Introduction
The Microsoft Agent Governance Toolkit is an open-source Python framework that provides comprehensive security governance for autonomous AI agents, covering all 10 OWASP Agentic Top 10 risks through policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering. With over 3,500 stars on GitHub and backing from Microsoft, this toolkit fills a critical gap in the AI agent ecosystem: as agents become more autonomous and capable, they also become more dangerous without proper governance controls. The toolkit provides deterministic, application-layer enforcement – meaning actions the governance kernel denies are structurally impossible, not just unlikely.
Key Insight: The Microsoft Agent Governance Toolkit is the first open-source framework to address all 10 OWASP Agentic Top 10 security risks, providing 7 with full coverage and 3 with partial coverage, using deterministic enforcement that makes denied actions structurally impossible rather than just unlikely.
The Problem: Why AI Agent Security Matters
Autonomous AI agents represent a fundamental shift in how software operates. Unlike traditional applications that follow predetermined logic, agents make decisions independently, call tools dynamically, and interact with external systems without human review at each step. This autonomy introduces three critical security questions that traditional security models cannot answer:
1. Is this action allowed? An agent with access to send_email and query_database should not be able to drop_table. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.
2. Which agent did this? In a multi-agent system, five agents might share a single API key. When something goes wrong, “an agent did it” is not an incident response.
3. Can you prove what happened? Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.
Prompt-level safety (“please follow the rules”) is not a control surface – it is a polite request to a stochastic system. Research confirms this: adaptive attacks achieve 100% success rate against GPT-4o, GPT-3.5, Claude 3, and Llama-3 when evaluated against the JailbreakBench benchmark. The Agent Governance Toolkit does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model’s intent reaches the wire.
Takeaway: Traditional security models assume human oversight for every action. Autonomous AI agents break this assumption – they can execute actions at machine speed without human review, making policy enforcement and sandboxing essential rather than optional.
What is the Agent Governance Toolkit?
The Agent Governance Toolkit (AGT) is Microsoft’s open-source framework for governing autonomous AI agents. It provides four core pillars of security governance, each addressing a distinct category of risk:
-
Policy Enforcement – Define and enforce rules that govern agent behavior using YAML policies, OPA (Open Policy Agent), or Cedar policy languages. The policy engine evaluates every action against declarative rules before execution.
-
Zero-Trust Identity – Verify agent identity and permissions at every action boundary using SPIFFE/DID/mTLS. No trusted sessions – each action is individually authenticated and authorized.
-
Execution Sandboxing – Isolate agent actions in controlled runtime environments with four privilege rings. Limit resource consumption and contain the blast radius of compromised agents.
-
Reliability Engineering – Circuit breakers, SLO monitoring, error budgets, chaos testing, and output validation ensure predictable agent behavior and graceful degradation.
The toolkit is available in five languages (Python, TypeScript, .NET, Rust, Go) with Python having the full stack. It integrates with 14+ agent frameworks including LangChain, AutoGen, CrewAI, Semantic Kernel, OpenAI Agents SDK, and Google ADK.
| Approach | Policy Enforcement | Zero-Trust Identity | Sandboxing | Reliability | OWASP Coverage |
|---|---|---|---|---|---|
| Agent Governance Toolkit | Full | Full | Full | Full | 7/10 Full + 3/10 Partial |
| Traditional API Security | Partial | Session-based | None | None | 2/10 |
| Agent Frameworks (LangChain, CrewAI) | None | None | None | Partial | 0-2/10 |
| Custom Middleware | Ad-hoc | Ad-hoc | Ad-hoc | Ad-hoc | Varies |
Architecture Overview
The architecture diagram illustrates how the four core pillars of the Agent Governance Toolkit work together to provide comprehensive security for autonomous AI agents.
