Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/microsoft/agent-governance-toolkit/llms.txt

Use this file to discover all available pages before exploring further.

This specification defines the execution control model for the Agent Hypervisor — the component that provides hardware-inspired execution isolation for AI agents. Just as an OS kernel uses privilege rings to separate user processes from kernel operations, the Agent Hypervisor assigns agents to execution rings based on their trust scores and enforces resource boundaries at each ring level. All SDK implementations MUST conform to this specification. The key words are interpreted as described in RFC 2119.

Status

Draft

Date

2026-05-17

Conformance Tests

80 tests

Design Principles

  1. Least privilege by default. Unknown agents start at Ring 3 (Sandbox) with minimal resource access.
  2. Ring 0 is system-only. No agent, regardless of trust score, can execute Ring 0 actions without SRE Witness attestation.
  3. Elevation is temporary. Privilege elevation is always time-bounded and automatically expires.
  4. Fail closed. Any enforcement check failure MUST result in denial, never silent permission.
  5. Append-only audit. Session operations form a hash chain that detects tampering.

Execution Ring Definitions

The hypervisor MUST implement exactly four execution rings:
RingValueNameDescription
Ring 00RootHypervisor configuration and penalty. System-only.
Ring 11PrivilegedNon-reversible actions with full resource access.
Ring 22StandardReversible actions with scoped resource access.
Ring 33SandboxRead-only actions with minimal resource access. Default.
Ring ordering: Lower value = higher privilege. Ring A is more privileged than Ring B if A.value < B.value. Agents without a computed ring assignment MUST be assigned Ring 3 (Sandbox).

Ring Assignment

Score-Based Assignment

Ring assignment from an effective score (0.0–1.0) MUST follow:
ConditionAssigned Ring
eff_score > 0.95 AND has_consensus == trueRing 1 (Privileged)
eff_score > 0.60Ring 2 (Standard)
OtherwiseRing 3 (Sandbox)
Ring 0 is NEVER assigned through score-based computation.

Trust Score Thresholds

ThresholdValuePurpose
RING_1_TRUST_THRESHOLD0.95Score-based Ring 1 assignment
RING_2_TRUST_THRESHOLD0.60Score-based Ring 2 assignment
RING_1_ENFORCER_THRESHOLD0.70Ring enforcer Ring 1 access

Ring Demotion

An agent SHOULD be demoted when their effective score drops below the threshold for their current ring. The should_demote() check MUST compare the agent’s current ring against the ring that would be computed from their current score.

Action Classification

Required Ring Derivation

The required ring for an action MUST be computed as: 
if is_admin:
    → Ring 0 (Root)
elif reversibility == NONE and not is_read_only:
    → Ring 1 (Privileged)
elif is_read_only:
    → Ring 3 (Sandbox)
else:
    → Ring 2 (Standard)

ActionDescriptor Fields

FieldTypeDescription
action_idstringUnique identifier (validated format)
namestringHuman-readable name (non-empty, max 256 chars)
execute_apistringAPI path for execution (non-empty, max 2048 chars)
undo_apistring or nullAPI path for undo (if reversible)
reversibilityenumFULL, PARTIAL, or NONE
undo_window_secondsintWindow for undo (0–86400, default 0)
is_read_onlyboolWhether the action only reads data
is_adminboolWhether this is an administrative action

Ring Enforcement

Access Check Algorithm

The ring enforcer MUST perform the following checks in order:
  1. Ring 0 denial: If the action requires Ring 0, the check MUST deny access with requires_sre_witness = true. Ring 0 actions are never available to agents through the standard API.
  2. Ring comparison: If agent_ring.value > required_ring.value (agent has less privilege than required), the check MUST deny access.
  3. Grant: If neither condition above applies, access MUST be granted.

RingCheckResult

FieldTypeDescription
allowedboolWhether access is granted
required_ringExecutionRingRing the action requires
agent_ringExecutionRingAgent’s current ring
eff_scorefloatAgent’s effective score
reasonstringHuman-readable explanation
requires_consensusboolWhether consensus is needed
requires_sre_witnessboolWhether SRE attestation is needed
denied_resourceslistResource types that were denied
If a ring is not found in the constraint mapping, Ring 3 (Sandbox) constraints MUST be used as fallback.

Resource Limits Per Ring

Each ring has associated resource constraints:
RingNetworkFilesystem ScopeSubprocessMax Concurrent Tools
Ring 0 (Root)✅ (all)full32
Ring 1 (Privileged)✅ (all)full16
Ring 2 (Standard)✅ (allowlisted)scoped8
Ring 3 (Sandbox)none4

Resource Constraint Fields

FieldDescription
network_allowedWhether network access is permitted
network_allowlistAllowed network destinations (empty = all if network_allowed)
filesystem_writableWhether filesystem writes are permitted
filesystem_scopeOne of: "none", "session", "scoped", "full"
subprocess_allowedWhether subprocess creation is permitted
max_concurrent_toolsMaximum concurrent tool executions

Privilege Elevation

Privilege elevation is a time-bounded promotion from a lower ring to a higher ring.

Elevation Rules

  1. Elevation to Ring 0 MUST always be denied via the standard API (reason: "ring_0_forbidden").
  2. Elevation to Ring 1 requires trust_score >= 0.85 AND has_consensus == true.
  3. Elevation durations MUST be time-bounded. The default maximum elevation duration is 3600 seconds.
  4. Elevations MUST expire automatically. The tick() function MUST be called periodically to expire stale elevations.
Given: agent at Ring 2, requests Ring 1, trust_score=0.60
Result: DENIED, reason="insufficient_trust" (Ring 1 requires ≥ 0.85)

Given: agent at Ring 2, requests Ring 0
Result: DENIED, reason="ring_0_forbidden"

Rate Limiting

Rate limiting uses a token bucket algorithm scaled by ring.
RingRefill RateBurst Capacity
Ring 0UnlimitedUnlimited
Ring 150.0 req/s100.0
Ring 220.0 req/s40.0
Ring 35.0 req/s10.0
When the token bucket is exhausted, the implementation MUST raise RateLimitExceeded. The maximum bucket count MUST be enforced to prevent memory exhaustion from many agent identifiers.

