📖 Docs · 🚀 Quick Start · 📋 Specifications · 📦 PyPI · 📝 Changelog
Important
Public Preview -- production-quality, Microsoft-signed releases. May have breaking changes before GA.
Runtime governance for AI agents. Every tool call, resource access, and inter-agent message is evaluated against policy before execution -- deterministic, sub-millisecond, and auditable.
Agent Action ──► Policy Check ──► Allow / Deny ──► Audit Log (< 0.1 ms)
Prompt-based safety ("please follow the rules") has a 26.67% policy violation rate in red-team testing. AGT's application-layer enforcement: 0.00%.
Python · TypeScript · .NET · Rust · Go. Works with LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK, Semantic Kernel, AWS Bedrock, and 20+ more.
pip install agent-governance-toolkit[full]from agent_os.policies import (
PolicyEvaluator, PolicyDocument, PolicyRule,
PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)
evaluator = PolicyEvaluator(policies=[PolicyDocument(
name="my-policy", version="1.0",
defaults=PolicyDefaults(action=PolicyAction.ALLOW),
rules=[PolicyRule(
name="block-dangerous-tools",
condition=PolicyCondition(
field="tool_name",
operator=PolicyOperator.IN,
value=["execute_code", "delete_file"]
),
action=PolicyAction.DENY, priority=100,
)],
)])
result = evaluator.evaluate({"tool_name": "web_search"}) # ✅ Allowed
result = evaluator.evaluate({"tool_name": "delete_file"}) # ❌ BlockedTypeScript / .NET / Rust / Go examples
TypeScript
import { PolicyEngine } from "@microsoft/agent-governance-sdk";
const engine = new PolicyEngine([
{ action: "web_search", effect: "allow" },
{ action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny".NET
using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;
var kernel = new GovernanceKernel(new GovernanceOptions
{
PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
new() { ["query"] = "latest AI news" });
// MCP server integration
builder.Services.AddMcpServer()
.WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));Rust
use agent_governance::{AgentMeshClient, ClientOptions};
let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);Go
import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"
client, _ := agentmesh.NewClient("my-agent",
agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
{Action: "data.read", Effect: agentmesh.Allow},
{Action: "*", Effect: agentmesh.Deny},
}),
)
result := client.ExecuteWithGovernance("data.read", nil)CLI tools:
agt doctor # check installation
agt verify # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B # prompt injection audit
agt lint-policy policies/ # validate policy filesFull walkthrough: quickstart.md -- zero to governed agents in 10 minutes with YAML, OPA/Rego, and Cedar policies. 🌍 Also in: 日本語 | 简体中文 | 한국어
Deterministic allow/deny evaluation for every agent action. Sub-millisecond latency (0.012ms p50 for single rule, 35K ops/sec concurrent). Supports YAML, OPA/Rego, and Cedar policy languages. Fail-closed by default -- if the engine errors, the action is denied.
Agent OS · Benchmarks · Spec
Ed25519 + quantum-safe ML-DSA-65 agent credentials. Behavioral trust scoring (0--1000) that decays when agents act outside expected patterns. SPIFFE/SVID compatible. Trust ceilings propagate through delegation chains -- a delegated agent can never exceed its parent's trust level.
Four privilege rings (kernel, supervisor, user, untrusted) with hardware-style isolation semantics. Saga orchestration for multi-step workflows with automatic compensation on failure. Kill switch for immediate agent termination.
Runtime · Hypervisor · Spec
SLOs, error budgets, replay debugging, chaos engineering, and circuit breakers for agent fleets. OTel-native observability with structured governance events.
Tamper-evident Merkle-chained audit logs. Reconstructible Decision BOMs from observability signals. Automated compliance mapping for EU AI Act, SOC 2, HIPAA, and GDPR. CloudEvents export for SIEM integration.
Tool poisoning detection, description drift monitoring, typosquatting checks, and hidden instruction scanning for MCP tool definitions.
| Capability | Description |
|---|---|
| Inter-Agent Trust | Mesh-wide trust negotiation, peer signature verification, coordinated policy enforcement (Spec) |
| RL Training Governance | Violation penalties in reward signals, episode termination on critical violations (Spec) |
| Framework Adapters | 10 adapters with unified governance interceptor chain (Spec) |
| Shadow AI Discovery | Find unregistered agents across processes, configs, and repos (Discovery) |
| Agent Lifecycle | Provisioning, credential rotation, orphan detection, decommissioning (Lifecycle) |
| Governance Dashboard | Real-time fleet visibility for health, trust, and compliance (Dashboard) |
| PromptDefense Evaluator | 12-vector prompt injection audit (Evaluator) |
| Contributor Reputation | PR/issue author screening for social engineering. Reusable GitHub Action (Action) |
Every major component has a formal RFC 2119 specification with conformance tests. These specs define the behavioral contract -- what implementations MUST, SHOULD, and MAY do.