Policy Engine
The Policy Engine is the first line of defense in the governance pipeline. It evaluates every agent action against a set of declarative policy rules before the action is executed. Policies can define allow-lists of permitted actions, deny-lists of forbidden actions, conditional rules based on context, and rate limits to prevent abuse. The engine supports YAML, OPA (Open Policy Agent), and Cedar policy languages, allowing teams to choose the policy syntax that fits their workflow. The govern() function wraps any tool in a single line, evaluating your policy on every call and raising GovernanceDenied if the action is blocked.
Zero-Trust Identity
The Zero-Trust Identity layer verifies the identity and permissions of the agent at every action boundary, not just at session start. Using SPIFFE/DID/mTLS protocols, each individual action – whether reading a file, calling an API, or executing a command – is independently authenticated and authorized. This eliminates the “trusted session” vulnerability where an authenticated agent can perform any action within its session. The trust-gate requires DID-based identity verification before any agent-to-agent handoff, preventing identity spoofing in multi-agent systems.
Execution Sandbox
The Execution Sandbox isolates agent actions in controlled runtime environments using four privilege rings. This prevents agents from accessing unauthorized system resources, limits resource consumption, and contains the blast radius of any compromised agent. The sandbox provides defense-in-depth by ensuring that even if an agent bypasses policy and identity checks, it cannot escape its isolated environment. The static reviewer also detects unsafe code patterns like pickle.loads() without HMAC verification and flags eval() and exec() calls.
Reliability Layer
The Reliability Layer ensures that agents behave predictably and recover gracefully from failures. It includes circuit breakers that open after N consecutive failures, preventing cascade failures across the agent mesh. Rate limiting caps per-minute tool invocations. The AgentBehaviorMonitor tracks per-agent metrics including tool call rate, failure rate, and privilege escalation attempts, quarantining agents that exceed thresholds. Output validation catches hallucinated or fabricated actions before they reach external systems.
Audit Logging
The Audit Logging component runs alongside all four pillars, providing a tamper-evident hash-chain record of every agent action, policy decision, identity verification, and sandbox event. Each audit entry contains the SHA-256 hash of the previous entry, making tampering detectable. This enables compliance reporting, forensic analysis, and continuous improvement of governance policies.
Amazing: The toolkit’s zero-trust identity model means that every single action an agent takes – from reading a file to calling an API – is individually authenticated and authorized, eliminating the “trusted session” vulnerability that plagues traditional agent architectures.
OWASP Agentic Top 10 Coverage
The OWASP Agentic Top 10 (ASI 2026) defines 10 security risks specific to autonomous AI agent systems. The Agent Governance Toolkit addresses all 10 risks with 7 receiving full coverage and 3 receiving partial coverage, with zero gaps.
ASI01 – Agent Goal Hijack (Full Coverage)
The governanceMiddleware applies blockedPatterns (regex) to every inbound message before it reaches the LLM. Patterns are loaded from the policy YAML at runtime, not hardcoded in source. This deterministic interception prevents adversarial inputs from overriding an agent’s intended goal.
ASI02 – Tool Misuse and Exploitation (Full Coverage)
createGovernedTool wraps every tool with allow-list and deny-list enforcement and per-tool rate limits. The static reviewer flags unguarded .execute() calls, ensuring no tool can be invoked without governance.
ASI03 – Identity and Privilege Abuse (Full Coverage)
PII redaction middleware strips sensitive fields before forwarding. Policy YAML supports field-level pii_fields configuration. RBAC in policy YAML ensures agents cannot escalate permissions beyond their defined scope.
ASI04 – Agentic Supply Chain Vulnerabilities (Partial Coverage)
Policy YAML allowed_tools pins the exact set of permitted tool IDs. The static reviewer detects hardcoded deny-lists. However, no SBOM generation or dependency vulnerability scanning is built into AGT – the team recommends integrating with GitHub Advanced Security and Dependabot for dependency-level supply-chain coverage.
ASI05 – Unexpected Code Execution (Full Coverage)
The static reviewer detects pickle.loads() without HMAC verification and flags it as critical. The governance policy blocks eval() and exec() in agent code via lint rules. The sandbox subprocess code scanner inspects code execution paths before launch.
