🌍 English | 日本語 | 简体中文 | 한국어
Agent Governance Toolkit
Ship agents to production without losing sleep
🚀 Quick Start ·
📋 Specifications ·
📦 PyPI ·
📝 Changelog
[!IMPORTANT]
Public Preview -- production-quality, Microsoft-signed releases. May have breaking changes before GA.
Policy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One pip install, any framework.
The Problem
Your AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:
1. Is this action allowed? An agent with access to send_email and query_database should not be able to drop_table. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.
2. Which agent did this? In a multi-agent system, five agents might share a single API key. When something goes wrong, "an agent did it" is not an incident response.
3. Can you prove what happened? Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.
Prompt-level safety ("please follow the rules") is not a control surface. It is a polite request to a stochastic system. OWASP LLM01:2025 states this explicitly: "it is unclear if there are fool-proof methods of prevention for prompt injection." The published numbers back this up. On JailbreakBench (Chao et al., NeurIPS 2024), the standard open robustness benchmark for LLM jailbreaks, adaptive attacks reach near-100% attack success rates against frontier safety-aligned models. Andriushchenko et al., 2024 report 100% ASR on GPT-4, GPT-3.5, Claude 3, and Llama-3 using simple prompt-only attacks, and even the strongest published prompt-layer defenses leak double-digit residual ASR. Microsoft's own AI Red Teaming Agent formalizes Attack Success Rate (ASR), the rate of policy violations under adversarial input, as the canonical metric for this class of failure, and Lessons from Red Teaming 100 Generative AI Products concludes that "AI red teaming is never complete" because model-layer defenses are probabilistic by construction.
AGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model's intent reaches the wire. Actions the AGT kernel denies are not "unlikely." They are structurally impossible. That is the difference between asking an agent to behave and making it incapable of misbehaving.
Quick Start
Prerequisites: Python 3.10+
pip install agent-governance-toolkit[full]
For Claude Code, add AGT as a plugin marketplace and install the governance plugin:
