Deploy Agent Governance Toolkit on Azure, AWS, and GCP

AGT runs as in-process middleware or as a sidecar container alongside your agent. In-process middleware is ideal when you’re using a managed agent framework (Azure AI Foundry, AWS Bedrock, Vertex AI) and want zero sidecar overhead. The sidecar pattern — running governance in a separate container that shares a network namespace with your agent — is the production recommendation because it provides OS-level isolation between the governance layer and the agent code. AGT has zero cloud-vendor dependencies. It is pure Python/TypeScript/.NET/Rust/Go and runs anywhere containers run: Azure, AWS, GCP, on-premises, or your laptop.

# Local development
pip install agent-governance-toolkit[full]

Deployment Patterns

┌────────────────────────────────────────────────────────────────────────┐
│  Any Cloud (Azure / AWS / GCP / On-Prem)                              │
│                                                                        │
│  ┌──────────────────┐  ┌──────────────────┐  ┌─────────────────────┐  │
│  │ Kubernetes (AKS/ │  │ Serverless (ACA/ │  │ Agent Framework     │  │
│  │ EKS/GKE)         │  │ Fargate/CloudRun)│  │ (Foundry/Bedrock/   │  │
│  │                  │  │                  │  │  Vertex)            │  │
│  │ ┌─────┐┌─────┐  │  │ ┌─────┐┌──────┐ │  │                     │  │
│  │ │Agent││Gov  │  │  │ │Agent││Gov   │ │  │  ┌─────────────┐   │  │
│  │ │     ││Side-│  │  │ │     ││Side- │ │  │  │ Governance  │   │  │
│  │ │     ││car  │  │  │ │     ││car   │ │  │  │ Middleware   │   │  │
│  │ └─────┘└─────┘  │  │ └─────┘└──────┘ │  │  └─────────────┘   │  │
│  │  Pod / Task      │  │  Container Group │  │   In-Process       │  │
│  └──────────────────┘  └──────────────────┘  └─────────────────────┘  │
└────────────────────────────────────────────────────────────────────────┘

Pattern	Best For
Kubernetes (AKS/EKS/GKE)	Production multi-agent systems, enterprise HA, full AgentMesh mesh
Serverless (Container Apps/Fargate/Cloud Run)	Scale-to-zero, prototyping, single-agent scenarios
In-Process Middleware	Managed frameworks (Foundry, Bedrock, Vertex), zero-sidecar overhead

Deployment Targets

Azure Container Apps
AWS ECS / Fargate
GCP GKE
Docker Compose (Local/Dev)

Azure Container Apps runs the governance toolkit as a sidecar container within a Container Apps Environment. Both containers share a network namespace and communicate over localhost.Prerequisites: Azure CLI 2.60+ with the containerapp extension.

# Install/update the Container Apps extension
az extension add --name containerapp --upgrade
az provider register --namespace Microsoft.App
az provider register --namespace Microsoft.OperationalInsights

Environment setup:

RESOURCE_GROUP="rg-agent-governance"
LOCATION="eastus"
ENVIRONMENT="agent-gov-env"
REGISTRY="agentgovregistry"

az group create --name $RESOURCE_GROUP --location $LOCATION
az acr create --name $REGISTRY --resource-group $RESOURCE_GROUP \
  --sku Basic --admin-enabled true

az containerapp env create \
  --name $ENVIRONMENT \
  --resource-group $RESOURCE_GROUP \
  --location $LOCATION

Container App with governance sidecar (container-app.yaml):

properties:
  configuration:
    ingress:
      external: true
      targetPort: 8080
    registries:
      - server: agentgovregistry.azurecr.io
        identity: system
  template:
    containers:
      # Primary: Your AI agent
      - name: agent
        image: agentgovregistry.azurecr.io/your-agent:latest
        resources:
          cpu: 1.0
          memory: 2Gi
        env:
          - name: GOVERNANCE_ENDPOINT
            value: http://localhost:8081
          - name: AGENT_ID
            value: my-agent-001
          - name: AZURE_CLIENT_ID
            secretRef: azure-client-id
          - name: AZURE_TENANT_ID
            secretRef: azure-tenant-id

      # Sidecar: Governance toolkit
      - name: governance-sidecar
        image: agentgovregistry.azurecr.io/agent-governance-sidecar:latest
        resources:
          cpu: 0.25
          memory: 0.5Gi
        env:
          - name: POLICY_DIR
            value: /policies
          - name: TRUST_SCORE_THRESHOLD
            value: "0.6"
          - name: RATE_LIMIT_PER_MINUTE
            value: "100"
        volumeMounts:
          - volumeName: policy-volume
            mountPath: /policies

    scale:
      minReplicas: 0   # 0 for dev, 2 for prod
      maxReplicas: 10
      rules:
        - name: http-rule
          http:
            metadata:
              concurrentRequests: "50"

    volumes:
      - name: policy-volume
        storageType: AzureFile
        storageName: policy-share

