> [!IMPORTANT]
> **Community Preview — Not Official Microsoft-Signed Releases**
>
> All packages currently published from this repository (PyPI, npm, NuGet) are community preview releases for testing and evaluation purposes only. They are not official Microsoft-signed releases. Official Microsoft-signed packages published via ESRP Release will be available in a future release. Package names under the `@microsoft` scope have been registered proactively.
Runtime governance for AI agents — the only toolkit covering all 10 OWASP Agentic risks with 6,100+ tests. Governs what agents do, not just what they say — deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE — Python · TypeScript · .NET

Works with any stack — AWS Bedrock, Google ADK, Azure AI, LangChain, CrewAI, AutoGen, OpenAI Agents, LlamaIndex, and more. Pure `pip install` with zero vendor lock-in.
**Python (PyPI)**

```bash
pip install agent-governance-toolkit[full]
```

**TypeScript / Node.js (npm)**

```bash
npm install @agentmesh/sdk
```

**.NET (NuGet)**

```bash
dotnet add package Microsoft.AgentGovernance
```

**Install individual Python packages**

```bash
pip install agent-os-kernel            # Policy engine
pip install agentmesh-platform         # Trust mesh
pip install agent-runtime              # Runtime supervisor
pip install agent-sre                  # SRE toolkit
pip install agent-governance-toolkit   # Compliance & attestation
pip install agent-marketplace          # Plugin marketplace
pip install agent-lightning            # RL training governance
```

- Quick Start — Get from zero to governed agents in 10 minutes (Python · TypeScript · .NET)
- TypeScript SDK — npm package with identity, trust, policy, and audit
- .NET SDK — NuGet package with full OWASP coverage
- Tutorials — Step-by-step guides for policy, identity, integrations, compliance, SRE, and sandboxing
- Azure Deployment — AKS, Azure AI Foundry, Container Apps, OpenClaw sidecar
- NVIDIA OpenShell Integration — Combine sandbox isolation with governance intelligence
- OWASP Compliance — Full ASI-01 through ASI-10 mapping
- Architecture — System design, security model, trust scoring
- NIST RFI Mapping — Mapping to NIST AI Agent Security RFI (2026-00206)
Still have questions? File a GitHub issue or see our Community page.
- Deterministic Policy Enforcement: Every agent action evaluated against policy before execution at sub-millisecond latency (<0.1 ms)
- Zero-Trust Agent Identity: Ed25519 cryptographic credentials, SPIFFE/SVID support, trust scoring on a 0–1000 scale
- Execution Sandboxing: 4-tier privilege rings, saga orchestration, termination control, kill switch
- Agent SRE: SLOs, error budgets, replay debugging, chaos engineering, circuit breakers, progressive delivery
- 12+ Framework Integrations: Microsoft Agent Framework, LangChain, CrewAI, AutoGen, Dify, LlamaIndex, OpenAI Agents, Google ADK, and more
- Full OWASP Coverage: 10/10 Agentic Top 10 risks addressed with dedicated controls for each ASI category
- For bugs, please file a GitHub issue.
**Python**

```python
from agent_os import PolicyEngine, CapabilityModel

# Define what this agent is allowed to do
capabilities = CapabilityModel(
    allowed_tools=["web_search", "file_read"],
    denied_tools=["file_write", "shell_exec"],
    max_tokens_per_call=4096,
)

# Enforce policy before every action
engine = PolicyEngine(capabilities=capabilities)
decision = engine.evaluate(agent_id="researcher-1", action="tool_call", tool="web_search")
if decision.allowed:
    # proceed with tool call
    ...
```

**TypeScript**

```typescript
import { PolicyEngine } from "@agentmesh/sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);

const decision = engine.evaluate("web_search"); // "allow"
```

**.NET**

```csharp
using AgentGovernance;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});

var result = kernel.EvaluateToolCall(
    agentId: "did:mesh:researcher-1",
    toolName: "web_search",
    args: new() { ["query"] = "latest AI news" }
);

if (result.Allowed) { /* proceed */ }
```

- Framework Quickstarts — One-file governed agents for LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK
- Tutorial 1: Policy Engine — Define and enforce governance policies
- Tutorial 2: Trust & Identity — Zero-trust agent credentials
- Tutorial 3: Framework Integrations — Add governance to any framework
- Tutorial 4: Audit & Compliance — OWASP compliance and attestation
- Tutorial 5: Agent Reliability — SLOs, error budgets, chaos testing
- Tutorial 6: Execution Sandboxing — Privilege rings and termination
Bring your existing infrastructure policies to agent governance — no new policy DSL required.
**OPA Rego**

```python
from agent_os.policies import PolicyEvaluator

evaluator = PolicyEvaluator()
evaluator.load_rego(rego_content="""
package agentos
default allow = false
allow { input.tool_name == "web_search" }
allow { input.role == "admin" }
""")

decision = evaluator.evaluate({"tool_name": "web_search", "role": "analyst"})
# decision.allowed == True
```

**Cedar**

```python
from agent_os.policies import PolicyEvaluator

evaluator = PolicyEvaluator()
evaluator.load_cedar(policy_content="""
permit(principal, action == Action::"ReadData", resource);
forbid(principal, action == Action::"DeleteFile", resource);
""")

decision = evaluator.evaluate({"tool_name": "read_data", "agent_id": "agent-1"})
# decision.allowed == True
```

**AgentMesh**

```python
from agentmesh.governance import PolicyEngine

engine = PolicyEngine()
engine.load_rego("policies/mesh.rego", package="agentmesh")
engine.load_cedar(cedar_content='permit(principal, action == Action::"Analyze", resource);')

decision = engine.evaluate("did:mesh:agent-1", {"tool_name": "analyze"})
```

Three evaluation modes per backend: embedded engine (cedarpy/opa CLI), remote server, or built-in fallback (zero external deps).
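To make the decision semantics of the Quick Start capability model and the Rego/Cedar policies above concrete, here is an added, self-contained illustration (not the toolkit's own code): a deny-by-default evaluator in which an explicit deny beats every allow, a per-call token cap is enforced, and every decision, allowed or refused, is appended to an audit record. The names `Capabilities`, `Decision` and `Enforcer` are assumptions for this example, not the toolkit's API.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed illustration of deny-by-default capability enforcement with an audit
# record; the class names are assumed, not the toolkit's CapabilityModel/PolicyEngine.

@dataclass(frozen=True)
class Capabilities:
    allowed_tools: frozenset
    denied_tools: frozenset
    max_tokens_per_call: int

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

@dataclass
class Enforcer:
    caps: Capabilities
    audit: List[dict] = field(default_factory=list)  # append-only decision record

    def evaluate(self, agent_id: str, tool: str, tokens: int, role: str = "") -> Decision:
        decision = self._decide(tool, tokens, role)
        # Record every decision, allow or deny, so refusals are visible to later review
        self.audit.append({"agent_id": agent_id, "tool": tool, "tokens": tokens, "role": role,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _decide(self, tool: str, tokens: int, role: str) -> Decision:
        # An explicit deny wins over any allow, as Cedar's forbid overrides permit
        if tool in self.caps.denied_tools:
            return Decision(False, f"tool {tool!r} is explicitly denied")
        if tokens > self.caps.max_tokens_per_call:
            return Decision(False, f"{tokens} tokens exceeds the cap of {self.caps.max_tokens_per_call}")
        # Mirrors the page's Rego rules: allow if the tool is listed or the caller is admin
        if tool in self.caps.allowed_tools or role == "admin":
            return Decision(True, "allowed")
        # Default deny (Rego `default allow = false`): anything unlisted is refused
        return Decision(False, f"tool {tool!r} is not in the allow list")

def demo() -> List[dict]:
    caps = Capabilities(allowed_tools=frozenset({"web_search", "file_read"}),
                        denied_tools=frozenset({"file_write", "shell_exec"}),
                        max_tokens_per_call=4096)
    enforcer = Enforcer(caps)
    enforcer.evaluate("researcher-1", "web_search", 512, role="analyst")   # allowed
    enforcer.evaluate("researcher-1", "shell_exec", 512, role="admin")     # denied: explicit deny
    enforcer.evaluate("researcher-1", "db_query", 512, role="analyst")     # denied: default deny
    enforcer.evaluate("researcher-1", "web_search", 8192, role="analyst")  # denied: token cap
    return enforcer.audit
```

The `shell_exec` case is the one worth noting: an admin role does not rescue a tool on the deny list, which is the precedence a least-privilege control needs.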
| Language | Package | Install |
|---|---|---|
| Python | `agent-governance-toolkit[full]` | `pip install agent-governance-toolkit[full]` |
| TypeScript | `@agentmesh/sdk` | `npm install @agentmesh/sdk` |
| .NET | `Microsoft.AgentGovernance` | `dotnet add package Microsoft.AgentGovernance` |
| Package | PyPI | Description |
|---|---|---|
| Agent OS | `agent-os-kernel` | Policy engine — deterministic action evaluation, capability model, audit logging, action interception, MCP gateway |
| AgentMesh | `agentmesh-platform` | Inter-agent trust — Ed25519 identity, SPIFFE/SVID credentials, trust scoring, A2A/MCP/IATP protocol bridges |
| Agent Runtime | `agent-runtime` | Execution supervisor — 4-tier privilege rings, saga orchestration, termination control, joint liability, append-only audit log |
| Agent SRE | `agent-sre` | Reliability engineering — SLOs, error budgets, replay debugging, chaos engineering, progressive delivery |
| Agent Compliance | `agent-governance-toolkit` | Runtime policy enforcement — OWASP ASI 2026 controls, governance attestation, integrity verification |
| Agent Marketplace | `agent-marketplace` | Plugin lifecycle — discover, install, verify, and sign plugins |
| Agent Lightning | `agent-lightning` | RL training governance — governed runners, policy rewards |
Works with 12+ agent frameworks including:
| Framework | Stars | Integration |
|---|---|---|
| Microsoft Agent Framework | 7.6K+ ⭐ | Native Middleware |
| Semantic Kernel | 24K+ ⭐ | Native (.NET + Python) |
| Dify | 65K+ ⭐ | Plugin |
| LlamaIndex | 47K+ ⭐ | Middleware |
| LangGraph | 24K+ ⭐ | Adapter |
| Microsoft AutoGen | 42K+ ⭐ | Adapter |
| CrewAI | 28K+ ⭐ | Adapter |
| Azure AI Foundry | — | Deployment Guide |
| OpenAI Agents SDK | — | Middleware |
| Google ADK | — | Adapter |
| Haystack | 22K+ ⭐ | Pipeline |
| Risk | ID | Status |
|---|---|---|
| Agent Goal Hijacking | ASI-01 | ✅ Policy engine blocks unauthorized goal changes |
| Excessive Capabilities | ASI-02 | ✅ Capability model enforces least-privilege |
| Identity & Privilege Abuse | ASI-03 | ✅ Zero-trust identity with Ed25519 certs |
| Uncontrolled Code Execution | ASI-04 | ✅ Agent Runtime execution rings + sandboxing |
| Insecure Output Handling | ASI-05 | ✅ Content policies validate all outputs |
| Memory Poisoning | ASI-06 | ✅ Episodic memory with integrity checks |
| Unsafe Inter-Agent Communication | ASI-07 | ✅ AgentMesh encrypted channels + trust gates |
| Cascading Failures | ASI-08 | ✅ Circuit breakers + SLO enforcement |
| Human-Agent Trust Deficit | ASI-09 | ✅ Full audit trails + flight recorder |
| Rogue Agents | ASI-10 | ✅ Kill switch + ring isolation + behavioral anomaly detection |
Governance adds < 0.1 ms per action — roughly 10,000× faster than an LLM API call.
| Metric | Latency (p50) | Throughput |
|---|---|---|
| Policy evaluation (1 rule) | 0.012 ms | 72K ops/sec |
| Policy evaluation (100 rules) | 0.029 ms | 31K ops/sec |
| Kernel enforcement | 0.091 ms | 9.3K ops/sec |
| Adapter overhead | 0.004–0.006 ms | 130K–230K ops/sec |
| Concurrent throughput (50 agents) | — | 35,481 ops/sec |
Full methodology and per-adapter breakdowns: BENCHMARKS.md
If you use the Agent Governance Toolkit to build applications that operate with third-party agent frameworks or services, you do so at your own risk. We recommend reviewing all data being shared with third-party services and being cognizant of third-party practices for retention and location of data. It is your responsibility to manage whether your data will flow outside of your organization's compliance and geographic boundaries and any related implications.
This project is licensed under the MIT License.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.