Microsoft Agent Governance Toolkit: Open-Source Runtime Security for All OWASP Agentic AI Risks

With 88% of organizations reporting confirmed or suspected AI agent security incidents in the past year, the pressure to govern agentic AI behavior has reached a breaking point. Microsoft launched the Agent Governance Toolkit on April 2, 2026 as a direct response to this crisis — an open-source framework released under the MIT license that intercepts every agent action before execution and evaluates it against a configurable policy ruleset. The toolkit integrates natively with the four most widely deployed agent frameworks: LangChain, AutoGen, Semantic Kernel, and the OpenAI Agents SDK. This means teams can add governance without rewriting existing agent code — a practical necessity given that most enterprise agent deployments are already in production. The toolkit’s architecture is modular: the core policy engine, called Agent OS, can be deployed independently, and additional modules for identity management, reliability engineering, and regulatory compliance can be layered in as operational requirements grow. Most significantly, the toolkit is the first open-source project to explicitly demonstrate coverage of all ten OWASP Agentic AI Top 10 risks with deterministic controls, making it the only framework where a security team can trace every item on the published threat taxonomy to a specific, testable enforcement mechanism.

Why Runtime Enforcement Is Different from Prompt-Level Safety

Prompt-level safety instructions — telling the model what not to do inside the system prompt — remain the most common approach to agent safety, but they have measurable failure rates under adversarial conditions. Runtime enforcement operates at the code layer, outside the model’s reasoning process, which means a policy blocking unauthorized external writes will block them regardless of what the model was instructed or what it decides to attempt. That architectural separation is the core distinction between the Agent Governance Toolkit and prompt-engineering-based safety approaches.

The OWASP Agentic AI Top 10: The Risks the Toolkit Addresses

The OWASP Agentic AI Top 10 is the published industry taxonomy of AI agent security risks, and 80% of organizations have already encountered at least one of these risks through unauthorized data exposure or other dangerous agent behaviors observed in the past year. The Microsoft Agent Governance Toolkit was architected with this list as its primary specification: every design decision traces back to a named OWASP risk, and every OWASP risk maps to at least one concrete enforcement control inside the toolkit. This bidirectional traceability matters enormously for security teams, because it allows compliance posture to be audited against a recognized external standard rather than informally asserted. The ten risks span the full lifecycle of an agent deployment — from what the agent is prompted to do, through how it uses its tools and memory, all the way to how it interacts with other agents and external systems.

The structured mapping in the table above is not just documentation — it is operationalized. Each row corresponds to one or more policy rules that can be loaded into the Agent OS engine, evaluated in real time against every agent action, and audited by name in the toolkit’s logs. For organizations required to demonstrate OWASP alignment to a board, regulator, or enterprise customer, this traceability is a meaningful differentiator from toolkits that address security in general terms.

Agent OS: The Stateless Policy Engine at the Core

The most important architectural decision in the entire toolkit is that Agent OS, the core policy engine, is stateless. Every agent action is evaluated independently against the configured ruleset, with no session context or accumulated state that an adversary could manipulate over time to relax future policy decisions. This stateless design is precisely why the toolkit achieves less than 5ms overhead per evaluated action — there is no shared state to synchronize, no distributed cache to invalidate, and no coordination overhead that would create bottlenecks in concurrent multi-agent deployments. Agent OS positions itself in the execution path between an agent’s decision to perform an action and the actual execution of that action against an external system. If the policy evaluation returns DENY, the action is blocked before it touches any file, API, database, or downstream agent. If evaluation returns ALLOW, execution proceeds immediately. The entire interception and evaluation cycle adds less than 5ms to the agent’s action latency — a rounding error compared to the hundreds of milliseconds typically consumed by LLM inference or external API calls.

The stateless architecture has a second important implication: horizontal scalability. Because each policy evaluation is entirely self-contained, Agent OS instances can be replicated across as many nodes as needed without any coordination overhead whatsoever. For enterprises running large fleets of AI agents distributed across multiple cloud regions and availability zones, governance does not become a bottleneck as the agent footprint scales. The same policy file that governs a single development agent governs thousands of production agents identically, with no additional operational complexity introduced by the governance layer itself.

