This guide takes you from zero to a governed AI agent in under 5 minutes. You will install the toolkit, write a policy file, wrap a tool function, and verify that destructive actions are blocked deterministically — not probabilistically filtered, but structurally prevented by the governance gate.
1. Install AGT

The fastest path is the Python meta-package, which installs the full governance stack in a single command.
pip install agent-governance-toolkit[full]
Verify the installation with the AGT CLI health check:
agt doctor
The agt CLI is included with agent-governance-toolkit-cli and with the [full] extra. It requires Python 3.10+.
2. Write a Policy

Create a policy.yaml file in your project root. The policy below blocks destructive operations outright and routes email sends through a human approval gate.
policy.yaml
apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
  - name: block-destructive
    condition: "action.type in ['drop', 'delete', 'truncate']"
    action: deny
    description: "Destructive operations are blocked"

  - name: require-approval-for-send
    condition: "action.type == 'send_email'"
    action: require_approval
    approvers: ["security-team"]
The default_action: allow means anything not matched by a rule is permitted. Flip it to deny for a strict allowlist model. Rules are evaluated in priority order; the first match wins.
Use agt lint-policy policies/ to validate your policy files for syntax errors and unreachable rules before deploying.
3. Wrap a Tool

Import govern from agentmesh.governance and wrap any callable in two lines. Every call to safe_tool is now evaluated against your policy, logged to an append-only audit trail, and blocked with a GovernanceDenied exception if a deny rule matches.
from agentmesh.governance import govern

safe_tool = govern(my_tool, policy="policy.yaml")   # every call checked, logged, enforced
For framework-specific adapters that integrate more deeply into your execution graph, use the LangChainKernel or equivalent for your framework:
# Option A: wrap any tool function (works everywhere)
from agentmesh.governance import govern
safe_tool = govern(my_langchain_tool.run, policy="policy.yaml")

# Option B: use a framework adapter (deeper integration)
from agent_os.integrations import LangChainKernel
kernel = LangChainKernel(policy_directory="policies/")
4. Test It

Run the following in a Python REPL or script to see both outcomes — a passing call and a blocked one:
from agentmesh.governance import govern

def web_search(query: str) -> str:
    return f"Results for: {query}"

def delete_file(path: str) -> str:
    return f"Deleted: {path}"

safe_search = govern(web_search, policy="policy.yaml")
safe_delete = govern(delete_file, policy="policy.yaml")

# This works — no rule matches 'web_search'
print(safe_search(query="AI governance news"))

# This raises GovernanceDenied — matches the 'block-destructive' rule
print(safe_delete(path="/etc/passwd"))
Expected output:
Results for: AI governance news

GovernanceDenied: Action denied by policy rule 'block-destructive':
  Destructive operations are blocked
The GovernanceDenied exception is raised before delete_file is ever invoked. The destructive action never reaches execution.
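The allow/deny flow of step 4 and the rule semantics of step 2 (rules checked in order, first match wins, default_action when nothing matches, deny raised before the tool runs, every decision logged) are easy to see end to end in a small stand-in. The block below is an added example, not the toolkit's own govern() or PolicyEvaluator. It assumes: the step 2 policy embedded as a dict (so no YAML parser is needed); only the two condition forms the policy uses (`field == literal` and `field in [list]`), parsed with ast.literal_eval rather than eval(); an action_type parameter on govern() that defaults to the wrapped function's name; an approve hook for require_approval rules that fails closed when none is supplied; and an in-memory list standing in for the audit trail. The tool functions and the approver are constructed for the demo.

```python
# Added example, not the toolkit's code: a minimal model of the govern() gate.
import ast
import functools
import re
from dataclasses import dataclass
from typing import Any, Callable, Optional


class GovernanceDenied(Exception):
    """Raised when a deny rule matches; the wrapped callable never runs."""


# Constructed copy of the step 2 policy.yaml, embedded as a dict.
POLICY = {
    "name": "production-policy",
    "default_action": "allow",
    "rules": [
        {"name": "block-destructive",
         "condition": "action.type in ['drop', 'delete', 'truncate']",
         "action": "deny",
         "description": "Destructive operations are blocked"},
        {"name": "require-approval-for-send",
         "condition": "action.type == 'send_email'",
         "action": "require_approval",
         "approvers": ["security-team"]},
    ],
}

# Supported condition subset (assumption): "<dotted.field> == <literal>" or
# "<dotted.field> in <list literal>". Anything else is rejected, never eval()'d.
_COND = re.compile(r"^\s*([\w.]+)\s*(==|in)\s*(.+?)\s*$")


def condition_matches(condition: str, context: dict) -> bool:
    """Match one rule condition against the call context."""
    m = _COND.match(condition)
    if m is None:
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    fld, op, literal = m.groups()
    expected = ast.literal_eval(literal)   # Python literals only
    actual: Any = context
    for part in fld.split("."):            # walk the dotted path, e.g. action.type
        actual = actual.get(part) if isinstance(actual, dict) else None
    return actual == expected if op == "==" else actual in expected


@dataclass
class Decision:
    action: str            # allow | deny | require_approval
    rule: Optional[str]    # matching rule name; None when default_action applied
    reason: str


def evaluate(policy: dict, context: dict) -> Decision:
    """Rules in order, first match wins; otherwise default_action applies."""
    for rule in policy["rules"]:
        if condition_matches(rule["condition"], context):
            return Decision(rule["action"], rule["name"],
                            rule.get("description", rule["action"]))
    return Decision(policy["default_action"], None, "no rule matched")


AUDIT_TRAIL: list = []     # append-only stand-in: records are added, never rewritten


def govern(func: Callable, policy: dict, action_type: Optional[str] = None,
           approve: Callable[[dict], bool] = lambda record: False) -> Callable:
    """Wrap func so every call is evaluated, logged and enforced.

    action_type defaults to the function name (assumption); require_approval
    consults the approve hook, which fails closed unless one is supplied.
    """
    @functools.wraps(func)
    def gated(*args, **kwargs):
        ctx = {"action": {"type": action_type or func.__name__, "args": kwargs}}
        decision = evaluate(policy, ctx)
        record = {"tool": func.__name__, "type": ctx["action"]["type"],
                  "decision": decision.action, "rule": decision.rule, "kwargs": kwargs}
        AUDIT_TRAIL.append(record)          # logged before enforcement, so denials are visible
        if decision.action == "deny" or (
                decision.action == "require_approval" and not approve(record)):
            raise GovernanceDenied(
                f"Action denied by policy rule {decision.rule!r}: {decision.reason}")
        return func(*args, **kwargs)        # reached only on allow or granted approval
    return gated


def run_demo() -> dict:
    """Exercise allow, deny and require_approval; return what happened."""
    calls = {"delete_file": 0}

    def web_search(query: str) -> str:
        return f"Results for: {query}"

    def delete_file(path: str) -> str:
        calls["delete_file"] += 1          # must stay 0: the gate blocks it first
        return f"Deleted: {path}"

    def send_email(to: str) -> str:
        return f"Sent to {to}"

    safe_search = govern(web_search, POLICY)
    safe_delete = govern(delete_file, POLICY, action_type="delete")
    unapproved = govern(send_email, POLICY)                        # no approver: fails closed
    approved = govern(send_email, POLICY, approve=lambda r: True)  # constructed approver hook

    out = {"search": safe_search(query="AI governance news"),
           "approved_send": approved(to="security-team@example.invalid")}
    for name, fn, kw in (("delete", safe_delete, {"path": "/tmp/demo.txt"}),
                         ("send", unapproved, {"to": "someone@example.invalid"})):
        try:
            fn(**kw)
            out[name] = "ran"
        except GovernanceDenied as exc:
            out[name] = str(exc)
    out["delete_file_invocations"] = calls["delete_file"]
    out["audit_entries"] = len(AUDIT_TRAIL)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real gate: the audit record is appended before the decision is enforced, so a denied call is still visible to responders, and an approval rule with no approver wired up denies rather than silently allowing.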
5. Run the CLI Health Check

Use the agt CLI to confirm your installation is healthy and check OWASP coverage:
# Check installation health
agt doctor

# Verify OWASP Agentic Top 10 coverage
agt verify

# Strict check — fail CI if evidence is weak
agt verify --evidence ./agt-evidence.json --strict

# Prompt injection audit on your prompt directory
agt red-team scan ./prompts/ --min-grade B

# Validate all policy files in a directory
agt lint-policy policies/
The agt verify command produces a compliance report against the OWASP Agentic Security Initiative (ASI) 2026 risk categories:
Agent Governance Toolkit — OWASP ASI 2026 Compliance
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  ASI-01 Agent Goal Hijack             ✅ Covered
  ASI-02 Tool Misuse & Exploitation    ✅ Covered
  ASI-03 Identity & Privilege Abuse    ✅ Covered
  ...
  10/10 risks covered

Programmatic Policy Control

For teams that need fine-grained control beyond YAML files, the PolicyEvaluator API lets you construct and evaluate policies programmatically:
from agent_os.policies import PolicyEvaluator
from agent_os.policies.schema import (
    PolicyDocument, PolicyRule, PolicyCondition,
    PolicyAction, PolicyOperator, PolicyDefaults,
)

policy = PolicyDocument(
    name="agent-safety",
    version="1.0",
    description="Safety policy for the research agent",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[
        PolicyRule(
            name="block-dangerous-tools",
            condition=PolicyCondition(
                field="tool_name",
                operator=PolicyOperator.IN,
                value=["delete_file", "shell_exec", "execute_code"],
            ),
            action=PolicyAction.DENY,
            message="Tool is blocked by safety policy",
            priority=100,
        ),
    ],
)

evaluator = PolicyEvaluator(policies=[policy])
decision = evaluator.evaluate({"tool_name": "delete_file", "agent_id": "my-agent"})
print(f"Allowed: {decision.allowed}")  # False
print(f"Reason: {decision.reason}")    # Tool is blocked by safety policy
The PolicyEvaluator is the same engine that powers govern() — you get the same deterministic enforcement, just with programmatic rule construction instead of YAML.

Same Pattern in Other Languages

import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"

Next Steps

What: Where
Learn policy writing in depth: Policy Engine Basics
Add zero-trust identity and trust scoring: Trust & Identity
Integrate your agent framework: Framework Integrations
Govern MCP servers: MCP Security Gateway
Add SLOs and reliability monitoring: Agent Reliability
Framework adapters are available for LangChain, OpenAI Agents SDK, CrewAI, Google ADK, AutoGen, Semantic Kernel, LlamaIndex, smolagents, and more. See the Framework Integrations guide for adapter-specific setup.