DEV Community: Kanish Tyagi The latest articles on DEV Community by Kanish Tyagi (@kanishtyagii). https://dev.to/kanishtyagii https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3858655%2Fbb046de4-4496-4a7f-9db5-c1187159439d.jpg DEV Community: Kanish Tyagi https://dev.to/kanishtyagii en Agent SRE — SLOs, Error Budgets, and Circuit Breakers for AI Agents Kanish Tyagi Fri, 10 Apr 2026 21:30:57 +0000 https://dev.to/kanishtyagii/agent-sre-slos-error-budgets-and-circuit-breakers-for-ai-agents-1d1d https://dev.to/kanishtyagii/agent-sre-slos-error-budgets-and-circuit-breakers-for-ai-agents-1d1d <p>When a traditional web service goes down, you get a 500 error. You check the logs, find the exception, fix it, deploy. The failure is deterministic and reproducible.</p> <p>When an AI agent degrades, it's different. It doesn't crash — it just starts giving worse answers. It calls tools more times than it should. It hallucinates details it used to get right. It slows down under load in ways that are hard to measure. By the time you notice, it's been quietly failing for hours.</p> <p>This is why AI agents need Site Reliability Engineering. Not the same SRE you apply to APIs and databases — a version adapted to the specific ways agents fail.</p> <h2> How Agents Fail Differently </h2> <p>Traditional services fail in discrete, measurable ways: error rate goes up, latency goes up, availability goes down. You set thresholds, you get paged, you fix it.</p> <p>Agents fail on a spectrum:</p> <ul> <li> <strong>Accuracy degradation</strong> — outputs become less correct over time as context accumulates</li> <li> <strong>Tool call inflation</strong> — agent starts using 15 tool calls for tasks that used to take 3</li> <li> <strong>Hallucination rate increase</strong> — factual errors appear more frequently</li> <li> <strong>Task completion drift</strong> — agent completes the literal request but misses the intent</li> <li> <strong>Delegation loops</strong> — agent spawns sub-agents that spawn more sub-agents recursively</li> </ul> <p>None of these show up as a 500 error. They require different observability, different thresholds, and different response strategies.</p> <h2> Defining SLOs for Agents </h2> <p>A Service Level Objective is a target for how well your service should perform. For a web API, it's usually availability (99.9%) and latency (p99 &lt; 200ms).</p> <p>For an agent, you need different dimensions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.sre</span> <span class="kn">import</span> <span class="n">AgentSLO</span> <span class="n">slo</span> <span class="o">=</span> <span class="nc">AgentSLO</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">research-agent</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># How often should the agent successfully complete its task? </span> <span class="n">task_success_rate</span><span class="o">=</span><span class="mf">0.95</span><span class="p">,</span> <span class="c1"># 95% of tasks complete successfully </span> <span class="c1"># How many tool calls is reasonable per task? </span> <span class="n">max_tool_calls_per_task</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="c1"># alert if average exceeds this </span> <span class="c1"># How long should a task take? </span> <span class="n">max_latency_ms</span><span class="o">=</span><span class="mi">30000</span><span class="p">,</span> <span class="c1"># 30 seconds max </span> <span class="c1"># How often can the agent violate policy? </span> <span class="n">max_error_rate</span><span class="o">=</span><span class="mf">0.02</span><span class="p">,</span> <span class="c1"># 2% error rate maximum </span> <span class="c1"># How available should the agent be? </span> <span class="n">min_availability</span><span class="o">=</span><span class="mf">0.99</span><span class="p">,</span> <span class="c1"># 99% uptime </span><span class="p">)</span> </code></pre> </div> <p>These numbers come from your domain. A research agent doing deep analysis might reasonably use 20 tool calls. A customer service agent answering simple questions should never need more than 3. Define SLOs based on what good behavior looks like for your specific use case.</p> <h2> Error Budgets: When to Throttle vs Keep Running </h2> <p>An error budget is the inverse of your SLO. If your task success SLO is 95%, your error budget is 5% — that's how much failure you can tolerate before taking action.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.sre</span> <span class="kn">import</span> <span class="n">ErrorBudget</span> <span class="n">budget</span> <span class="o">=</span> <span class="nc">ErrorBudget</span><span class="p">(</span><span class="n">slo</span><span class="o">=</span><span class="n">slo</span><span class="p">,</span> <span class="n">window_hours</span><span class="o">=</span><span class="mi">24</span><span class="p">)</span> <span class="c1"># After 1000 tasks with 60 failures (6% error rate) </span><span class="n">budget</span><span class="p">.</span><span class="nf">record_tasks</span><span class="p">(</span><span class="n">total</span><span class="o">=</span><span class="mi">1000</span><span class="p">,</span> <span class="n">failed</span><span class="o">=</span><span class="mi">60</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">budget</span><span class="p">.</span><span class="n">remaining_percent</span><span class="p">)</span> <span class="c1"># -20% — budget exhausted </span><span class="nf">print</span><span class="p">(</span><span class="n">budget</span><span class="p">.</span><span class="n">status</span><span class="p">)</span> <span class="c1"># "EXHAUSTED" </span><span class="nf">print</span><span class="p">(</span><span class="n">budget</span><span class="p">.</span><span class="n">recommendation</span><span class="p">)</span> <span class="c1"># "Throttle agent — error budget depleted" </span></code></pre> </div> <p>When the error budget is exhausted, you have three options:</p> <ol> <li> <strong>Throttle</strong> — reduce the agent's call rate, buy time to investigate</li> <li> <strong>Degrade gracefully</strong> — switch to a simpler, more reliable mode</li> <li> <strong>Circuit break</strong> — stop the agent entirely until the issue is resolved</li> </ol> <p>The right choice depends on the stakes. A research agent exhausting its budget? Throttle it. A financial agent exhausting its budget? Circuit break immediately.</p> <h2> Circuit Breakers: Automatically Stopping Degraded Agents </h2> <p>I built a circuit breaker simulation in the Colab notebook I contributed to this repo. Here's the core concept translated to production code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.sre</span> <span class="kn">import</span> <span class="n">CircuitBreaker</span> <span class="n">breaker</span> <span class="o">=</span> <span class="nc">CircuitBreaker</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">research-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">failure_threshold</span><span class="o">=</span><span class="mf">0.05</span><span class="p">,</span> <span class="c1"># open circuit at 5% error rate </span> <span class="n">latency_threshold_ms</span><span class="o">=</span><span class="mi">30000</span><span class="p">,</span> <span class="c1"># open circuit if avg latency exceeds 30s </span> <span class="n">cooldown_seconds</span><span class="o">=</span><span class="mi">300</span><span class="p">,</span> <span class="c1"># try again after 5 minutes </span><span class="p">)</span> <span class="c1"># Before each agent call </span><span class="k">if</span> <span class="n">breaker</span><span class="p">.</span><span class="nf">is_open</span><span class="p">():</span> <span class="c1"># Circuit is open — agent is degraded </span> <span class="k">raise</span> <span class="nc">AgentUnavailableError</span><span class="p">(</span><span class="sh">"</span><span class="s">Circuit breaker open — agent degraded</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">task</span><span class="p">)</span> <span class="n">breaker</span><span class="p">.