How Agent OS Intercepts Agent Actions in Practice

Agent OS inserts itself into the agent’s execution path as a middleware layer. When an agent decides to call a tool, write a file, make an HTTP request, or invoke a downstream agent, that intent is passed to Agent OS as a structured action object containing the action type, target, parameters, and the cryptographic identity of the requesting agent. The policy engine evaluates this object against the loaded ruleset and returns a permit or deny decision — along with any conditions, rate-limit directives, or audit flags specified in the matching policy — before the action is dispatched to the target system.

Policy Languages: YAML, OPA Rego, and Cedar for Agent Rules

Support for three distinct policy languages — YAML for human-readable rules, OPA Rego for complex conditional logic, and Cedar for formally verifiable authorization semantics — is one of the toolkit’s most deliberate design decisions, and it reflects the reality that different organizations have fundamentally different requirements for how they express and validate security policy. A startup shipping its first governed agent can start with a few lines of YAML and achieve meaningful protection on day one. A financial services firm deploying agents in a strictly regulated environment may require Cedar’s formal verification properties to satisfy an auditor that certain high-risk actions are provably impossible regardless of model behavior. An infrastructure team already using Open Policy Agent for Kubernetes and cloud resource governance can reuse their existing Rego expertise to write agent policies without learning a new language. All three policy formats coexist within the same Agent OS deployment, evaluated by the same engine against the same agent action stream, which means organizations can adopt incrementally and mix policy languages as their needs dictate.

YAML policies are the lowest-friction entry point. A minimal policy file defining a handful of DENY rules for the most common attack vectors — unauthorized outbound HTTP calls, writes outside approved directories, privilege escalation attempts — can be authored by any engineer familiar with YAML in under an hour. OPA Rego unlocks the full expressive power of a purpose-built policy query language, including complex joins, aggregations, and recursive rules that are difficult or impossible to express in YAML. Cedar, originally developed by AWS for its Verified Permissions authorization service, brings the property of formal analyzability: a static analysis tool can examine a Cedar policy and mathematically prove what action classes it will and will not permit, without executing it against live traffic. That formal verification capability moves agent governance from “we believe this policy works” to “we have proven this policy is correct,” which is a qualitatively different level of assurance for high-stakes deployments.

# Example YAML policy: block writes outside approved paths, rate-limit API calls
policies:
  - id: block-external-write
    condition:
      action.type == "file_write" AND
      action.target NOT IN allowed_paths
    effect: DENY

  - id: rate-limit-api-calls
    condition:
      action.type == "api_call"
    rate_limit:
      requests: 10
      window: "1s"
    effect: ALLOW_WITH_LIMIT

Policies are loaded from files at startup and can be hot-reloaded without restarting the agent runtime, giving operators the ability to respond to newly identified attack patterns or policy violations by pushing a policy update through their standard CI/CD pipeline.

Integration: LangChain, AutoGen, Semantic Kernel, and OpenAI Agents SDK

The toolkit was designed from the start for zero-rewrite integration with existing agent frameworks, and the four primary supported integrations — LangChain, AutoGen, Semantic Kernel, and the OpenAI Agents SDK — cover the dominant share of enterprise agent deployments in production as of mid-2026. Each integration uses that framework’s own native extension points: LangChain callbacks, AutoGen middleware hooks, Semantic Kernel plugins, and the OpenAI Agents SDK’s tool execution pipeline. The consequence is that an engineering team running an existing LangChain agent can add governance in a few lines of configuration, without modifying agent logic, tool definitions, prompt templates, or any other aspect of the existing application. This “no rewrite” principle is not merely a developer convenience — it is a deployment risk reduction strategy, because the governed agent behaves identically to the ungoverned agent for all permitted actions, and only prohibited actions are affected by the governance layer.

