Microsoft Agent Governance Toolkit: Runtime Security
Microsoft shipped the Agent Governance Toolkit April 2, 2026 — open-source runtime security for AI agents. Covers OWASP Agentic Top 10 + EU AI Act.
Key Takeaways
On April 2, 2026 Microsoft shipped the Agent Governance Toolkit — an open-source, MIT-licensed project that is the first to deliver runtime security governance covering all ten OWASP Agentic AI Top 10 risks with deterministic sub-millisecond policy enforcement. The timing is no accident: the Colorado AI Act becomes enforceable in June 2026, and the EU AI Act's high-risk AI obligations take effect in August 2026. Organizations running autonomous agents for regulated workloads need a runtime governance story this quarter — and this toolkit is the fastest path to producing the compliance evidence those regulations require.
This post is the enterprise-decision-maker's reference: what the toolkit covers (and doesn't), the seven packages, how framework-agnostic adapters plug into LangChain, CrewAI, Google ADK, and Microsoft Agent Framework, the 10/10 OWASP Agentic Top 10 mapping, and how to map adoption onto the regulatory calendar so you have evidence in hand before the enforcement dates hit.
Why now: before April 2026 there was no open-source option with 10/10 OWASP Agentic coverage. Agencies and enterprises were stitching guardrails libraries together and documenting gaps. The toolkit collapses that into one adoption project and one compliance evidence trail.
Release Facts and Scope
| Fact | Detail |
|---|---|
| Release date | April 2, 2026 |
| License | MIT |
| Repo | github.com/microsoft/agent-governance-toolkit |
| Languages | Python, Rust, TypeScript, Go, .NET |
| OWASP Top 10 coverage | 10 / 10 |
| p99 policy-engine latency | <0.1 ms |
| Packages | 7 (Agent OS, Mesh, Runtime, SRE, Compliance, Marketplace, Lightning) |
OWASP Agentic Top 10 Coverage
The OWASP Agentic AI Top 10 is the canonical threat list for autonomous agents. Microsoft's toolkit ships enforcement for all ten:
| Risk category | Primary toolkit package |
|---|---|
| Prompt injection / manipulated instructions | Agent OS |
| Tool misuse / unintended actions | Agent OS + Agent Runtime |
| Supply-chain (plugin) compromise | Agent Marketplace |
| Identity spoofing between agents | Agent Mesh |
| Excessive agency / unauthorized autonomy | Agent OS policy |
| Data leakage through memory | Agent OS + Agent Compliance |
| Resource exhaustion / runaway loops | Agent Runtime + SRE |
| Training-time compromise (RL / fine-tuning) | Agent Lightning |
| Insufficient observability / auditability | Agent SRE |
| Non-compliance with regulatory frameworks | Agent Compliance |
The Seven Packages
- Agent OS. Stateless policy engine that intercepts every agent action before execution. p99 latency under 0.1ms. Deterministic, declarative rules.
- Agent Mesh. Identity framework and secure communication between agents. Ed25519 signing, mutual auth, short-lived capabilities.
- Agent Runtime. Execution control environment. Resource caps, network egress filters, timeouts, crash-safe rollback.
- Agent SRE. Reliability engineering: telemetry, tracing, health probes, SLO tracking for agent workloads.
- Agent Compliance. Compliance grading with regulatory framework mapping — EU AI Act, HIPAA, SOC 2 — plus OWASP evidence collection.
- Agent Marketplace. Plugin lifecycle governance: Ed25519 signing, verification, trust-tier capability gating, supply-chain security.
- Agent Lightning. Reinforcement learning training governance with policy-enforced runners and reward shaping that ensures zero policy violations during RL training.
Agent OS: The Policy Engine
Agent OS is the heart of the toolkit. Stateless. Deterministic. Hooks into every agent action — tool call, memory write, inter-agent message, plugin invocation, outbound network request — and decides allow/deny/transform before execution. Policy decisions are sub-millisecond at p99, so the latency impact on the agent is invisible.
Policy shape
```yaml
# policy.yaml — illustrative shape
rules:
  - id: block-external-email
    when:
      action: tool_call
      tool: send_email
      to_domain: "!=company.com"
    decision: deny
    reason: "External email sending is not permitted from this agent."
  - id: mask-pii-in-memory-writes
    when:
      action: memory_write
      contains_pii: true
    decision: transform
    transform: mask_pii
  - id: rate-limit-outbound-http
    when:
      action: outbound_http
    decision: allow
    limit:
      max_per_minute: 60
      action_on_exceed: deny
```
Rules are declarative. Violations are logged automatically to Agent Compliance for audit trails. The evidence is the same structure the EU AI Act asks for — a running record of what the agent attempted and what the policy allowed.
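To make the rule semantics concrete, here is an added example (not toolkit code) of a tiny first-match-wins evaluator in Go over the three rules above. The `"!="` prefix handling, the per-minute counter and the default-deny fallback are this example's own assumptions, since the page only shows the rule shape.

```go
package main

// Action is one intercepted agent action; Fields carries its attributes (tool, to_domain, contains_pii, ...).
type Action struct {
	Kind   string
	Fields map[string]string
}
// Rule mirrors the illustrative policy.yaml above: a when-block, a decision and an optional limit.
type Rule struct {
	ID, Kind, Decision string
	When               map[string]string // field -> expected value; a "!=" prefix negates the match
	MaxPerMinute       int               // 0 = no limit; exceeding it turns allow into deny
}
// whenOK checks every field condition of a when-block; "!=x" matches any value except x.
func whenOK(when, fields map[string]string) bool {
	for k, want := range when {
		got, negate := fields[k], false
		if len(want) > 2 && want[:2] == "!=" {
			want, negate = want[2:], true
		}
		if (got == want) == negate { // negated-and-equal or plain-and-unequal: condition fails
			return false
		}
	}
	return true
}
// Evaluate is first-match-wins; counts is this example's simplified per-minute limiter (caller resets it each minute).
func Evaluate(rules []Rule, counts map[string]int, a Action) (string, string) {
	for _, r := range rules {
		if r.Kind != a.Kind || !whenOK(r.When, a.Fields) {
			continue
		}
		if r.Decision == "allow" && r.MaxPerMinute > 0 {
			if counts[r.ID]++; counts[r.ID] > r.MaxPerMinute {
				return "deny", r.ID // action_on_exceed: deny
			}
		}
		return r.Decision, r.ID
	}
	return "deny", "default-deny" // no rule matched; default-deny is this example's assumption
}
// SamplePolicy is the page's policy.yaml expressed as Go values (the when-block's action becomes Kind).
func SamplePolicy() []Rule {
	return []Rule{
		{ID: "block-external-email", Kind: "tool_call", Decision: "deny",
			When: map[string]string{"tool": "send_email", "to_domain": "!=company.com"}},
		{ID: "mask-pii-in-memory-writes", Kind: "memory_write", Decision: "transform", When: map[string]string{"contains_pii": "true"}},
		{ID: "rate-limit-outbound-http", Kind: "outbound_http", Decision: "allow", MaxPerMinute: 60},
	}
}
```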
20+ Framework Adapters
Framework-agnostic is the toolkit's most important architectural decision. Each adapter hooks into the framework's native extension point instead of requiring a rewrite:
- LangChain — callback handlers
- CrewAI — task decorators
- Google ADK — plugin system
- Microsoft Agent Framework — middleware pipeline
- Hermes Agent — skill hooks
- AutoGen (legacy) — message interceptors
- LlamaIndex — query/response callbacks
- Semantic Kernel — plugin filters
- n8n / Zapier / custom — generic HTTP adapter
Adding governance to an existing agent is typically three to five lines of configuration — declare the adapter, point it at your policy file, enable compliance evidence collection, done.
The 2026 Regulatory Timeline
| Date | Event | Who is affected |
|---|---|---|
| Apr 2, 2026 | Agent Governance Toolkit released | All agent developers |
| Jun 2026 | Colorado AI Act becomes enforceable | Developers + deployers of high-risk AI in Colorado |
| Aug 2026 | EU AI Act high-risk obligations take effect | EU-operating high-risk AI systems |
EU AI Act / Colorado / HIPAA Mapping
Agent Compliance ships regulatory-framework mappings out of the box. The evidence collected at runtime maps directly to the documentation these frameworks require:
- EU AI Act. Risk management, data governance, logging, human oversight, accuracy and cybersecurity evidence.
- Colorado AI Act. Risk-management programs, impact assessments, consumer notification records.
- HIPAA. Access controls, audit logs, breach-notification evidence for health-data agents.
- SOC 2. Change management, monitoring, incident-response evidence.
Need help mapping your agent workloads to the regulatory timeline? Our AI digital transformation team adopts the Agent Governance Toolkit, writes the policy library for your vertical, and produces the compliance evidence packages the EU AI Act and Colorado AI Act require.
Deployment Patterns
Three patterns we see working in production:
1. Sidecar policy engine
Agent OS runs as a sidecar alongside the agent process. Framework adapter calls out via localhost IPC. Minimal deployment complexity, sub-millisecond policy decisions. Default for most agency deploys.
2. In-process library
Agent OS embedded as a library inside the agent process. Best for single-language deploys, especially .NET + Microsoft Agent Framework on Azure App Service.
3. Centralized policy gateway
Agent OS runs as a shared service; all agents across the organization call out to it over mTLS. Adds a network hop but centralizes policy updates. Preferred for large enterprises with dozens of agent workloads.
Agent Marketplace and Signing
Plugin supply-chain is the OWASP Agentic risk most agencies overlook. Agent Marketplace solves it three ways:
- Ed25519 signing. Every plugin ships signed. Unsigned or invalidly-signed plugins refuse to load.
- Trust tiers. Plugins can be classified (first-party, partner, community). Trust tier gates which capabilities the plugin can request.
- Capability manifests. Plugins declare up-front what they need — network egress hosts, memory access, tools — and the policy engine denies anything outside the declared manifest.
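The three mechanisms together, as an added Go example that is not the toolkit's own code: a publisher signs a capability manifest with Ed25519, the loader refuses unsigned or tampered plugins and any manifest whose requested egress exceeds a constructed tier table, and a runtime check denies hosts outside the manifest. The manifest fields, the tier table and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)
// Manifest is what a plugin declares up-front: identity, trust tier and the egress hosts it needs.
type Manifest struct {
	Name        string   `json:"name"`
	Tier        string   `json:"tier"` // "first-party", "partner" or "community"
	EgressHosts []string `json:"egress_hosts"`
}
// SignedPlugin is the manifest bytes plus the publisher's Ed25519 signature over them.
type SignedPlugin struct {
	Manifest, Signature []byte
}
// egressByTier is this example's gating table (constructed): community plugins get no network egress.
var egressByTier = map[string]bool{"first-party": true, "partner": true, "community": false}

// Sign serialises and signs a manifest with the publisher key (the publish-time step).
func Sign(priv ed25519.PrivateKey, m Manifest) SignedPlugin {
	b, _ := json.Marshal(m) // a struct of strings and slices cannot fail to marshal
	return SignedPlugin{Manifest: b, Signature: ed25519.Sign(priv, b)}
}
// Load verifies the signature against the trusted publisher key, then refuses manifests whose capabilities exceed their tier.
func Load(pub ed25519.PublicKey, p SignedPlugin) (*Manifest, error) {
	if !ed25519.Verify(pub, p.Manifest, p.Signature) { // false for missing, short or tampered signatures
		return nil, errors.New("plugin refused: missing or invalid signature")
	}
	var m Manifest
	if err := json.Unmarshal(p.Manifest, &m); err != nil {
		return nil, err
	}
	egress, known := egressByTier[m.Tier]
	if !known || (len(m.EgressHosts) > 0 && !egress) {
		return nil, errors.New("plugin refused: capabilities exceed trust tier " + m.Tier)
	}
	return &m, nil
}
// EgressAllowed is the runtime check: an outbound request to a host outside the manifest is denied.
func EgressAllowed(m *Manifest, host string) bool {
	for _, h := range m.EgressHosts {
		if h == host {
			return true
		}
	}
	return false
}
```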
The Adoption Checklist
- Inventory agent workloads. Which frameworks, which providers, which regulatory regimes touch each?
- Start with Agent OS. Wire the adapter for your primary framework. Ship a minimal policy (e.g. block external tool calls, rate-limit outbound HTTP).
- Layer Agent Compliance. Enable evidence collection against the regulatory frameworks that apply to your workloads.
- Add Agent Mesh if multi-agent. Identity and inter-agent trust become mandatory once agents start talking to each other.
- Add Agent Marketplace before accepting community plugins. Signing + trust tiers stop supply-chain incidents before they happen.
- Operate Agent SRE. Telemetry, tracing, health probes — the same maturity level your other production services get.
- Revisit quarterly. Policy rules evolve. New OWASP guidance evolves. Schedule a quarterly policy review.
Conclusion
Before April 2026, building governed autonomous agents meant stitching guardrails libraries together and documenting the gaps yourself. The Agent Governance Toolkit collapses that into a single MIT-licensed project with 10/10 OWASP coverage, sub-millisecond policy enforcement, and regulatory-framework evidence collection. With Colorado and the EU AI Act enforcement dates hitting this summer, this toolkit is the fastest legitimate compliance path available.
Govern Your Agent Workloads Before Enforcement Hits
We audit existing agent deployments, adopt the Agent Governance Toolkit, author the policy library for your vertical, and produce the compliance evidence packages.