</span><span class="nf">record_success</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">breaker</span><span class="p">.</span><span class="nf">record_failure</span><span class="p">()</span> <span class="k">raise</span> </code></pre> </div> <p>The circuit has three states:</p> <ul> <li> <strong>Closed</strong> — normal operation, all calls go through</li> <li> <strong>Open</strong> — agent is degraded, calls are rejected immediately</li> <li> <strong>Half-open</strong> — cooldown expired, testing if agent has recovered </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">print</span><span class="p">(</span><span class="n">breaker</span><span class="p">.</span><span class="n">state</span><span class="p">)</span> <span class="c1"># "CLOSED", "OPEN", or "HALF_OPEN" </span><span class="nf">print</span><span class="p">(</span><span class="n">breaker</span><span class="p">.</span><span class="n">failure_rate</span><span class="p">)</span> <span class="c1"># current failure rate </span><span class="nf">print</span><span class="p">(</span><span class="n">breaker</span><span class="p">.</span><span class="n">time_until_retry</span><span class="p">)</span> <span class="c1"># seconds until half-open </span></code></pre> </div> <p>This prevents a degraded agent from silently producing bad outputs at scale. Instead of hoping someone notices the quality drop, the circuit breaker makes the degradation explicit and stops it automatically.</p> <h2> Chaos Testing: Breaking Your Agent on Purpose </h2> <p>The best time to discover how your agent fails is before it fails in production. Chaos testing deliberately introduces failures to find weaknesses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.sre</span> <span class="kn">import</span> <span class="n">ChaosEngine</span> <span class="n">chaos</span> <span class="o">=</span> <span class="nc">ChaosEngine</span><span class="p">(</span><span class="n">agent</span><span class="o">=</span><span class="n">governed_agent</span><span class="p">)</span> <span class="c1"># Inject 50% tool failure rate </span><span class="k">with</span> <span class="n">chaos</span><span class="p">.</span><span class="nf">inject_tool_failures</span><span class="p">(</span><span class="n">rate</span><span class="o">=</span><span class="mf">0.5</span><span class="p">):</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[</span><span class="n">governed_agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">task</span><span class="p">)</span> <span class="k">for</span> <span class="n">task</span> <span class="ow">in</span> <span class="n">test_tasks</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Success rate under chaos: </span><span class="si">{</span><span class="nf">sum</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">success</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">)</span><span class="o">/</span><span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">)</span><span class="si">:</span><span class="p">.</span><span class="mi">1</span><span class="o">%</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Inject high latency </span><span class="k">with</span> <span class="n">chaos</span><span class="p">.</span><span class="nf">inject_latency</span><span class="p">(</span><span class="n">ms</span><span class="o">=</span><span class="mi">5000</span><span class="p">):</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[</span><span class="n">governed_agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">task</span><span class="p">)</span> <span class="k">for</span> <span class="n">task</span> <span class="ow">in</span> <span class="n">test_tasks</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Timeout rate under latency: </span><span class="si">{</span><span class="nf">sum</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">timed_out</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">)</span><span class="o">/</span><span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">)</span><span class="si">:</span><span class="p">.</span><span class="mi">1</span><span class="o">%</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Inject policy violations </span><span class="k">with</span> <span class="n">chaos</span><span class="p">.</span><span class="nf">inject_policy_violations</span><span class="p">(</span><span class="n">rate</span><span class="o">=</span><span class="mf">0.3</span><span class="p">):</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[</span><span class="n">governed_agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">task</span><span class="p">)</span> <span class="k">for</span> <span class="n">task</span> <span class="ow">in</span> <span class="n">test_tasks</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Violation detection rate: </span><span class="si">{</span><span class="nf">sum</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">violation_caught</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">)</span><span class="o">/</span><span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">)</span><span class="si">:</span><span class="p">.</span><span class="mi">1</span><span class="o">%</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Run chaos tests before deploying. The questions you're answering:</p> <ul> <li>Does the circuit breaker actually trip when it should?</li> <li>Does the agent degrade gracefully or fail catastrophically?</li> <li>Are error budgets calculated correctly under real failure conditions?</li> <li>Does the governance layer catch violations during chaos?</li> </ul> <h2> What to Monitor and Alert On </h2> <p>Traditional monitoring: CPU, memory, error rate, latency.</p> <p>Agent monitoring adds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.sre</span> <span class="kn">import</span> <span class="n">AgentMetrics</span> <span class="n">metrics</span> <span class="o">=</span> <span class="nc">AgentMetrics</span><span class="p">(</span><span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">research-agent</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Core reliability metrics </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">task_success_rate</span><span class="p">)</span> <span class="c1"># % of tasks completed successfully </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">avg_tool_calls</span><span class="p">)</span> <span class="c1"># average tool calls per task </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">p99_latency_ms</span><span class="p">)</span> <span class="c1"># 99th percentile task latency </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">error_budget_remaining</span><span class="p">)</span> <span class="c1"># % of error budget left </span> <span class="c1"># Agent-specific metrics </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">hallucination_rate</span><span class="p">)</span> <span class="c1"># estimated factual error rate </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">policy_violation_rate</span><span class="p">)</span> <span class="c1"># % of calls blocked by governance </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">delegation_depth_avg</span><span class="p">)</span> <span class="c1"># average sub-agent spawn depth </span> <span class="c1"># Circuit breaker state </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">circuit_state</span><span class="p">)</span> <span class="c1"># CLOSED / OPEN / HALF_OPEN </span><span class="nf">print</span><span class="p">(</span><span class="n">metrics</span><span class="p">.