The Agent Governance Toolkit (AGT) solves the hardest unsolved problem in production AI: how do you make an autonomous agent incapable of misbehaving? When agents call tools, browse the web, query databases, and delegate to other agents, prompt-level safety instructions are not a control surface — they are polite requests to a stochastic system. OWASP LLM01:2025 states this explicitly, and published research (Andriushchenko et al., ICLR 2025) reports a 100% attack success rate against GPT-4o, GPT-3.5, Claude 3, and Llama-3 under adaptive attacks. AGT does not try to win that fight inside the prompt. Every tool call, message send, and agent delegation is intercepted in deterministic application code before the model’s intent reaches the wire. Actions the AGT policy engine denies are not “unlikely.” They are structurally impossible.
AGT is currently in Public Preview — production-quality releases with possible breaking changes before GA.
The Core Architecture
AGT inserts a mandatory governance gate between your agent and the outside world. The flow is:

Start with govern() and add layers as your risk profile grows. Most teams run policy enforcement plus audit logging and never need the full stack.
Policy Engine evaluates every action against your YAML, OPA/Rego, or Cedar rules before execution — in under 0.1 ms.

Identity assigns each agent a cryptographic credential (Ed25519 / SPIFFE / DID) and a 0–1000 trust score so you always know which agent acted.

Audit Log writes a tamper-evident, Merkle-chained decision record for every allow and deny — what policy was active, what was requested, and why.
The Key Differentiator
Probabilistic Filtering
Model-layer safety relies on the LLM choosing to follow rules. Adversarial inputs can circumvent it. Attack Success Rate (ASR) is the canonical metric for this class of failure — and it is non-zero by construction.
Deterministic Interception
AGT intercepts at the application middleware layer. A denied action never reaches the wire. There is no probability involved — the governance gate either allows or it doesn’t.
When AGT denies an action, that denial is enforced in deterministic application code — the same trust boundary used by every Python-based agent framework. It is not a recommendation to the model; it is a hard stop in the execution path.
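One way to implement the gate described under The Core Architecture and Deterministic Interception, as an added example that is not AGT's own code or API: a policy dict in the shape a YAML rules file loads to, an identity carrying a trust score, a hash-chained audit log that stands in for the page's Merkle chain, and a govern() decorator that evaluates and logs every call before the tool body can run. POLICY, AgentIdentity, AuditLog, Denied and evaluate are illustrative names and assumptions, not AGT's.

```python
import hashlib, json
from collections import namedtuple
# Constructed policy in the shape a YAML rules file loads to (illustrative, not AGT's schema):
# default deny, allows gated on the agent's 0-1000 trust score, and one explicit deny.
POLICY = {"default": "deny", "rules": [
    {"tool": "read_file", "effect": "allow", "min_trust": 300},
    {"tool": "send_email", "effect": "allow", "min_trust": 800},
    {"tool": "shell", "effect": "deny"},
]}
# agent_id stands in for the Ed25519/SPIFFE/DID credential the page describes; trust_score is 0-1000.
AgentIdentity = namedtuple("AgentIdentity", "agent_id trust_score")
class Denied(PermissionError): pass  # raised in the execution path, so the wrapped tool body never runs
def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
class AuditLog:  # hash-chained decision record: each entry commits to the previous entry's hash
    def __init__(self):
        self.entries = []
    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {**record, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
    def verify(self) -> bool:  # False if any entry was edited, dropped or reordered
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True
def evaluate(policy: dict, agent: AgentIdentity, tool: str) -> tuple:
    # Deterministic: the first rule naming the tool wins; no matching rule falls to the default.
    for rule in policy["rules"]:
        if rule["tool"] == tool:
            if rule["effect"] == "deny":
                return "deny", "explicit deny rule"
            if agent.trust_score < rule.get("min_trust", 0):
                return "deny", f"trust {agent.trust_score} below minimum {rule['min_trust']}"
            return "allow", "matched allow rule"
    return policy["default"], "no matching rule, fail closed"
def govern(policy: dict, agent: AgentIdentity, log: AuditLog):
    # Decorator: the decision is made and logged before the wrapped tool can execute.
    def gate(fn):
        def gated(*args, **kwargs):
            decision, reason = evaluate(policy, agent, fn.__name__)
            log.append({"agent": agent.agent_id, "tool": fn.__name__, "decision": decision, "reason": reason})
            if decision != "allow":
                raise Denied(f"{fn.__name__}: {reason}")
            return fn(*args, **kwargs)
        return gated
    return gate
```

A tool the policy never names is denied by the default, and editing any logged decision afterwards makes verify() fail, which is the property the page's tamper-evident audit log relies on.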
Supported Languages
AGT ships first-class governance packages in five languages. All five implement the core governance primitives: policy evaluation, agent identity, trust scoring, and audit logging.

| Language | Package | Install |
|---|---|---|
| Python | agent-governance-toolkit | pip install agent-governance-toolkit[full] |
| TypeScript | @microsoft/agent-governance-sdk | npm install @microsoft/agent-governance-sdk |
| .NET | Microsoft.AgentGovernance | dotnet add package Microsoft.AgentGovernance |
| Rust | agent-governance | cargo add agent-governance |
| Go | agent-governance-toolkit | go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang |
Package Overview
AGT is structured as a set of composable packages. Each addresses a distinct governance concern.

| Package | Description |
|---|---|
| Agent OS | Policy engine, agent lifecycle, governance gate |
| Agent Control Specification | Stateless, deterministic, fail-closed policy decision runtime (Rust core) |
| Agent Mesh | Agent discovery, routing, and trust mesh |
| Agent Runtime | Execution sandboxing with four privilege rings |
| Agent SRE | Kill switch, SLO monitoring, chaos testing |
| Agent Compliance | OWASP verification, policy linting, integrity checks |
| Agent Marketplace | Plugin governance and trust scoring |
| Agent Lightning | RL training governance with violation penalties |
| Agent Hypervisor | Execution audit, delta engine, commitment anchoring, command denylist enforcement |
Additional Capabilities
| Capability | Description |
|---|---|
| MCP Security Gateway | Tool poisoning detection, drift monitoring, typosquatting, hidden instruction scanning |
| Shadow AI Discovery | Find unregistered agents across processes, configs, and repos |
| Governance Dashboard | Real-time fleet visibility for health, trust, and compliance |
| PromptDefense Evaluator | 12-vector prompt injection audit |
| Contributor Reputation | PR/issue author screening for social engineering |
Framework Support
AGT integrates with every major agent framework through middleware adapters. You can wrap any tool function in two lines, or use a framework-specific adapter for deeper integration.

| Framework | Integration |
|---|---|
| Microsoft Agent Framework | Native Middleware |
| Semantic Kernel | Native (.NET + Python) |
| AutoGen | Adapter |
| LangChain / LangGraph | Adapter |
| CrewAI | Adapter |
| OpenAI Agents SDK | Middleware |
| Google ADK | Adapter |
| LlamaIndex | Middleware |
| Claude Code | Governance plugin package |
Standards Compliance
AGT is built to satisfy real-world compliance requirements, not just check boxes:

| Standard | Coverage |
|---|---|
| OWASP Agentic AI Top 10 | All 10 ASI risk categories with deterministic controls |
| NIST AI RMF 1.0 | Full GOVERN, MAP, MEASURE, MANAGE alignment |
| EU AI Act | Compliance mapping with automated evidence |
| SOC 2 | Control mapping with audit trail export |
| AARM Extended | All R1–R9 requirements satisfied |
| ATF | All five elements mapped |
Next Steps
Quickstart
Govern your first agent tool call in under 5 minutes with a YAML policy and the govern() wrapper.

How It Works
Deep dive into AGT’s deterministic interception architecture, trust scoring, and security model.