# LangChain integration: governance added as a callback, zero code changes to the agent
from langchain.agents import AgentExecutor
from agent_governance import GovernanceMiddleware

agent = AgentExecutor(
    agent=my_agent,
    tools=my_tools,
    callbacks=[
        GovernanceMiddleware(
            policy_path="./policies/production.yaml"
        )
    ]
)

For AutoGen multi-agent workflows, the middleware intercepts both inbound and outbound agent messages, which means policy rules can govern not only what an agent does in the external world but also what instructions one agent sends to another. This is directly relevant to the OWASP Agentic AI risks around trust propagation and prompt injection delivered via inter-agent communication channels, which are attack surfaces that single-agent governance tools cannot address.

The OpenAI Agents SDK integration is significant because it means the governance layer is not tied to any specific model provider. Organizations building on OpenAI’s infrastructure can apply toolkit policies to agents using OpenAI models, while organizations using Azure OpenAI or other providers use the same policy files with the same enforcement semantics. Semantic Kernel integration makes the toolkit immediately applicable to Microsoft’s enterprise customer base already building production agents with that framework, and it enables natural federation with Azure AI and Entra ID for organizations that want to express agent permissions in terms of existing enterprise identity structures.

Azure AI and Microsoft Entra ID Integration

For organizations on the Microsoft cloud stack, the optional integration with Azure AI services and Microsoft Entra ID allows agent identities to be mapped to enterprise directory objects. Access policies can then be written in terms of organizational roles, department memberships, and security group assignments — the same constructs already governing human user access — rather than requiring a separate identity management infrastructure maintained exclusively for AI agents.

Performance: Sub-5ms Policy Evaluation in Production

The most persistent objection to runtime security enforcement is the assumption that it adds unacceptable latency to agent operations. The Agent Governance Toolkit addresses this directly with a design target of less than 5ms overhead per action evaluated by Agent OS, and this performance level is achievable in production at scale, not just in laboratory benchmarks. To contextualize that number: a typical LLM inference call for a mid-sized model running at production load takes between 500ms and several seconds. A tool invocation triggering an external API call adds 100ms to 2 seconds depending on network conditions. Against this backdrop, a 5ms governance overhead is a rounding error in the overall agent response time — it does not perceptibly slow agent workflows, and it does not force engineering teams into tradeoffs between security coverage and application responsiveness. The practical implication is significant: governance can be applied universally, to every agent action without exception, rather than to a sampled or heuristically selected subset. A governance layer that evaluates only some actions provides the appearance of control without its substance, and the sub-5ms overhead removes any engineering incentive to skip evaluations for performance reasons.

This performance level is achievable because of the stateless, in-process design of Agent OS. Policy evaluation requires no network calls, no database round-trips, and no distributed coordination. The policy ruleset is compiled to an internal representation at startup and evaluated entirely in memory for each action object. YAML and OPA Rego policies are compiled at load time so that evaluation is fast even for rules with complex boolean logic. Cedar policies run through Cedar’s own purpose-built, formally optimized evaluation engine. The combination produces an enforcement system that is fast enough to be deployed unconditionally without architectural compromises.

Benchmarking Against Specific Workloads

Published performance figures reflect benchmark conditions that may differ from production environments with very high action throughput or unusually complex OPA Rego rulesets involving large data joins or recursive rules. Teams with latency-sensitive workflows should benchmark against their specific policy configuration in a staging environment before relying on the headline figure. The toolkit’s documentation provides optimization guidance for reducing evaluation latency in complex policy scenarios, including techniques for pre-compiling frequently evaluated rules and structuring policy files for faster pattern matching.