ASI06 – Memory and Context Poisoning (Partial Coverage)
The audit hash-chain provides tamper detection for any persisted state. However, AGT does not yet sandbox agent memory stores or provide memory integrity checksums at the application layer. The team recommends adding a ContextValidator that hashes memory snapshots.
ASI07 – Insecure Inter-Agent Communication (Full Coverage)
The trust-gate requires DID-based identity verification before any agent-to-agent handoff. The static reviewer detects missing trust verification in multi-agent orchestration code. Entra-signed JWT verification validates identity on WebSocket connect frames.
ASI08 – Cascading Agent Failures (Full Coverage)
The circuit-breaker pattern opens after N consecutive failures, preventing cascade. Rate limiting caps per-minute tool invocations. The AgentBehaviorMonitor quarantines agents that exceed failure thresholds.
ASI09 – Human-Agent Trust Exploitation (Partial Coverage)
Tamper-evident audit logs let reviewers verify what the agent actually did. The static reviewer flags code with no audit logging. However, no UI-level confirmation dialogs or “human-in-the-loop” approval workflows are built into AGT yet.
ASI10 – Rogue Agents (Full Coverage)
AgentBehaviorMonitor tracks per-agent metrics including tool call rate, failure rate, and privilege escalation attempts. Agents that exceed thresholds are quarantined automatically, preventing rogue behavior from propagating.
Key Features
| Feature | Description |
|---|---|
| Policy Engine | Define, evaluate, and enforce rules that govern agent behavior using YAML, OPA, or Cedar policy languages – what actions are allowed, under what conditions, and with what constraints |
| Zero-Trust Identity | Every agent action is individually authenticated and authorized using SPIFFE/DID/mTLS, eliminating trusted session vulnerabilities |
| Execution Sandboxing | Isolate agent actions in controlled runtime environments with four privilege rings, limiting resource consumption and containing blast radius |
| Reliability Engineering | Circuit breakers, SLO monitoring, error budgets, chaos testing, and output validation ensure predictable agent behavior |
| OWASP Agentic Top 10 | 7/10 Full coverage and 3/10 Partial coverage of all OWASP ASI 2026 security risks with zero gaps |
| Multi-Language SDKs | Python, TypeScript, .NET, Rust, and Go SDKs with Python having the full stack |
| Framework-Agnostic | Works with LangChain, AutoGen, CrewAI, Semantic Kernel, OpenAI Agents SDK, Google ADK, and 14+ other frameworks |
| Audit Logging | Tamper-evident hash-chain audit log of all agent actions, policy decisions, and security events |
| CLI Tools | agt doctor for installation checks, agt verify for OWASP compliance, agt red-team scan for prompt injection audit, agt lint-policy for policy validation |
| Open Source | MIT license, community-driven, Microsoft-backed maintenance, 992 conformance tests |
Installation and Setup
Prerequisites: Python 3.10+
# Install the full toolkit
pip install agent-governance-toolkit[full]
For other languages:
# TypeScript
npm install @microsoft/agent-governance-sdk
# .NET
dotnet add package Microsoft.AgentGovernance
# Rust
cargo add agent-governance
# Go
go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang
For Claude Code, add AGT as a plugin:
/plugin marketplace add microsoft/agent-governance-toolkit
/plugin install agt-governance@agent-governance-toolkit
CLI verification:
agt doctor # check installation
agt verify # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B # prompt injection audit
agt lint-policy policies/ # validate policy files
Usage Examples
Basic governance in two lines:
from agentmesh.governance import govern
safe_tool = govern(my_tool, policy="policy.yaml") # every call checked, logged, enforced
>>> safe_tool(action="read", table="users")
{'table': 'users', 'rows': 42}
>>> safe_tool(action="drop", table="users")
GovernanceDenied: Action denied by policy rule 'block-destructive':
Destructive operations require human approval
Policy definition (YAML):
# policy.yaml
apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
- name: block-destructive
condition: "action.type in ['drop', 'delete', 'truncate']"
action: deny
description: "Destructive operations require human approval"
- name: require-approval-for-send
condition: "action.type == 'send_email'"
