<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Imran Siddique</title>
    <description>The latest articles on DEV Community by Imran Siddique (@mosiddi).</description>
    <link>https://dev.to/mosiddi</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3672280%2F7ad22e95-3054-4afd-ba09-0fdc0e9cf836.jpg</url>
      <title>DEV Community: Imran Siddique</title>
      <link>https://dev.to/mosiddi</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/mosiddi"/>
    <language>en</language>
    <item>
      <title>A signed JWT proves who called your API. It proves nothing about the agent that made the call. Not which system prompt...</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Mon, 29 Jun 2026 21:20:55 +0000</pubDate>
      <link>https://dev.to/mosiddi/a-signed-jwt-proves-who-called-your-api-it-proves-nothing-about-the-agent-that-made-the-call-not-7lm</link>
      <guid>https://dev.to/mosiddi/a-signed-jwt-proves-who-called-your-api-it-proves-nothing-about-the-agent-that-made-the-call-not-7lm</guid>
      <description>&lt;p&gt;A signed JWT proves who called your API. It proves nothing about the agent that made the call.  &lt;/p&gt;

&lt;p&gt;Not which system prompt defined its behavior. Not which model version ran. Not which tools were authorized. Not whether the policy bundle in memory matches what your security team reviewed. Not whether a human approved the configuration before it shipped.  &lt;/p&gt;

&lt;p&gt;Authentication answers "who is calling." Attestation answers "is the thing running right now the thing we approved." In regulated environments, it is the second question that gets your deployment signed off, and today almost nobody can answer it with anything stronger than operator documentation.&lt;br&gt;&lt;br&gt;
Every AI agent has ten surfaces that define its full trust boundary: system prompt, policy bundle, tool manifest, model identity, RAG corpus, memory baseline, decision trace, delegation, supply chain, and human approvals. None of them have a standard attestation mechanism. Each one is an unguarded door.  &lt;/p&gt;

&lt;p&gt;Agent Manifest binds all ten into one signed, hardware-attestable record, so a third party who does not trust the operator can still prove what actually ran. Open spec, on track for the Linux Foundation, shipped last week at the Confidential Computing Summit. Full breakdown in my newsletter, Proof, Not Promises.  &lt;/p&gt;

&lt;p&gt;If you are deploying agents against regulated data: which of those ten surfaces can you prove today, and which are still running on trust?  &lt;/p&gt;

&lt;h1&gt;
  
  
  AIGovernance #AgentSecurity #ConfidentialComputing #OpenStandards #AgentManifest
&lt;/h1&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>api</category>
      <category>security</category>
    </item>
    <item>
      <title>New edition of Proof, Not Promises is live.</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Mon, 29 Jun 2026 15:11:58 +0000</pubDate>
      <link>https://dev.to/mosiddi/new-edition-of-proof-not-promises-is-live-4l5h</link>
      <guid>https://dev.to/mosiddi/new-edition-of-proof-not-promises-is-live-4l5h</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia.licdn.com%2Fdms%2Fimage%2Fv2%2FD5612AQE_i4CxsrZxUw%2Farticle-cover_image-shrink_720_1280%2FB56Z8T5fO6GsAQ-%2F0%2F1782745265413%3Fe%3D2147483647%26v%3Dbeta%26t%3DVg_FEXz36gNhhtkMP9QgbhKk4z0vR-ATVqtunuhFRZU" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia.licdn.com%2Fdms%2Fimage%2Fv2%2FD5612AQE_i4CxsrZxUw%2Farticle-cover_image-shrink_720_1280%2FB56Z8T5fO6GsAQ-%2F0%2F1782745265413%3Fe%3D2147483647%26v%3Dbeta%26t%3DVg_FEXz36gNhhtkMP9QgbhKk4z0vR-ATVqtunuhFRZU" width="1280" height="720"&gt;&lt;/a&gt;&lt;br&gt;
New edition of Proof, Not Promises is live.  &lt;/p&gt;

&lt;p&gt;Here: &lt;a href="https://www.linkedin.com/pulse/prove-what-your-agent-just-who-called-imran-siddique-xtyuc/?trackingId=0NWBZruyTrSojWvmpDzYLw%3D%3D" rel="noopener noreferrer"&gt;https://www.linkedin.com/pulse/prove-what-your-agent-just-who-called-imran-siddique-xtyuc/?trackingId=0NWBZruyTrSojWvmpDzYLw%3D%3D&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  AIGovernance #AgentSecurity #ConfidentialComputing #OpenStandards #AgentManifest
&lt;/h1&gt;

</description>
    </item>
    <item>
      <title>[Part 5] 20 Hard Questions About AI Agent Governance That Nobody Is Asking</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Fri, 26 Jun 2026 20:36:44 +0000</pubDate>
      <link>https://dev.to/mosiddi/part-5-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-13b3</link>
      <guid>https://dev.to/mosiddi/part-5-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-13b3</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2AbJ_xu2rti_yjL074" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2AbJ_xu2rti_yjL074" width="760" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If your agent processes data in Region A, reasons using a model in Region B, calls a tool in Region C, and stores results in Region D, whose laws apply?&lt;/p&gt;

&lt;p&gt;As we move toward a global Agent OS, we have to face the fact that “Sovereignty” is actually two distinct problems stacked on top of each other.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. The Sovereignty Stack
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Deployment Jurisdiction:&lt;/strong&gt; This is the physical reality of where your bits live. It’s about data residency, server location, and the local laws governing the hardware.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Operating-Model Jurisdiction:&lt;/strong&gt; This is the governance framework that travels with the agent, regardless of where it’s hosted. It’s the set of rules that must apply even if the agent is operating in a “neutral” or cross-border environment.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Separating these is critical. You can have a sovereign deployment but a failed governance model, or a strict framework operating on insecure residency. To solve both, I built the &lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;Agent Governance Toolkit (AGT)&lt;/a&gt; with a zero-vendor-dependency architecture. It allows for air-gapped deployments while maintaining a consistent governance layer that doesn’t drift when the agent crosses digital borders.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. The Illusion Delta and the Non-Deterministic OS
&lt;/h3&gt;