</span><span class="n">circuit_opens_24h</span><span class="p">)</span> <span class="c1"># how many times circuit opened today </span></code></pre> </div> <p>Alert thresholds I'd recommend starting with:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Warning</th> <th>Critical</th> </tr> </thead> <tbody> <tr> <td>Task success rate</td> <td>&lt; 95%</td> <td>&lt; 90%</td> </tr> <tr> <td>Avg tool calls</td> <td>&gt; 15</td> <td>&gt; 25</td> </tr> <tr> <td>Error budget remaining</td> <td>&lt; 25%</td> <td>&lt; 10%</td> </tr> <tr> <td>Circuit opens (24h)</td> <td>&gt; 3</td> <td>&gt; 10</td> </tr> <tr> <td>Policy violation rate</td> <td>&gt; 5%</td> <td>&gt; 15%</td> </tr> </tbody> </table></div> <h2> AccuracyDeclaration: Formally Declaring Agent Accuracy </h2> <p>One underused feature of the toolkit is <code>AccuracyDeclaration</code> — a formal, versioned statement of what accuracy levels your agent guarantees:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.sre</span> <span class="kn">import</span> <span class="n">AccuracyDeclaration</span> <span class="n">declaration</span> <span class="o">=</span> <span class="nc">AccuracyDeclaration</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">research-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1.2.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">declared_accuracy</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">factual_retrieval</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.94</span><span class="p">,</span> <span class="c1"># 94% accuracy on factual questions </span> <span class="sh">"</span><span class="s">task_completion</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.97</span><span class="p">,</span> <span class="c1"># 97% of tasks complete successfully </span> <span class="sh">"</span><span class="s">policy_compliance</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.999</span><span class="p">,</span> <span class="c1"># 99.9% policy compliance </span> <span class="p">},</span> <span class="n">measurement_method</span><span class="o">=</span><span class="sh">"</span><span class="s">automated_eval_suite_v3</span><span class="sh">"</span><span class="p">,</span> <span class="n">valid_for_days</span><span class="o">=</span><span class="mi">90</span><span class="p">,</span> <span class="n">supersedes</span><span class="o">=</span><span class="sh">"</span><span class="s">1.1.0</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">declaration</span><span class="p">.</span><span class="nf">publish</span><span class="p">()</span> </code></pre> </div> <p>This serves two purposes. First, it creates accountability — you've formally stated what your agent guarantees, and you're tracking against it. Second, it enables automated degradation detection — if current metrics fall below declared accuracy, alert immediately.</p> <h2> The SRE Mindset for Agent Teams </h2> <p>Traditional SRE asks: "How do we keep this service running?"</p> <p>Agent SRE asks: "How do we keep this agent <em>correct</em>?"</p> <p>Running and correct are different things for AI systems. An agent can be running — responding to every request, returning outputs — while being completely wrong. That's the failure mode traditional SRE doesn't catch.</p> <p>The principles are the same: define what good looks like (SLOs), measure continuously (metrics), respond automatically to degradation (circuit breakers), and test your failure modes before they happen (chaos testing). The implementation is different because the failure modes are different.</p> <p>If you're deploying agents in production and you don't have SLOs defined for them, you don't actually know if they're working. You just know they're running.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>The interactive Colab notebook I built for this repo walks through SLOs, circuit breakers, and chaos testing with live code:</p> <p>👉 <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> ai sre machinelearning opensource Building Trust Between AI Agents — DIDs, Signatures, and Zero-Trust Mesh Kanish Tyagi Wed, 08 Apr 2026 18:39:54 +0000 https://dev.to/kanishtyagii/building-trust-between-ai-agents-dids-signatures-and-zero-trust-mesh-4m3j https://dev.to/kanishtyagii/building-trust-between-ai-agents-dids-signatures-and-zero-trust-mesh-4m3j <p>Imagine you walk into a room full of strangers. Everyone is wearing a mask. Someone hands you a document and says "sign this — it's from the CEO." How do you know it's actually from the CEO? You don't. You have no way to verify identity.</p> <p>This is the trust problem in multi-agent AI systems. And it's more serious than most teams realize.</p> <h2> Why Agents Need Identity </h2> <p>When a single AI agent operates in isolation, trust is simple — you trust it or you don't. But modern AI systems are increasingly multi-agent. A research agent delegates to a writing agent. A planning agent spawns execution sub-agents. An orchestrator coordinates dozens of specialized agents in parallel.</p> <p>In these systems, every interaction between agents is a potential attack surface.</p> <p>Consider this scenario: Agent A receives a message claiming to be from Agent B, instructing it to delete a set of records. How does Agent A verify that:</p> <ol> <li>The message actually came from Agent B</li> <li>Agent B is authorized to make that request</li> <li>Agent B hasn't been compromised and is acting within its intended scope</li> </ol> <p>Without cryptographic identity, the answer to all three is: it can't.</p> <h2> The Solution: Cryptographic Agent Identity </h2> <p>The <code>agent-governance-toolkit</code> solves this with a trust mesh — a framework where every agent has a verifiable cryptographic identity, and every inter-agent interaction is validated before execution.</p> <p>Here's how it works.</p> <h3> Ed25519 Key Pairs </h3> <p>Each agent gets an Ed25519 key pair at creation time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.identity</span> <span class="kn">import</span> <span class="n">AgentIdentity</span> <span class="c1"># Each agent gets a unique cryptographic identity </span><span class="n">identity</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">identity</span><span class="p">.</span><span class="n">did</span><span class="p">)</span> <span class="c1"># did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK </span> <span class="nf">print</span><span class="p">(</span><span class="n">identity</span><span class="p">.</span><span class="n">public_key_hex</span><span class="p">)</span> <span class="c1"># ed25519 public key </span></code></pre> </div> <p>The DID (Decentralized Identifier) is a self-describing, globally unique identifier derived from the public key. No central registry required.</p> <h3> Signed Messages </h3> <p>When Agent A sends a message to Agent B, it signs it with its private key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">message</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">from</span><span class="sh">"</span><span class="p">:</span> <span class="n">identity</span><span class="p">.</span><span class="n">did</span><span class="p">,</span> <span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">did:key:z6Mk...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">analyze_dataset</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">payload</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">dataset_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ds_001</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-04-05T10:00:00Z</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="n">signed_message</span> <span class="o">=</span> <span class="n">identity</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> <span class="c1"># Includes: message + signature + public key </span></code></pre> </div> <p>Agent B verifies the signature before acting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.identity</span> <span class="kn">import</span> <span class="n">verify_message</span> <span class="n">is_valid</span> <span class="o">=</span> <span class="nf">verify_message</span><span class="p">(</span><span class="n">signed_message</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_valid</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">SecurityError</span><span class="p">(</span><span class="sh">"</span><span class="s">Message signature invalid — rejecting</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>If the message was tampered with in transit, the signature check fails. The action is rejected before execution.