Important
Public Preview — All packages published from this repository are Microsoft-signed public preview releases. They are production-quality but may have breaking changes before GA. For feedback, please open a GitHub issue.
What this toolkit is: Runtime governance infrastructure — deterministic policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering that sits between your agent framework and the actions agents take.
What this toolkit is not: This is not a model safety or prompt guardrails tool. It does not filter LLM inputs/outputs or perform content moderation. It governs agent actions (tool calls, resource access, inter-agent communication) at the application layer. For model-level safety, see Azure AI Content Safety.
Runtimegovernance for AI agents — the only toolkit covering all 10 OWASP Agentic risks with 9,500+ tests. Governs what agents do, not just what they say — deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE — Python · TypeScript · .NET
Works with any stack — AWS Bedrock, Google ADK, Azure AI, LangChain, CrewAI, AutoGen, OpenAI Agents, LlamaIndex, and more. Pure
pip installwith zero vendor lock-in.
Python (PyPI)
pip install agent-governance-toolkit[full]TypeScript / Node.js (npm)
npm install @agentmesh/sdk.NET (NuGet)
dotnet add package Microsoft.AgentGovernanceInstall individual Python packages
pip install agent-os-kernel # Policy engine
pip install agentmesh-platform # Trust mesh
pip install agentmesh-runtime # Runtime supervisor
pip install agent-sre # SRE toolkit
pip install agent-governance-toolkit # Compliance & attestation
pip install agentmesh-marketplace # Plugin marketplace
pip install agentmesh-lightning # RL training governance- Quick Start — Get from zero to governed agents in 10 minutes (Python · TypeScript · .NET)
- TypeScript SDK — npm package with identity, trust, policy, and audit
- .NET SDK — NuGet package with full OWASP coverage
- Tutorials — Step-by-step guides for policy, identity, integrations, compliance, SRE, and sandboxing
- Azure Deployment — AKS, Azure AI Foundry, Container Apps, OpenClaw sidecar
- NVIDIA OpenShell Integration — Combine sandbox isolation with governance intelligence
- OWASP Compliance — Full ASI-01 through ASI-10 mapping
- Threat Model — Trust boundaries, attack surfaces, and STRIDE analysis
- Architecture — System design, security model, trust scoring
- Architecture Decisions — ADR log for key identity, runtime, and policy choices
- NIST RFI Mapping — Mapping to NIST AI Agent Security RFI (2026-00206)
Still have questions? File a GitHub issue or see our Community page.
- Deterministic Policy Enforcement: Every agent action evaluated against policy before execution at sub-millisecond latency (<0.1 ms)
- Zero-Trust Agent Identity: Ed25519 cryptographic credentials, SPIFFE/SVID support, trust scoring on a 0–1000 scale
- Execution Sandboxing: 4-tier privilege rings, saga orchestration, termination control, kill switch
- Agent SRE: SLOs, error budgets, replay debugging, chaos engineering, circuit breakers, progressive delivery
- 12+ Framework Integrations: Microsoft Agent Framework, LangChain, CrewAI, AutoGen, Dify, LlamaIndex, OpenAI Agents, Google ADK, and more
- Full OWASP Coverage: 10/10 Agentic Top 10 risks addressed with dedicated controls for each ASI category
- GitHub Actions for CI/CD: Automated security scanning and governance attestation for PR workflows
- For bugs, please file a GitHub issue.
