Microsoft Agent Governance Toolkit: Open-Source Runtime Security for AI Agents

By AI Bot


Autonomous AI agents are multiplying across enterprises. They send emails, manipulate data, execute code, and make decisions without human supervision. The problem: until now, no unified standard existed to control what they do in real time.

Microsoft just changed that with the Agent Governance Toolkit, an open-source project under the MIT license published on April 2, 2026. Seven packages, SDKs in five languages, over 9,500 tests, and an ambitious promise: coverage of all 10 risks in the OWASP Agentic AI Top 10 with policy evaluation latency under 0.1 ms.

Why Agent Governance Became Urgent

A recent study of a popular AI agent framework (over 135,000 GitHub stars) revealed that 12% of registered skills were malicious — 341 out of 2,857. Remote code execution, data exfiltration, privilege escalation: agent plugin registries have become a full-blown attack surface.

Meanwhile, enterprises are deploying agents that access critical APIs, customer databases, and payment systems. Without a governance layer, every autonomous agent represents a legal, operational, and security risk.

The 7 Packages

Agent OS — The Policy Engine

The heart of the system. Agent OS intercepts every action from an agent before execution. It evaluates rules written in YAML, OPA Rego, or Cedar, with p99 latency under 0.1 ms. Stateless by design, it scales horizontally with ease.

import logging
from agent_os import PolicyEngine

logger = logging.getLogger(__name__)
engine = PolicyEngine(policies_path="./policies")

# Ask the engine before the agent runs the action; `agent` and `agent_context`
# are the framework's agent object and its current context.
action = "send_email"
result = engine.evaluate(action=action, context=agent_context)

if result.allowed:
    agent.execute(action)
else:
    logger.warning("Action blocked: %s", result.reason)

Agent Mesh — Zero-Trust Identity

Each agent receives a cryptographic identity based on decentralized identifiers (DID) with Ed25519. The Inter-Agent Trust Protocol encrypts all agent-to-agent communications and assigns a dynamic trust score on a 0–1,000 scale.

Agent Runtime — Privilege Ring Isolation

Inspired by CPU privilege rings, this package implements four isolation tiers. High-risk agents run in restricted rings with strict resource limits. If anomalous behavior is detected, an automatic kill switch can immediately terminate execution.

Agent SRE — Production Reliability

This package brings Site Reliability Engineering practices to the agent world: Service Level Objectives (SLOs), error budgets, circuit breakers, chaos engineering, and progressive delivery.

Agent Compliance — Regulatory Compliance

Automated compliance verification with grade scoring. Compatible with the EU AI Act, HIPAA, and SOC 2. Essential for enterprises subject to strict regulatory requirements.

Agent Marketplace — Software Supply Chain Security

Plugin lifecycle management with Ed25519 signing, verification, and trust-tiered capability gating. This package directly addresses the problem of malicious skills in agent registries.
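To make the supply-chain point concrete, here is an added example of what Ed25519 manifest signing plus trust-tiered capability gating looks like end to end. It is not code from the Agent Marketplace or Agent Mesh packages: the manifest layout, the tier-to-capability table, the trust-store shape and the function names are assumptions of this example, and it requires the `cryptography` package. The same verify-then-gate order applies to the DID-based identities of Agent Mesh: a signature proves who signed, and the trust tier decides what that signer may do.

```python
"""Signed plugin manifests gated by publisher trust tier.

Added example, not code from the Agent Marketplace or Agent Mesh packages:
the manifest layout, the tier-to-capability table, the trust-store shape and
the function names are assumptions of this example.  Requires the
`cryptography` package for Ed25519.
"""
import copy
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Constructed: which capabilities a plugin may request at each trust tier.
TIER_CAPABILITIES = {
    "community": {"read_docs"},
    "verified": {"read_docs", "http_get"},
    "internal": {"read_docs", "http_get", "database_query", "send_email"},
}


def canonical(manifest: dict) -> bytes:
    """Sorted keys, no whitespace: signer and verifier must hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: Ed25519PrivateKey) -> dict:
    """Publisher side: detached Ed25519 signature over the canonical manifest."""
    return {"manifest": manifest, "signature": key.sign(canonical(manifest)).hex()}


def verify_and_gate(signed: dict, trust_store: dict) -> tuple:
    """Registry side. trust_store maps publisher id -> (public key, tier).

    Order matters: identify the publisher, check the signature, then check
    that the requested capabilities fit the publisher's tier.
    Returns (allowed, reason).
    """
    manifest = signed["manifest"]
    entry = trust_store.get(manifest.get("publisher"))
    if entry is None:
        return False, "unknown publisher"
    public_key, tier = entry
    try:
        public_key.verify(bytes.fromhex(signed["signature"]), canonical(manifest))
    except (InvalidSignature, ValueError):
        return False, "bad signature"
    excess = set(manifest.get("capabilities", [])) - TIER_CAPABILITIES[tier]
    if excess:
        return False, f"tier '{tier}' may not grant {sorted(excess)}"
    return True, f"ok ({tier})"


def demo() -> dict:
    """Run the five cases a registry must get right; returns {case: (allowed, reason)}."""
    acme = Ed25519PrivateKey.generate()      # legitimate publisher's signing key
    mallory = Ed25519PrivateKey.generate()   # key that is not in the trust store
    trust_store = {"acme": (acme.public_key(), "verified")}

    good = sign_manifest({"name": "weather", "version": "1.2.0", "publisher": "acme",
                          "capabilities": ["http_get"]}, acme)

    # Capability appended after signing: the signature no longer covers the bytes.
    tampered = copy.deepcopy(good)
    tampered["manifest"]["capabilities"].append("send_email")

    # Same manifest, validly signed by a key the registry does not trust.
    forged = sign_manifest(good["manifest"], mallory)

    # Honest signature, but the 'verified' tier does not allow database access.
    greedy = sign_manifest({"name": "weather", "version": "1.3.0", "publisher": "acme",
                            "capabilities": ["http_get", "database_query"]}, acme)

    unknown = sign_manifest({"name": "x", "publisher": "nobody", "capabilities": []}, mallory)

    return {name: verify_and_gate(s, trust_store)
            for name, s in [("good", good), ("tampered", tampered), ("forged", forged),
                            ("greedy", greedy), ("unknown", unknown)]}


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:9} allowed={allowed!s:5} {reason}")
```

Two details carry the security weight. The manifest is canonicalised before signing so that a reordered or re-indented copy still verifies, while a single added capability does not. And a valid signature on its own grants nothing: the signer's tier bounds the capabilities, so a compromised community publisher key cannot ship a plugin that queries the customer database.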

Agent Lightning — RL Training Governance

For teams training their agents through reinforcement learning, this package enforces compliance policies during training via secured runners and reward shaping.

Full OWASP Agentic AI Top 10 Coverage

The toolkit addresses each of the 10 risks identified by OWASP:

OWASP Risk                        Protection Mechanism
Goal hijacking                    Semantic intent classifier
Tool misuse                       Capability sandboxing, MCP gateway
Identity abuse                    DID-based identity with trust scoring
Supply chain risks                Ed25519 plugin signing
Code execution                    Execution rings with resource limits
Memory poisoning                  Cross-Model Verification Kernel
Insecure communications           Encrypted Inter-Agent Trust Protocol
Cascading failures                Circuit breakers and SLOs
Human-agent trust exploitation    Approval workflows with quorum
Rogue agents                      Ring isolation and kill switch

Multi-Language Installation

The toolkit is available in five languages:

# Python (quote the extras so the shell does not treat the brackets as a glob)
pip install "agent-governance-toolkit[full]"
 
# TypeScript
npm install @agentmesh/sdk
 
# .NET
dotnet add package Microsoft.AgentGovernance
 
# Rust
cargo add agentmesh
 
# Go
go get github.com/microsoft/agent-governance-toolkit/sdks/go

Major Framework Compatibility

Integration works through each framework's native extension points — no need to rewrite existing agent code:

  • LangChain: callback handlers
  • CrewAI: task decorators
  • OpenAI Agents SDK: middleware
  • Google ADK: plugin system
  • AutoGen, Dify, LlamaIndex, Haystack, LangGraph, PydanticAI: native integrations

Practical Example: Securing an Existing Agent

Consider a LangChain agent that accesses a customer database. Without governance, it could execute destructive queries or exfiltrate sensitive data.

With the toolkit, you add a policy layer in just a few lines:

# policies/database-agent.yaml
rules:
  - name: block-destructive-queries
    effect: deny
    conditions:
      tool: database_query
      pattern: "DROP|DELETE|TRUNCATE|ALTER"
    
  - name: limit-data-export
    effect: deny
    conditions:
      tool: export_data
      row_limit_exceeded: 1000

The agent continues to function normally, but every action passes through the policy engine before execution. Two caveats before copying this policy: the keyword pattern is a bare alternation, so unless the engine matches case-insensitively on word boundaries it misses a lowercase `delete from ...` and fires on harmless identifiers such as ALTERNATE_ADDRESSES; and any regex over query text can be evaded with comment splitting (`DE/**/LETE`). Treat the deny rule as defence in depth behind a read-only database role for the agent's credentials, not as the control itself.
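Because the page shows the policy schema only through this fragment, the following is an added example, not the Agent OS engine or any other part of the toolkit: a small evaluator in the shape of the YAML above that covers both the Agent OS intercept-then-evaluate loop and the database policy, and makes the keyword-pattern caveat visible. The rules are embedded as Python dicts mirroring the YAML, and `evaluate`, its `tool`/`args` convention and the `default_allow` switch are this example's own assumptions.

```python
"""Deny-rule evaluator in the shape of policies/database-agent.yaml.

Added illustration, not the toolkit's own engine.  The rule dicts mirror the
YAML on the page (kept as Python literals so this runs without a YAML parser);
`evaluate`, its `tool`/`args` calling convention and `default_allow` are
assumptions of this example, not the toolkit's API.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed: the two rules from the page, as written there.
NAIVE_RULES = [
    {"name": "block-destructive-queries", "effect": "deny",
     "conditions": {"tool": "database_query",
                    "pattern": r"DROP|DELETE|TRUNCATE|ALTER"}},
    {"name": "limit-data-export", "effect": "deny",
     "conditions": {"tool": "export_data", "row_limit_exceeded": 1000}},
]

# Constructed: same intent, keyword match anchored on word boundaries and
# made case-insensitive.
HARDENED_RULES = [
    {"name": "block-destructive-queries", "effect": "deny",
     "conditions": {"tool": "database_query",
                    "pattern": r"(?i)\b(DROP|DELETE|TRUNCATE|ALTER)\b"}},
    {"name": "limit-data-export", "effect": "deny",
     "conditions": {"tool": "export_data", "row_limit_exceeded": 1000}},
]


def _conditions_match(conditions: dict, tool: str, args: dict) -> bool:
    """Every key present in `conditions` must hold for the rule to fire."""
    if conditions.get("tool") != tool:
        return False
    pattern = conditions.get("pattern")
    if pattern is not None and not re.search(pattern, args.get("query", "")):
        return False
    limit = conditions.get("row_limit_exceeded")
    if limit is not None and args.get("rows", 0) <= limit:
        return False
    return True


def evaluate(rules: list, tool: str, args: dict, default_allow: bool = True) -> Decision:
    """First matching rule wins; `default_allow` decides unmatched actions.

    The page's YAML has only deny rules and expects other tools to keep
    working, hence the default of allow.  An agent with a fixed tool set
    should run with default_allow=False and explicit allow rules.
    """
    for rule in rules:
        if _conditions_match(rule["conditions"], tool, args):
            return Decision(rule["effect"] == "allow", rule["name"])
    return Decision(default_allow, "no rule matched")


def compare(query: str) -> tuple:
    """(naive_allowed, hardened_allowed) for one database_query call."""
    args = {"query": query}
    return (evaluate(NAIVE_RULES, "database_query", args).allowed,
            evaluate(HARDENED_RULES, "database_query", args).allowed)


if __name__ == "__main__":
    # Constructed queries: a plain destructive statement, a lowercase one the
    # naive pattern misses, a benign identifier it wrongly blocks, and a
    # comment-split keyword that neither regex can catch.
    for q in ("DROP TABLE customers",
              "delete from customers where id = 7",
              "SELECT * FROM ALTERNATE_ADDRESSES",
              "DE/**/LETE FROM customers"):
        print(f"{q!r:45} naive/hardened allowed = {compare(q)}")
```

The last constructed query is the important one: both rule sets let `DE/**/LETE FROM customers` through, because the policy engine sees a string, not a parsed statement. The pattern rule is still worth having, since it stops the obvious cases at sub-millisecond cost and produces an audit record, but the guarantee that the agent cannot drop a table has to come from the database role it connects with.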

What This Means for MENA Enterprises

For MENA enterprises adopting AI agents, this toolkit delivers three concrete advantages:

  1. Easier compliance: local and international regulatory requirements can be codified into automatically verifiable policies
  2. Risk reduction: every agent action is audited and traceable, addressing legal department concerns
  3. Faster adoption: the governance layer removes the main barrier to autonomous agent adoption in enterprises — lack of control

What Comes Next

Microsoft plans to transfer the project to a foundation for community governance, in collaboration with the OWASP community. The project already includes 20 tutorials and deployment guides for Azure Kubernetes Service, Foundry Agent Service, and Container Apps.

The toolkit is available now on GitHub under the MIT license. For teams deploying agents in production, it is time to add governance to the tech stack — before regulators demand it.