Deploy:

az containerapp create \
  --name my-governed-agent \
  --resource-group $RESOURCE_GROUP \
  --environment $ENVIRONMENT \
  --yaml container-app.yaml

Mount policies via Azure Files:

az storage account create \
  --name agentgovpolicies \
  --resource-group $RESOURCE_GROUP \
  --sku Standard_LRS

az storage share create --name policies --account-name agentgovpolicies
az storage file upload-batch \
  --destination policies \
  --source ./policies/ \
  --account-name agentgovpolicies

Query governance events in Log Analytics:

ContainerAppConsoleLogs_CL
| where ContainerName_s == "governance-sidecar"
| where Log_s contains "DENIED"
| summarize ViolationCount = count() by bin(TimeGenerated, 1h)
| render timechart

AGT runs on AWS ECS/Fargate with no Azure dependency. It is pure Python — no cloud SDK required at runtime.Prerequisites: AWS CLI configured with ECS permissions, Docker, an ECR repository.Dockerfile:

FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8080
CMD ["python", "-m", "agent_os.server", "--port", "8080"]

Build and push to ECR:

aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin <ACCOUNT>.dkr.ecr.us-east-1.amazonaws.com

docker build -t agt-governance .
docker tag agt-governance:latest \
  <ACCOUNT>.dkr.ecr.us-east-1.amazonaws.com/agt-governance:latest
docker push <ACCOUNT>.dkr.ecr.us-east-1.amazonaws.com/agt-governance:latest

ECS Task Definition:

{
  "family": "agt-governance",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "512",
  "memory": "1024",
  "containerDefinitions": [
    {
      "name": "agt",
      "image": "<ACCOUNT>.dkr.ecr.us-east-1.amazonaws.com/agt-governance:latest",
      "portMappings": [{ "containerPort": 8080, "protocol": "tcp" }],
      "environment": [
        { "name": "AGT_POLICY_PATH", "value": "/app/policies/" },
        { "name": "AGT_LOG_LEVEL", "value": "audit" }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/agt-governance",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "agt"
        }
      }
    }
  ]
}

Create Fargate Service:

aws ecs create-service \
  --cluster my-cluster \
  --service-name agt-governance \
  --task-definition agt-governance \
  --desired-count 2 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-xxx],securityGroups=[sg-xxx],assignPublicIp=ENABLED}"

AGT runs on GCP GKE with no cloud-vendor dependencies.Prerequisites: gcloud CLI, a GKE cluster.Build and push to Artifact Registry:

gcloud auth configure-docker us-central1-docker.pkg.dev

docker build -t agt-governance .
docker tag agt-governance:latest \
  us-central1-docker.pkg.dev/<PROJECT>/agt/agt-governance:latest
docker push us-central1-docker.pkg.dev/<PROJECT>/agt/agt-governance:latest

GKE Deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: agt-governance
spec:
  replicas: 2
  selector:
    matchLabels:
      app: agt-governance
  template:
    metadata:
      labels:
        app: agt-governance
    spec:
      containers:
        - name: agt
          image: us-central1-docker.pkg.dev/<PROJECT>/agt/agt-governance:latest
          ports:
            - containerPort: 8080
          env:
            - name: AGT_POLICY_PATH
              value: /app/policies/
            - name: AGT_LOG_LEVEL
              value: audit
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              cpu: 500m
              memory: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: agt-governance
spec:
  type: ClusterIP
  selector:
    app: agt-governance
  ports:
    - port: 80
      targetPort: 8080

kubectl apply -f agt-deployment.yaml
kubectl rollout status deployment/agt-governance

Use Docker Compose for local development and testing. The repository’s docker-compose.yml defines three service profiles: dev (interactive workspace), test (runs the full test suite), and dashboard (Streamlit governance dashboard, opt-in via --profile dashboard).

# docker-compose.yml (from the repository root)
services:
  dev:
    build:
      context: .
      target: dev
    command: ["sleep", "infinity"]
    init: true
    stdin_open: true
    tty: true
    user: "${HOST_UID:-1000}:${HOST_GID:-1000}"
    working_dir: /workspace
    volumes:
      - .:/workspace
      - typescript_node_modules:/workspace/agent-governance-typescript/node_modules

  test:
    build:
      context: .
      target: test
    command: ["bash", "/workspace/scripts/docker/run-tests.sh"]
    init: true
    user: "${HOST_UID:-1000}:${HOST_GID:-1000}"
    working_dir: /workspace
    volumes:
      - .:/workspace
      - typescript_node_modules:/workspace/agent-governance-typescript/node_modules

  dashboard:
    profiles: ["dashboard"]
    build:
      context: .
      target: dev
    command:
      - streamlit
      - run
      - agent-governance-python/agent-hypervisor/examples/dashboard/app.py
      - --server.address=0.0.0.0
      - --server.port=8501
    init: true
    user: "${HOST_UID:-1000}:${HOST_GID:-1000}"
    ports:
      - "8501:8501"
    working_dir: /workspace
    volumes:
      - .:/workspace
      - typescript_node_modules:/workspace/agent-governance-typescript/node_modules

volumes:
  typescript_node_modules:

