microsoft

microsoft/agent-governance-toolkit

Python MIT AI & ML

AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10.

4.7k stars
720 forks
active
GitHub +128 / week

4.7k

Stars

720

Forks

104

Open issues

30

Contributors

v4.1.0 09 Jun 2026

AI Analysis

The Agent Governance Toolkit is a Python library providing policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents in production. It specifically addresses the OWASP Agentic Top 10 security concerns and is designed for teams deploying multi-agent systems that need compliance, auditability, and control—not a general-purpose framework, but a specialized governance layer for organizations concerned with agent safety and regulatory requi...

AI & ML Security Tool Discovery value: 6/10
Documentation 9/10
Activity 10/10
Community 8/10
Code quality 7/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

agent-security policy-enforcement governance zero-trust compliance
Actively maintained Well documented MIT licensed Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
2w ago

Microsoft's policy engine for autonomous AI agents ships with OWASP compliance coverage and sandbox enforcement

Agent Governance Toolkit (AGT) addresses a specific and urgent problem: enforcing deterministic policy on tool calls made by autonomous AI agents before they reach external systems. Built by Microsoft and released in public preview (March 2026), it covers the OWASP Agentic Top 10 threat model and provides policy-as-code, identity isolation, and audit logging. Target audience is production deployment teams and enterprises running multi-agent systems. Adoption is not yet verified at scale, but rapid early GitHub growth (4.5k stars in 4 months, 109 in last week) and multi-language SDK availability suggest institutional interest.

Origin

Created March 2026 as Microsoft responded to published research on prompt injection resilience and the emergence of OWASP Agentic Top 10 framework. Explicitly positions itself against prompt-level mitigations, citing ICLR 2025 jailbreak studies and red-teaming findings. Builds on governance patterns from Azure ecosystem and complements AutoGen and Agent Framework projects within Microsoft's agent portfolio.

Growth

Strong initial adoption velocity in first 4 months (4.5k stars): likely driven by Microsoft's distribution channels, timeliness relative to OWASP Agentic Top 10 publication, and explicit positioning on deterministic enforcement (a gap in existing tooling). Recent spike (109 stars last 7 days) suggests sustained interest or recent announcement/integration event. Multi-language SDK releases (Python, npm, NuGet) indicate Microsoft is treating this as a platform investment, not experimental research.

In production

Adoption not verified from public sources. No case studies, customer names, or deployment scale metrics in README. However: (1) Microsoft Azure integration pathway implied by compliance badges and partnership references (AARM, ATF ecosystems); (2) Multi-language SDK availability (npm, NuGet, PyPI) suggests internal Microsoft products may be early users; (3) Public preview designation with OpenSSF certification suggests preparation for production use, not hobbyist release. Real enterprise deployment numbers remain opaque.

Code analysis
Architecture

Based on README: decorator-based policy interception (`govern()` wrapper on tool functions), YAML-based policy engine with condition evaluation, role-based access control, and structured logging. Appears to use a denial-by-default or policy-first execution model. Likely implements sandboxed execution context for agent tool calls. Architecture supports multi-language bindings (Python primary, with npm and NuGet packages).

Tests

Not documented in README. CI badge present (github.com workflow), indicating some test automation, but scope and coverage not specified.

Maintenance

Last push 2026-06-26 (3 days before analysis date), active CI workflows, OpenSSF Best Practices badge awarded (project 12085), Scorecard evaluation present. Maintenance appears current and actively managed. Public preview status suggests intentional staging before GA rather than stagnation.

Honest verdict

ADOPT IF: you are deploying multi-agent systems in regulated or high-security environments where tool call authorization must be deterministic and auditable, compliance with OWASP Agentic Top 10 is required, and you need policy-as-code enforcement before external systems are reached. AVOID IF: your agents are single-user, low-stakes, or you are still in early experimentation phases (adoption overhead may not justify ROI yet); or if you require production-grade documentation and case studies before committing to a public preview project. MONITOR IF: you are building agent platforms or frameworks and considering governance as a built-in layer; AGT's maturity trajectory and enterprise adoption signals over the next 6–12 months will clarify whether it becomes a de facto standard or remains a specialized tool.

Independent dimensions

Mainstream potential

5/10

Technical importance

7/10

Adoption evidence

2/10

Risks
  • Public preview status: backward compatibility not guaranteed before GA; teams adopting now may face migration work.
  • Adoption not yet verified at production scale; no published case studies or customer references; real-world resilience under load/adversarial conditions unknown.
  • Policy engine expressiveness unclear from README; complex authorization rules may require low-level extensions not yet documented.
  • Sandbox execution model details not specified; actual isolation guarantees (breakout resistance, resource limits) cannot be assessed from README alone.
  • Dependency on YAML policy syntax and condition language; potential for configuration errors, drift, or policy interpretation bugs that are hard to audit retroactively.
Prediction

AGT will likely mature from public preview to GA within 12 months, with enterprise adoption clustering in regulated sectors (finance, healthcare, government) where OWASP compliance is mandated. Growth may plateau if positioned only as Microsoft-specific; broader success depends on adoption outside Redmond ecosystem and integration with third-party agent frameworks. Risk: if OWASP Agentic Top 10 evolves rapidly or if better-integrated alternatives emerge from competitor platforms, AGT's relevance could narrow.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Python
73.2%
TypeScript
9.1%
Rust
7.2%
C#
4.4%
JavaScript
2.2%
Go
1.6%
Jupyter Notebook
0.8%
Open Policy Agent
0.6%

Information

Language
Python
License
MIT
Last updated
1d ago
Created
4mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

microsoft

microsoft/autogen

AutoGen is a Python framework for building multi-agent AI applications where...

59.6k Python AI & ML
microsoft

microsoft/agent-framework

Microsoft Agent Framework is a production-grade, multi-language framework for...

12k Python AI & ML
teaql

teaql/teaql-agent-kit

TEAQL Agent Kit is an evaluation environment for observing how coding agents...

2.8k Python AI & ML
google

google/adk-python

ADK 2.0 is a code-first Python framework for building, evaluating, and...

20.6k Python AI & ML
superagent-ai

superagent-ai/superagent

Superagent is an open-source SDK that protects AI applications against prompt...

6.7k TypeScript Security
vs. alternatives
microsoft/autogen

Autogen (59k stars) is a multi-agent orchestration framework. AGT is a governance and policy enforcement layer that can wrap Autogen agents; they address different layers (agent interaction vs. action authorization).

microsoft/agent-framework

Agent Framework (11.7k stars) provides scaffolding for building agents. AGT is orthogonal: a policy control plane for any framework's tool calls. Not a replacement; likely complementary within Microsoft ecosystem.

google/adk-python

Google ADK (20.3k stars) is a framework for agent development. AGT is governance middleware. Different positioning: ADK builds agents, AGT constrains what they can do once built.

superagent-ai/superagent

Superagent (6.6k stars) is a full-stack agent deployment platform. AGT is a narrower governance layer. Superagent may incorporate AGT-like policies, but AGT is not a direct competitor—it's a specialized policy enforcement tool.

Prompt-based safety mechanisms

AGT explicitly rejects prompt-level controls as insufficient (citing ICLR 2025 research), positioning deterministic execution-layer enforcement as the control surface. Does not compete with LLM jailbreak defenses; orthogonal to them.