Saga Orchestration

Sagas provide multi-step distributed transaction support with automatic compensation when steps fail.

Saga Defaults

ParameterDefaultDescription
max_retries2Maximum retries per step
retry_delay_seconds1.0Base delay between retries
step_timeout_seconds300Maximum duration for a single step

Saga State Machine

Pending → Executing → Committed (all steps succeed)
                    → Compensating → Aborted (compensation succeeds)
                                   → Escalated (compensation fails — manual intervention)

Step States

StateDescription
PendingNot started
ExecutingCurrently running
CommittedCompleted successfully
FailedExecution failed
CompensatedSuccessfully rolled back
CompensationFailedRollback failed

Compensation Rule

When a step fails after exhausting retries, the saga orchestrator MUST execute compensation (undo) for all previously completed steps in reverse order. If compensation itself fails, the saga MUST transition to Escalated and record which compensation steps failed.

Kill Switch

The kill switch provides emergency agent termination with step handoff and compensation support.

Kill Switch Behavior

When kill(agent_id, context) is invoked:
  1. All registered handlers for the agent are executed in registration order.
  2. All registered compensations for the agent are executed in registration order.
  3. If a substitute agent is registered, the result includes handoff_agent_id.
  4. A KillSwitchResult record MUST be appended to the kill switch history, even if callbacks fail.

KillSwitchResult Fields

FieldTypeDescription
agent_idstringThe terminated agent’s DID
actionstring or nullThe action that triggered termination
reasonstringHuman-readable reason
killed_atdatetimeISO 8601 timestamp
callbacks_executedintNumber of termination handlers executed
compensations_executedintNumber of compensation handlers executed
handoff_agent_idstring or nullSubstitute agent DID, if registered
Kill switch results MUST be recorded even when callback execution fails. The kill switch MUST NOT raise an exception that prevents the audit record from being written.

Trigger Conditions

The kill switch MUST be triggerable by:
  • Explicit operator invocation
  • Ring breach when kill_on_breach = true
  • Policy engine integration on critical violations
  • SRE circuit breaker integration

Audit and Hash Chain Integrity

Audit Hash Chain

The session audit log MUST be an append-only hash chain where each entry’s SHA-256 hash covers its content plus the previous entry’s hash: 
Entry 0            Entry 1            Entry 2
┌──────────┐       ┌──────────┐       ┌──────────┐
│ hash: A  │──────▶│ prev: A  │──────▶│ prev: B  │
│ prev: 0⁶⁴│       │ hash: B  │       │ hash: C  │
└──────────┘       └──────────┘       └──────────┘
Genesis hash = '0' × 64

What Gets Recorded at Each Ring Boundary

Event TypeRequired Audit Fields
Action attemptagent_id, action, ring, eff_score, timestamp
Ring check resultallowed, required_ring, agent_ring, reason
Rate limit eventagent_id, action, bucket_tokens, exhausted
Elevation requestagent_id, target_ring, trust_score, granted
Kill switch triggeragent_id, reason, callbacks_executed, handoff_agent_id
Saga stepsaga_id, step_id, state, attempt_count, compensated
The audit hash chain MUST be append-only. Any modification to an entry MUST invalidate all subsequent hashes, enabling tamper detection.

Session Model

Session Configuration Constraints

FieldTypeConstraints
session_idstringMUST match ^[a-zA-Z0-9_-]+$
max_participantsint1–100
consistency_modeenumeventual, strong, causal
min_participantsint1–max_participants

Session Isolation

Filesystem-level isolation MUST be fail-closed. Path checks MUST resolve to canonical paths before comparison. Path traversal (.. components) MUST be rejected. If a cross-session access request cannot be validated, it MUST be denied.

Quarantine

When an agent is quarantined:
  1. The agent’s ring is demoted to Ring 3 (Sandbox).
  2. All pending actions for the agent are denied.
  3. A quarantine audit entry MUST be appended to the hash chain.
  4. The agent MAY be released from quarantine by an operator with Ring 0 credentials.

Conformance Requirements

A conforming implementation MUST:
  1. Implement exactly four execution rings (0–3) with correct ordering.
  2. Deny Ring 0 to agents via standard enforcement.
  3. Implement score-based ring assignment following threshold rules.
  4. Derive action required-ring following the classification rules.
  5. Enforce ring checks fail-closed on all failures.
  6. Enforce resource constraints per the ring-to-constraint mapping.
  7. Implement time-bounded privilege elevation.
  8. Forbid Ring 0 elevation via the standard API.
  9. Implement token bucket rate limiting with per-ring limits.
  10. Validate session configurations.
  11. Enforce session isolation fail-closed.
  12. Record kill switch results even on callback failure.
  13. Maintain an append-only SHA-256 hash chain for audit.
  14. Validate identifiers against the allowed pattern.
Conformance tests MUST cover: ring assignment from trust scores; action classification to required rings; ring enforcement allow/deny decisions; resource constraint enforcement; elevation approval and denial; rate limiter token consumption and exhaustion; session configuration validation; session isolation path checks; kill switch operation and failure modes; and audit hash chain construction and verification.

Build docs developers (and LLMs) love

Get started for freeTalk to us