&lt;p&gt;In &lt;a href="https://dev.to/mosiddi/20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-1gbe"&gt;Part 1&lt;/a&gt;, I introduced the &lt;strong&gt;Illusion Delta&lt;/strong&gt; , the gap between an agent’s perceived safety and its actual behavior over time. This is why the traditional OS metaphor is breaking.&lt;/p&gt;

&lt;p&gt;Traditional operating systems assume deterministic processes where functional correctness is a guarantee. &lt;strong&gt;LLM-powered agents are fundamentally non-deterministic.&lt;/strong&gt; Because an agent can declare one intent and perform another, pre-action policy gates are no longer enough. The “Illusion Delta” exists precisely because agents can deviate after the gate has opened.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. The Unified Architecture of Governance
&lt;/h3&gt;

&lt;p&gt;To bridge this gap, we need a unified architectural stance rather than a list of parallel features. My philosophy for the future of Agent OS is built on three legs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Continuous Observability&lt;/strong&gt; fills the determinism gap by monitoring behavior in real-time.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Adaptive Trust&lt;/strong&gt; solves the time-decay problem, adjusting permissions as observed behavior diverges from intent.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Human Authority&lt;/strong&gt; is the load-bearing constraint that makes the other two viable.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without human authority as the ultimate root of trust, observability and trust scoring have no baseline for “correctness.”&lt;/p&gt;

&lt;h3&gt;
  
  
  4. The Non-Negotiable Principle
&lt;/h3&gt;

&lt;p&gt;In the future, agents will consume governance. They will read policies, suggest optimizations, and draft new rules. But the &lt;strong&gt;super-control&lt;/strong&gt; , the ultimate authority to approve those rules, must never transfer to the agent.&lt;/p&gt;

&lt;p&gt;This is the core of the AGT project: humans set the rules, agents follow them, and no amount of agent capability should change that hierarchy.&lt;/p&gt;

&lt;h3&gt;
  
  
  Series Wrap-Up
&lt;/h3&gt;

&lt;p&gt;These 20 questions are the roadmap for the next generation of large-scale system design.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Observability&lt;/strong&gt; is the new security.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Trust&lt;/strong&gt; is earned and adaptive, never static.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Scale by Subtraction&lt;/strong&gt; remains the goal: removing the complexity of manual oversight to make room for governed autonomy.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’re building with AI agents, these questions will find you. Better to answer them now.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://www.linkedin.com/pulse/part-5-20-hard-questions-ai-agent-governance-nobody-asking-siddique-peiqc/?trackingId=1UF3iT4PpKUOpuFIYAUH9A%3D%3D" rel="noopener noreferrer"&gt;&lt;em&gt;https://www.linkedin.com&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>architecture</category>
      <category>humanintheloop</category>
      <category>artificialgeneralint</category>
      <category>aiethics</category>
    </item>
    <item>
      <title>If you want to understand what Agent Governance Toolkit actually does, this is the best place to start. This video explains...</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Thu, 25 Jun 2026 20:26:09 +0000</pubDate>
      <link>https://dev.to/mosiddi/if-you-want-to-understand-what-agent-governance-toolkit-actually-does-this-is-the-best-place-to-365a</link>
      <guid>https://dev.to/mosiddi/if-you-want-to-understand-what-agent-governance-toolkit-actually-does-this-is-the-best-place-to-365a</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia.licdn.com%2Fdms%2Fimage%2Fsync%2Fv2%2FD5627AQHgWYao6VM_ww%2Farticleshare-shrink_800%2FB56Z72MWztGcAY-%2F0%2F1782246895504%3Fe%3D2147483647%26v%3Dbeta%26t%3D-zjegD7soiW4zlwPBlh5WFUtyjnrn92F8d855xqG814" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia.licdn.com%2Fdms%2Fimage%2Fsync%2Fv2%2FD5627AQHgWYao6VM_ww%2Farticleshare-shrink_800%2FB56Z72MWztGcAY-%2F0%2F1782246895504%3Fe%3D2147483647%26v%3Dbeta%26t%3D-zjegD7soiW4zlwPBlh5WFUtyjnrn92F8d855xqG814" width="640" height="480"&gt;&lt;/a&gt;&lt;br&gt;
If you want to understand what Agent Governance Toolkit actually does, this is the best place to start. This video explains the thinking behind it better than most of what I've written.  &lt;/p&gt;

&lt;p&gt;Worth watching if you're building with agents, evaluating governance tools, or just trying to understand what responsible deployment actually looks like at the infrastructure level.  &lt;/p&gt;

&lt;p&gt;&lt;a href="https://lnkd.in/gvYHDhqy" rel="noopener noreferrer"&gt;https://lnkd.in/gvYHDhqy&lt;/a&gt;  &lt;/p&gt;

&lt;p&gt;A few things you'll see covered:  &lt;/p&gt;

&lt;p&gt;🔒 Policy evaluation at the agent boundary, not the app layer&lt;br&gt;&lt;br&gt;
📋 Audit trails that work without touching your agent code&lt;br&gt;&lt;br&gt;
⚖️ Human-in-the-loop escalation chains&lt;br&gt;&lt;br&gt;
🛡️ Sandbox enforcement with command denylists&lt;br&gt;&lt;br&gt;
🌐 Python, TypeScript, .NET, Rust, Go — all supported  &lt;/p&gt;

&lt;p&gt;Open source, MIT licensed.  &lt;/p&gt;

&lt;h1&gt;
  
  
  AgentGovernance #AIAgents #ResponsibleAI #OpenSource #AIInfrastructure #MultiAgentSystems #LLMOps #AICompliance #AgentGovernanceToolkit #AIEngineering
&lt;/h1&gt;

</description>
    </item>
    <item>
      <title>[Part 4] 20 Hard Questions About AI Agent Governance That Nobody Is Asking</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Tue, 02 Jun 2026 20:02:34 +0000</pubDate>
      <link>https://dev.to/mosiddi/part-4-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-2l90</link>
      <guid>https://dev.to/mosiddi/part-4-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-2l90</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2AQdlHMAJT7PnZULSL" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2AQdlHMAJT7PnZULSL" width="760" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Part 4: The Next SolarWinds Will Be an MCP Server
&lt;/h3&gt;

