Microsoft Releases Agent Governance Toolkit — Policy Enforcement for AI Agents

AI relevance: As autonomous AI agents proliferate across enterprises with access to databases, email, and external services, application-layer policy enforcement is needed to answer "is this action allowed?" and "which agent did this?" — Microsoft's new toolkit provides exactly that, covering all 10 OWASP Agentic Top 10 risks.

Microsoft has released the Agent Governance Toolkit (AGT) as an open-source project on GitHub. It ships across Python (PyPI), TypeScript/Node (npm), .NET (NuGet), Rust, and Go, making it framework-agnostic.

What it does

  • Policy enforcement at the tool-call layer. Wrap any tool function in govern(my_tool, policy="policy.yaml"); every call is evaluated against the YAML policy rules and logged, and a blocked call raises GovernanceDenied.
  • Zero-trust agent identity. Distinguishes between agents sharing the same API key, enabling proper incident response attribution.
  • Tamper-evident audit logs. Records every decision: active policy, agent request, and allow/deny rationale for auditors and regulators.
  • Execution sandboxing. Isolates agent actions with configurable boundaries.
  • Covers all 10/10 OWASP Agentic Top 10 risks — goal hijacking, tool misuse, cascading failures, and more.
  • MCP server integration. Native AddMcpServer().WithGovernance() middleware for .NET MCP deployments.
  • Application-layer vs prompt-based safety. Microsoft reports a 26.67% policy violation rate with prompt-based safety in red-team testing; AGT's application-layer enforcement achieved 0.00%.

Why it matters

Most agent deployments today rely on OAuth scopes and IAM roles to control which services an agent can reach — but not what it does once connected. An agent with access to send_email and query_database should not be able to drop_table. AGT fills that gap with application-layer policy enforcement.

What to do

  • If you deploy AI agents with tool access, evaluate AGT as a policy enforcement layer before they hit production.
  • Define explicit YAML policies for destructive operations — the toolkit supports deny, allow, and require_approval actions.
  • Use the zero-trust identity features to tag individual agent instances for auditability, even when they share credentials.
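To make the pattern behind the "What it does" and "What to do" items concrete, here is an added illustrative example; it is not the Agent Governance Toolkit's code and does not use its API. It assumes a policy held as a Python dict (standing in for the policy.yaml file), a hypothetical govern() wrapper that takes an explicit agent_id so two agents sharing one API key are still told apart, deny/allow/require_approval rule actions, and a hash-chained audit log so that a later edit to any recorded decision is detectable.

```python
"""Illustrative tool-call policy enforcement (not the AGT API; all names are assumptions)."""
from __future__ import annotations

import functools
import hashlib
import json
from typing import Any, Callable


class GovernanceDenied(Exception):
    """Raised when the policy blocks a tool call (name mirrors the article)."""


class ApprovalRequired(Exception):
    """Hypothetical: raised when the matching rule's action is require_approval."""


# Constructed policy, standing in for what a policy.yaml would contain.
# Unlisted tools fall through to the default, so the posture is deny-by-default.
POLICY: dict[str, Any] = {
    "default": "deny",
    "rules": [
        {"tool": "send_email", "action": "allow"},
        {"tool": "query_database", "action": "allow"},
        {"tool": "drop_table", "action": "deny", "reason": "destructive schema change"},
        {"tool": "delete_rows", "action": "require_approval"},
    ],
}

# In-memory audit log; each entry carries the SHA-256 of the previous entry.
AUDIT_LOG: list[dict[str, Any]] = []
GENESIS_HASH = "0" * 64


def evaluate(policy: dict[str, Any], tool_name: str) -> tuple[str, str]:
    """Return (action, reason) for a tool name; first matching rule wins."""
    for rule in policy["rules"]:
        if rule["tool"] == tool_name:
            return rule["action"], rule.get("reason", "explicit rule")
    return policy.get("default", "deny"), "no rule matched; default applied"


def _entry_hash(entry: dict[str, Any]) -> str:
    """Hash every field except the hash itself, with stable key ordering."""
    payload = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def _append_audit(entry: dict[str, Any]) -> None:
    """Chain the new entry to the previous one so edits or deletions break verification."""
    entry["prev_hash"] = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else GENESIS_HASH
    entry["hash"] = _entry_hash(entry)
    AUDIT_LOG.append(entry)


def verify_audit_log() -> bool:
    """Re-walk the chain; False if any entry was altered, removed or reordered."""
    prev = GENESIS_HASH
    for entry in AUDIT_LOG:
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def govern(tool: Callable[..., Any], policy: dict[str, Any], agent_id: str,
           api_key_id: str = "shared-key") -> Callable[..., Any]:
    """Hypothetical wrapper: decide, record, then either run the tool or raise."""

    @functools.wraps(tool)
    def wrapped(*args: Any, **kwargs: Any) -> Any:
        action, reason = evaluate(policy, tool.__name__)
        # Every decision is logged before the tool runs, including denials,
        # tagged with the per-agent identity rather than only the shared key.
        _append_audit({
            "agent_id": agent_id, "api_key_id": api_key_id, "tool": tool.__name__,
            "args": repr(args), "kwargs": repr(kwargs),
            "decision": action, "reason": reason,
        })
        if action == "deny":
            raise GovernanceDenied(f"{agent_id}: {tool.__name__} denied ({reason})")
        if action == "require_approval":
            raise ApprovalRequired(f"{agent_id}: {tool.__name__} needs human approval")
        return tool(*args, **kwargs)

    return wrapped


# Constructed sample tools; real ones would talk to mail and database backends.
def send_email(to: str, body: str) -> str:
    return f"sent to {to}"


def drop_table(name: str) -> str:
    return f"dropped {name}"


def delete_rows(table: str, where: str) -> str:
    return f"deleted from {table} where {where}"


if __name__ == "__main__":
    # Two agent instances share one API key but are governed and logged separately.
    email_a = govern(send_email, POLICY, agent_id="agent-A")
    drop_b = govern(drop_table, POLICY, agent_id="agent-B")
    print(email_a("ops@example.com", "report attached"))
    try:
        drop_b("users")
    except GovernanceDenied as exc:
        print("blocked:", exc)
    print("audit entries:", len(AUDIT_LOG), "chain intact:", verify_audit_log())
```

Matching on the wrapped function's name keeps the example small; a real deployment would also key rules on arguments (which table, which recipient domain) and would persist the audit entries somewhere the agent process itself cannot rewrite.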

Sources