</p> <h2> Trust Scoring: Agents Earn and Lose Trust </h2> <p>Identity verification tells you <em>who</em> sent a message. Trust scoring tells you <em>whether to act on it</em>.</p> <p>The toolkit maintains a trust score (0-1000) for each agent in the mesh:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.trust</span> <span class="kn">import</span> <span class="n">TrustEngine</span> <span class="n">trust</span> <span class="o">=</span> <span class="nc">TrustEngine</span><span class="p">()</span> <span class="c1"># New agent starts with baseline trust </span><span class="n">score</span> <span class="o">=</span> <span class="n">trust</span><span class="p">.</span><span class="nf">get_score</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">score</span><span class="p">)</span> <span class="c1"># 500 (baseline) </span> <span class="c1"># Trust increases with successful verified interactions </span><span class="n">trust</span><span class="p">.</span><span class="nf">record_success</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="n">score</span> <span class="o">=</span> <span class="n">trust</span><span class="p">.</span><span class="nf">get_score</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">score</span><span class="p">)</span> <span class="c1"># 510 </span> <span class="c1"># Trust decreases with policy violations </span><span class="n">trust</span><span class="p">.</span><span class="nf">record_violation</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">,</span> <span class="n">severity</span><span class="o">=</span><span class="sh">"</span><span class="s">high</span><span class="sh">"</span><span class="p">)</span> <span class="n">score</span> <span class="o">=</span> <span class="n">trust</span><span class="p">.</span><span class="nf">get_score</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">score</span><span class="p">)</span> <span class="c1"># 460 </span></code></pre> </div> <p>Agents with low trust scores get restricted automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.trust</span> <span class="kn">import</span> <span class="n">TrustPolicy</span> <span class="n">policy</span> <span class="o">=</span> <span class="nc">TrustPolicy</span><span class="p">(</span> <span class="n">minimum_score</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="c1"># below this, agent is quarantined </span> <span class="n">require_human_approval</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="c1"># below this, human must approve actions </span> <span class="n">full_autonomy</span><span class="o">=</span><span class="mi">800</span><span class="p">,</span> <span class="c1"># above this, agent operates freely </span><span class="p">)</span> </code></pre> </div> <p>This is how the system handles compromised agents gracefully. An agent that starts behaving badly loses trust, gets restricted, and eventually gets quarantined — automatically, without human intervention.</p> <h2> Delegation Chains: Limited Capability Grants </h2> <p>In multi-agent systems, parent agents often spawn child agents to handle subtasks. The challenge: how do you give a child agent enough capability to do its job without giving it unlimited power?</p> <p>The answer is delegation chains — cryptographically signed capability grants with explicit limits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.delegation</span> <span class="kn">import</span> <span class="n">DelegationChain</span> <span class="c1"># Parent agent creates a limited delegation for child </span><span class="n">delegation</span> <span class="o">=</span> <span class="n">DelegationChain</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">parent_identity</span><span class="o">=</span><span class="n">orchestrator_identity</span><span class="p">,</span> <span class="n">child_did</span><span class="o">=</span><span class="sh">"</span><span class="s">did:key:z6Mk...</span><span class="sh">"</span><span class="p">,</span> <span class="n">granted_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># subset of parent's capabilities </span> <span class="n">excluded_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">delete_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_depth</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="c1"># child cannot further delegate more than 2 levels </span> <span class="n">expires_in_seconds</span><span class="o">=</span><span class="mi">300</span><span class="p">,</span> <span class="c1"># delegation expires in 5 minutes </span><span class="p">)</span> </code></pre> </div> <p>The child agent presents this delegation when making requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Child agent acts with delegated authority </span><span class="n">result</span> <span class="o">=</span> <span class="n">child_agent</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">action</span><span class="o">=</span><span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">/data/analysis.csv</span><span class="sh">"</span><span class="p">},</span> <span class="n">delegation</span><span class="o">=</span><span class="n">delegation</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>The toolkit verifies the entire delegation chain before execution:</p> <ul> <li>Is the delegation cryptographically valid?</li> <li>Is the requested capability within the granted scope?</li> <li>Has the delegation expired?</li> <li>Is the delegation depth within limits?</li> </ul> <p>If any check fails, the action is rejected. A compromised child agent cannot exceed the capabilities its parent explicitly granted.</p> <h2> A Practical Example: 3 Agents Collaborating </h2> <p>Here's how trust verification plays out in a real multi-agent workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.identity</span> <span class="kn">import</span> <span class="n">AgentIdentity</span> <span class="kn">from</span> <span class="n">agent_os.trust</span> <span class="kn">import</span> <span class="n">TrustEngine</span> <span class="kn">from</span> <span class="n">agent_os.delegation</span> <span class="kn">import</span> <span class="n">DelegationChain</span> <span class="c1"># Agent 1: Orchestrator (high trust, broad capabilities) </span><span class="n">orchestrator</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Agent 2: Researcher (medium trust, search only) </span><span class="n">researcher</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Agent 3: Writer (medium trust, write only) </span><span class="n">writer</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write_file</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">trust</span> <span class="o">=</span> <span class="nc">TrustEngine</span><span class="p">()</span> <span class="n">trust</span><span class="p">.</span><span class="nf">set_score</span><span class="p">(</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="mi">900</span><span class="p">)</span> <span class="n">trust</span><span class="p">.</span><span class="nf">set_score</span><span class="p">(</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="mi">700</span><span class="p">)</span> <span class="n">trust</span><span class="p">.</span><span class="nf">set_score</span><span class="p">(</span><span class="sh">"</span><span class="s">writer</span><span class="sh">"</span><span class="p">,</span> <span class="mi">700</span><span class="p">)</span> <span class="c1"># Orchestrator delegates research task to researcher </span><span class="n">research_delegation</span> <span class="o">=</span> <span class="n">DelegationChain</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">parent_identity</span><span class="o">=</span><span class="n">orchestrator</span><span class="p">,</span> <span class="n">child_did</span><span class="o">=</span><span class="n">researcher</span><span class="p">.