# Microsoft AI Agent Governance Toolkit

The Microsoft AI Agent Governance Toolkit is an open-source ([[MIT License|MIT]]-licensed) framework from Microsoft for **policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous [[AI Agents]]**. It is a serious, opinionated take on the missing infrastructure layer between "agents that work" and "agents that are safe to run in production".

It claims **10/10 coverage of the OWASP Agentic Top 10** and alignment with NIST AI RMF, and it integrates Sigstore provenance, TEE-backed keystores, EU AI Act compliance templates, and 287 community rules. As of v3.3.0 (2026-04-27) it ships SDKs in **.NET, TypeScript, Rust, Go, and Python**. The project has moved fast: v1.0.0 was released on 2026-03-04.

This is the kind of stack that does *not* exist anywhere else at this scope yet: most teams reinvent governance ad hoc on top of [[Model Context Protocol (MCP)|MCP]] / [[Claude Code]] / custom orchestrators. This bundles it.

## What it includes (v3.3, 11 packages)

| Package | Role |
| --- | --- |
| **Agent OS Kernel** | Policy engine, agent lifecycle management |
| **Agent Mesh** | Discovery, routing, zero-trust inter-agent identity |
| **Agent Runtime** | Execution sandboxing with privilege rings |
| **Agent SRE** | Reliability, kill switches, monitoring, observability |
| **Agent Compliance** | Audit logging, mapping to compliance frameworks |
| **Agent Marketplace** | Plugin governance |
| **Agent Lightning** | Orchestration |
| **Agent Hypervisor** | Hardware-level isolation |
| **SDKs** | .NET, TypeScript, Rust, Go, Python |
| **Sentry integration** | Observability and incident management |
| **Sigstore provenance** | Signed, verifiable artifacts |

## How it works

- **Policy-gated execution.** Every agent action passes through a deterministic policy evaluator before it runs; the same request always gets the same verdict.
- **Zero-trust identity.** Inter-agent trust is built on **Ed25519 signatures (RFC 8032)**: agents authenticate each other's messages directly rather than trusting whatever the runtime says about the caller.
- **Sandboxed runtime.** Agents run inside privilege rings, with hardware isolation via the hypervisor and TEE-backed key storage.
- **Reliability primitives.** Kill switches, rate limits, monitoring, and SRE-style runbooks are built in.
- **Multi-framework integrations.** Works with OpenAI, CrewAI, HuggingFace, and [[Model Context Protocol (MCP)|MCP]]; the policy layer sits in front of the framework, not inside it.

## Standards alignment

| Standard | Covered |
| --- | --- |
| **OWASP Agentic Top 10** | 10/10 (vendor claim) |
| **NIST AI RMF** | Yes |
| **EU AI Act** | Compliance templates included |
| **RFC 8032 (Ed25519)** | Identity layer |
| **RFC 9334 (RATS remote attestation architecture)** | Trust verification |
| **CIS Controls v8.1** | Operational security baseline |

## Why it matters

- **Agents are the new attack surface.** The OWASP Agentic Top 10 is real: prompt injection, tool poisoning, identity spoofing, runaway loops, data exfiltration via tool calls. Hand-rolling governance for each agent is the equivalent of hand-rolling auth; the industry has to converge on a stack.
- **Microsoft is the right vendor to ship this.** It has the enterprise distribution, the Azure-native deployment story, the security org, and the lawyers to align with the EU AI Act and NIST.
- **Policy, identity, sandbox, and observability in one place.** Most agent frameworks ship the *runtime*; this ships the *governance plane*.
- **Multi-language SDKs from day one.** .NET, TypeScript, Rust, Go, Python: it meets enterprise teams where they actually are.
- **Supply-chain hygiene applied to itself.** v3.3's Contributor Reputation Check (screening for follow-farming, cross-repo spray, and credential laundering) is a sign the project takes its own supply chain seriously, which is exactly what you want from a governance project.

## Use cases

| Scenario | What the toolkit gives you |
| --- | --- |
| **Enterprise multi-agent deployment** | Identity, policy, audit logs, kill switches by default |
| **Building an agent marketplace** | Plugin governance, signed artifacts, sandboxed execution |
| **Compliance-bound industries** | Pre-built templates for EU AI Act, NIST AI RMF, CIS Controls |
| **Replacing ad-hoc agent guardrails** | Standard primitives instead of scattered try/except patterns |
| **Pre-production safety review of an agent** | OWASP Agentic Top 10 mapping done for you |

## Status

- **v3.3.0** (2026-04-27), evolving rapidly from v1.0.0 (2026-03-04).
- **MIT** licensed, ~1.3k stars at time of capture.
- Backed by Microsoft, signed via ESRP, multi-language SDKs at parity.
- Cloud-agnostic with Azure-native deployment options.

## Caveats

- Heavy framework, not something you drop in for a single agent. Designed for orgs running fleets.
- Microsoft-shaped: Azure-first deployment patterns will feel natural; other clouds will need adaptation.
- Moving target. v1.0 to v3.3 in under two months means breaking changes are likely; pin versions, and verify the Sigstore signatures on the artifacts you pin.

## References

- https://github.com/microsoft/agent-governance-toolkit
- https://microsoft.github.io/agent-governance-toolkit/
- Changelog: https://github.com/microsoft/agent-governance-toolkit/blob/main/CHANGELOG.md

## Related

- [[AI Agents]]
- [[AI Governance]]
- [[AI Safety]]
- [[Model Context Protocol (MCP)]]
- [[Claude Code]]
- [[Large Language Models (LLMs)]]
- [[MIT License]]
- [[Open Source]]
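## Worked example

The "How it works" section above describes two mechanisms in the abstract: a deterministic policy evaluator in front of every tool call, and Ed25519 (RFC 8032) identity between agents so that the caller is authenticated by its signature rather than by what the runtime claims. The Go program below is an added illustration of how those two mechanisms fit together; it is written for this page, is not code from the toolkit, and does not use its SDK. The agent names (`alice`, `mallory`), the tool names, the `Request` envelope layout and the `Gate` / `Policy` types are all invented for the example; it uses only Go's standard-library `crypto/ed25519`. The scenario also exercises a replay check and a per-agent call budget, standing in for the rate limits and kill switches the page lists under reliability primitives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Request is the signed envelope an agent sends to call a tool; the signature covers every field but Sig.
type Request struct {
	Agent string
	Tool  string
	Arg   string
	Seq   uint64 // strictly increasing per agent, starting at 1; reuse is rejected as a replay
	Sig   []byte
}

// signingBytes canonicalises the envelope with length prefixes so ("ab","c") and ("a","bc") differ.
func signingBytes(agent, tool, arg string, seq uint64) []byte {
	var b []byte
	for _, s := range []string{agent, tool, arg} {
		b = binary.BigEndian.AppendUint32(b, uint32(len(s)))
		b = append(b, s...)
	}
	return binary.BigEndian.AppendUint64(b, seq)
}

// Sign builds a request and signs it with the calling agent's Ed25519 private key.
func Sign(priv ed25519.PrivateKey, agent, tool, arg string, seq uint64) Request {
	return Request{Agent: agent, Tool: tool, Arg: arg, Seq: seq, Sig: ed25519.Sign(priv, signingBytes(agent, tool, arg, seq))}
}

// Policy is a deterministic allow-list: the same request always gets the same verdict.
type Policy struct {
	AllowedTools map[string]map[string]bool // agent -> tool -> permitted
	MaxCalls     map[string]int             // per-agent call budget; 0 acts as a kill switch
}

// Gate sits in front of the tool runtime; nothing executes until identity, replay and policy checks all pass.
type Gate struct {
	keys    map[string]ed25519.PublicKey // trust registry (agent -> public key), distributed out of band
	policy  Policy
	lastSeq map[string]uint64
	calls   map[string]int
}

// Check returns (allowed, reason). Identity is verified before policy is consulted, so a caller the
// gate cannot authenticate learns nothing about which tools exist or are permitted.
func (g *Gate) Check(r Request) (bool, string) {
	pub, ok := g.keys[r.Agent]
	if !ok {
		return false, "unknown agent"
	}
	if !ed25519.Verify(pub, signingBytes(r.Agent, r.Tool, r.Arg, r.Seq), r.Sig) {
		return false, "bad signature"
	}
	if r.Seq <= g.lastSeq[r.Agent] {
		return false, "replay"
	}
	g.lastSeq[r.Agent] = r.Seq // consumed even when policy denies, so a denied call cannot be retried verbatim
	if !g.policy.AllowedTools[r.Agent][r.Tool] {
		return false, "tool not permitted by policy"
	}
	if g.calls[r.Agent] >= g.policy.MaxCalls[r.Agent] {
		return false, "call budget exhausted"
	}
	g.calls[r.Agent]++
	return true, "ok"
}

// Demo runs a constructed scenario (agents, tools and arguments are invented) and returns each verdict.
func Demo() []string {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // err is nil unless the OS entropy source fails
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)      // mallory's public key is NOT in the registry
	gate := &Gate{
		keys:    map[string]ed25519.PublicKey{"alice": alicePub},
		policy:  Policy{AllowedTools: map[string]map[string]bool{"alice": {"search": true}}, MaxCalls: map[string]int{"alice": 2}},
		lastSeq: map[string]uint64{}, calls: map[string]int{},
	}
	first := Sign(alicePriv, "alice", "search", "agent governance", 1)
	tampered := Request{Agent: "alice", Tool: "search", Arg: "exfiltrate ~/.ssh", Seq: 1, Sig: first.Sig} // payload swapped after signing
	steps := []Request{
		first,                                                 // legitimate call
		Sign(alicePriv, "alice", "shell", "rm -rf /", 2),      // authenticated but off-policy
		Sign(malloryPriv, "alice", "search", "x", 3),          // spoofed identity
		tampered,                                              // integrity violation
		first,                                                 // replay of step 1
		Sign(alicePriv, "alice", "search", "second query", 3), // within budget
		Sign(alicePriv, "alice", "search", "third query", 4),  // budget exhausted
	}
	out := make([]string, len(steps))
	for i, r := range steps {
		_, out[i] = gate.Check(r)
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`. Two design choices are worth noting: the signature is verified before the policy is consulted, so an attacker who cannot produce a valid signature never learns which tools the policy would have allowed; and sequence numbers are consumed even for denied calls, so a denied envelope cannot be resubmitted unchanged. A real deployment would distribute the public-key registry through the mesh rather than a hard-coded map, and would persist `lastSeq` so that a gate restart does not reopen the replay window.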