action: require_approval
approvers: ["security-team"]
Programmatic PolicyEvaluator:
from agent_os.policies import (
PolicyEvaluator, PolicyDocument, PolicyRule,
PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)
evaluator = PolicyEvaluator(policies=[PolicyDocument(
name="my-policy", version="1.0",
defaults=PolicyDefaults(action=PolicyAction.ALLOW),
rules=[PolicyRule(
name="block-dangerous-tools",
condition=PolicyCondition(
field="tool_name",
operator=PolicyOperator.IN,
value=["execute_code", "delete_file"]
),
action=PolicyAction.DENY, priority=100,
)],
)])
result = evaluator.evaluate({"tool_name": "web_search"}) # Allowed
result = evaluator.evaluate({"tool_name": "delete_file"}) # Blocked
TypeScript usage:
import { PolicyEngine } from "@microsoft/agent-governance-sdk";
const engine = new PolicyEngine([
{ action: "web_search", effect: "allow" },
{ action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"
Policy Enforcement Flow
The policy enforcement flow diagram shows how the Agent Governance Toolkit processes every agent action through a multi-stage governance pipeline.
Stage 1: Policy Evaluation
When an agent requests to perform an action, the request first enters the Policy Evaluation stage. The Policy Engine retrieves all applicable policies from the Policy Store and evaluates the request against each policy. Policies are evaluated in priority order, with more specific policies taking precedence over general ones. The engine supports three policy languages: YAML for simple declarative rules, OPA (Open Policy Agent) for complex Rego-based policies, and Cedar for fine-grained authorization.
Stage 2: Decision
Based on policy evaluation, the engine makes one of three decisions: Allow (the action complies with all policies), Deny (the action violates one or more policies), or Modify (the action can proceed but with modifications, such as redacting sensitive data or adding rate limits). Denied actions raise a GovernanceDenied exception with the specific policy rule that triggered the block.
Stage 3: Identity Verification
For allowed or modified actions, the Zero-Trust Identity layer verifies the agent’s identity and permissions for this specific action. This is not a session-level check – it is an action-level verification that ensures the agent is authorized to perform this particular action at this particular time. The trust-gate uses DID-based identity verification with SPIFFE/DID/mTLS protocols.
Stage 4: Sandbox Execution
The action is then executed within the Execution Sandbox, which isolates the action from the host system and limits its resource consumption. The sandbox provides a controlled environment where the action can be monitored and contained. Four privilege rings define what resources the agent can access at each level.
Stage 5: Output Validation
After execution, the Reliability Layer validates the output before it is returned to the agent or external system. This includes checking for hallucinated content, verifying data integrity, and ensuring the output complies with policies. The circuit breaker monitors for repeated failures or policy violations, tripping and preventing further actions if an agent consistently violates policies.
Comparison with Alternatives
The governance workflow comparison diagram provides a clear visual comparison of the Agent Governance Toolkit against four alternative approaches to securing AI agents.
Agent Governance Toolkit vs API Gateways
API gateways like Kong and Ambassador protect network endpoints with rate limiting, authentication, and request routing. However, they operate at the network layer and cannot understand agent behavior, enforce behavioral policies, or sandbox execution. They provide partial policy enforcement through rate limiting and access control but no zero-trust identity, no sandboxing, and no reliability engineering for agents.
Agent Governance Toolkit vs Guardrails Frameworks
Guardrails frameworks like NVIDIA NeMo Guardrails and Guardrails AI focus on output filtering – ensuring that agent responses are safe, accurate, and compliant. While valuable, guardrails only address the output side of agent behavior. They do not enforce policies on what actions agents can take, verify agent identity, sandbox execution, or provide reliability engineering. They cover approximately 3 of the 10 OWASP Agentic risks.