&lt;p&gt;The agent supply chain is currently in a “pre-SolarWinds” era. While we are seeing an explosion in agentic capabilities, the security infrastructure is lagging behind.&lt;/p&gt;

&lt;p&gt;The early telemetry from 2026 is a wake-up call:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;492&lt;/strong&gt; exposed Model Context Protocol (MCP) servers have been discovered in recent scans.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;1,184+&lt;/strong&gt; malicious skill packages are already circulating in open repositories.&lt;/li&gt;
&lt;li&gt;Remote code execution (RCE) via tool metadata is no longer a theoretical risk; it’s a verified vulnerability.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We are currently doing “trust-on-first-use” for many agentic tools. That is the equivalent of running npm packages without checking signatures. It isn’t a matter of if a major supply chain attack happens through an agent tool, but when.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Governing the Supply Chain
&lt;/h3&gt;

&lt;p&gt;In building the &lt;strong&gt;Agent Governance Toolkit (AGT),&lt;/strong&gt; I’ve focused on a tiered defense strategy to secure this “negative space”:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Shift-Left Governance:&lt;/strong&gt; We must validate tool definitions and MCP server configurations during the CI/CD process, catching violations before they ever reach production.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The MCP Governance Proxy:&lt;/strong&gt; A deterministic enforcement layer that intercepts every tools/call. If the call doesn’t match a pre-approved signature or violates a safety constraint, the execution is blocked instantly.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Zero-Trust for Tools:&lt;/strong&gt; Treat every third-party MCP server as untrusted by default. Governance must sit as a kernel-level layer between the reasoning model and the tool execution environment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. We Need a “Decision BOM”
&lt;/h3&gt;

&lt;p&gt;Software has SBOMs (Software Bill of Materials) to track dependencies. Autonomous systems need a Decision BOM, a verifiable, immutable record that traces a decision back to its root signals.&lt;/p&gt;

&lt;p&gt;A Decision BOM allows you to audit the entire chain of thought:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The Model:&lt;/strong&gt; Which version and reasoning trace was used?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Retrieved Context:&lt;/strong&gt; What specific data (RAG) grounded the decision?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Tool Outputs:&lt;/strong&gt; Which external data points influenced the next step?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Policies:&lt;/strong&gt; Which specific rules were active at the millisecond of execution?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is the foundation of root cause analysis. When an agent fails, you shouldn’t be guessing why; you should be auditing the Decision BOM.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Debugging Architectures, Not Just Prompts
&lt;/h3&gt;

&lt;p&gt;Today, when an agent makes a mistake, the reflex is to “fix the prompt.” But in a complex supply chain, the failure is often architectural, a poisoned context, a compromised tool, or a logic collision between agents.&lt;/p&gt;

&lt;p&gt;By implementing a Decision BOM, we move from reactive prompt engineering to proactive &lt;strong&gt;Forensic Engineering&lt;/strong&gt;. This is the next frontier for AGT: making the “why” behind every agent action transparent, deterministic, and tamper-proof.&lt;/p&gt;

&lt;h3&gt;
  
  
  What’s Next?
&lt;/h3&gt;

&lt;p&gt;In Part 5, we look at the map: &lt;strong&gt;Sovereignty and Jurisdiction&lt;/strong&gt;. Where does “reasoning” actually happen, and whose laws apply when an agent processes data across digital borders?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://www.linkedin.com/pulse/part-4-20-hard-questions-ai-agent-governance-nobody-asking-siddique-difkc/?trackingId=xR6cgolXIsdcAXblfioHLA%3D%3D" rel="noopener noreferrer"&gt;&lt;em&gt;https://www.linkedin.com&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>decisionbom</category>
      <category>agentgovernancetoolk</category>
      <category>agentos</category>
      <category>agt</category>
    </item>
    <item>
      <title>[Part 3] 20 Hard Questions About AI Agent Governance That Nobody Is Asking</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Tue, 02 Jun 2026 19:59:44 +0000</pubDate>
      <link>https://dev.to/mosiddi/part-3-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-3meb</link>
      <guid>https://dev.to/mosiddi/part-3-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-3meb</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2A6FsvoF-sTGisZjU9" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2A6FsvoF-sTGisZjU9" width="760" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Part 3: Who Controls the Money (And Who Is Liable)?
&lt;/h3&gt;

&lt;p&gt;Agents are no longer just “chatting.” They are transacting. Stripe payments, autonomous procurement, and automated cloud resource allocation are the new baseline. But the industry’s financial governance for agents is currently a blank page.&lt;/p&gt;

&lt;p&gt;It is not enough to ask, “Can this agent call the payment API?” We’ve solved that. The real question is: “ &lt;strong&gt;Should this agent spend $50,000 on cloud compute at 2 AM without human escalation?&lt;/strong&gt; ”&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Financial Governance is Tool Call Parameter Governance
&lt;/h3&gt;

&lt;p&gt;We must move beyond binary tool permissions toward parameter-level policies.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The Old Way:&lt;/strong&gt; “The agent has permission to use the Stripe Tool.”&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The AGT Way:&lt;/strong&gt; “The agent can call the Stripe Tool, but the amount parameter cannot exceed $X, and the recipient must be on a pre-approved whitelist. Anything else triggers a hard block.”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In the &lt;strong&gt;Agent Governance Toolkit (AGT),&lt;/strong&gt; cost is a first-class citizen. We prioritize deterministic caps (hard budget limits) first, using non-deterministic anomaly detection only as a secondary fallback.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Human-in-the-loop is a 2026 Fiction
&lt;/h3&gt;

