Proposal: Governance Middleware for PydanticAI

[imran-siddique]

Proposal: Governance Middleware for PydanticAI

Problem

PydanticAI brings type safety and structured outputs to agent development, but currently lacks a built-in governance layer for enforcing safety policies on agent tool use and actions. Given that PydanticAI is Pydantic-native, governance policies expressed as Pydantic models would be a natural, type-safe extension.

What we've built (Apache-2.0)

Agent-OS governance is already Pydantic-based:

1. GovernancePolicy (Pydantic dataclass) - max_tokens, max_tool_calls, blocked_patterns with PatternType enum
2. PatternType - Substrate/regex/glob pattern matching with pre-compilation
3. Semantic intent classifier - 9 threat categories, deterministic, no LLM dependency
4. Event hooks - POLICY_CHECK, POLICY_VIOLATION, TOOL_CALL_BLOCKED
5. YAML import/export - Policies as YAML files alongside code
6. Policy diff/comparison - is_stricter_than(), format_diff()

Proposed integration

A PydanticAI middleware that wraps tool execution with governance checks:

`python
from pydantic_ai import Agent
from pydantic_ai_governance import GovernancePolicy, govern

policy = GovernancePolicy(
max_tokens_per_request=4096,
max_tool_calls_per_request=10,
blocked_patterns=[
("rm -rf", PatternType.SUBSTRING),
(r".password.=.*", PatternType.REGEX),
],
)

agent = Agent("openai:gpt-4o", deps_type=MyDeps)

@agent.tool
@govern(policy) # Decorator-based governance
async def dangerous_tool(ctx, query: str) -> str:
...
`

Why this is a natural fit

• Pydantic-native - Our GovernancePolicy is already a Pydantic model; zero impedance mismatch
• Type-safe - PatternType enum, GovernanceEventType enum, structured validation
• Composable - Works as a decorator, middleware, or dependency injection
• Logfire integration - Our OTEL conventions align with Pydantic's Logfire observability
• 700+ tests backing the engine

Ask

Is there interest in governance middleware for PydanticAI? Options:

1. Standalone pydantic-ai-governance package
2. PR to core adding optional governance hooks in tool execution
3. Cookbook/example showing the pattern

Happy to discuss the best approach.

[DouweM]

@imran-siddique Have you seen the various middleware/guardrails packages mentioned in #2885 and #1197? Would be good to understand how this differs from that.

[imran-siddique]

@DouweM Thanks for the pointer — yes, I've reviewed both threads. Here's how this differs:

#1197 (Guardrails) and packages like pydantic-ai-guardrails focus on input/output validation — checking what goes into and comes out of the LLM (topic restrictions, content safety, PII detection). PR #3938 adds this pattern natively.

#2885 (Middleware/Hooks) and #4303 (Traits) focus on request/response transformation — modifying message history, tool outputs, instructions. General-purpose hooks for the agent lifecycle.

Agent-OS governance operates at a different layer: tool execution policy enforcement with semantic intent classification. The key differences:

1. Semantic intent, not pattern matching — Instead of blocking keywords, a weighted signal classifier categorizes tool call intent into 9 threat categories (DESTRUCTIVE_DATA, DATA_EXFILTRATION, PRIVILEGE_ESCALATION, etc.) with confidence scores. This catches wipe all records the same as DROP TABLE without an LLM call.

2. Policy composition — Hierarchical policies with most-restrictive-wins merging semantics, is_stricter_than() comparison, version tracking, and diff() for audit trails. Designed for multi-tenant/enterprise deployments where policies cascade.

3. Policy-as-code — Governance policies are Pydantic models that serialize to/from YAML, live alongside code, and ship with templates (secure-coding, rate-limiting, data-protection, cost-controls).

4. Multi-agent awareness — Emergence detection for swarm topologies: cycle detection, goal drift, echo chambers, escalation spirals. This only matters in multi-agent graphs, which single-request guardrails can't observe.

5. Deterministic, zero LLM dependency — Sub-millisecond enforcement, no additional API calls.

Think of it as complementary layers: guardrails (#1197) validate LLM I/O, hooks (#2885/#4303) transform the agent lifecycle, and governance enforces what tools are allowed to do based on semantic policy.

Given the active work on traits (#4303), I think Option 1 (standalone pydantic-ai-governance package) makes the most sense — it could hook into the traits system once that lands, without coupling to core. Happy to start with a cookbook example showing the pattern against the current API if that's more useful as a first step.

[imran-siddique]

Following up with working code: I've published pydantic-ai-governance — a standalone governance package for PydanticAI.

What's in the package (57 tests passing):

• *\GovernancePolicy* — Pydantic-native policy with blocked patterns (substring/regex/glob), tool allowlists, call limits, confidence thresholds. Serializes to/from YAML.
• \govern()\ decorator — Wrap any PydanticAI tool with policy enforcement:
  \\python
  @agent.tool
  @govern(policy)
  async def dangerous_tool(ctx, query: str) -> str:
  ... # blocked patterns + semantic intent checked before execution
  \\
• *\GovernanceToolset* — Apply governance to all tools (designed for PydanticAI's \WrapperToolset\ pattern)
• Semantic intent classifier — 9 threat categories (DESTRUCTIVE_DATA, DATA_EXFILTRATION, PRIVILEGE_ESCALATION, etc.), weighted signals, zero LLM dependency, <1ms
• *\TrustScorer* — Multi-dimensional trust tracking (reliability, capability, security, compliance, history) with decay/reward
• *\AuditTrail* — Append-only governance decision log

Designed for compatibility with #4303 (Traits) — the \GovernanceToolset\ can hook into the traits system once it lands. No coupling to core required.

Zero external dependencies beyond Python stdlib. Happy to build a cookbook example if that would be helpful.

[imran-siddique]

Update: Our governance patterns just got merged into github/awesome-copilot (21.6K stars) — 3 PRs accepted:

• PR #755 — agent-governance skill (6 patterns, framework examples)
• PR #756 — governance-audit hook (threat detection, 5 categories)
• PR #757 — Safety instructions + governance reviewer agent

This validates the governance patterns we proposed here. The same policy enforcement, threat detection, and audit trail patterns from our pydantic-ai-governance package are now shipping in GitHub Copilot ecosystem.

Still very interested in landing PydanticAI-native governance — the standalone package approach via traits (#4303) seems like the cleanest path. Happy to build a cookbook example whenever the team is ready.

[imran-siddique]

Closing - project moved to microsoft/agent-governance-toolkit. Will re-submit fresh proposals from the Microsoft repo. Thank you!