Microsoft Agent Governance Toolkit vs Lakera Guard vs CalypsoAI

The AI agent security tooling landscape has expanded rapidly alongside the market’s projected growth from $1.65 billion in 2026 to $13.52 billion by 2032, and the Microsoft Agent Governance Toolkit occupies a distinct position relative to the two most commonly evaluated alternatives: Lakera Guard and CalypsoAI. Understanding those differences clearly is essential for teams making adoption decisions under budget and timeline pressure. Lakera Guard is a focused and well-regarded solution for prompt injection detection and LLM input/output safety filtering. It executes its defined scope effectively, but that scope covers primarily one item from the OWASP Agentic AI Top 10 — prompt injection — rather than the full ten-item risk surface. CalypsoAI offers a broader enterprise governance platform with meaningful capabilities, but it operates under a proprietary license and enterprise pricing model that introduces vendor dependency and prevents the community code audits that security-conscious organizations increasingly require. The Microsoft Agent Governance Toolkit is the only open-source option in this field that explicitly targets and demonstrates coverage of all ten OWASP Agentic AI Top 10 risks.

The decision between these tools comes down to three factors: scope of required coverage, licensing constraints, and ecosystem fit. Organizations that need only prompt injection protection, operate on a tight budget for security tooling, and have no requirement for open-source auditability may find Lakera Guard’s focused capability sufficient. Organizations in regulated industries that need full OWASP coverage, reproducible compliance evidence, and source code access for security audits will find the Microsoft toolkit is currently the only option satisfying all three constraints simultaneously. CalypsoAI occupies an enterprise segment where vendor support contracts and managed deployment are priorities above open-source availability.

When Lakera Guard Remains the Appropriate Choice

Teams whose primary concern is LLM input and output safety — preventing harmful content generation, detecting prompt injection in consumer-facing applications, or filtering model outputs before they reach end users — may find Lakera Guard’s focused capability operationally simpler and sufficient for their threat model. The two tools are not mutually exclusive: a defense-in-depth architecture could deploy both, with Lakera Guard handling LLM I/O safety and the Microsoft toolkit governing runtime agent action policies.

Getting Started: Installing and Configuring the Toolkit

The fastest path to meaningful governance with the Microsoft Agent Governance Toolkit starts with installing only Agent OS — there is no requirement to adopt the full toolkit at once, and incremental adoption is the explicitly recommended path for most teams. The core Agent OS package is available for Python and TypeScript, with the full toolkit also supporting Rust, Go, and .NET. Installation is a single command, and the minimum viable configuration to achieve runtime policy enforcement is a YAML policy file and a one-line addition to the existing agent code. Teams can then layer in additional modules — enterprise identity integration via Entra ID, reliability engineering controls, regulatory compliance framework mappings — as operational requirements evolve and the team gains confidence in the governance model.

# Start with Agent OS only — the recommended incremental approach
pip install agent-os

# Install the full toolkit when ready for identity, SRE, and compliance modules
pip install agent-governance[all]

# TypeScript installation
npm install @microsoft/agent-governance

With Agent OS installed, adding enforcement to an existing agent requires a policy file and a decorator or callback addition. The following minimal example enforces a starter policy on every action the agent takes:

from agent_os import PolicyEngine

engine = PolicyEngine.from_file("./policies/starter.yaml")

@engine.enforce
def my_agent_action(action, context):
    return execute_action(action, context)

A starter policy addressing the highest-priority OWASP risks requires only a few rules. The following file blocks unauthorized outbound HTTP requests, prevents writes to unapproved filesystem paths, and generates an audit record for every access to sensitive data — covering three distinct OWASP Agentic AI Top 10 risks in under twenty lines:

# starter.yaml: a minimal production-ready starting policy
policies:
  - id: deny-unauthorized-external-calls
    condition: action.type == "http_request" AND action.domain NOT IN allowlist
    effect: DENY

  - id: block-external-write
    condition: action.type == "file_write" AND action.target NOT IN allowed_paths
    effect: DENY

  - id: log-all-sensitive-reads
    condition: action.type == "data_read" AND action.classification == "sensitive"
    effect: ALLOW
    audit: true

Production Deployment Checklist

Before moving a governed agent to production, treat the policy file as code: include it in the same version control repository as the agent, require pull request review for all policy changes, and run the toolkit’s built-in test suite against every policy modification to confirm that previously permitted behaviors remain permitted. Connect the audit log output to the organization’s existing SIEM or observability platform so that policy DENY events generate alerts through established incident response channels rather than accumulating silently in a log file. Start with the three starter rules above, validate in staging that they do not block legitimate agent operations, and then progressively narrow scope by adding more specific rules as operational patterns are understood. The toolkit’s modular architecture ensures that adding more advanced modules — Entra ID identity federation, regulatory compliance mappings, circuit breaker reliability controls — does not require changes to policies already deployed and validated.