</span><span class="n">did</span><span class="p">,</span> <span class="n">granted_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_depth</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">expires_in_seconds</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Researcher executes with verified delegation # Toolkit checks: valid signature + sufficient trust + within capability scope </span><span class="n">result</span> <span class="o">=</span> <span class="n">researcher</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">action</span><span class="o">=</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="n">query</span><span class="o">=</span><span class="sh">"</span><span class="s">latest AI governance frameworks</span><span class="sh">"</span><span class="p">,</span> <span class="n">delegation</span><span class="o">=</span><span class="n">research_delegation</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Orchestrator delegates writing task to writer </span><span class="n">write_delegation</span> <span class="o">=</span> <span class="n">DelegationChain</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">parent_identity</span><span class="o">=</span><span class="n">orchestrator</span><span class="p">,</span> <span class="n">child_did</span><span class="o">=</span><span class="n">writer</span><span class="p">.</span><span class="n">did</span><span class="p">,</span> <span class="n">granted_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">write_file</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_depth</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">expires_in_seconds</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Writer cannot exceed delegated scope # This would be rejected — send_email not in delegation </span><span class="n">writer</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">action</span><span class="o">=</span><span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">,</span> <span class="n">delegation</span><span class="o">=</span><span class="n">write_delegation</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># SecurityError: capability 'send_email' not in delegation scope </span></code></pre> </div> <p>Every interaction is verified. Every capability grant is explicit and time-limited. No agent can exceed what it was explicitly authorized to do.</p> <h2> Comparison With Human Trust Models </h2> <p>The cryptographic trust model mirrors how humans establish trust in high-stakes environments:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Human World</th> <th>Agent Mesh</th> </tr> </thead> <tbody> <tr> <td>Government-issued ID</td> <td>Ed25519 key pair + DID</td> </tr> <tr> <td>Signed contract</td> <td>Signed message</td> </tr> <tr> <td>Professional reputation</td> <td>Trust score</td> </tr> <tr> <td>Power of attorney</td> <td>Delegation chain</td> </tr> <tr> <td>Expiry date on credentials</td> <td>TTL on delegations</td> </tr> <tr> <td>Revocation list</td> <td>Trust score below threshold</td> </tr> </tbody> </table></div> <p>The difference: human trust systems have gaps. IDs can be forged. Signatures can be disputed. Reputation takes months to establish. The cryptographic model is mathematically verifiable — either the signature is valid or it isn't. Either the capability was granted or it wasn't.</p> <h2> Why This Matters for Production Systems </h2> <p>Most teams building multi-agent systems today are operating on implicit trust — agents interact freely, permissions are not enforced, and there's no audit trail of inter-agent communication.</p> <p>This works fine in development. It becomes a serious problem in production, where:</p> <ul> <li>Agents interact at scale across organizational boundaries</li> <li>Compromised agents can propagate bad behavior to other agents</li> <li>Regulatory requirements demand audit trails of automated decisions</li> <li>A single rogue agent in a mesh can corrupt the entire workflow</li> </ul> <p>The zero-trust mesh approach — verify every identity, validate every capability, audit every interaction — is how you build multi-agent systems that are safe to run in production.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>Full source code and documentation:<br> 👉 <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> agents ai security systemdesign I Added Governance to My AI Agent in 30 Minutes — Here's How Kanish Tyagi Wed, 08 Apr 2026 18:33:51 +0000 https://dev.to/kanishtyagii/i-added-governance-to-my-ai-agent-in-30-minutes-heres-how-54k6 https://dev.to/kanishtyagii/i-added-governance-to-my-ai-agent-in-30-minutes-heres-how-54k6 <p>A few weeks ago I was building a LangChain agent and realized I had no idea what it was actually doing. It could call any tool, write anything to memory, make unlimited API calls. It was essentially unsupervised.</p> <p>Then I found Microsoft's <code>agent-governance-toolkit</code>. I added governance to my agent in about 30 minutes. Here's exactly how.</p> <h2> What We're Building </h2> <p>A LangChain agent that:</p> <ul> <li>Can only use approved tools</li> <li>Blocks dangerous patterns (SQL injection, destructive commands, PII)</li> <li>Logs every action for audit</li> <li>Stops itself when it hits a call budget</li> </ul> <p>No rewrites. Just a governance wrapper around your existing agent.</p> <h2> Step 1: Install (2 minutes) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>Verify it works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>agent-governance verify </code></pre> </div> <p>You should see a green checkmark. You're ready.</p> <h2> Step 2: Your First Policy (5 minutes) </h2> <p>Before governance, your agent looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.chat_models</span> <span class="kn">import</span> <span class="n">ChatOpenAI</span> <span class="kn">from</span> <span class="n">langchain.agents</span> <span class="kn">import</span> <span class="n">initialize_agent</span><span class="p">,</span> <span class="n">AgentType</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">ChatOpenAI</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">)</span> <span class="n">agent</span> <span class="o">=</span> <span class="nf">initialize_agent</span><span class="p">(</span><span class="n">tools</span><span class="p">,</span> <span class="n">llm</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">AgentType</span><span class="p">.</span><span class="n">ZERO_SHOT_REACT_DESCRIPTION</span><span class="p">)</span> <span class="c1"># No limits. No logging. No audit trail. </span><span class="n">agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="sh">"</span><span class="s">Do whatever the user asks</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>After governance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.chat_models</span> <span class="kn">import</span> <span class="n">ChatOpenAI</span> <span class="kn">from</span> <span class="n">langchain.agents</span> <span class="kn">import</span> <span class="n">initialize_agent</span><span class="p">,</span> <span class="n">AgentType</span> <span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">ChatOpenAI</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">)</span> <span class="n">base_agent</span> <span class="o">=</span> <span class="nf">initialize_agent</span><span class="p">(</span><span class="n">tools</span><span class="p">,</span> <span class="n">llm</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">AgentType</span><span class="p">.</span><span class="n">ZERO_SHOT_REACT_DESCRIPTION</span><span class="p">)</span> <span class="c1"># Define what your agent is allowed to do </span><span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">my-first-policy</span><span class="sh">"</span><span class="p">,</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">log_all_calls</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Wrap your existing agent — no rewrite needed </span><span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed_agent</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">base_agent</span><span class="p">)</span> <span class="c1"># Same interface, now governed </span><span class="n">governed_agent</span><span class="p">.