilege Abuse | ASI-03 | Zero-trust identity with Ed25519 + ML-DSA-65 |
| Uncontrolled Code Execution | ASI-04 | Execution rings + sandboxing |
| Insecure Output Handling | ASI-05 | Content policies validate all outputs |
| Memory Poisoning | ASI-06 | Episodic memory with integrity checks |
| Unsafe Inter-Agent Comms | ASI-07 | Encrypted channels + trust gates |
| Cascading Failures | ASI-08 | Circuit breakers + SLO enforcement |
| Human-Agent Trust Deficit | ASI-09 | Full audit trails + flight recorder |
| Rogue Agents | ASI-10 | Kill switch + ring isolation + anomaly detection |
Full mapping: OWASP-COMPLIANCE.md · Regulatory alignment: EU AI Act, NIST AI RMF, Colorado AI Act
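Least-privilege enforcement (ASI-02) reduces to a membership test: an agent may only invoke tools in its granted capability set, and everything else is denied by default. A hedged sketch — the data layout and `enforce` helper are ours, not the toolkit's capability model:

```python
def enforce(capabilities: dict, agent: str, tool: str) -> bool:
    # Deny by default: unknown agents and ungranted tools are both refused.
    return tool in capabilities.get(agent, set())

caps = {"research-agent": {"web_search", "data.read"}}
print(enforce(caps, "research-agent", "web_search"))   # True
print(enforce(caps, "research-agent", "delete_file"))  # False: not granted
print(enforce(caps, "intruder", "web_search"))         # False: unknown agent
```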
Governance adds < 0.1 ms per action — roughly 10,000× faster than an LLM API call.
| Metric | Latency (p50) | Throughput |
|---|---|---|
| Policy evaluation (1 rule) | 0.012 ms | 72K ops/sec |
| Policy evaluation (100 rules) | 0.029 ms | 31K ops/sec |
| Kernel enforcement | 0.091 ms | 9.3K ops/sec |
| Concurrent (50 agents) | — | 35,481 ops/sec |
Full methodology: BENCHMARKS.md
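To sanity-check sub-millisecond claims on your own hardware, you can time a policy-style check in-process. The snippet below times a toy set-membership check, not the toolkit's engine, so absolute numbers will differ from the table above:

```python
import timeit

deny = {"shell_exec", "delete_file"}

def check(tool: str) -> bool:
    return tool not in deny

runs = 100_000
seconds = timeit.timeit(lambda: check("web_search"), number=runs)
print(f"{seconds / runs * 1e6:.3f} µs per check")
```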
| Language | Package | Command |
|---|---|---|
| Python | `agent-governance-toolkit` | `pip install "agent-governance-toolkit[full]"` |
| TypeScript | `@agentmesh/sdk` | `npm install @agentmesh/sdk` |
| .NET | `Microsoft.AgentGovernance` | `dotnet add package Microsoft.AgentGovernance` |
| Rust | `agentmesh` | `cargo add agentmesh` |
| Go | `agentmesh` | `go get github.com/microsoft/agent-governance-toolkit/sdks/go` |
All 5 SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. See SDK Feature Matrix for detailed per-language coverage.
Individual Python packages
| Package | PyPI | Description |
|---|---|---|
| Agent OS | `agent-os-kernel` | Policy engine, capability model, audit logging, MCP gateway |
| AgentMesh | `agentmesh-platform` | Zero-trust identity, trust scoring, A2A/MCP/IATP bridges |
| Agent Runtime | `agentmesh-runtime` | Privilege rings, saga orchestration, termination control |
| Agent SRE | `agent-sre` | SLOs, error budgets, chaos engineering, circuit breakers |
| Agent Compliance | `agent-governance-toolkit` | OWASP verification, integrity checks, policy linting |
| Agent Discovery | `agent-discovery` | Shadow AI discovery, inventory, risk scoring |
| Agent Hypervisor | `agent-hypervisor` | Reversibility verification, execution plan validation |
| Agent Marketplace | `agentmesh-marketplace` | Plugin lifecycle management |
| Agent Lightning | `agentmesh-lightning` | RL training governance |
Getting Started
- Quick Start — Zero to governed agents in 10 minutes
- Tutorials — 30 step-by-step guides
Architecture & Reference
- SDK Feature Matrix — Per-language capability comparison
- Architecture — System design, security model, trust scoring
- Architecture Decisions — ADR log
- Threat Model — Trust boundaries and STRIDE analysis
- API: Agent OS · AgentMesh · Agent SRE
Compliance & Deployment
- OWASP Compliance — Full ASI-01 through ASI-10 mapping
- Azure Deployment — AKS, AI Foundry, Container Apps
- NIST AI RMF Alignment · EU AI Act · SOC 2 Mapping
Extensions
This toolkit provides application-level governance (Python middleware), not OS kernel-level isolation. The policy engine and agents run in the same process — the same trust boundary as every Python agent framework.
Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture — Security Boundaries.
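Short of containers, one lightweight way to get a process boundary is to run each agent in its own interpreter, so a crash or runaway loop cannot take the governing process down with it. A minimal sketch (the inline agent code is a stand-in; containers, as recommended above, remain the stronger boundary):

```python
import subprocess
import sys

agent_code = "print('agent action: web_search')"  # stand-in for real agent code
proc = subprocess.run(
    [sys.executable, "-c", agent_code],
    capture_output=True, text=True, timeout=30,  # timeout bounds runaway agents
)
print(proc.returncode, proc.stdout.strip())
```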
| Tool | Coverage |
|---|---|
| CodeQL | Python + TypeScript SAST |
| Gitleaks | Secret scanning on PR/push/weekly |
| ClusterFuzzLite | 7 fuzz targets (policy, injection, MCP, sandbox, trust) |
| Dependabot | 13 ecosystems |
| OpenSSF Scorecard | Weekly scoring + SARIF upload |
If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.
This project is licensed under the MIT License.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.