Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/microsoft/agent-governance-toolkit/llms.txt

Use this file to discover all available pages before exploring further.

This specification defines the behavioral contract for the Agent OS policy engine: the single enforcement point through which all governed agent actions flow. All SDK implementations — Python, TypeScript, Rust, .NET, and Go — MUST conform to this specification. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHOULD”, “RECOMMENDED”, and “MAY” are interpreted as described in RFC 2119 and RFC 8174.

Status

Draft

Date

2026-05-16

Conformance Tests

68 tests

Policy Document Schema

A PolicyDocument encodes declarative governance rules in YAML or JSON. Implementations MUST support loading from YAML; SHOULD also support JSON.

Required and Optional Fields

FieldTypeRequiredDefaultDescription
versionstringNo"1.0"Schema version identifier.
namestringNo"unnamed"Human-readable name for audit logs.
descriptionstringNo""Free-form description.
rulesarrayNo[]Ordered list of PolicyRule objects.
defaultsobjectNoSee belowDefault settings when no rule matches.
inheritbooleanNotrueWhether parent policies are loaded during discovery.
scopestring or nullNonullGlob pattern restricting which action paths this policy applies to.

Defaults Object

FieldTypeDefaultDescription
actionPolicyAction"allow"Default action when no rule matches.
max_tokensinteger4096Maximum tokens per request.
max_tool_callsinteger10Maximum tool invocations per request.
confidence_thresholdfloat0.8Minimum confidence score (0.0–1.0).

Policy Rule Schema

Each PolicyRule MUST contain:
FieldTypeRequiredDefaultDescription
namestringYesUnique rule identifier within the document.
conditionPolicyConditionYesThe matching condition.
actionPolicyActionYesAction taken when condition matches.
priorityintegerNo0Higher values are evaluated first.
messagestringNo""Human-readable explanation in decisions and audit entries.
overridebooleanNofalseIf true, replaces a parent rule with the same name during folder-level merge.
A PolicyCondition MUST contain exactly three fields:
FieldTypeDescription
fieldstringDot-path into the execution context ("tool_name", "token_count").
operatorPolicyOperatorComparison operator (see table below).
valueanyTarget value for comparison.

Condition Operators

Conforming implementations MUST support all nine operators:
OperatorSemanticsExample
eqContext value equals target value.tool_name eq "execute_code"
neContext value does not equal target value.agent_id ne "admin"
gtContext value is greater than target.token_count gt 4096
ltContext value is less than target.priority lt 5
gteContext value is greater than or equal to target.confidence gte 0.8
lteContext value is less than or equal to target.retries lte 3
inContext value is a member of target collection.tool_name in ["read", "write"]
containsTarget value is contained within context value.arguments contains "password"
matchesContext value matches target regex pattern.tool_name matches "^exec_.*"
Missing field behavior: If the condition references a context field that does not exist, the condition MUST evaluate to false. A missing field MUST NOT cause an error or exception.
For the matches operator, both values MUST be coerced to strings before regex evaluation. For all other operators, no implicit type coercion is performed.

Policy Actions

ActionAllowedSemantics
allowYesThe action is permitted.
denyNoThe action is blocked. The agent MUST NOT proceed.
auditYesThe action is permitted but MUST be logged for review.
blockNoAlias for deny. The action is blocked.
An action is considered “allowing” if it is allow or audit. An action is considered “denying” if it is deny or block.

Evaluation Semantics

Evaluation Order

When evaluating a set of rules against an execution context:
  1. Rules MUST be sorted by priority in descending order (highest priority first).
  2. Rules MUST be evaluated in sorted order.
  3. The first rule whose condition matches determines the decision. Subsequent rules are NOT evaluated.
  4. If no rule matches and external backends are registered, backends MUST be consulted in registration order. The first backend returning a non-error result determines the decision.
  5. If no rule matches and no backend produces a result, the default action from the policy’s defaults object is applied.

Scoped vs. Flat Evaluation

When a root_dir is configured and the execution context contains a path field, the evaluator MUST use folder-scoped evaluation (governance files discovered from the action path up to the root, loaded, filtered by scope, and merged before evaluation). When no root_dir is configured or the context lacks a path field, the evaluator MUST use flat evaluation against the loaded policy list.

Default Action Determination

ModeDefault Action Source
Flat evaluationFirst loaded PolicyDocument’s defaults.action; allow if none loaded
Scoped evaluationMost specific (last) PolicyDocument in the merged chain

Fail-Closed Behavior

Security boundary: Fail-closed behavior is a deliberate security design. Systems that default to allow on error create exploitable failure modes. Never change the default to fail-open.
If any unhandled exception occurs during policy evaluation, the implementation MUST:
  1. Return a deny decision (allowed: false, action: "deny").
  2. Include reason: "Policy evaluation error — access denied (fail closed)".
  3. Include error: true in the audit entry.
  4. Log the exception at ERROR level.
The deny decision MUST be produced even if the exception occurs in an external backend, a condition evaluator, or the conflict resolver.