&lt;p&gt;The EU AI Act and global safety standards often mandate “human oversight.” But let’s look at the &lt;strong&gt;Manager’s Math:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AGT benchmarks show &lt;strong&gt;47,000 governed actions per second&lt;/strong&gt; across 1,000 concurrent agents. No human, no matter the team size, can “oversee” that in real-time. If you put a human in the hot path of an autonomous system, you aren’t governing; you’re bottlenecking.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Evolution:&lt;/strong&gt; We must move from Human-in-the-loop to &lt;strong&gt;Human-over-the-loop:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Humans define the boundaries:&lt;/strong&gt; We set the policies and constraints.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Humans monitor the health:&lt;/strong&gt; We build dashboards for system-wide SLOs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Humans investigate the anomalies:&lt;/strong&gt; We respond to alerts, not individual actions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is the same maturation process we saw in infrastructure. We don’t approve every packet in a firewall; we set the rules and monitor the telemetry. Agent governance must follow the same path.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. AGT as the Underwriting Layer for AI Insurance
&lt;/h3&gt;

&lt;p&gt;Insurance giants like &lt;strong&gt;Munich Re, Armilla AI,&lt;/strong&gt; and &lt;strong&gt;Coalition&lt;/strong&gt; are entering the AI liability space. However, premiums remain volatile because they lack standardized governance telemetry.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AGT produces exactly what they need:&lt;/strong&gt; Append-only, hash-chained, tamper-evident audit trails with full action attribution.&lt;/p&gt;

&lt;p&gt;This isn’t just a log; it’s &lt;strong&gt;Underwriting Data&lt;/strong&gt;. By showing insurance companies exactly how policies were enforced and how trust scores evolved over time, we build the necessary bridge between technical telemetry and actuarial models.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Who is Liable for the “Bug”?
&lt;/h3&gt;

&lt;p&gt;When a coding agent ships a vulnerability, where does the buck stop?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;*&lt;em&gt;The Developer who approved the PR? *&lt;/em&gt; Yes.&lt;/li&gt;
&lt;li&gt;*&lt;em&gt;The Company that deployed the agent? *&lt;/em&gt; Yes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Agent Framework?&lt;/strong&gt; No. They provide tools, not decisions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Toolkit?&lt;/strong&gt; Only if the engine failed to enforce a set policy.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Liability follows the decision-maker, not the enforcement mechanism. This is why AGT puts policies &lt;strong&gt;outside&lt;/strong&gt; the toolkit. The toolkit is the enforcement engine; the user is the policy author. Liability stays with the human who defines what “Safe” looks like.&lt;/p&gt;

&lt;h3&gt;
  
  
  What’s Next?
&lt;/h3&gt;

&lt;p&gt;In Part 4, we face the supply chain. The next SolarWinds won’t be a library; it will be a malicious &lt;strong&gt;MCP Server.&lt;/strong&gt; We’ll talk about the “Decision BOM” and how to trace the root cause of a failed agent decision.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://www.linkedin.com/pulse/part-3-20-hard-questions-ai-agent-governance-nobody-asking-siddique-oacgc/?trackingId=fIff%2BYPStJoFIci2g%2FVV3w%3D%3D" rel="noopener noreferrer"&gt;&lt;em&gt;https://www.linkedin.com&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>decisionbom</category>
      <category>agentmesh</category>
      <category>agentos</category>
      <category>agt</category>
    </item>
    <item>
      <title>[Part 2] 20 Hard Questions About AI Agent Governance That Nobody Is Asking</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Sun, 10 May 2026 00:10:28 +0000</pubDate>
      <link>https://dev.to/mosiddi/part-2-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-2b2a</link>
      <guid>https://dev.to/mosiddi/part-2-20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-2b2a</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvohvbl5io4tlc9328q2j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvohvbl5io4tlc9328q2j.png" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Part 2: Governing the Flock, Not Just the Bird
&lt;/h3&gt;

&lt;p&gt;Current agent governance, including the initial versions of &lt;strong&gt;AGT&lt;/strong&gt; , was built for a world of single-agent actions. But the scariest risks we are seeing in 2026 are &lt;strong&gt;emergent&lt;/strong&gt; : swarms of individually compliant agents producing collectively dangerous behavior.&lt;/p&gt;

&lt;p&gt;Collusion. Feedback loops. Race dynamics.&lt;/p&gt;

&lt;p&gt;These don’t happen in a sandbox; they happen when “safe” agents interact in production. New research, like the &lt;strong&gt;SWARM framework&lt;/strong&gt; and the &lt;strong&gt;Multi-Agent System Safety Standard (MASSS)&lt;/strong&gt;, is finally catching up. But the industry still lacks a runtime enforcement mechanism for collective behavior.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Solution: Two Critical Architectural Moves
&lt;/h3&gt;

&lt;h4&gt;
  
  
  1. Policies Must Become Multi-Agent Aware
&lt;/h4&gt;

&lt;p&gt;Today, a policy evaluates one agent’s one action. Tomorrow, it needs to evaluate across agents: &lt;em&gt;“What are all agents doing collectively? Does this pattern, though individually permitted, look like a coordinated attack or market manipulation?”&lt;/em&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  2. Agent Mesh Needs Its Own Policy Layer
&lt;/h4&gt;

&lt;p&gt;Agent OS governs individual actions. &lt;strong&gt;Agent Mesh&lt;/strong&gt; needs policies governing &lt;strong&gt;inter-agent behavior&lt;/strong&gt;. This is a distinct policy surface that handles the “handshake” between agents, ensuring that the intent of the sender matches the capability of the receiver.&lt;/p&gt;

&lt;h3&gt;
  
  
  Who is accountable in a delegation chain?
&lt;/h3&gt;

&lt;p&gt;If Agent A delegates to Agent B, who delegates to Agent C, and Agent C causes harm, who do you fire? More importantly, who does the governance layer penalize?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;My Principle: Accountability flows upward.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent B is responsible because B trusted C.&lt;/li&gt;
&lt;li&gt;Agent A is responsible because A trusted B.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;While &lt;strong&gt;Accountability&lt;/strong&gt; flows upward, &lt;strong&gt;Harm Impac&lt;/strong&gt; t flows downward: it’s highest at the point of execution (Agent C). To bridge this, delegating agents must inherit &lt;strong&gt;partial accountability&lt;/strong&gt; for their delegates. If your delegate misbehaves, your trust score should decay alongside theirs.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can agents from different organizations ever truly trust each other?
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;No. And they shouldn’t.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Agents should never fully trust each other, just like humans don’t. We need to move away from binary “Trust/No-Trust” states toward a &lt;strong&gt;Human Interaction Model&lt;/strong&gt; :&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Verify Identity&lt;/strong&gt; : Is this agent who it says it is?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Verify Capability&lt;/strong&gt; : Does it actually do what it claims?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Experience-Based Trust&lt;/strong&gt; : Trust is earned through repeated, successful interactions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Bounded Autonomy&lt;/strong&gt; : Never give full trust; give only enough to get the specific task done.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Cross-org trust is not a shared global score. It is experiential and local. Each organization must build and maintain its own trust profile for external agents.&lt;/p&gt;