from agent_os import PolicyEngine, CapabilityModel
# Define what this agent is allowed to do
capabilities = CapabilityModel(
allowed_tools=["web_search", "file_read"],
denied_tools=["file_write", "shell_exec"],
max_tokens_per_call=4096
)
# Enforce policy before every action
engine = PolicyEngine(capabilities=capabilities)
decision = engine.evaluate(agent_id="researcher-1", action="tool_call", tool="web_search")
if decision.allowed:
# proceed with tool call
...import { PolicyEngine } from "@agentmesh/sdk";
const engine = new PolicyEngine([
{ action: "web_search", effect: "allow" },
{ action: "shell_exec", effect: "deny" },
]);
const decision = engine.evaluate("web_search"); // "allow"using AgentGovernance;
using AgentGovernance.Policy;
var kernel = new GovernanceKernel(new GovernanceOptions
{
PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall(
agentId: "did:mesh:researcher-1",
toolName: "web_search",
args: new() { ["query"] = "latest AI news" }
);
if (result.Allowed) { /* proceed */ }# Full governance demo (policy enforcement, audit, trust, cost, reliability)
python demo/maf_governance_demo.py
# Run with adversarial attack scenarios
python demo/maf_governance_demo.py --include-attacks- Framework Quickstarts — One-file governed agents for LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK
- Tutorial 1: Policy Engine — Define and enforce governance policies
- Tutorial 2: Trust & Identity — Zero-trust agent credentials
- Tutorial 3: Framework Integrations — Add governance to any framework
- Tutorial 4: Audit & Compliance — OWASP compliance and attestation
- Tutorial 5: Agent Reliability — SLOs, error budgets, chaos testing
- Tutorial 6: Execution Sandboxing — Privilege rings and termination
Bring your existing infrastructure policies to agent governance — no new policy DSL required.
from agent_os.policies import PolicyEvaluator
evaluator = PolicyEvaluator()
evaluator.load_rego(rego_content="""
package agentos
default allow = false
allow { input.tool_name == "web_search" }
allow { input.role == "admin" }
""")
decision = evaluator.evaluate({"tool_name": "web_search", "role": "analyst"})
# decision.allowed == Truefrom agent_os.policies import PolicyEvaluator
evaluator = PolicyEvaluator()
evaluator.load_cedar(policy_content="""
permit(principal, action == Action::"ReadData", resource);
forbid(principal, action == Action::"DeleteFile", resource);
""")
decision = evaluator.evaluate({"tool_name": "read_data", "agent_id": "agent-1"})
# decision.allowed == Truefrom agentmesh.governance import PolicyEngine
engine = PolicyEngine()
engine.load_rego("policies/mesh.rego", package="agentmesh")
engine.load_cedar(cedar_content='permit(principal, action == Action::"Analyze", resource);')
decision = engine.evaluate("did:mesh:agent-1", {"tool_name": "analyze"})Three evaluation modes per backend: embedded engine (cedarpy/opa CLI), remote server, or built-in fallback (zero external deps).
| Language | Package | Install |
|---|---|---|
| Python | agent-governance-toolkit[full] |
pip install agent-governance-toolkit[full] |
| TypeScript | @agentmesh/sdk |
npm install @agentmesh/sdk |
| .NET | Microsoft.AgentGovernance |
dotnet add package Microsoft.AgentGovernance |
| Package | PyPI | Description |
|---|---|---|
| Agent OS | agent-os-kernel |
Policy engine — deterministic action evaluation, capability model, audit logging, action interception, MCP gateway |
| AgentMesh | agentmesh-platform |
Inter-agent trust — Ed25519 identity, SPIFFE/SVID credentials, trust scoring, A2A/MCP/IATP protocol bridges |
| Agent Runtime | agentmesh-runtime |
Execution supervisor — 4-tier privilege rings, saga orchestration, termination control, joint liability, append-only audit log |
| Agent SRE | agent-sre |
Reliability engineering — SLOs, error budgets, replay debugging, chaos engineering, progressive delivery |
| Agent Compliance | agent-governance-toolkit |
Runtime policy enforcement — OWASP ASI 2026 controls, governance attestation, integrity verification |
| Agent Marketplace | agentmesh-marketplace |
Plugin lifecycle — discover, install, verify, and sign plugins |