</span><span class="nf">invoke</span><span class="p">({</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Help me analyze this dataset</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <p>That's it. Your agent now has a policy layer.</p> <h2> Step 3: Add Tool Restrictions (5 minutes) </h2> <p>You probably don't want your agent to be able to delete files or execute arbitrary shell commands. Add an allowlist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">restricted-policy</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Only these tools are allowed </span> <span class="n">allowed_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># These are always blocked regardless </span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># destructive shell </span> <span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># SQL injection </span> <span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># SSN pattern </span> <span class="sa">r</span><span class="sh">"</span><span class="s">password\s*[:=]</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># credential leak </span> <span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># This gets blocked before reaching the LLM </span><span class="n">allowed</span><span class="p">,</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">pre_execute</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="sh">"</span><span class="s">Execute: DROP TABLE users</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">allowed</span><span class="p">)</span> <span class="c1"># False </span><span class="nf">print</span><span class="p">(</span><span class="n">reason</span><span class="p">)</span> <span class="c1"># "Blocked pattern 'DROP TABLE' detected" </span> <span class="c1"># This passes through </span><span class="n">allowed</span><span class="p">,</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">pre_execute</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="sh">"</span><span class="s">Search for recent AI papers</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">allowed</span><span class="p">)</span> <span class="c1"># True </span></code></pre> </div> <p>The rejection happens at the code layer — the model never sees the blocked input.</p> <h2> Step 4: Add Audit Logging (5 minutes) </h2> <p>Every action your agent takes is now logged automatically when <code>log_all_calls=True</code>. But you can also inspect the audit trail directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="n">audit_log</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">on_action</span><span class="p">(</span><span class="n">event</span><span class="p">):</span> <span class="n">audit_log</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">),</span> <span class="p">})</span> <span class="c1"># Check what happened </span><span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">audit_log</span><span class="p">:</span> <span class="n">status</span> <span class="o">=</span> <span class="sh">"</span><span class="s">✅ ALLOWED</span><span class="sh">"</span> <span class="k">if</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">]</span> <span class="k">else</span> <span class="sh">"</span><span class="s">🚫 BLOCKED</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">entry</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> — </span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">entry</span><span class="p">[</span><span class="sh">'</span><span class="s">input</span><span class="sh">'</span><span class="p">][</span><span class="si">:</span><span class="mi">50</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>In production, this goes to your observability stack. During development, it tells you exactly what your agent tried to do.</p> <h2> Step 5: Run the OWASP Compliance Check (3 minutes) </h2> <p>The toolkit includes a built-in compliance checker against the OWASP Agentic Top 10:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>agent-governance verify <span class="nt">--badge</span> </code></pre> </div> <p>This checks your configuration against known attack vectors:</p> <ul> <li>Prompt injection resistance</li> <li>Tool poisoning detection </li> <li>Data exfiltration patterns</li> <li>Privilege escalation blocks</li> </ul> <p>You get a pass/fail report with specific recommendations.</p> <h2> Before vs After </h2> <p>Here's what changed in 30 minutes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Tool calls</td> <td>Unlimited</td> <td>Max 10 per session</td> </tr> <tr> <td>Dangerous inputs</td> <td>Passed to LLM</td> <td>Blocked before LLM</td> </tr> <tr> <td>PII handling</td> <td>Unvalidated</td> <td>Checked on every write</td> </tr> <tr> <td>Audit trail</td> <td>None</td> <td>Every action logged</td> </tr> <tr> <td>OWASP compliance</td> <td>Unknown</td> <td>Verified</td> </tr> <tr> <td>Performance overhead</td> <td>—</td> <td>&lt;0.1ms per action check</td> </tr> </tbody> </table></div> <p>The last point matters: governance doesn't slow your agent down in any meaningful way. The policy checks are in-process Python, not network calls.</p> <h2> What I Learned Contributing to This Repo </h2> <p>I spent the past week contributing code to this toolkit — fixing bugs, adding docstrings, building Colab notebooks. Here's what surprised me:</p> <p><strong>The attack surface is bigger than you think.</strong> I saw how MCP tool poisoning works, how PII leaks into memory writes, how delegation chains can be exploited. None of these are theoretical. They're patterns security researchers are actively demonstrating.</p> <p><strong>Wrapping is better than rewriting.</strong> The governance layer wraps your existing agent. You don't throw away your prompts or your framework. You add a code layer underneath them. That's the right architecture.</p> <p><strong>Auditability is the real value.</strong> The blocked requests matter less than the audit trail. Knowing what your agent <em>tried</em> to do — even when it was allowed — is how you understand and improve agent behavior in production.</p> <h2> Try It Yourself </h2> <p>The full toolkit is open source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>There are also interactive Colab notebooks (which I built!) that let you explore policy enforcement, MCP security scanning, and multi-agent governance without any local setup:</p> <p>👉 <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <p>The quickstart takes 10 minutes. The governance layer takes 5 more.</p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> ai python tutorial opensource Policy-as-Code vs Prompt Engineering — When Guardrails Need Governance Kanish Tyagi Sun, 05 Apr 2026 12:20:44 +0000 https://dev.to/kanishtyagii/policy-as-code-vs-prompt-engineering-when-guardrails-need-governance-23pi https://dev.to/kanishtyagii/policy-as-code-vs-prompt-engineering-when-guardrails-need-governance-23pi <p>I've been contributing to Microsoft's <code>agent-governance-toolkit</code> for the past few weeks — fixing bugs, writing docstrings, building Colab notebooks. And the more I dug into the codebase, the more one question kept coming up: <em>why can't you just use a well-crafted system prompt to keep your agent safe?</em></p> <p>The short answer: you can. Until you can't.</p> <h2> The Prompt Engineering Approach </h2> <p>Prompt-level guardrails look like this:</p> <blockquote> <p>"You are a helpful assistant. Never recommend illegal activities. Never share personal user data. Always stay within budget constraints."</p> </blockquote> <p>This works remarkably well — right up until it doesn't. The problem is structural: your guardrail lives inside the model's context window, which means it's subject to the same probabilistic reasoning as everything else the model does.</p> <p>Three things consistently break prompt-only guardrails:</p> <p><strong>Jailbreak attacks.