&lt;h3&gt;
  
  
  The “Illusion Delta”
&lt;/h3&gt;

&lt;p&gt;The biggest trap of 2026 is the &lt;strong&gt;Illusion Delta&lt;/strong&gt; , the gap between how safe an agent &lt;em&gt;looks&lt;/em&gt; in a short-horizon interaction and how unstable it &lt;em&gt;actually is&lt;/em&gt; when replayed at scale. Governance that doesn’t account for this delta isn’t governance; it’s a false sense of security.&lt;/p&gt;

&lt;h3&gt;
  
  
  What’s Next?
&lt;/h3&gt;

&lt;p&gt;In Part 3, we move into the “Money” phase: &lt;strong&gt;Financial Governance&lt;/strong&gt;. Your agents might be building a pricing cartel or spending $50K while you sleep. How do we govern the wallet?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://www.linkedin.com/pulse/20-hard-questions-ai-agent-governance-nobody-asking-imran-siddique-0rupc/?trackingId=lVmeBg5WTe%2BnKZOj0%2FQKgA%3D%3D" rel="noopener noreferrer"&gt;&lt;em&gt;https://www.linkedin.com&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>agentos</category>
      <category>aigovernance</category>
      <category>agenticai</category>
      <category>scalebysubtraction</category>
    </item>
    <item>
      <title>20 Hard Questions About AI Agent Governance That Nobody Is Asking</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Mon, 04 May 2026 23:19:56 +0000</pubDate>
      <link>https://dev.to/mosiddi/20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-1gbe</link>
      <guid>https://dev.to/mosiddi/20-hard-questions-about-ai-agent-governance-that-nobody-is-asking-1gbe</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2AM1XHRfuZej9E0N5y" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F1024%2F0%2AM1XHRfuZej9E0N5y" width="760" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Part 1: Can You Actually Prove an Agent Is Safe?
&lt;/h3&gt;

&lt;p&gt;I’ve spent the last year building the Agent Governance Toolkit (AGT), an open-source runtime governance layer for AI agents.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;13,000+ tests&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;5 SDK languages&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;19+ framework integrations&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Coverage for all 10 OWASP Agentic Top 10 risks&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But the more I build, the more I realize: the hardest problems in agent governance aren’t the ones we’ve solved. They’re the ones nobody is even asking about yet.&lt;/p&gt;

&lt;p&gt;Here are the questions I think the industry needs to wrestle with.&lt;/p&gt;

&lt;h3&gt;
  
  
  “You’re measuring the wrong thing.”
&lt;/h3&gt;

&lt;p&gt;AGT enforces policy with a &lt;strong&gt;0.00% violation rate&lt;/strong&gt; in red-team testing. Sounds impressive, right?&lt;/p&gt;

&lt;p&gt;But here’s the uncomfortable truth: &lt;strong&gt;we’re proving the policy layer works, not that the agent is safe.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When an agent says, “I want to do a file operation,” we check the policy and say yes or no. But what happens after we say yes? Did the agent actually do what it claimed?&lt;/p&gt;

&lt;p&gt;Maybe it asked for a file read but triggered a secondary, unauthorized tool call. We have audit logs, but by the time you read them, the damage is done.&lt;/p&gt;

&lt;h3&gt;
  
  
  My Answer: The Continuous Loop
&lt;/h3&gt;

&lt;p&gt;Governance can’t be a one-time gate check. It has to be a dynamic, multi-stage architecture:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Pre-action:&lt;/strong&gt; Deterministic policy enforcement (The “Fast Gate” — we’ve solved this).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Post-action:&lt;/strong&gt; Continuous validation of what the agent actually did vs. what it asked permission to do.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Adaptive Trust:&lt;/strong&gt; If observed behavior diverges from declared intent, the agent’s trust score decays in real time.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;We already use trust scoring for agent-to-agent communication in &lt;strong&gt;Agent Mesh.&lt;/strong&gt; That same mechanism must apply to standalone single agent runs. An agent that asks for permission to do A but ends up doing B should see its trust erode until the governance layer intervenes.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can formal verification work for non-deterministic systems?
&lt;/h3&gt;

&lt;p&gt;Short answer: Yes, but it has to be a hybrid.&lt;/p&gt;

&lt;p&gt;You need &lt;strong&gt;deterministic checks&lt;/strong&gt; (policy enforcement, capability constraints) combined with &lt;strong&gt;non-deterministic checks&lt;/strong&gt; (behavioral anomaly detection, pattern analysis). Pre-execution and post-execution. Not one or the other.&lt;/p&gt;

&lt;h3&gt;
  
  
  The “Illusion Delta”:
&lt;/h3&gt;

&lt;p&gt;In 2026, the industry is falling into a trap, agents perform safely in short-horizon tests but exhibit deviant emergent behavior in long-running production environments.&lt;/p&gt;

&lt;p&gt;The missing piece? The &lt;strong&gt;Observability Layer&lt;/strong&gt;. We need checks that observe how agents behave in real time, not just what they asked to do. This is the bridge between verifying policy and verifying behavior.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Intent Problem
&lt;/h3&gt;

&lt;p&gt;An agent reads your customer database (allowed). Then sends a Slack message (also allowed). But was it exfiltrating data?&lt;/p&gt;