| Agent Lightning | agentmesh-lightning |
RL training governance — governed runners, policy rewards |
Works with 12+ agent frameworks including:
| Framework | Stars | Integration |
|---|---|---|
| Microsoft Agent Framework | 8K+ ⭐ | Native Middleware |
| Semantic Kernel | 27K+ ⭐ | Native (.NET + Python) |
| Dify | 133K+ ⭐ | Plugin |
| Microsoft AutoGen | 55K+ ⭐ | Adapter |
| LlamaIndex | 47K+ ⭐ | Middleware |
| CrewAI | 46K+ ⭐ | Adapter |
| LangGraph | 27K+ ⭐ | Adapter |
| Haystack | 24K+ ⭐ | Pipeline |
| OpenAI Agents SDK | 20K+ ⭐ | Middleware |
| Google ADK | 18K+ ⭐ | Adapter |
| Azure AI Foundry | — | Deployment Guide |
| Risk | ID | Status |
|---|---|---|
| Agent Goal Hijacking | ASI-01 | ✅ Policy engine blocks unauthorized goal changes |
| Excessive Capabilities | ASI-02 | ✅ Capability model enforces least-privilege |
| Identity & Privilege Abuse | ASI-03 | ✅ Zero-trust identity with Ed25519 certs |
| Uncontrolled Code Execution | ASI-04 | ✅ Agent Runtime execution rings + sandboxing |
| Insecure Output Handling | ASI-05 | ✅ Content policies validate all outputs |
| Memory Poisoning | ASI-06 | ✅ Episodic memory with integrity checks |
| Unsafe Inter-Agent Communication | ASI-07 | ✅ AgentMesh encrypted channels + trust gates |
| Cascading Failures | ASI-08 | ✅ Circuit breakers + SLO enforcement |
| Human-Agent Trust Deficit | ASI-09 | ✅ Full audit trails + flight recorder |
| Rogue Agents | ASI-10 | ✅ Kill switch + ring isolation + behavioral anomaly detection |
Full mapping with implementation details and test evidence: OWASP-COMPLIANCE.md
| Regulation | Deadline | AGT Coverage |
|---|---|---|
| EU AI Act — High-Risk AI (Annex III) | August 2, 2026 | Audit trails (Art. 12), risk management (Art. 9), human oversight (Art. 14) |
| Colorado AI Act (SB 24-205) | June 30, 2026 | Risk assessments, human oversight mechanisms, consumer disclosures |
| EU AI Act — GPAI Obligations | Active | Transparency, copyright policies, systemic risk assessment |
AGT provides runtime governance — what agents are allowed to do. For data governance and regulator-facing evidence export, see Microsoft Purview DSPM for AI as a complementary layer.
Governance adds < 0.1 ms per action — roughly 10,000× faster than an LLM API call.
| Metric | Latency (p50) | Throughput |
|---|---|---|
| Policy evaluation (1 rule) | 0.012 ms | 72K ops/sec |
| Policy evaluation (100 rules) | 0.029 ms | 31K ops/sec |
| Kernel enforcement | 0.091 ms | 9.3K ops/sec |
| Adapter overhead | 0.004–0.006 ms | 130K–230K ops/sec |
| Concurrent throughput (50 agents) | — | 35,481 ops/sec |
Full methodology and per-adapter breakdowns: BENCHMARKS.md
This toolkit provides application-level (Python middleware) governance, not OS kernel-level isolation. The policy engine and the agents it governs run in the same Python process. This is the same trust boundary used by every Python-based agent framework (LangChain, CrewAI, AutoGen, etc.).
| Layer | What It Provides | What It Does NOT Provide |
|---|---|---|
| Policy Engine | Deterministic action interception, deny-list enforcement | Hardware-level memory isolation |
| Identity (IATP) | Ed25519 cryptographic agent credentials, trust scoring | OS-level process separation |
| Execution Rings | Logical privilege tiers with resource limits | CPU ring-level enforcement |
| Bootstrap Integrity | SHA-256 tamper detection of governance modules at startup | Hardware root-of-trust (TPM/Secure Boot) |
Production recommendations:
- Run each agent in a separate container for OS-level isolation
- All security policy rules ship as configurable sample configurations — review and customize for your environment (see
examples/policies/) - No built-in rule set should be considered exhaustive
- For details see Architecture — Security Model & Boundaries
If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data. It is your responsibility to manage whether your data will flow outside of your organization's compliance and geographic boundaries and any related implications.
This project is licensed under the MIT License.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.