Agent Governance Toolkit vs Custom Middleware
Many organizations build custom middleware to address specific agent security concerns. While this can be effective for individual use cases, custom solutions are typically ad-hoc, unmaintainable, and do not provide comprehensive coverage. They also lack the community review and continuous improvement that open-source frameworks benefit from. The 992 conformance tests in AGT ensure that the governance behavior stays aligned with specifications.
Agent Governance Toolkit vs Agent Frameworks
Popular agent frameworks like LangChain, AutoGen, and CrewAI provide basic safety features such as output parsing and error handling, but they do not include comprehensive governance capabilities. They focus on agent capability and orchestration, not security and governance. The Agent Governance Toolkit is designed to work alongside these frameworks, adding the governance layer they lack through adapter integrations.
Important: The Agent Governance Toolkit is not just another guardrails library – it is a comprehensive governance framework that addresses the full lifecycle of autonomous AI agent security, from identity verification through execution sandboxing to reliability engineering, covering every OWASP Agentic Top 10 risk.
Troubleshooting
Policy conflicts when multiple policies apply to the same action
When multiple policies apply to the same action, the Policy Engine evaluates them in priority order. More specific policies take precedence over general ones. Use the priority field in PolicyRule to control evaluation order. The agt lint-policy CLI command validates policy files and detects conflicts before deployment.
Performance overhead from zero-trust verification
Zero-trust verification adds latency to each action. For high-throughput scenarios, use caching strategies to avoid re-verifying the same identity on every call within a short time window. The toolkit supports selective verification where you can configure which actions require full verification and which can use cached credentials.
Sandbox escape attempts by sophisticated agents
The Execution Sandbox provides defense-in-depth with four privilege rings. If an agent attempts to escape its sandbox, the AgentBehaviorMonitor detects the anomaly and quarantines the agent. For production deployments, run each agent in a separate container for OS-level isolation as recommended in the AGT architecture documentation.
False positives in policy enforcement blocking legitimate actions
Tune policies using the require_approval action type instead of deny for actions that need human review rather than outright blocking. Use the condition field with context-aware rules to reduce false positives. The agt verify --evidence command generates compliance evidence to help identify over-restrictive policies.
Integration issues with specific agent frameworks
AGT provides adapter integrations for 14+ frameworks including LangChain, AutoGen, CrewAI, Semantic Kernel, and OpenAI Agents SDK. If you encounter integration issues, check the framework-specific adapter documentation in agentmesh-integrations/. The agt doctor CLI command verifies your installation and identifies missing dependencies.
Conclusion
The Microsoft Agent Governance Toolkit is the first comprehensive open-source framework to address all 10 OWASP Agentic Top 10 security risks, providing 7 with full coverage and 3 with partial coverage through its four pillars: policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering. As autonomous AI agents become more capable and more widely deployed, the need for deterministic governance controls becomes critical – not as a polite request to the model, but as application-layer enforcement that makes denied actions structurally impossible.
With multi-language SDKs (Python, TypeScript, .NET, Rust, Go), 14+ framework integrations, 992 conformance tests, and 10 formal specifications, AGT provides enterprise-grade governance that is both comprehensive and practical to adopt. The govern() function lets you wrap any tool in a single line, and the CLI tools provide verification, auditing, and red-teaming capabilities out of the box.
Whether you are building a single agent or orchestrating a multi-agent mesh, the Agent Governance Toolkit provides the security governance layer that autonomous AI agents require.
Links
- GitHub Repository: https://github.com/microsoft/agent-governance-toolkit
- Documentation: https://microsoft.github.io/agent-governance-toolkit
- PyPI Package: https://pypi.org/project/agent-governance-toolkit/
- OWASP Agentic Top 10: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
- NIST AI RMF Alignment: https://microsoft.github.io/agent-governance-toolkit/docs/compliance/nist-ai-rmf-alignment.html
Enjoyed this post? Never miss out on future posts by following us