Conflict Resolution

When multiple policy candidates conflict, the PolicyConflictResolver determines which rule wins using one of four strategies:
StrategyEnum ValueBehaviour
Deny Overridesdeny_overridesAny deny rule wins over any allow, regardless of priority.
Allow Overridesallow_overridesAny allow rule wins over any deny, regardless of priority.
Priority First Matchpriority_first_matchHighest priority value wins regardless of action. Default.
Most Specific Winsmost_specific_winsAgent scope > Tenant scope > Global scope; ties broken by priority.
Scope specificity order: Agent > Tenant > Global. Conforming implementations MUST support all four strategies. The strategy MUST be configurable at engine construction time.

Deny Immutability Invariant

During folder-level policy merge, a child policy MUST NOT override a parent deny rule with an allow rule, even if override: true is set. A child that attempts to override a parent deny MUST have its override dropped silently. 
# Root governance.yaml (parent)
rules:
  - name: no-delete
    condition: { field: tool_name, operator: eq, value: delete_resource }
    action: deny
    priority: 200

# Subfolder governance.yaml (child — override MUST be dropped)
rules:
  - name: no-delete
    action: allow
    override: true   # ← IGNORED: parent deny is immutable

External Policy Backends

Implementations MUST support pluggable external policy backends for OPA/Rego and Cedar evaluation.

Backend Protocol

An external backend MUST implement: 
evaluate(action: string, context: dict) → BackendDecision
where BackendDecision is one of "allow", "deny", or "review". Backends MUST be consulted only after local rules fail to match. If a backend returns an error, the engine MUST treat it as a deny (fail closed). Multiple backends are consulted in registration order; the first non-error result wins. 
// TypeScript example
import { OPABackend, PolicyEngine } from '@microsoft/agent-governance-sdk';

const engine = new PolicyEngine([{ action: 'data.read', effect: 'allow' }]);
engine.registerBackend(
  new OPABackend({
    endpoint:   'https://opa.internal.example',
    policyPath: 'agentmesh/allow',
  }),
);

const result = await engine.evaluateWithBackends('data.read', { actor: 'alice' });
console.log(result.effectiveDecision);  // 'allow' | 'deny' | 'review'
console.log(result.backendResults);     // per-backend outcomes

Audit and Observability

Every policy evaluation MUST produce a structured audit entry containing:
FieldTypeDescription
timestampdatetimeUTC time of evaluation.
agent_idstringAgent DID or identifier.
actionstringAction that was evaluated.
decisionstringFinal decision: allow, deny, audit, block.
matched_rulestring or nullName of the rule that matched, if any.
policy_namestring or nullName of the policy document that matched.
reasonstringHuman-readable explanation.
evaluation_msfloatDuration of the evaluation in milliseconds.
backendstring or nullName of the external backend consulted, if any.
errorbooleantrue if the evaluation ended in a fail-closed error.
Audit entries MUST be emitted for every evaluation, including fail-closed error decisions.

Policy Composability

Folder-Level Hierarchy

When root_dir is configured, the engine discovers governance.yaml files from the action path up to the root directory. Policies are merged with the following rules:
  1. Root policies apply to all paths (lowest specificity).
  2. Subfolder policies apply only to their subtree (higher specificity).
  3. Child policies MAY override parent rules with override: true, except parent deny rules (immutability invariant).
  4. The inherit: false field stops the merge at that level.

Path Traversal Protection

Policy discovery MUST validate that action paths are within the configured root to prevent loading policies from arbitrary filesystem locations. Any path containing .. components MUST be rejected.

Conformance Requirements

A conforming implementation MUST:
  1. Support the full PolicyDocument schema (fields, defaults, serialization).
  2. Support all nine condition operators.
  3. Support all four policy actions.
  4. Implement priority-ordered, first-match evaluation.
  5. Implement folder-level policy discovery and merge.
  6. Enforce the deny immutability invariant.
  7. Implement path traversal protection.
  8. Support all four conflict resolution strategies.
  9. Support the ExternalPolicyBackend protocol.
  10. Enforce fail-closed semantics on all evaluation errors.
  11. Produce structured audit entries for every decision.
  12. Support YAML serialization for PolicyDocument.
Framework adapters using GovernancePolicy MUST additionally:
  1. Validate policies at construction time.
  2. Support exact, glob, and regex pattern types.
  3. Enforce the tool call interception order.
  4. Enforce concurrency limits.
The reference conformance test suite contains 68 tests covering all MUST requirements. Cross-language SDK compatibility is verified by running the same YAML policy files against each SDK’s evaluator.

Worked Examples

Basic Tool Blocking

version: "1.0"
name: "no-code-execution"
rules:
  - name: block-execute
    condition:
      field: tool_name
      operator: eq
      value: execute_code
    action: deny
    priority: 100
    message: "Code execution is not permitted in this environment"
defaults:
  action: allow
Context: {"tool_name": "execute_code", "agent_id": "assistant-1"} Expected: allowed: false, matched_rule: "block-execute", reason: "Code execution is not permitted in this environment"

Conflict Resolution — DENY_OVERRIDES

Candidates:
  • Rule “allow-read” from agent-scope policy: action: allow, priority: 50
  • Rule “block-all” from global policy: action: deny, priority: 10
Strategy: DENY_OVERRIDES Expected: Winner is “block-all” (deny overrides regardless of priority), conflict_detected: true

Fail-Closed on Exception

A malformed regex pattern at evaluation time MUST produce:
  • allowed: false, action: "deny"
  • reason: "Policy evaluation error — access denied (fail closed)"
  • error: true in the audit entry

Build docs developers (and LLMs) love

Get started for freeTalk to us