Proposal: Governance Policy Schema for Agent Spec

[imran-siddique]

Proposal: Governance Policy Schema for Agent Spec

Problem

Oracle's Agent Spec provides a powerful declarative format for defining agents, flows, and their compositions. However, the current specification doesn't include a standard way to express governance policies - the safety constraints, resource limits, and trust requirements that agents must operate within.

As Agent Spec aims to be the universal agent configuration format, governance should be a first-class schema component.

Proposed addition

A governance section in the Agent Spec schema:

yaml kind: agent apiVersion: v1 metadata: name: researcher spec: model: gpt-4o governance: policy: name: production-safety version: "1.0" max_tokens_per_request: 4096 max_tool_calls_per_request: 10 blocked_patterns: - pattern: "rm -rf" type: substring - pattern: ".*password.*=.*" type: regex trust: min_delegation_score: 0.7 require_identity_verification: true audit: level: full merkle_chain: true

Why this matters

1. Portable governance - Policies travel with the agent spec, not buried in framework-specific config
2. Cross-framework enforcement - Any runtime that reads Agent Spec can enforce the same policies
3. Schema-validated - Governance constraints are validated at spec parse time, not runtime
4. Composable - Flow-level policies can tighten (never loosen) agent-level policies

Reference implementation

We've built a working governance engine in Agent-OS:

• GovernancePolicy with YAML import/export
• PatternType enum (substring, regex, glob)
• Policy diff/comparison (is_stricter_than)
• 700+ tests

Happy to contribute a governance schema section and reference validator.

[dhilloulinoracle]

Hi @imran-siddique ,

Thank you for the ticket!
That's indeed something we could look into.
We will check your project to get a better idea of the space.

So far in Agent Spec we have been including controls down to the components that might be problematic.
For example, tools can be required to have confirmations by users before use to avoid rm -rf / kinf of issues.

[imran-siddique]

Thanks for the quick response @dhilloulinoracle, and great call on requires_confirmation -- that's exactly the right approach at the tool level.

What we're proposing is complementary: a spec-level governance layer that sits above individual tool controls and applies policies across the full agent/flow composition. Think of it as:

• Tool-level (what you have): requires_confirmation: true on individual tools
• Agent-level (what we're proposing): Token limits, blocked patterns, trust score thresholds that apply to all tools/actions an agent can take
• Flow-level: Policies that compose across agents in a flow -- a flow can tighten (never loosen) its agents' policies

A concrete example -- in an Agent Spec flow with 3 agents, you'd want to say no agent in this flow can exceed 4096 tokens per request or all agents must have identity verification without annotating every tool individually.

We've built this in Agent-OS with:

• GovernancePolicy with YAML import/export (maps cleanly to Agent Spec's YAML structure)
• Policy composition with is_stricter_than validation
• Pattern matching (substring, regex, glob) for blocked content
• 700+ tests covering the policy engine

Happy to put together a minimal schema extension draft that shows how spec.governance would work alongside your existing tool-level controls. Would that be useful?

[imran-siddique]

@dhilloulinoracle Here's a minimal schema extension draft for spec.governance that complements your existing tool-level requires_confirmation. The idea is three layers of governance that align with Agent Spec's Component hierarchy:

Proposed GovernancePolicy as a Component

# GovernancePolicy extends Component — can be referenced by agents and flows
governance_policy:
  id: "governance-policy-production"
  type: "GovernancePolicy"
  name: "Production Safety Policy"
  description: "Enterprise governance policy for production agent deployments"
  metadata:
    version: "1.0.0"
    author: "security-team"

  # --- Execution Limits ---
  max_tokens_per_request: 4096
  max_tool_calls_per_request: 10
  timeout_seconds: 300

  # --- Content Filtering (complements tool-level requires_confirmation) ---
  blocked_patterns:
    - pattern: "rm -rf"
      type: substring    # substring | regex | glob
    - pattern: ".*password.*=.*"
      type: regex
    - pattern: "*.exe"
      type: glob

  # --- Tool Governance (extends existing tool controls) ---
  allowed_tools: ["search", "read_file", "query_db"]
  # ↑ Agent-level allowlist, complements tool-level requires_confirmation

  # --- Safety Thresholds ---
  confidence_threshold: 0.8   # Minimum confidence to trigger policy action
  require_human_approval: false

  # --- Trust Requirements ---
  min_trust_score: 0.7
  require_identity_verification: true

Agent-Level: Reference a GovernancePolicy

agent:
  id: "agent-researcher"
  type: "Agent"
  name: "Researcher"
  governance:
    $component_ref: "governance-policy-production"
  # Agent inherits policy constraints — all tool calls checked
  tools:
    - $component_ref: "tool-search"      # allowed by policy
    - $component_ref: "tool-read-file"   # allowed by policy

Flow-Level: Policies compose (most-restrictive-wins)

flow:
  id: "flow-research-pipeline"
  type: "Flow"
  name: "Research Pipeline"
  governance:
    $component_ref: "governance-policy-production"
    # Flow policy composes with agent policies:
    # - Numeric limits: min(flow, agent) wins
    # - Blocked patterns: union of both
    # - Allowed tools: intersection of both
    # - Boolean flags: OR (any true wins)
    composition_mode: "most_restrictive"  # default

How this complements requires_confirmation

Layer	Scope	Mechanism	Example
Tool (existing)	Single tool	requires_confirmation: true	"Confirm before running shell command"
Agent (proposed)	All tools on agent	GovernancePolicy ref	"Max 10 tool calls, block rm -rf"
Flow (proposed)	All agents in flow	Composed GovernancePolicy	"No agent exceeds 4096 tokens"

The key principle: a flow can tighten but never loosen its agents' policies. This is enforced via is_stricter_than() validation.

We've implemented this in Agent-OS with YAML import/export, policy composition, and is_stricter_than() comparison — all Pydantic-based. Also just published a working governance package with 57 tests covering the policy engine.

Happy to refine this into a proper PR against the spec if the team finds it useful.

[imran-siddique]

Update: The governance patterns from this proposal just got merged into github/awesome-copilot (21.6K stars):

• PR #755 — 6 governance patterns including policy composition
• PR #756 — Threat detection with 5 categories
• PR #757 — Safety instructions + reviewer agent

The 3-layer governance model (tool → agent → flow) we proposed for Agent Spec is now validated in production across GitHub Copilot. Happy to formalize the schema extension draft into a proper PR against the spec if the team finds value in adding GovernancePolicy as a first-class Component.

[imran-siddique]

Closing - project moved to microsoft/agent-governance-toolkit. Will re-submit fresh proposals from the Microsoft repo. Thank you!