</strong> Users have discovered that framing requests differently — roleplay scenarios, "hypothetical" framings, multi-step manipulations — can cause models to comply with things they were explicitly told not to do. This isn't a bug in the model. It's a feature of how language models work. They follow the most compelling framing of the current context.</p> <p><strong>Context window exhaustion.</strong> A long conversation eventually pushes your system prompt out of the context window. Your "never exceed budget" guardrail disappears after message 40. The model doesn't know what it forgot.</p> <p><strong>Model dependency.</strong> A guardrail tuned for GPT-4 behaves differently on Claude, which behaves differently on Llama. Every model swap means re-testing every prompt. At scale, that's not sustainable.</p> <h2> The Policy-as-Code Approach </h2> <p>Policy-as-code doesn't ask the model to follow rules. It enforces rules in code, before and after the model is ever called.</p> <p>Here's what that looks like with the agent-governance-toolkit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">require_human_approval</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed_agent</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">my_chain</span><span class="p">)</span> </code></pre> </div> <p>Every call to <code>governed_agent.invoke()</code> now goes through a policy check <em>before</em> it reaches the model. If the input matches a blocked pattern — SQL injection, destructive command, SSN pattern — the call is rejected. The model never sees it.</p> <p>This is a fundamentally different architecture. The guardrail isn't in the model's context. It's in your infrastructure.</p> <h2> Where Each Approach Fails </h2> <p>Neither approach is complete on its own.</p> <p><strong>Where prompt engineering fails:</strong></p> <ul> <li>Adversarial users who iterate on jailbreaks</li> <li>Long-running agents where context window limits apply</li> <li>Multi-model deployments where you can't tune per model</li> <li>Compliance scenarios where you need an audit trail</li> </ul> <p><strong>Where policy-as-code falls short:</strong></p> <ul> <li>Creative tasks where rules can't capture nuance</li> <li>Behavioral style (tone, personality, format)</li> <li>Rapid iteration — changing a policy requires a code deploy</li> <li>User experience — prompts understand context, rules do not</li> </ul> <p>A guardrail that says <code>blocked_patterns=["inappropriate content"]</code> can't capture the infinite ways "inappropriate" manifests in natural language. A prompt can. But a prompt can't guarantee that a rule is never violated. Code can.</p> <h2> Real Example: PII in Memory Writes </h2> <p>Here's a concrete failure mode I saw while contributing to this toolkit.</p> <p>An agent with memory capabilities might inadvertently write a user's SSN into its long-term memory during a conversation about financial planning. A prompt guardrail saying "never store sensitive data" relies on the model recognizing what counts as sensitive — and recognizing it every single time, across thousands of conversations.</p> <p>The toolkit handles this differently. Memory writes are intercepted at the code layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">_PII_PATTERNS</span> <span class="o">=</span> <span class="p">[</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># SSN </span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># email </span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">\b(?:password|secret|token)\s*[:=]\s*\S+</span><span class="sh">"</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">IGNORECASE</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <p>Before anything is written to memory, it's checked against these patterns. If a match is found, the write is blocked and a <code>PolicyViolationError</code> is raised. The model's cooperation is irrelevant — the rule is enforced in code.</p> <h2> The Layered Model That Actually Works </h2> <p>The right answer isn't "choose one." It's to use both at the right layer.</p> <p><strong>Use policy-as-code for:</strong></p> <ul> <li>Hard constraints that must never be violated (safety, compliance, budget)</li> <li>Anything that needs an audit trail</li> <li>Rules that apply regardless of model behavior</li> <li>Security boundaries (tool allowlists, blocked patterns, call budgets)</li> </ul> <p><strong>Use prompt engineering for:</strong></p> <ul> <li>Behavioral style and tone</li> <li>Output formatting</li> <li>Persona and creative direction</li> <li>User experience nuances</li> </ul> <p><strong>Use human-in-the-loop for:</strong></p> <ul> <li>High-stakes decisions that exceed both layers</li> <li>Ambiguous cases the policy engine flags as uncertain</li> <li>Exception handling with accountability</li> </ul> <p>Think of it as defense in depth. Prompts guide behavior. Policies enforce limits. Humans handle edge cases. No single layer carries all the weight.</p> <h2> A Concrete Starting Point </h2> <p>If you're building agents today without a policy layer, here's the minimum viable governance setup using the toolkit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="c1"># Start with just these three </span><span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># safety </span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="c1"># budget </span> <span class="n">log_all_calls</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># audit trail </span><span class="p">)</span> <span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">your_existing_agent</span><span class="p">)</span> </code></pre> </div> <p>You don't need to rewrite your agent. You wrap it. Your existing prompts stay. You've added a code-layer enforcement layer underneath them.</p> <h2> The Bigger Picture </h2> <p>The shift from prompt-only to policy + prompt is the maturation of agent governance. It's the difference between "I hope my agent behaves" and "I can prove my agent behaves."</p> <p>Prompt engineering got us to where we are. It's powerful and flexible and necessary. But as agents move into production — taking real actions, handling real data, running autonomously at scale — "I told it not to" is no longer sufficient as a governance strategy.</p> <p>Policy-as-code is how you make agent behavior auditable, testable, and enforceable. Not instead of good prompts. On top of them.</p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> <p><em>Source code and docs: <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></em></p> ai opensource security machinelearning Why AI Agent Governance Matters in 2026 Kanish Tyagi Fri, 03 Apr 2026 03:53:48 +0000 https://dev.to/kanishtyagii/why-ai-agent-governance-matters-in-2026-4mnk https://dev.to/kanishtyagii/why-ai-agent-governance-matters-in-2026-4mnk <p>A few weeks ago I was browsing GitHub looking for open source projects to contribute to. I stumbled on Microsoft's <code>agent-governance-toolkit</code> and decided to dig in. What I found surprised me — not because the code was impressive (it was), but because the <em>problem</em> it solved was one I hadn't thought seriously about before.</p> <p>We talk a lot about building AI agents. We don't talk nearly enough about what happens when they go wrong.</p> <h2> The Rise of Autonomous AI Agents </h2> <p>In 2026, AI agents aren't a research curiosity anymore. They're running in production. Companies are deploying agents that browse the web, write and execute code, query databases, send emails, and call external APIs — all without a human in the loop for each step.</p> <p>This is genuinely powerful. An agent that can autonomously research, analyze, and act can compress hours of work into minutes. But there's a problem that comes with that power that most teams are only starting to reckon with: <strong>an agent that can do anything, will eventually do the wrong thing.</strong></p> <p>Not out of malice. Out of ambiguity, edge cases, and the fundamental unpredictability of systems built on probabilistic models.</p> <h2> What Can Go Wrong — And Does </h2> <p>Let me give you concrete examples from patterns I saw while contributing to this toolkit.