Start the development environment:

# Interactive dev workspace
docker compose up dev

# Run the full test suite
docker compose up test

# Launch the governance dashboard (opt-in profile)
docker compose --profile dashboard up dashboard

The Streamlit dashboard is available at http://localhost:8501 when the dashboard service is running.

Environment Variables

Variable	Purpose	Required For
`AZURE_CLIENT_ID`	Service principal / managed identity client ID	Azure-integrated features (Key Vault, Monitor)
`AZURE_TENANT_ID`	Azure Active Directory tenant ID	Azure-integrated features
`AZURE_CLIENT_SECRET`	Service principal secret	Service principal auth (use managed identity in prod)
`AGT_POLICY_PATH`	Path to the policies directory	All deployments
`AGT_LOG_LEVEL`	Log verbosity: `debug`, `info`, `audit`	All deployments
`TRUST_SCORE_THRESHOLD`	Minimum trust score for tool access	Trust-gated deployments
`RATE_LIMIT_PER_MINUTE`	Global rate limit cap	Rate-limited deployments

Production Recommendations

Container-per-Agent

Run each agent in a separate container. AGT enforces governance at the application middleware layer — the policy engine and agents share the same process boundary. OS-level isolation requires separate containers.

Policy File Mounts

Store policy YAML files in your secret store or a read-only volume mount. Version-control policies alongside your agent code so every deployment has an auditable policy history.

Audit Log Sinks

Route the AGT audit log to a tamper-evident sink (Azure Monitor, CloudWatch, SIEM). The Merkle-chained audit trail is only useful if it’s forwarded somewhere you control.

Managed Identity

Use workload identity / managed identity instead of static secrets for Azure-integrated features. Never store AZURE_CLIENT_SECRET in environment variables in production containers.

Sidecar Resource Sizing

Setting	Recommendation	Notes
Sidecar CPU	`0.25` cores	Governance adds < 0.1ms p99 latency
Sidecar Memory	`512Mi`	Sufficient for policy engine + trust scoring
`minReplicas`	`0` for dev, `2` for prod	Scale-to-zero saves cost in dev

Example Policy for Production

# policies/default.yaml
version: "1.0"
policies:
  - name: rate-limit
    type: rate_limit
    max_calls: 100
    window: 1m

  - name: read-only
    type: capability
    allowed_actions:
      - "read_*"
      - "search_*"
      - "list_*"
    denied_actions:
      - "delete_*"
      - "write_production_*"

  - name: content-safety
    type: pattern
    blocked_patterns:
      - "ignore previous instructions"
      - "DROP TABLE"
      - "rm -rf"

Security Boundaries

AGT enforces governance at the application middleware layer. It is not an OS-level security boundary.

Layer	What It Enforces
AGT (application layer)	Policy rules, tool allow/deny, rate limits, audit logging, trust scoring, prompt injection detection
OS / Container	Process isolation, network namespace, filesystem permissions, kernel-level syscall filtering
Cloud IAM	Which cloud services the container identity can reach

The policy engine and agents share the same process boundary when running in-process. For strong isolation — where a compromised agent cannot tamper with the governance layer — run governance and the agent in separate containers with no shared writable filesystem. See Architecture: Security Boundaries and Known Limitations for a complete description of design boundaries and recommended layered defense.

Get Started

Core Concepts

Guides

Compliance

Reference

Deploy Agent Governance Toolkit on Azure, AWS, and GCP

Deployment Patterns

Deployment Targets

Environment Variables

Production Recommendations

Container-per-Agent

Policy File Mounts

Audit Log Sinks

Managed Identity

Sidecar Resource Sizing

Example Policy for Production

Security Boundaries

Build docs developers (and LLMs) love

Get Started

Core Concepts

Guides

Compliance

Reference

Documentation Index

​Deployment Patterns

​Deployment Targets

​Environment Variables

​Production Recommendations

Container-per-Agent

Policy File Mounts

Audit Log Sinks

Managed Identity

​Sidecar Resource Sizing

​Example Policy for Production

​Security Boundaries

Build docs developers (and LLMs) love

Deployment Patterns

Deployment Targets

Environment Variables

Production Recommendations

Sidecar Resource Sizing

Example Policy for Production

Security Boundaries