
The NIST AI Risk Management Framework (AI RMF 1.0) provides a structured, voluntary approach to managing risks arising from AI systems throughout their lifecycle. Published in January 2023, it organises AI risk management into four core functions — GOVERN, MAP, MEASURE, and MANAGE — each containing subcategories that describe specific practices organisations should implement. For AI agent deployments, where systems act autonomously with real-world consequences, the RMF’s emphasis on accountability, continuous monitoring, and incident response maps directly to the governance controls that AGT enforces in code.
This page documents an internal self-assessment mapping of AGT capabilities against NIST AI RMF 1.0 subcategories. It is not a validated certification or third-party audit. All 19 subcategories across the four functions have been assessed; 12 are fully addressed and 7 are partially addressed, with 0 gaps. Organizations must perform their own compliance assessments with qualified auditors.

Scorecard

| Metric | Value |
|---|---|
| Total subcategories assessed | 19 |
| Fully Addressed | 12 (63%) |
| Partially Addressed | 7 (37%) |
| Gaps (Not Addressed) | 0 (0%) |
| Strongest areas | GOVERN 1 (Policy), MANAGE 1 (Risk Response), MANAGE 4 (Monitoring) |
| Areas for improvement | MAP 5 (Individual Impacts), MEASURE 4 (Measurement Feedback), MANAGE 2 (Benefit Maximization) |

GOVERN — Policies, Processes, and Procedures

The GOVERN function establishes the organisational foundation for AI risk management: policies, accountability structures, and alignment with applicable legal and regulatory requirements.

GOVERN 1: Policies (Fully Addressed)

AGT implements a multi-layered, declarative policy system with schema validation, versioning, conflict resolution, and support for multiple policy backends.
| Component | Location | Key Capability |
|---|---|---|
| Core policy evaluator | agent-os/src/agent_os/policies/evaluator.py | PolicyEvaluator |
| Async policy evaluator | agent-os/src/agent_os/policies/async_evaluator.py | AsyncPolicyEvaluator |
| Shared/cross-project policies | agent-os/src/agent_os/policies/shared.py | SharedPolicyEvaluator |
| AgentMesh policy engine | agent-mesh/src/agentmesh/governance/policy.py:317 | PolicyEngine |
| Conflict resolution | agent-os/src/agent_os/policies/conflict_resolution.py | ResolutionResult |
| OPA integration | agent-mesh/src/agentmesh/governance/opa.py | OPA/Rego backend |
| Cedar integration | agent-mesh/src/agentmesh/governance/cedar.py | Cedar backend |
| Policy templates | agent-os/templates/policies/*.yaml | GDPR, production, enterprise, data-protection, content-safety |
Policy-as-code with YAML templates supports declarative governance across environments. Multiple backend engines (native, OPA Rego, Cedar) allow organizations to use existing policy infrastructure. Schema validation, versioning (PolicyVersion), diff tracking, and conflict detection provide lifecycle management. Three enforcement modes (strict, permissive, audit) enable progressive policy rollout.
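The three enforcement modes are what make progressive rollout possible: the same rule set is first run in audit mode to count what it would block, then promoted. The example below is added here to show that mechanism in working code; it is not AGT's PolicyEvaluator or schema. The mode semantics are this example's own assumption (strict fails closed on a rule it cannot evaluate, permissive fails open but records the error, audit never blocks), and the rules, tool calls and malformed rule are constructed.

```python
"""Policy rules evaluated under strict, permissive and audit enforcement modes.

Added example, not AGT's PolicyEvaluator. Assumed semantics: strict denies on
any matching deny rule and on any rule that cannot be evaluated (fail closed);
permissive denies only on a matching deny rule and lets evaluation errors
through with the error recorded (fail open); audit never blocks and only
records what strict would have decided.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str          # regex matched against "<tool>:<argument>"
    effect: str = "deny"


@dataclass
class Decision:
    allowed: bool
    mode: str
    violations: List[str] = field(default_factory=list)   # deny rules that matched
    errors: List[str] = field(default_factory=list)       # rules that could not be evaluated
    strict_would_block: bool = False                       # what audit mode reports


def evaluate(rules: List[Rule], mode: str, tool: str, argument: str) -> Decision:
    target = f"{tool}:{argument}"
    violations: List[str] = []
    errors: List[str] = []
    for rule in rules:
        try:
            if rule.effect == "deny" and re.search(rule.pattern, target):
                violations.append(rule.name)
        except re.error as exc:          # malformed pattern: this rule cannot be decided
            errors.append(f"{rule.name}: {exc}")

    strict_would_block = bool(violations or errors)
    if mode == "strict":
        allowed = not strict_would_block
    elif mode == "permissive":
        allowed = not violations
    elif mode == "audit":
        allowed = True
    else:
        raise ValueError(f"unknown enforcement mode: {mode}")
    return Decision(allowed, mode, violations, errors, strict_would_block)


# Constructed policy: no shell tool, HTTP egress only to an internal API host.
RULES = [
    Rule("no-shell", r"^shell:"),
    Rule("internal-egress-only", r"^http:(?!https://api\.internal\.example/)"),
]
BROKEN_RULE = Rule("malformed", r"(unclosed")   # constructed: fails to compile

# Constructed tool calls: one compliant, one exfiltration attempt, one shell use.
CALLS = [
    ("http", "https://api.internal.example/v1/orders"),
    ("http", "https://paste.example.net/upload"),
    ("shell", "rm -rf /tmp/cache"),
]


def rollout_matrix() -> Dict[str, List[bool]]:
    """Allowed/blocked per call under each mode, in promotion order."""
    return {mode: [evaluate(RULES, mode, t, a).allowed for t, a in CALLS]
            for mode in ("audit", "permissive", "strict")}


if __name__ == "__main__":
    for mode, row in rollout_matrix().items():
        print(f"{mode:10s} {row}")
    for mode in ("strict", "permissive"):
        d = evaluate(RULES + [BROKEN_RULE], mode, *CALLS[0])
        print(f"{mode:10s} with malformed rule -> allowed={d.allowed} errors={d.errors}")
```

In audit mode the `strict_would_block` flag is the number you watch before flipping to strict; the malformed-rule case is why fail-closed matters when rules are loaded from files that may be edited or corrupted.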

GOVERN 2: Accountability (Fully Addressed)

AGT provides cryptographic audit trails (Merkle hash chains), Shapley-value fault attribution, and joint liability tracking.
| Component | Location | Key Capability |
|---|---|---|
| Merkle audit chain | agent-mesh/src/agentmesh/governance/audit.py:153 | MerkleAuditChain |
| Flight recorder | agent-os/modules/control-plane/src/agent_control_plane/flight_recorder.py:33 | FlightRecorder |
| Shapley attribution | agent-hypervisor/src/hypervisor/liability/attribution.py | Mathematical fault attribution |
| Joint liability | agent-hypervisor/src/hypervisor/liability/__init__.py | Liability module |
| Liability ledger | agent-hypervisor/src/hypervisor/liability/ledger.py | Liability tracking |
| RBAC | agent-os/src/agent_os/integrations/rbac.py | 4 roles: READER, WRITER, ADMIN, AUDITOR |
| DID-based attribution | agent-mesh/src/agentmesh/governance/audit.py | agent_did field per entry |
Merkle hash chains provide tamper-evident audit trails in which each entry is cryptographically linked to its predecessor, so altering or removing an earlier entry invalidates every later hash. That evidence is only as strong as its anchor: a party who can rewrite the whole chain can recompute every hash, so the current chain head should be recorded somewhere the log writer cannot modify (an external timestamp, an append-only store, or a counterparty's copy). Shapley-value attribution apportions fault across the agents of a multi-agent system according to each agent's marginal contribution to the harm. DID-based agent identity ties every entry to the agent that performed the action.
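Shapley attribution is the least self-explanatory item in the table, so the following added example works it through for a constructed three-agent incident. It is not AGT's liability/attribution.py. It assumes a harm function v(S), meaning the damage that would have resulted had only the agents in coalition S behaved as they did, with everyone else behaving correctly; the agent names and harm values are made up for the illustration.

```python
"""Shapley-value fault attribution across cooperating agents.

Added example; not AGT's attribution module. The Shapley value of an agent is
its average marginal contribution to harm over all orderings of the agents;
the values sum exactly to the harm that actually occurred, v(N).
"""
from itertools import combinations
from math import factorial, isclose
from typing import Callable, Dict, FrozenSet, Sequence

Coalition = FrozenSet[str]

# Constructed incident: a planner produced a bad plan, an executor ran it and
# a reviewer signed it off; 100 units of harm resulted.
INCIDENT_AGENTS = ("planner", "executor", "reviewer")
_HARM: Dict[Coalition, float] = {
    frozenset({"planner", "executor"}): 40.0,   # a correct reviewer would have stopped most of it
    frozenset({"executor", "reviewer"}): 20.0,  # the executor's own deviation slipped past lax review
    frozenset({"planner", "reviewer"}): 0.0,    # nothing runs without the executor fault
    frozenset(INCIDENT_AGENTS): 100.0,          # what actually happened
}


def incident_harm(coalition: Coalition) -> float:
    """v(S); coalitions not listed (empty set, single agents) caused no harm."""
    return _HARM.get(coalition, 0.0)


def shapley_values(agents: Sequence[str],
                   harm: Callable[[Coalition], float]) -> Dict[str, float]:
    """Exact Shapley values by enumerating every coalition S not containing i:
    phi_i = sum_S |S|! (n-|S|-1)! / n!  *  (v(S u {i}) - v(S)).
    Enumeration is O(2^n): fine for a handful of agents, sample for more."""
    n = len(agents)
    phi = {a: 0.0 for a in agents}
    for i in agents:
        others = [a for a in agents if a != i]
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                s = frozenset(subset)
                phi[i] += weight * (harm(s | {i}) - harm(s))
    return phi


def liability_shares(agents: Sequence[str],
                     harm: Callable[[Coalition], float]) -> Dict[str, float]:
    """Each agent's fraction of total harm. The efficiency property (values sum
    to v(N)) holds whenever v(empty set) == 0; the check catches a harm
    function with a non-zero baseline, which would make the split meaningless."""
    phi = shapley_values(agents, harm)
    total = harm(frozenset(agents))
    if not isclose(sum(phi.values()), total, abs_tol=1e-9):
        raise ValueError("Shapley values do not sum to v(N); harm function has a non-zero baseline")
    if total == 0:
        return {a: 0.0 for a in agents}
    return {a: value / total for a, value in phi.items()}


if __name__ == "__main__":
    for agent, share in liability_shares(INCIDENT_AGENTS, incident_harm).items():
        print(f"{agent:9s} {share:6.1%}")
```

For this incident the executor carries the largest share (43.3%), the planner 33.3% and the reviewer 23.3%: the reviewer is not blameless because v(N) exceeds v({planner, executor}), and the order-averaging is what keeps the result independent of which agent's fault you happen to count first.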

GOVERN 3: Workforce (Partially Addressed)

AGT has community governance documentation but no code-level enforcement of diversity requirements or contributor roles.
| Component | Location |
|---|---|
| Contributing guide | CONTRIBUTING.md |
| Code of conduct | CODE_OF_CONDUCT.md — Microsoft Open Source |
| Community guide | COMMUNITY.md |
| Security policy | SECURITY.md |
Gap: No machine-readable role definitions, no expertise verification mechanisms, no diversity tracking. This is primarily an organisational obligation typically outside the scope of a governance toolkit.

GOVERN 4: Third-party practices (Fully Addressed)

AGT implements comprehensive supply chain security including plugin signing, trust tiers, MCP gateway controls, AI-BOM, and dependency confusion protection.
| Component | Location | Key Capability |
|---|---|---|
| MCP security scanner | agent-os/src/agent_os/mcp_security.py:324 | MCPSecurityScanner |
| MCP gateway | agent-os/src/agent_os/mcp_gateway.py:99 | MCPGateway — allowlist/blocklist |
| Plugin signing | agent-marketplace/src/agent_marketplace/signing.py:22 | PluginSigner (Ed25519) |
| Trust tiers | agent-marketplace/src/agent_marketplace/trust_tiers.py | filter_capabilities() — 5 tiers (0–1000) |
| Egress policy | agent-os/src/agent_os/egress_policy.py:50 | EgressPolicy |
| AI-BOM | agent-mesh/docs/RFC_AGENT_SBOM.md | AI Bill of Materials v2.0 |
Ed25519-signed plugins and manifest validation ensure supply chain integrity. The five-tier trust scoring system (0–1000) restricts third-party agents to appropriate privilege levels. AI-BOM v2.0 provides model provenance, dataset lineage, and weights versioning.

GOVERN 5: Risk processes (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| EU AI Act risk classifier | agent-mesh/src/agentmesh/governance/eu_ai_act.py | RiskLevel, RiskClassifier, AgentRiskProfile |
| Compliance framework | agent-mesh/src/agentmesh/governance/compliance.py | Multi-framework compliance |
| Rogue agent detector | agent-sre/src/agent_sre/anomaly/rogue_detector.py:304 | RogueAgentDetector |
EU AI Act four-tier risk classification (UNACCEPTABLE, HIGH, LIMITED, MINIMAL) provides structured risk assessment. AgentRiskProfile aggregates risk signals per agent. The compliance engine supports multi-framework verification, allowing organisations to define and enforce risk management processes declaratively.

GOVERN 6: Requirements alignment (Fully Addressed)

AGT maintains dedicated compliance mapping documents for seven major frameworks.

| Framework | Document | Status |
|---|---|---|
| OWASP Agentic Top 10 | docs/compliance/owasp-agentic-top10-architecture.md | All ASI risk categories mapped |
| EU AI Act | docs/compliance/eu-ai-act-checklist.md | 9/11 articles addressed |
| SOC 2 Type II | docs/compliance/soc2-mapping.md | 4/5 criteria addressed |
| ATF Conformance | docs/compliance/atf-conformance-assessment.md | 25/25 requirements (7 partial) |
| OWASP LLM Top 10 | docs/compliance/owasp-llm-top10-mapping.md | Full mapping |
| NIST RFI 2026 | docs/compliance/nist-rfi-2026-00206.md | Question-by-question mapping |
| South Korea AI Framework Act | agent-compliance/docs/compliance/south-korea-ai-framework-act.md | Mapped |

MAP — Context and Risk Identification

The MAP function establishes context for AI risk decisions — categorising systems, identifying impacts, and systematically discovering risks before deployment.

MAP 1: Context (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Execution context | agent-os/src/agent_os/execution_context_policy.py:62 | ContextualPolicyEngine |
| Stateless kernel context | agent-os/src/agent_os/stateless.py | ExecutionContext |
| Governance tiers | agent-hypervisor/src/hypervisor/models.py | Ring 0–3 privilege separation |
| Policy modes | agent-os/src/agent_os/policies/schema.py:34-41 | strict, permissive, audit |
| Context budget | agent-os/src/agent_os/context_budget.py | ContextScheduler |
ContextualPolicyEngine binds policy evaluation to rich execution context including governance tiers, environment type, and operational mode. The four-ring privilege model (Ring 0: kernel through Ring 3: untrusted) establishes operational boundaries for each agent.

MAP 2: Categorisation (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| EU AI Act risk classifier | agent-mesh/src/agentmesh/governance/eu_ai_act.py | RiskLevel enum — 4 tiers |
| Agent risk profile | agent-mesh/src/agentmesh/governance/eu_ai_act.py | AgentRiskProfile dataclass |
| Trust tiers (5-tier) | docs/ARCHITECTURE.md | 0–1000 scale: Untrusted → Verified Partner |
| Execution rings (4-tier) | agent-hypervisor/src/hypervisor/models.py | Ring 0 (kernel) → Ring 3 (untrusted) |
Dual categorisation systems — EU AI Act risk levels and the five-tier trust score — enable AI systems to be categorised by both regulatory risk and behavioural trust.

MAP 3: Benefits/costs (Partially Addressed)

AGT provides comprehensive performance benchmarks quantifying governance overhead but lacks formal cost-benefit frameworks.

| Measurement | ops/sec | p50 latency |
|---|---|---|
| Policy evaluation (single rule) | 84,489 | 0.011 ms |
| Policy evaluation (100 rules) | 32,025 | 0.030 ms |
| Kernel enforcement (allow) | 9,668 | 0.103 ms |
| Circuit breaker check | 1,828,845 | 0.001 ms |
| Audit entry write | 285,202 | 0.002 ms |
| Concurrent (1,000 agents) | 47,085 | |
Gap: No formal ROI model or cost-benefit analysis framework. Overhead is quantified in technical terms (latency/throughput) but not in business value terms (risk reduction, compliance cost savings).

MAP 4: Risks identified (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| STRIDE threat model | docs/security/threat-model.md | 4 trust boundaries, 6 attack surfaces |
| OWASP Agentic Top 10 | docs/compliance/owasp-agentic-top10-architecture.md | All ASI risks mapped with mitigations |
| Prompt injection detector | agent-os/src/agent_os/prompt_injection.py:357 | PromptInjectionDetector — 12+ patterns |
| Memory guard | agent-os/src/agent_os/memory_guard.py:170 | MemoryGuard — memory poisoning defense |
| Adversarial evaluator | agent-sre/src/agent_sre/chaos/adversarial.py | Adversarial testing library |
| Chaos testing | agent-sre/src/agent_sre/chaos/engine.py | Chaos engineering framework |
STRIDE-based threat modelling systematically identifies risks across four trust boundaries and six attack surfaces. Prompt injection detection (12+ pattern families), memory poisoning defence, and cascade detection provide defence-in-depth. Chaos engineering proactively discovers risks before production deployment.

MAP 5: Individual impacts (Partially Addressed)

AGT has PII/PHI protection via regex patterns and GDPR policy templates but lacks ML-based bias detection or fairness evaluation.

| Component | Location | Key Capability |
|---|---|---|
| GDPR policy template | agent-os/templates/policies/gdpr.yaml | 10+ PII pattern categories, data minimisation |
| PII detection policy | agent-os/examples/shared-policies/no-pii.yaml | Shareable PII blocking policy |
| Memory guard PII redaction | agent-os/src/agent_os/memory_guard.py | PII redaction in context |
| HIPAA example | agent-os/tutorials/hipaa-compliant-agent/demo.py | Healthcare compliance demo |
Gap: No ML-based NER (e.g., Presidio) for PII/PHI (regex-only detection), no bias detection algorithms, no fairness metrics, no consent management system, and no Data Subject Access Request (DSAR) workflow automation.

MEASURE — Assessment, Analysis, and Tracking

The MEASURE function covers how AI risks are quantified, how systems are evaluated, and how measurement results feed back into governance decisions.

MEASURE 1: Metrics (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| SLO engine | agent-sre/src/agent_sre/slo/objectives.py:167 | SLO, ErrorBudget, SLOStatus |
| SLO dashboard | agent-sre/src/agent_sre/slo/dashboard.py:73 | SLODashboard, SLOSnapshot |
| Trust score | agent-mesh/src/agentmesh/governance/ | 0–1000 scale, 5 tiers |
| Shift-left metrics | agent-os/src/agent_os/shift_left_metrics.py | ShiftLeftTracker — violations by lifecycle stage |
| OTel metrics | agent-sre/src/agent_sre/integrations/otel/metrics.py | OpenTelemetry export |
```python
from agent_sre import SLO, ErrorBudget
from agent_sre.slo.indicators import TaskSuccessRate, HallucinationRate

# One SLO with two indicators, each measured over a rolling 24-hour window.
slo = SLO(
    name="production-agent",
    indicators=[
        TaskSuccessRate(target=0.95, window="24h"),    # success rate to stay at or above
        HallucinationRate(target=0.05, window="24h"),  # hallucination rate to stay at or below
    ],
    # Share of the window that may miss target before the budget is exhausted
    error_budget=ErrorBudget(total=0.05),
)
```
SLI/SLO/error budget engine provides structured quantitative metrics with dashboard visualisation. Seven SLI types are defined: TaskSuccessRate, ToolCallAccuracy, ResponseLatency, CostPerTask, PolicyComplianceRate, HallucinationRate, CalibrationDelta.

MEASURE 2: Evaluation (Partially Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Content quality evaluator | agent-os/src/agent_os/content_governance.py:78 | ContentQualityEvaluator |
| Plugin quality assessor | agent-marketplace/src/agent_marketplace/quality_assessment.py:120 | QualityAssessor |
| Red team dataset | agent-os/modules/control-plane/benchmark/red_team_dataset.py | Red-team benchmark data |
| Policy benchmark suite | agent-os/benchmarks/bench_policy.py | 30-scenario OWASP benchmark |
| CMVK verification | agent-os/modules/cmvk/src/cmvk/constitutional.py | Cross-Model Verification Kernel |
Gap: No formal model accuracy or correctness evaluation pipeline. Quality assessment focuses on governance and content safety rather than model performance. The HallucinationRate and CalibrationDelta SLIs under MEASURE 1 track whatever values are reported to them; what is missing is a pipeline that produces those values from labelled evaluation data.

MEASURE 3: Risk tracking (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Behavioural baseline | agent-sre/src/agent_sre/anomaly/detector.py:68 | BehaviorBaseline |
| Rogue agent detector | agent-sre/src/agent_sre/anomaly/rogue_detector.py:304 | RogueAgentDetector |
| Drift detector | agent-os/src/agent_os/integrations/drift_detector.py:93 | DriftDetector, DriftType enum |
| Flight recorder | agent-os/modules/control-plane/src/agent_control_plane/flight_recorder.py:33 | FlightRecorder |
| Ring breach detection | agent-hypervisor/rings/breach_detector.py | Sliding-window anomaly detection |
| Fleet monitoring | agent-sre/src/agent_sre/fleet/__init__.py | Fleet-wide health with AgentState.DEGRADED |
Behavioural baselines establish normal operating patterns per agent. Drift detectors identify deviations from expected behaviour. The rogue agent detector classifies agents exhibiting anomalous patterns. Flight recorders provide forensic-grade telemetry for post-incident analysis.

Limitation: Behavioural baselines are in-memory only, with no durable cross-session persistence. Baselines are lost when agent sessions terminate, so an agent that restarts is scored against a fresh baseline until enough new observations accumulate.

MEASURE 4: Measurement feedback (Partially Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Shift-left tracker | agent-os/src/agent_os/shift_left_metrics.py | Violations by lifecycle stage |
| SLO dashboard | agent-sre/src/agent_sre/slo/dashboard.py:73 | Point-in-time SLO snapshots |
| OTel governance export | agent-mesh/src/agentmesh/observability/otel_governance.py | Governance telemetry |
| Langfuse exporter | agent-sre/src/agent_sre/integrations/langfuse/exporter.py | SLO scores to Langfuse |
Gap: No time-series compliance trend analysis, no measurement-of-measurement loops. The toolkit provides raw measurement capabilities but does not yet evaluate whether those measurements are themselves effective over time.

MANAGE — Risk Response and Monitoring

The MANAGE function covers how identified AI risks are prioritised, responded to, and continuously monitored in production.

MANAGE 1: Risk response (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Circuit breaker (SRE) | agent-sre/src/agent_sre/cascade/circuit_breaker.py:90 | CircuitBreaker — trip/open/half-open |
| Kill switch | agent-hypervisor/src/hypervisor/security/kill_switch.py:69 | KillSwitch.kill() — 6 kill reasons |
| Rate limiter | agent-hypervisor/src/hypervisor/security/rate_limiter.py:86 | AgentRateLimiter |
| Approval workflow | agent-os/extensions/mcp-server/src/services/approval-workflow.ts:18 | ApprovalWorkflow — quorum, expiration |
| Saga orchestrator | agent-hypervisor/saga/orchestrator.py | SagaOrchestrator — rollback compensation |
| Reversibility registry | agent-hypervisor/reversibility/registry.py | Undo/rollback registry |
Multi-tier risk response: circuit breakers stop failures cascading between agents; the kill switch terminates an agent immediately for any of six enumerated reasons; rate limiters cap per-agent throughput. Approval workflows with quorum requirements and expiry add human oversight. Saga orchestrators run compensating transactions to roll back multi-step operations after a failure.
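The trip/open/half-open behaviour in the table is easiest to understand as a state machine driven by consecutive failures and elapsed time. The following is an added example of that machine, not AGT's cascade/circuit_breaker.py. It assumes one breaker per downstream agent or tool, a failure threshold of three, a 30-second recovery timeout, and an injectable clock; the downstream tool and its timeouts are constructed so the scenario runs without sleeping.

```python
"""Circuit breaker state machine: closed, open, half-open.

Added example; not AGT's CircuitBreaker. Trips after `failure_threshold`
consecutive failures, rejects calls immediately while open, admits a single
probe after `recovery_timeout` seconds (half-open), reopens if that probe
fails and closes again only when it succeeds.
"""
import time
from enum import Enum
from typing import Callable, List, Optional, Tuple


class State(Enum):
    CLOSED = "closed"        # calls flow, consecutive failures are counted
    OPEN = "open"            # calls rejected without touching the downstream
    HALF_OPEN = "half_open"  # one probe call allowed through


class CircuitOpenError(RuntimeError):
    """Raised instead of calling a downstream that is marked unhealthy."""


class CircuitBreaker:
    def __init__(self, failure_threshold: int = 3, recovery_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock
        self.state = State.CLOSED
        self.consecutive_failures = 0
        self.opened_at: Optional[float] = None

    def current_state(self) -> State:
        # open -> half-open is decided by elapsed time on the next call, not by a timer.
        if self.state is State.OPEN and self.clock() - self.opened_at >= self.recovery_timeout:
            self.state = State.HALF_OPEN
        return self.state

    def call(self, fn: Callable[[], object]) -> object:
        if self.current_state() is State.OPEN:
            raise CircuitOpenError("downstream marked unhealthy; failing fast")
        try:
            result = fn()
        except Exception:
            self._record_failure()
            raise
        self._record_success()
        return result

    def _record_failure(self) -> None:
        self.consecutive_failures += 1
        # A failed probe reopens immediately; otherwise trip on the threshold.
        if self.state is State.HALF_OPEN or self.consecutive_failures >= self.failure_threshold:
            self.state = State.OPEN
            self.opened_at = self.clock()

    def _record_success(self) -> None:
        self.consecutive_failures = 0
        self.state = State.CLOSED


class FakeClock:
    """Manual clock so the scenario is deterministic and does not sleep."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> Tuple[List[str], State]:
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=clock)
    healthy = {"value": False}   # constructed downstream: times out, later recovers

    def downstream() -> str:
        if not healthy["value"]:
            raise TimeoutError("tool did not respond")
        return "result"

    def attempt() -> str:
        try:
            return str(breaker.call(downstream))
        except CircuitOpenError:
            return "rejected"
        except TimeoutError:
            return "failed"

    outcomes = [attempt() for _ in range(3)]   # three timeouts trip the breaker
    outcomes.append(attempt())                  # rejected while open
    clock.advance(30)
    outcomes.append(attempt())                  # half-open probe fails: reopened
    outcomes.append(attempt())                  # rejected again
    healthy["value"] = True
    clock.advance(30)
    outcomes.append(attempt())                  # probe succeeds: closed
    outcomes.append(attempt())                  # normal traffic resumes
    return outcomes, breaker.state


if __name__ == "__main__":
    print(*run_scenario())
```

The security-relevant detail is the "rejected" outcomes: while open, the breaker never invokes the downstream, so a compromised or degraded agent receives no further work from its callers until a single probe proves it healthy again.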

MANAGE 2: Maximise benefits (Partially Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Trust scoring (0–1000) | agent-mesh/src/agentmesh/governance/ | 5 tiers: Untrusted → Verified Partner |
| Trust decay | agent-mesh/ | Scores degrade without positive signals |
| Capability delegation | agent-mesh/identity/agent_id.py | delegate(), capability narrowing |
| Graduated rings | agent-hypervisor/src/hypervisor/models.py | Ring 0–3 privilege escalation/demotion |
| Progressive delivery | agent-sre/src/agent_sre/delivery/ | Canary deploys, GitOps |
Gap: No formal benefit-maximisation framework. Trust-based capability delegation exists but is framed as a security control rather than a benefit optimisation mechanism.
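Trust decay and capability narrowing are the two mechanisms in the table that carry the security weight, and they are easiest to see together: an idle agent slides down the tiers and loses capabilities, and a delegate can only ever receive a subset of what its delegator holds. The block below is an added example, not agent-mesh's trust scoring or identity code. It assumes exponential decay with a 14-day half-life, placeholder names and thresholds for the three middle tiers (only "Untrusted" and "Verified Partner" come from the page), a constructed capability ladder, and a delegate() that rejects any capability the delegator lacks.

```python
"""Trust score decay and capability attenuation on delegation.

Added example; not agent-mesh's trust or identity modules. Tier names other
than "Untrusted" and "Verified Partner", all thresholds, the half-life and
the capability ladder are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Placeholder tier thresholds on the 0-1000 scale, ascending.
TIERS: List[Tuple[int, str]] = [
    (0, "Untrusted"),
    (200, "Provisional"),
    (400, "Standard"),
    (700, "Trusted"),
    (900, "Verified Partner"),
]

# Constructed capability ladder: each tier adds one capability to the tier below.
_LADDER = ["read:public", "read:internal", "write:scratch", "tool:http", "tool:shell"]
TIER_CAPABILITIES: Dict[str, FrozenSet[str]] = {
    name: frozenset(_LADDER[: i + 1]) for i, (_, name) in enumerate(TIERS)
}
ALL_CAPABILITIES: FrozenSet[str] = frozenset(_LADDER)


def tier_for(score: float) -> str:
    score = max(0.0, min(1000.0, score))
    for threshold, name in reversed(TIERS):
        if score >= threshold:
            return name
    return TIERS[0][1]


def decayed_score(score: float, seconds_since_positive: float, half_life: float) -> float:
    """Exponential decay: with no positive signals the score halves every half_life."""
    return score * 0.5 ** (seconds_since_positive / half_life)


def filter_capabilities(requested: Iterable[str], score: float) -> FrozenSet[str]:
    """Drop anything the agent's current tier does not permit."""
    return frozenset(requested) & TIER_CAPABILITIES[tier_for(score)]


@dataclass(frozen=True)
class AgentIdentity:
    did: str
    capabilities: FrozenSet[str]

    def delegate(self, child_did: str, requested: Iterable[str]) -> "AgentIdentity":
        """Narrowing only: a delegate never receives a capability its delegator lacks,
        so the property holds transitively down any delegation chain."""
        requested = frozenset(requested)
        excess = requested - self.capabilities
        if excess:
            raise PermissionError(f"{self.did} cannot delegate {sorted(excess)}")
        return AgentIdentity(child_did, requested)


def scenario() -> dict:
    day = 86400.0
    fresh = 950.0
    stale = decayed_score(fresh, 30 * day, half_life=14 * day)   # a month without positive signals
    parent = AgentIdentity("did:example:parent", filter_capabilities(ALL_CAPABILITIES, 750))
    child = parent.delegate("did:example:child", {"read:public", "tool:http"})
    try:
        parent.delegate("did:example:rogue", {"tool:shell"})        # parent never held this
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True
    try:
        child.delegate("did:example:grandchild", {"write:scratch"})  # child never held this either
        transitive_blocked = False
    except PermissionError:
        transitive_blocked = True
    return {
        "fresh_tier": tier_for(fresh),
        "stale_score": stale,
        "stale_tier": tier_for(stale),
        "stale_capabilities": filter_capabilities(ALL_CAPABILITIES, stale),
        "child_capabilities": child.capabilities,
        "escalation_blocked": escalation_blocked,
        "transitive_blocked": transitive_blocked,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:20s} {value}")
```

Under these assumptions a Verified Partner agent that goes 30 days without a positive signal drops to about 215 and lands in the placeholder Provisional tier, keeping only the two read capabilities; the two PermissionError paths are the attenuation guarantee that delegation can lower privilege but never raise it.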

MANAGE 3: Third-party risks (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| MCP security scanner | agent-os/src/agent_os/mcp_security.py:324 | Tool poisoning, injection detection |
| MCP gateway | agent-os/src/agent_os/mcp_gateway.py:99 | MCPGateway — allowlist/blocklist |
| Plugin signing | agent-marketplace/src/agent_marketplace/signing.py:22 | PluginSigner — Ed25519 |
| AI-BOM v2.0 | agent-mesh/docs/RFC_AGENT_SBOM.md | Model provenance, dataset lineage |
| Egress policy | agent-os/src/agent_os/egress_policy.py:50 | EgressPolicy — domain allow/deny |
Defence-in-depth for third-party risks: the MCP security scanner detects tool poisoning and injection; the gateway enforces allowlist/blocklist policies; plugin signing (Ed25519) and manifest validation prevent tampered or impersonated plugins from loading. Signing establishes who published a plugin and that it is unchanged since; whether it is safe to run is what the scanner, trust tiers and egress policy decide. Egress policies restrict outbound data flows to authorised domains.

MANAGE 4: Monitoring (Fully Addressed)

| Component | Location | Key Capability |
|---|---|---|
| Rogue agent detector | agent-sre/src/agent_sre/anomaly/rogue_detector.py:304 | Scoring, classification |
| Fleet monitoring | agent-sre/src/agent_sre/fleet/__init__.py | Fleet-wide health, AgentState enum |
| OTel tracing | agent-sre/src/agent_sre/tracing/spans.py | Distributed tracing spans |
| OTel exporters | agent-sre/src/agent_sre/tracing/exporters.py | OTLP/Jaeger/Zipkin |
| OTel governance enrichment | agent-mesh/src/agentmesh/observability/otel_governance.py | Policy events as OTel spans |
| Cascade detector | agent-sre/src/agent_sre/cascade/circuit_breaker.py:223 | CascadeDetector |
Deep observability stack: OpenTelemetry integration across all packages (spans, metrics, events) exports to OTLP/Jaeger/Zipkin. Rogue agent detector uses behavioural scoring to classify anomalous agents. Fleet monitoring provides population-level health dashboards. Governance-enriched OTel spans embed policy evaluation results directly into distributed traces, enabling governance-aware debugging.

Coverage Summary Matrix

| # | Subcategory | Coverage | Key Artifacts |
|---|---|---|---|
| 1 | GOVERN 1 — Policies | ✅ Full | 10+ PolicyEngine implementations, OPA/Cedar backends |
| 2 | GOVERN 2 — Accountability | ✅ Full | Merkle audit, Shapley attribution, RBAC, DID |
| 3 | GOVERN 3 — Workforce | ⚠️ Partial | CONTRIBUTING.md, CODE_OF_CONDUCT.md |
| 4 | GOVERN 4 — Third-party practices | ✅ Full | Plugin signing, MCP scanner, AI-BOM, egress policy |
| 5 | GOVERN 5 — Risk processes | ✅ Full | EU AI Act classifier, compliance engine |
| 6 | GOVERN 6 — Requirements alignment | ✅ Full | 7 framework compliance mappings |
| 7 | MAP 1 — Context | ✅ Full | ExecutionContext, 4-ring model, 3 policy modes |
| 8 | MAP 2 — Categorisation | ✅ Full | RiskLevel enum, AgentRiskProfile, 5-tier trust |
| 9 | MAP 3 — Benefits/costs | ⚠️ Partial | Latency/throughput benchmarks; no ROI model |
| 10 | MAP 4 — Risks identified | ✅ Full | STRIDE threat model, OWASP 10/10, chaos testing |
| 11 | MAP 5 — Individual impacts | ⚠️ Partial | GDPR template, PII regex; no bias/fairness |
| 12 | MEASURE 1 — Metrics | ✅ Full | SLO engine, trust scoring, shift-left, OTel |
| 13 | MEASURE 2 — Evaluation | ⚠️ Partial | Content quality, red team; no model eval pipeline |
| 14 | MEASURE 3 — Risk tracking | ✅ Full | Drift detection, baselines, flight recorder |
| 15 | MEASURE 4 — Measurement feedback | ⚠️ Partial | Shift-left tracker, SLO dashboard |
| 16 | MANAGE 1 — Risk response | ✅ Full | Circuit breakers, kill switch, rate limiters, sagas |
| 17 | MANAGE 2 — Maximise benefits | ⚠️ Partial | Trust scoring, graduated autonomy |
| 18 | MANAGE 3 — Third-party risks | ✅ Full | MCP scanner, plugin signing, trust tiers, AI-BOM |
| 19 | MANAGE 4 — Monitoring | ✅ Full | OTel, rogue detector, fleet monitoring, cascade |
Totals: 12 Fully Addressed · 7 Partially Addressed · 0 Gaps

Automated Evidence Generation

AGT generates audit trail evidence that can be used to demonstrate NIST AI RMF compliance to internal auditors or regulators. The evidence includes cryptographically linked audit log entries, policy evaluation records, SLO compliance data, and compliance framework reports.
```bash
# Generate structured evidence package
agt verify --evidence ./agt-evidence.json

# Strict mode — fails CI if high-severity controls are missing
agt verify --evidence ./agt-evidence.json --strict

# Validate policy files against AGT's JSON Schema
agt lint-policy policies/
```
The generated evidence JSON includes:
  • Policy documents active at time of assessment
  • Audit log entries with SHA-256 hash chain for tamper detection
  • SLO compliance snapshots across the review period
  • Compliance framework reports with control pass/fail status
Run agt verify --evidence ./agt-evidence.json --strict in your CI pipeline on every merge to main. This provides a continuous compliance check aligned to NIST AI RMF MEASURE 1 (metrics applied) and MANAGE 4 (risks monitored), and produces auditable evidence that governance controls are active.
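The "SHA-256 hash chain for tamper detection" in the evidence package, and the Merkle audit chain under GOVERN 2, rest on the same construction, shown below as an added example. This is not AGT's MerkleAuditChain and not what `agt verify` does internally; entry fields, the DIDs and the three events are constructed. The second half demonstrates the limit worth knowing before presenting such a log as evidence: an adversary who can rewrite the whole file can recompute every hash, and only a chain head kept outside the writer's control detects that.

```python
"""Tamper-evident audit log as a SHA-256 hash chain, checked against an anchor.

Added example; not AGT's audit module. Each entry commits to the hash of its
predecessor, so a change to any earlier entry invalidates every later hash.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    # Fixed key order and separators so equal records always hash equally.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditEntry:
    seq: int
    agent_did: str      # which agent acted (per-entry attribution)
    action: str
    decision: str
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(canonical(body)).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, agent_did: str, action: str, decision: str) -> AuditEntry:
        entry = AuditEntry(len(self.entries), agent_did, action, decision, self.head())
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, index of the first bad entry).
        An index equal to len(entries) means the chain is self-consistent but
        its head differs from the anchored one: it was rewritten or truncated."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False, i
            prev = e.entry_hash
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.entries)
        return True, None


# Constructed events: three policy decisions from two agents.
SAMPLE_EVENTS = [
    ("did:example:planner", "tool_call:http", "allow"),
    ("did:example:executor", "tool_call:shell", "deny"),
    ("did:example:executor", "tool_call:http", "allow"),
]


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    chain = AuditChain()
    for did, action, decision in SAMPLE_EVENTS:
        chain.append(did, action, decision)
    anchored = chain.head()   # stand-in for publishing the head to an external store
    results = {"intact": chain.verify(anchored)}

    # Naive tamper: flip the denied shell call to "allow" in place.
    chain.entries[1].decision = "allow"
    results["naive_tamper"] = chain.verify(anchored)

    # Rewrite attack: recompute every hash from the edited entry onwards.
    prev = chain.entries[0].entry_hash
    for e in chain.entries[1:]:
        e.prev_hash = prev
        e.entry_hash = e.compute_hash()
        prev = e.entry_hash
    results["rewrite_internal_check"] = chain.verify()          # passes
    results["rewrite_against_anchor"] = chain.verify(anchored)  # caught
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name:24s} ok={ok} first_bad={bad_index}")
```

When an evidence package is produced for a review period, record its chain head alongside it (a signed timestamp or a copy held by the auditor is enough); verification against that head is what turns "the file is internally consistent" into "the file is the one that was generated".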

Cross-Framework Alignment

AGT’s NIST AI RMF controls overlap with its other compliance mappings. The following table shows where RMF subcategories share evidence with other frameworks:
| NIST AI RMF Subcategory | ATF Reference | OWASP Reference | EU AI Act Reference | SOC 2 Reference |
|---|---|---|---|---|
| GOVERN 1 (Policies) | A-1, A-2 | | Art. 9 (Risk management) | CC6.1 (Logical access) |
| GOVERN 2 (Accountability) | A-5 (Audit trails) | | Art. 12 (Record-keeping) | CC4.1 (Monitoring) |
| GOVERN 4 (Third-party) | D-1 through D-5 | ASI04 (Supply Chain) | Art. 28 (Deployer obligations) | CC9.2 (Vendor mgmt) |
| MAP 4 (Risks identified) | B-2, B-3 | ASI01–ASI10 (All risks) | Art. 9.2 (Risk identification) | CC3.2 (Risk assessment) |
| MAP 5 (Individual impacts) | C-1, C-2 | ASI09 (Trust Exploitation) | Art. 10 (Data governance) | P1–P8 (Privacy) |
| MEASURE 1 (Metrics) | E-1 (SLI/SLO) | | Art. 9.7 (Testing/metrics) | CC4.1 (Monitoring) |
| MANAGE 1 (Risk response) | F-1, F-2 | ASI08 (Cascading Failures) | Art. 14 (Human oversight) | CC7.3 (Security incident evaluation) |
| MANAGE 4 (Monitoring) | E-1, F-3 | ASI10 (Rogue Agents) | Art. 72 (Post-market monitoring) | CC7.1 (Monitoring) |