&lt;p&gt;You can’t govern intent by reading the agent’s “mind.” But you can govern it through &lt;strong&gt;Sequence Analysis&lt;/strong&gt; : a sequence of individually allowed actions that looks like exfiltration is a signal.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Thesis&lt;/strong&gt; : The future of agent governance is not just pre-action policy gates. Its &lt;strong&gt;continuous behavioral observability&lt;/strong&gt; combined with &lt;strong&gt;adaptive trust scoring&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  What’s Next?
&lt;/h3&gt;

&lt;p&gt;In Part 2, I’ll dive into “ &lt;strong&gt;Governing the Flock, Not Just the Bird&lt;/strong&gt; ”, how to handle multi-agent swarms and delegation chains where accountability gets messy.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://www.linkedin.com/pulse/20-hard-questions-ai-agent-governance-nobody-asking-imran-siddique-zfcrc/" rel="noopener noreferrer"&gt;&lt;em&gt;https://www.linkedin.com&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>agentos</category>
      <category>aigovernance</category>
      <category>scalebysubtraction</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Governing Google ADK Agents with Microsoft’s Open-Source Toolkit: A GCP-Native Guide</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Wed, 22 Apr 2026 00:33:23 +0000</pubDate>
      <link>https://dev.to/mosiddi/governing-google-adk-agents-with-microsofts-open-source-toolkit-a-gcp-native-guide-1g7h</link>
      <guid>https://dev.to/mosiddi/governing-google-adk-agents-with-microsofts-open-source-toolkit-a-gcp-native-guide-1g7h</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kgnmtatojyqu11apb79.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kgnmtatojyqu11apb79.png" width="800" height="437"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;How to add deterministic policy enforcement to your Google ADK agents on GKE&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I’m going to share a combination that might initially seem counterintuitive: &lt;strong&gt;Microsoft’s best open-source security toolkit runs natively on Google Cloud, securing Google ADK agents.&lt;/strong&gt; No Azure subscription is required. No vendor lock-in exists. It is a simple pip install away.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;Agent Governance Toolkit&lt;/a&gt; (AGT) is an MIT-licensed runtime governance layer for AI agents. It is cloud-agnostic and framework-agnostic. It functions as a Python middleware layer that intercepts agent actions, tool calls, API requests, and inter-agent messages, enforcing policies &lt;em&gt;before&lt;/em&gt; execution occurs.&lt;/p&gt;

&lt;p&gt;If you are building agents with &lt;a href="https://adk.dev/" rel="noopener noreferrer"&gt;Google ADK&lt;/a&gt; and deploying on &lt;strong&gt;Google Kubernetes Engine (GKE)&lt;/strong&gt;, this guide provides a path to a governed production environment in under 10 minutes.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Problem AGT Solves
&lt;/h3&gt;

&lt;p&gt;Google ADK provides a high-performance framework for agent construction, but it is not a deterministic security engine. To move beyond “vibe-based” security to a system that meets the requirements of a CISO or the &lt;strong&gt;EU AI Act (August 2, 2026)&lt;/strong&gt;, you need more than system prompts.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Runtime Action Control:&lt;/strong&gt; Hard-coded blocking of dangerous calls like execute_code or modify_iam.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Audit Trails:&lt;/strong&gt; A forensic record of why an action was permitted or denied, stored outside the LLM context.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Content Filtering:&lt;/strong&gt; Preventing agents from leaking PII (SSNs, passwords) in tool arguments or model responses.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Deterministic Latency:&lt;/strong&gt; Governance that runs in-process to avoid adding network hops to already latent LLM calls.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Architecture: Scale by Subtraction on GCP
&lt;/h3&gt;

&lt;p&gt;Deploying AGT within your GKE cluster follows the principle of &lt;strong&gt;Scale by Subtraction&lt;/strong&gt;. By integrating governance at the kernel level within your existing Python process, you subtract the complexity of managing external security proxies or cross-cloud dependencies.&lt;/p&gt;

&lt;h4&gt;
  
  
  Step 1: The 5-Line Quick Start
&lt;/h4&gt;

&lt;p&gt;Govern your tool calls locally before containerization. Note that this logic is deterministic, not probabilistic.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agent_os.lite&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;govern&lt;/span&gt;

&lt;span class="c1"&gt;# Define governance policy: Deterministic, not prompt-based
&lt;/span&gt;&lt;span class="n"&gt;check&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;govern&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;allow&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;google_search&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;read_file&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;summarize&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;deny&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;execute_code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_file&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;modify_database&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;blocked_content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sa"&gt;r&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;\b\d{3}-\d{2}-\d{4}\b&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="c1"&gt;# Block SSN patterns
&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="c1"&gt;# Wrap your tool calls
&lt;/span&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;governed_tool_call&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;dict&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="c1"&gt;# Intercepts and validates before the tool executes
&lt;/span&gt;    &lt;span class="nf"&gt;check&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nf"&gt;str&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt; 
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="nf"&gt;call_original_tool&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 2: Full Google ADK &amp;amp; Vertex AI Integration
&lt;/h4&gt;

&lt;p&gt;In this updated example, we use &lt;strong&gt;Gemini 2.0 Flash&lt;/strong&gt;. Because AGT runs in-process, it adds sub-0.1ms overhead, preserving the low-latency benefits of the Flash model.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;google.adk.agents&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Agent&lt;/span&gt;
&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;google.adk.tools&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Tool&lt;/span&gt;
&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agent_os.lite&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;govern&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;GovernanceViolation&lt;/span&gt;