| Specification | Scope | Tests |
|---|---|---|
| Agent OS Policy Engine | Policy evaluation, rule merging, fail-closed semantics | 68 |
| AgentMesh Identity and Trust | Credentials, trust scoring, delegation chains | 135 |
| Agent Hypervisor Execution Control | Privilege rings, saga orchestration, kill switch | 80 |
| AgentMesh Trust and Coordination | Peer trust negotiation, mesh-wide policy | 62 |
| Agent SRE Governance | SLOs, error budgets, chaos, circuit breakers | 111 |
| MCP Security Gateway | Tool poisoning, drift detection, hidden instructions | 127 |
| Agent Lightning Fast-Path | RL training governance, violation penalties | 100 |
| Framework Adapter Contract | 10 adapter integrations, interceptor chain | 152 |
| Audit and Compliance | Merkle audit, compliance mapping, Decision BOM | 157 |
| AgentMesh Wire Protocol | Message format, routing, serialization | -- |
992 conformance tests ensure code stays aligned to specs. 25 Architecture Decision Records document why.
| Framework | Integration |
|---|---|
| Microsoft Agent Framework | Native Middleware |
| Semantic Kernel | Native (.NET + Python) |
| AutoGen | Adapter |
| LangGraph / LangChain | Adapter |
| CrewAI | Adapter |
| OpenAI Agents SDK | Middleware |
| Google ADK | Adapter |
| LlamaIndex | Middleware |
| Haystack | Pipeline |
| Dify | Plugin |
| Azure AI Foundry | Deployment Guide |
| GitHub Copilot CLI | Governance installer |
Full list: Framework Integrations · Quickstart Examples
AGT covers all 10 risks identified in the OWASP Agentic Security Top 10:
| Risk | AGT Control |
|---|---|
| ASI-01 Agent Goal Hijacking | Policy engine blocks unauthorized goal changes |
| ASI-02 Excessive Capabilities | Capability model enforces least-privilege |
| ASI-03 Identity & Privilege Abuse | Zero-trust identity with Ed25519 + ML-DSA-65 |
| ASI-04 Uncontrolled Code Execution | Execution rings + sandboxing |
| ASI-05 Insecure Output Handling | Content policies validate all outputs |
| ASI-06 Memory Poisoning | Episodic memory with integrity checks |
| ASI-07 Unsafe Inter-Agent Comms | Encrypted channels + trust gates |
| ASI-08 Cascading Failures | Circuit breakers + SLO enforcement |
| ASI-09 Human-Agent Trust Deficit | Full audit trails + flight recorder |
| ASI-10 Rogue Agents | Kill switch + ring isolation + anomaly detection |
Regulatory alignment: EU AI Act · NIST AI RMF · SOC 2
| Language | Command |
|---|---|
| Python | pip install agent-governance-toolkit[full] |
| TypeScript | npm install @microsoft/agent-governance-sdk |
| Copilot CLI | npx @microsoft/agent-governance-copilot-cli install |
| .NET | dotnet add package Microsoft.AgentGovernance |
| Rust | cargo add agent-governance |
| Go | go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang |
All five languages implement core governance (policy, identity, trust, audit). Python has the full stack. See Language Package Matrix for per-language coverage.
Individual Python packages
| Package | PyPI | Description |
|---|---|---|
| Agent OS | agent-os-kernel |
Policy engine, capability model, audit logging, MCP gateway |
| AgentMesh | agentmesh-platform |
Zero-trust identity, trust scoring, A2A/MCP/IATP bridges |
| Agent Runtime | agentmesh-runtime |
Privilege rings, saga orchestration, termination control |
| Agent SRE | agent-sre |
SLOs, error budgets, chaos engineering, circuit breakers |
| Agent Compliance | agent-governance-toolkit |
OWASP verification, integrity checks, policy linting |
| Agent Discovery | agent-discovery |
Shadow AI discovery, inventory, risk scoring |
| Agent Hypervisor | agent-hypervisor |
Execution plan validation, reversibility verification |
| Agent Marketplace | agentmesh-marketplace |
Plugin lifecycle management |
| Agent Lightning | agentmesh-lightning |
RL training governance |
AGT enforces governance at the Python middleware layer, not at the OS kernel level. The policy engine and agents share the same process boundary.
Production recommendation: Run each agent in a separate container for OS-level isolation. See Architecture -- Security Boundaries.
| Tool | Coverage |
|---|---|
| CodeQL | Python + TypeScript SAST |
| Gitleaks | Secret scanning on PR/push/weekly |
| ClusterFuzzLite | 7 fuzz targets (policy, injection, MCP, sandbox, trust) |
| Dependabot | 13 ecosystems |
| OpenSSF Scorecard | Weekly scoring + SARIF upload |
See Known Limitations for honest design boundaries and recommended layered defense.
| Category | Links |
|---|---|
| Getting Started | Quick Start · Tutorials (40+) · FAQ |
| Architecture | System Design · Threat Model · ADRs (25) |
| Specifications | All Specs (10 formal specs, 992 conformance tests) |
| API Reference | Agent OS · AgentMesh · Agent SRE |
| Compliance | OWASP · EU AI Act · NIST AI RMF · SOC 2 |
| Deployment | Azure · AWS · GCP · Docker Compose |
| Extensions | VS Code · Framework Integrations |
Contributing Guide · Community · Security Policy · Changelog
Using AGT? Add your organization to ADOPTERS.md.
| Document | Purpose |
|---|---|
| GOVERNANCE.md | Decision-making, roles, contributor ladder |
| CHARTER.md | Technical charter (LF Projects format) |
| MAINTAINERS.md | Maintainers and organizations |
| SECURITY.md | Vulnerability reporting and response SLAs |
| CODE_OF_CONDUCT.md | Microsoft Open Source Code of Conduct |
If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data.
This project is licensed under the MIT License.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.