finds.dev

// the find

microsoft/agent-governance-toolkit

★ 3,473 · Python · MIT · updated May 2026

AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10.

Microsoft's framework-agnostic governance layer for autonomous AI agents, providing policy enforcement, identity management, audit logging, and execution sandboxing. Targets teams shipping agents to production who need deterministic controls rather than probabilistic prompt-level safety. Supports Python, TypeScript, .NET, Go, and Rust with adapters for most major agent frameworks.

- The core design philosophy is sound: intercept tool calls in deterministic application code before they execute, rather than relying on model behavior. GovernanceDenied is a real exception, not a suggestion.

- Unusually thorough supply chain posture for an early-stage project: CodeQL, Gitleaks, ClusterFuzzLite with 7 fuzz targets, Dependabot across 13 ecosystems, and OpenSSF Scorecard—this is more than most production services bother with.

- Formal RFC 2119 specifications with 992 conformance tests across 10 components mean the behavioral contracts are actually written down, which matters a lot when you're building compliance evidence for auditors.

- Multi-language SDK coverage (Python/TS/dotnet/Go/Rust) with a clear feature matrix is genuinely useful—most governance tooling is Python-only and forces you to run a sidecar for everything else.

- Still in Public Preview with a breaking-changes warning, but the README claims 'production-quality' in the same breath. The BREAKING_CHANGES.md file existing at the repo root suggests this has bitten people already; v4.0.0 consolidated 45 packages into 5, which is a significant churn event.

- The sandboxing story has a critical caveat buried in the security section: 'The policy engine and agents share the same process boundary.' This means a compromised agent can bypass the governance layer entirely—container isolation is punted to the operator. For a project marketing zero-trust and privilege rings, this is a substantial gap.

- The YAML policy condition syntax (e.g., `action.type in ['drop', 'delete']`) appears to be a custom expression language, but there's no documented grammar, operator precedence rules, or escaping behavior. This will cause subtle policy mismatches in production.
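
As an added illustration of the two points above (deterministic interception that raises GovernanceDenied, and the undocumented condition grammar), here is a hypothetical policy gate that is not the toolkit's code: it pins condition strings like `action.type in ['drop', 'delete']` to a whitelisted subset of Python's own AST, so precedence and escaping are documented rules rather than guesses, and it fails closed on anything it cannot evaluate. The `action` dict and the rule strings are constructed for the example; only the exception name is taken from the review.

```python
import ast, operator

class GovernanceDenied(Exception):
    """Raised in application code when policy denies a tool call."""

# Whitelisted grammar: and/or/not, ==/!=/in/not in, `action.<field>`, scalar
# constants, list literals. Anything else is rejected rather than guessed at.
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne,
        ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}

def _eval(node, action):
    if isinstance(node, ast.BoolOp):
        vals = (_eval(v, action) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, action)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, action)
        for op, right in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise ValueError(f"operator not allowed: {type(op).__name__}")
            rv = _eval(right, action)
            if not _CMP[type(op)](left, rv):
                return False
            left = rv
        return True
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float)):
        return node.value
    if isinstance(node, ast.List):
        return [_eval(e, action) for e in node.elts]
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "action" and not node.attr.startswith("_")):
        return action[node.attr]  # KeyError on an unknown field fails closed below
    raise ValueError(f"syntax not allowed: {type(node).__name__}")

def condition_matches(condition: str, action: dict) -> bool:
    """Evaluate one policy condition string against a constructed tool-call record."""
    return bool(_eval(ast.parse(condition, mode="eval").body, action))

def enforce(rules, action: dict) -> bool:
    """Deterministic gate: a matching deny rule, or any evaluation error, raises."""
    for name, cond in rules:
        try:
            matched = condition_matches(cond, action)
        except (SyntaxError, ValueError, KeyError, TypeError) as exc:
            raise GovernanceDenied(f"{name}: cannot evaluate {cond!r} ({exc})")
        if matched:
            raise GovernanceDenied(f"{name}: denied by {cond!r}")
    return True
```

Because the evaluator reuses Python's parser, `or` binds looser than `and` and string escapes follow Python's rules, which is exactly the kind of contract a policy language needs written down.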

- Non-Python SDKs appear much thinner in practice than the README implies—the Go and Rust examples are trivial wrappers, and it's unclear whether they implement the full policy engine or just call out to a Python/HTTP backend. The 'Language Package Matrix' doc is referenced but not visible in the tree.