&lt;span class="c1"&gt;# Governance Layer: Configured for Enterprise Standards
&lt;/span&gt;&lt;span class="n"&gt;check&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;govern&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;allow&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;google_search&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;read_gcs&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;summarize&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;deny&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_gcs&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;modify_iam&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;blocked_content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sa"&gt;r&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;\b(?:\d[-]*?){13,16}\b&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="c1"&gt;# Credit Card patterns
&lt;/span&gt;    &lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="bp"&gt;True&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;governed_read_gcs&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;bucket&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;A tool that requires verified governance before access.&lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt;
    &lt;span class="nf"&gt;check&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;read_gcs&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; 
    &lt;span class="c1"&gt;# Logic to interface with GCS via Workload Identity
&lt;/span&gt;    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Contents of gs://&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;bucket&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt;/&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
&lt;span class="n"&gt;agent&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Agent&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;model&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;gemini-2.0-flash&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;governed-researcher&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;
        &lt;span class="nc"&gt;Tool&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;func&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;governed_read_gcs&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;description&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Read data from GCS&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
    &lt;span class="p"&gt;],&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 3: Containerize and Deploy to GKE
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Dockerfile&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="s"&gt; python:3.12-slim&lt;/span&gt;
&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="c"&gt;# Install core dependencies and GCP logging&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;pip &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--no-cache-dir&lt;/span&gt; agent-os-kernel google-adk google-cloud-logging
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; agent.py .&lt;/span&gt;
&lt;span class="k"&gt;CMD&lt;/span&gt;&lt;span class="s"&gt; ["python", "agent.py"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;GKE Deployment Configuration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Deploying to GKE allows governance to scale horizontally with your agent replicas.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;apps/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Deployment&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;governed-adk-agent&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;replicas&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3&lt;/span&gt;
  &lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;agent&lt;/span&gt;
          &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;gcr.io/YOUR_PROJECT/governed-adk-agent:latest&lt;/span&gt;
          &lt;span class="na"&gt;env&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;GOOGLE_CLOUD_PROJECT&lt;/span&gt;
              &lt;span class="na"&gt;value&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;your-project-id"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 4: Observability and Compliance
&lt;/h4&gt;

&lt;p&gt;Don’t just block actions; record them for the auditors. AGT’s audit trail integrates with &lt;strong&gt;Google Cloud Logging&lt;/strong&gt; , which can then be exported to &lt;strong&gt;BigQuery&lt;/strong&gt; for automated compliance reporting.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;google.cloud.logging&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;logging&lt;/span&gt;

&lt;span class="c1"&gt;# Initialize GCP Logging
&lt;/span&gt;&lt;span class="n"&gt;client&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;google&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;cloud&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;logging&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;Client&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;setup_logging&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="n"&gt;logger&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;logging&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;getLogger&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;agt.governance&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="c1"&gt;# After agent execution, flush the audit trail to GCP
&lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;check&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;audit_trail&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;logger&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;info&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;governance_decision&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;extra&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;json_fields&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;to_dict&lt;/span&gt;&lt;span class="p"&gt;()})&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Manager’s Math: The Trade-off Analysis
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhz9jx8av85v4maaflywj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhz9jx8av85v4maaflywj.png" width="730" height="276"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Strategic Considerations for 2026
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Workload Identity &amp;amp; OIDC:&lt;/strong&gt; AGT’s &lt;strong&gt;AgentMesh&lt;/strong&gt; identity layer can map directly to GCP’s Workload Identity. This allows you to verify that the “Agent” calling a GCS bucket is not just authenticated via a service account but authorized via a governance policy.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The 2026 Compliance Window:&lt;/strong&gt; With the &lt;strong&gt;EU AI Act&lt;/strong&gt; becoming enforceable, “best effort” security is no longer a legal defense. Moving policy enforcement from the prompt to the execution kernel is a prerequisite for high-risk AI deployment.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Vertex AI Extensions:&lt;/strong&gt; While Vertex AI Extensions handle authorization, AGT handles &lt;strong&gt;interception and inspection&lt;/strong&gt;. They are complementary, not competitive.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Links
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;Agent Governance Toolkit on GitHub&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://adk.dev/" rel="noopener noreferrer"&gt;Google ADK Documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/microsoft/agent-governance-toolkit/tree/main/examples/policies/production" rel="noopener noreferrer"&gt;Production Policy Library (YAML)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;The Agent Governance Toolkit is MIT-licensed and functions across all major cloud providers. Star it on GitHub if it provides value to your engineering stack.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>aiarchitecture</category>
      <category>agenticai</category>
      <category>googlecloud</category>
    </item>
    <item>
      <title>Running AI Agent Governance on AWS, No Azure Required</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Tue, 14 Apr 2026 04:41:20 +0000</pubDate>
      <link>https://dev.to/mosiddi/running-ai-agent-governance-on-aws-no-azure-required-m5m</link>
      <guid>https://dev.to/mosiddi/running-ai-agent-governance-on-aws-no-azure-required-m5m</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7gki8gubqsoumfjsie09.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7gki8gubqsoumfjsie09.png" width="800" height="437"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;How to deploy Microsoft’s Agent Governance Toolkit on ECS/Fargate and govern your Bedrock agents&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I’m going to say something that might surprise you: &lt;strong&gt;Microsoft’s best open-source security toolkit runs perfectly on AWS.&lt;/strong&gt; No Azure subscription. No vendor lock-in. Just pip install and go.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;Agent Governance Toolkit&lt;/a&gt; (AGT) is an MIT-licensed runtime governance layer for AI agents. It intercepts every tool call, API request, and inter-agent message &lt;em&gt;before&lt;/em&gt; execution — enforcing policies at sub-millisecond latency. It covers all 10 OWASP Agentic AI risks, and it works with &lt;strong&gt;LangChain&lt;/strong&gt; , &lt;strong&gt;CrewAI&lt;/strong&gt; , &lt;strong&gt;AutoGen&lt;/strong&gt; , &lt;strong&gt;Bedrock&lt;/strong&gt; agents, and anything else you’re building on AWS.&lt;/p&gt;

&lt;p&gt;Here’s how to get it running on your AWS infrastructure in under 30 minutes.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why You Need This
&lt;/h3&gt;

&lt;p&gt;If you’re running AI agents on Bedrock, Lambda, or ECS, you probably already know the problem:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Unpredictable Tool Calls:&lt;/strong&gt; Your agents can call tools or parameters you didn’t anticipate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Invisible Audit Trails:&lt;/strong&gt; There’s no deterministic record of what actions agents took and why.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Least-Privilege Enforcement:&lt;/strong&gt; You can’t easily prove to your CISO that agents follow security best practices.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Compliance Deadlines:&lt;/strong&gt; The &lt;strong&gt;EU AI Act (August 2026)&lt;/strong&gt; requires demonstrable human oversight and risk management for high-risk AI systems.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;AGT solves this by placing a deterministic safety kernel between agent “thought” and system “action.” Everything gets logged, dangerous actions get blocked, and your compliance team gets the evidence they need.&lt;/p&gt;