</p> <p><strong>Data exfiltration via MCP tool poisoning.</strong> MCP (Model Context Protocol) is a standard for giving agents access to tools. What most teams don't realize is that an attacker can embed hidden instructions directly in a tool's description. The agent reads the description, interprets it as instructions, and suddenly a "read file" tool is quietly sending your data to an external endpoint. The attack is invisible at the UI level. It lives in the metadata.</p> <p><strong>Runaway tool calls.</strong> An agent that's allowed to call tools indefinitely will sometimes loop. A bug in the task framing, an ambiguous goal, or an unexpected API response can send an agent into a cycle that burns through API credits, hits rate limits, or worse — makes irreversible changes at scale.</p> <p><strong>PII in memory writes.</strong> Agents with memory capabilities can inadvertently store sensitive user data — SSNs, emails, API keys embedded in text — in their long-term memory. Without validation at the write layer, that data persists and propagates.</p> <p><strong>Prompt injection across delegation chains.</strong> When agents spawn sub-agents (which is increasingly common in multi-agent architectures), each handoff is an attack surface. A malicious instruction injected early in a chain can propagate through multiple agents before anyone realizes something is wrong.</p> <p>These aren't theoretical. Security researchers are actively demonstrating all of these attack patterns in the wild right now.</p> <h2> What Governance Actually Means </h2> <p>"Governance" is one of those words that sounds bureaucratic until you see what the absence of it costs.</p> <p>In practical terms, governance for AI agents means three things:</p> <p><strong>1. Policy enforcement before execution.</strong> Every tool call, every action an agent wants to take, gets checked against a set of rules <em>before</em> it happens. Not after. Not logged for review later. Before. If the action matches a blocked pattern — a SQL injection attempt, a destructive shell command, a PII pattern — it's stopped. The agent gets a policy violation error. The action doesn't execute.</p> <p><strong>2. Audit logging you can actually use.</strong> Every action an agent takes, whether allowed or blocked, gets recorded with enough context to understand what happened. Not just "agent called tool X" but which agent, which context, what the input was, what the policy decision was, and why.</p> <p><strong>3. Budget and circuit breaker enforcement.</strong> Agents need hard limits — on the number of tool calls per session, on the delegation depth between agents, on execution time. When those limits are hit, the agent stops. Not degrades gracefully. Stops.</p> <h2> How agent-governance-toolkit Implements This </h2> <p>This is where it gets concrete. The toolkit wraps your existing agent frameworks — LangChain, CrewAI, AutoGen, PydanticAI, smolagents, Google ADK — with a governance layer that sits between your agent and the outside world.</p> <p>You define a policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">require_human_approval</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Then you wrap your agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed_agent</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">my_langchain_chain</span><span class="p">)</span> </code></pre> </div> <p>Every call to <code>governed_agent.invoke()</code> now goes through a pre-execution check. If the input matches a blocked pattern, the call is rejected before reaching the LLM or any external service. If the agent has exceeded its tool call budget, the call is rejected. If the output contains something problematic, the post-execution check catches it.</p> <p>The interception happens at multiple levels. Deep hooks intercept individual tool calls within the agent, memory writes are validated for PII before they're saved, and delegation chains between sub-agents are tracked and depth-limited.</p> <p>For MCP specifically, the toolkit includes a security scanner that checks tool definitions for poisoning patterns — hidden instructions, exfiltration attempts, privilege escalation, role overrides — before those tools are registered with the agent.</p> <h2> Key Concepts Worth Understanding </h2> <p><strong>The trust mesh.</strong> In a multi-agent system, trust isn't binary. Different agents should have different permission levels based on their role, their source, and the context they're operating in. The toolkit models this through trust cards and identity verification — each agent has a verifiable identity, and policies can be scoped to specific agents or roles.</p> <p><strong>Policy as code.</strong> Governance policies are defined as YAML files that can be version-controlled, reviewed, and deployed like any other configuration. They have a schema, they can be validated before deployment (<code>agentos policy validate</code>), and they can be diffed between versions. You don't want to be manually updating code every time a new blocked pattern needs to be added.</p> <p><strong>SLOs for agents.</strong> Just like you set service level objectives for APIs and infrastructure, you can set them for agents. Error rate thresholds, latency limits, availability targets. When an agent breaches its SLO, a circuit breaker trips and the agent is taken out of service. This prevents a degraded agent from silently producing bad outputs at scale.</p> <p><strong>Audit logging as a first-class concern.</strong> Every governance decision — allow or block — is recorded with full context. This isn't just for debugging. It's for compliance, incident response, and understanding actual agent behavior in production over time.</p> <h2> Why This Matters Now </h2> <p>The timing matters. We're at an inflection point.</p> <p>Most teams deploying AI agents today are doing so without any governance layer. They're moving fast, the agents are working well enough in testing, and governance feels like a problem for later. But "later" in AI agent deployments often means "after the first serious incident."</p> <p>The cost of retrofitting governance onto an existing agent system is much higher than building it in from the start. The audit trail doesn't exist yet, the policy boundaries haven't been defined, and the agents have already been granted permissions that are difficult to revoke without breaking workflows.</p> <p>This isn't just a security problem either. It's a reliability problem and a trust problem. If your agents take actions that users or customers didn't expect and can't explain, trust in the system erodes quickly. Governance is what makes agent behavior predictable and explainable — not just safe.</p> <h2> Getting Started </h2> <p>The quickstart takes about 10 minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>There are also three interactive Google Colab notebooks that let you explore the toolkit without setting anything up locally:</p> <ul> <li> <strong>Policy Enforcement 101</strong> — define a policy, see violations blocked in real time</li> <li> <strong>MCP Security Proxy</strong> — scan tool definitions for poisoning patterns</li> <li> <strong>Multi-Agent Governance</strong> — SLOs, circuit breakers, chaos testing</li> </ul> <p>Full source code and docs: <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <h2> A Note From a Contributor </h2> <p>I came to this project as someone who builds ML models and data pipelines — not a security engineer. But contributing to this codebase changed how I think about agent design. The attack surfaces are real, the failure modes are unintuitive, and the tooling to address them is still early.</p> <p>If you're building agents in production, governance isn't optional. It's the difference between a system you can operate confidently and one you're constantly firefighting.</p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington and open source contributor. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> ai opensource security machinelearning