NousResearch/agent-governance-toolkit
forked from microsoft/agent-governance-toolkit
Description: AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10.
Language: Python
License: MIT
Stars: 28
Forks: 6
Open issues: 0
Created: 2026-05-10T22:34:18Z
Pushed: 2026-05-11T23:51:16Z
Default branch: main
Fork: yes
Parent repository: microsoft/agent-governance-toolkit
Archived: no
README: 🌍 [English](/README.md) | [日本語](./docs/i18n/README.ja.md) | [简体中文](./docs/i18n/README.zh-CN.md) | [한국어](./docs/i18n/README.ko.md)

# Agent Governance Toolkit
📖 Documentation Site · 🚀 Quick Start · 📦 PyPI · 📝 Changelog
   
> [!IMPORTANT]
> Public Preview — Microsoft-signed, production-quality releases. May have breaking changes before GA.
> Open a GitHub issue for feedback.

> [!TIP]
> v3.5.0 is out! Latest stable release with Bedrock adapter, prompt defense improvements, and governance hardening. [Changelog →](CHANGELOG.md)
Runtime governance for AI agents -- deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE for autonomous agents. Covers all 10 OWASP Agentic risks with 13,000+ tests.
Works with any stack — AWS Bedrock, Google ADK, Azure AI, LangChain, CrewAI, AutoGen, OpenAI Agents, and 20+ more. Python · TypeScript · .NET · Rust · Go.
---
## What This Is (and Isn't)
What it does: Sits between your agent framework and the actions agents take. Every tool call, resource access, and inter-agent message is evaluated against policy *before* execution. Deterministic — not probabilistic.
What it doesn't do: This is not a prompt guardrail or content moderation tool. It governs agent *actions*, not LLM inputs/outputs. For model-level safety, see Azure AI Content Safety.
```
Agent Action ──► Policy Check ──► Allow / Deny ──► Audit Log
```

TypeScript

```typescript
import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);

engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"
```
.NET

```csharp
using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});

var result = kernel.EvaluateToolCall(
    "did:mesh:agent-1",
    "web_search",
    new() { ["query"] = "latest AI news" });
// result.Allowed == true

builder.Services
    .AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));
```
Rust

```rust
use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);
```
Go

```go
import agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"

client, _ := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny},
    }),
)
result := client.ExecuteWithGovernance("data.read", nil) // result.Allowed == true
```
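As an added illustration (not code from the toolkit or any of its SDKs), here is the Action ──► Policy Check ──► Allow / Deny ──► Audit Log pipeline as a minimal stand-alone Python policy check: ordered rules where the first match wins, a default deny when nothing matches, and an audit entry for every decision, refused actions included. The `PolicyEngine`, `Rule` and `execute_with_governance` names and the glob rule semantics are assumptions, not the project's API.

```python
# Illustrative stand-alone policy check modelled on the README pipeline
# (Agent Action -> Policy Check -> Allow / Deny -> Audit Log). Not the
# toolkit's PolicyEngine; rule names and semantics here are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    action: str  # exact tool name or a glob such as "data.*" or "*"
    effect: str  # "allow" or "deny"


@dataclass
class PolicyEngine:
    rules: List[Rule]
    audit_log: List[Dict[str, str]] = field(default_factory=list)

    def evaluate(self, agent_id: str, action: str) -> str:
        """First matching rule wins; no match means deny (default-deny).
        The decision is logged before it is returned, so refused actions
        leave an audit trail too."""
        effect, matched = "deny", "<default-deny>"
        for rule in self.rules:
            if fnmatchcase(action, rule.action):
                effect, matched = rule.effect, rule.action
                break
        self.audit_log.append(
            {"agent": agent_id, "action": action, "effect": effect, "rule": matched}
        )
        return effect

    def execute_with_governance(self, agent_id: str, action: str,
                                run: Callable[[], object]):
        """Gate a callable behind the check; it is never invoked on deny."""
        if self.evaluate(agent_id, action) != "allow":
            return None
        return run()


# Constructed sample policy in the spirit of the README snippets: explicit
# allows, an explicit deny for shell execution, and a catch-all deny last.
engine = PolicyEngine([
    Rule("web_search", "allow"),
    Rule("data.*", "allow"),
    Rule("shell_exec", "deny"),
    Rule("*", "deny"),
])
```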
> **Full walkthrough:** [quickstart.md](docs/quickstart.md) — zero to governed agents in 10 minutes with YAML policies, OPA/Rego, and Cedar support.
> 🌍 Also available in: [日本語](docs/i18n/quickstart.ja.md) | [简体中文](docs/i18n/quickstart.zh-CN.md) | [한국어](docs/i18n/quickstart.ko.md)

---

## What You Get

| Capability | What It Does | Links |
|---|---|---|
| **Policy Engine** | Every action evaluated before execution — sub-millisecond, deterministic. Supports YAML, OPA/Rego, and Cedar policies | [Agent OS](agent-governance-python/agent-os/) · [Benchmarks](docs/BENCHMARKS.md) |
| **Contributor Reputation** | Screens PR/issue authors for social engineering: credential laundering, spray patterns, network coordination. Reusable GitHub Action for any repo | [Action](.github/actions/contributor-check/) · [Scripts](scripts/) |
| **Zero-Trust Identity** | Ed25519 + quantum-safe ML-DSA-65 credentials, trust scoring (0–1000), SPIFFE/SVID | [AgentMesh](agent-governance-python/agent-mesh/) |
| **Execution Sandboxing** | 4-tier privilege rings, saga orchestration, kill switch | [Runtime](agent-governance-python/agent-runtime/) · [Hypervisor](agent-governance-python/agent-hypervisor/) |
| **Agent SRE** | SLOs, error budgets, replay debugging, chaos engineering, circuit breakers | [Agent SRE](agent-governance-python/agent-sre/) |
| **MCP Security Scanner** | Detect tool poisoning, typosquatting, hidden instructions in MCP definitions | [MCP Scanner](agent-governance-python/agent-os/src/agent_os/mcp_security.py) |
| **Shadow AI Discovery** | Find unregistered agents across processes, configs, and repos | [Agent Discovery](agent-governance-python/agent-discovery/) |
| **Agent Lifecycle** | Provisioning → credential rotation → orphan detection → decommissioning | [Lifecycle](agent-governance-python/agent-mesh/src/agentmesh/lifecycle/) |
| **Governance Dashboard** | Real-time fleet visibility — health, trust, compliance, audit events | [Dashboard](examples/demos/governance-dashboard/) |
| **Unified CLI** | `agt verify`, `agt red-team`, `agt doctor`, `agt lint-policy` — one command for everything | [CLI](agent-governance-python/agent-compliance/src/agent_compliance/cli/agt.py) |
| **PromptDefense Evaluator** | 12-vector prompt injection audit for compliance testing | [Evaluator](agent-governance-python/agent-compliance/src/agent_compliance/prompt_defense.py) |

---

## Works With Your…
Notability: 1.0/10 (low traction fork)