FAQ

Q1: Does the Agent Governance Toolkit work with agent frameworks beyond the four primary integrations?

LangChain, AutoGen, Semantic Kernel, and the OpenAI Agents SDK are the four frameworks with official, maintained integration adapters. However, Agent OS can be applied to any Python or TypeScript agent code using its decorator and middleware APIs directly, independent of any specific framework. Teams using frameworks not yet covered by an official adapter can implement the integration using the core Agent OS API, which is well-documented and designed to be framework-agnostic at its lowest abstraction level. The open-source MIT license also means community-contributed adapters for additional frameworks are possible and welcome.

Q2: How does the sub-5ms policy evaluation performance hold up as policy complexity increases?

Simple YAML policies with straightforward conditional rules evaluate well under 1ms in normal production conditions. Complex OPA Rego policies — particularly those involving recursive rules, large data joins, or many policy conditions evaluated in sequence — may push evaluation time toward the 5ms boundary. Cedar policies run through Cedar’s formally optimized evaluator and tend to maintain fast evaluation even for sophisticated authorization logic. Teams with high-throughput agent action streams and complex rulesets should benchmark their specific policy configuration against representative production load in a staging environment before drawing conclusions from the headline figure. The toolkit’s documentation provides structured guidance on policy optimization techniques for latency-sensitive deployments.

Q3: Should the toolkit be used alongside prompt-level safety instructions, or does it replace them?

The two approaches address different layers of the agent security stack and are most effective in combination. Prompt-level safety instructions shape the model’s general behavior and serve as the first line of defense for a well-aligned agent in normal operating conditions. The Agent Governance Toolkit operates at the code layer and enforces hard limits on what actions can actually be executed, regardless of what the model decides to attempt. Using both layers together produces substantially better outcomes than either approach alone: well-crafted prompt instructions reduce the frequency with which the policy engine sees prohibited action attempts, while the runtime policy enforcement provides a reliable backstop for the violations that occur despite good prompt design.

Q4: How does the toolkit support regulatory compliance requirements such as the EU AI Act?

The toolkit provides the technical foundation for compliance evidence across several dimensions. The policy language and audit logging capabilities allow organizations to demonstrate human oversight, transparency, and risk management controls that regulatory frameworks require for high-risk AI system deployments. By mapping OWASP Agentic AI Top 10 risks to configured policy rules, organizations can trace their compliance posture to a published external standard. The structured audit logs generated for every agent action and policy decision produce the kind of evidence-based documentation that regulators increasingly expect to see. Teams in regulated industries should work with their legal and compliance functions to translate specific regulatory requirements into policy rules, using Cedar’s formal verification properties where mathematical proof of policy correctness is required to satisfy an auditor.

Q5: Does the open-source MIT license mean Microsoft could change the terms or direction of the project in ways that create risk for adopters?

The MIT license itself is irrevocable — code already released under MIT remains under MIT regardless of what Microsoft does with the project going forward. Additionally, Microsoft has announced plans to donate the project to a neutral open-source foundation, which would transfer governance of the project’s direction to a community body rather than a single corporate sponsor. This mirrors the trajectory of projects like Kubernetes, which moved from Google to the Cloud Native Computing Foundation and subsequently became a de facto industry standard with broad multi-vendor contribution. Until the foundation donation occurs, the open-source codebase can be forked by any organization that needs to maintain an independent version, which is a meaningful risk mitigation for organizations concerned about long-term stewardship.