&lt;h3&gt;
  
  
  Architecture
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;┌─────────────────────────────────────────────┐
│ Your AWS Account │
│ │
│ ┌──────────┐ ┌──────────────────────┐ │
│ │ Bedrock │───▶│ AGT Policy Engine │ │
│ │ Agent │ │ (ECS/Fargate) │ │
│ └──────────┘ │ │ │
│ │ ✓ Policy check │ │
│ ┌──────────┐ │ ✓ Identity verify │ │
│ │ Lambda │───▶│ ✓ Audit log │ │
│ │ Agent │ │ ✓ Rate limit │ │
│ └──────────┘ └──────────┬───────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ CloudWatch / │ │
│ │ S3 Audit Logs │ │
│ └─────────────────┘ │
└─────────────────────────────────────────────┘
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Zero Azure dependencies. Pure Python containers.&lt;/strong&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: The 3-Line Quick Start
&lt;/h3&gt;

&lt;p&gt;Before we containerize, let’s prove it works locally:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="n"&gt;pip&lt;/span&gt; &lt;span class="n"&gt;install&lt;/span&gt; &lt;span class="n"&gt;agent&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;kernel&lt;/span&gt;

&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agent_os.lite&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;govern&lt;/span&gt;

&lt;span class="c1"&gt;# One line: define what's allowed and what's blocked
&lt;/span&gt;&lt;span class="n"&gt;check&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;govern&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;allow&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;web_search&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;read_file&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;query_database&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;deny&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;execute_code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_file&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;ssh_connect&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="c1"&gt;# One line: check any agent action
&lt;/span&gt;&lt;span class="nf"&gt;check&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;web_search&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="c1"&gt;# ✅ Allowed
&lt;/span&gt;&lt;span class="nf"&gt;check&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;execute_code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="c1"&gt;# 💥 GovernanceViolation raised
&lt;/span&gt;&lt;span class="n"&gt;check&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;is_allowed&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_file&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="c1"&gt;# False (non-raising)
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That’s it. Three lines. Sub-millisecond. No complex YAML, no config files, no trust mesh. Just a fast allow/deny gate.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 2: Create the Dockerfile
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="s"&gt; python:3.12-slim&lt;/span&gt;

&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;

&lt;span class="c"&gt;# Install AGT&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;pip &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--no-cache-dir&lt;/span&gt; agent-os-kernel[full]

&lt;span class="c"&gt;# Copy your policies and agent code&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; policies/ ./policies/&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; app.py .&lt;/span&gt;

&lt;span class="k"&gt;CMD&lt;/span&gt;&lt;span class="s"&gt; ["python", "app.py"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Step 3: Write Your Governed Agent
&lt;/h3&gt;

&lt;p&gt;Here’s a real agent wrapper that works with any Bedrock model:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# app.py — Governed agent on AWS
&lt;/span&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;json&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;boto3&lt;/span&gt;
&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agent_os.lite&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;govern&lt;/span&gt;

&lt;span class="c1"&gt;# --- Governance setup ---
&lt;/span&gt;&lt;span class="n"&gt;check&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;govern&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;allow&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;invoke_model&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;read_s3&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;query_dynamodb&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;send_sns&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;deny&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_s3&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;modify_iam&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;execute_code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;create_ec2&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;blocked_content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;
        &lt;span class="sa"&gt;r&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;\b\d{3}-\d{2}-\d{4}\b&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="c1"&gt;# SSN
&lt;/span&gt;        &lt;span class="sa"&gt;r&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;\b(?:\d[-]*?){13,16}\b&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="c1"&gt;# Credit cards
&lt;/span&gt;    &lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;max_calls&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="bp"&gt;True&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;bedrock&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;boto3&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;client&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;bedrock-runtime&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;region_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;us-east-1&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;governed_invoke&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;payload&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;dict&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="nb"&gt;dict&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;Every action goes through governance first.&lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt;
    &lt;span class="c1"&gt;# Check the action
&lt;/span&gt;    &lt;span class="nf"&gt;check&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="c1"&gt;# Check the content for PII
&lt;/span&gt;    &lt;span class="n"&gt;content&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;dumps&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;payload&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;check&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;is_allowed&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;content&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;error&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Blocked: content contains sensitive data&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

    &lt;span class="c1"&gt;# Execute the actual action
&lt;/span&gt;    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;action&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;invoke_model&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;response&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;bedrock&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;invoke_model&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;modelId&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;payload&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;model&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
            &lt;span class="n"&gt;body&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;dumps&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;payload&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;body&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]),&lt;/span&gt;
        &lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;loads&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;response&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;body&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="nf"&gt;read&lt;/span&gt;&lt;span class="p"&gt;())&lt;/span&gt;

    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;error&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Unknown action: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# --- Your agent loop ---
&lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;__name__&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt; __main__&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="c1"&gt;# This will work
&lt;/span&gt;    &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;governed_invoke&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;invoke_model&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;model&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;anthropic.claude-sonnet-4-20250514&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;body&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;prompt&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Summarize Q4 earnings&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;})&lt;/span&gt;
    &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;✅ Model response received&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="c1"&gt;# This will be blocked
&lt;/span&gt;    &lt;span class="k"&gt;try&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="nf"&gt;governed_invoke&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_s3&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;bucket&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;production-data&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;})&lt;/span&gt;
    &lt;span class="k"&gt;except&lt;/span&gt; &lt;span class="nb"&gt;Exception&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="n"&gt;e&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;🚫 Blocked: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;e&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="c1"&gt;# Print governance stats
&lt;/span&gt;    &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s"&gt;📊 &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;dumps&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;check&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;stats&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;indent&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Step 4: Deploy to ECS/Fargate
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Create the ECR repository and push:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;aws ecr create-repository &lt;span class="nt"&gt;--repository-name&lt;/span&gt; agt-governed-agent
aws ecr get-login-password | docker login &lt;span class="nt"&gt;--username&lt;/span&gt; AWS &lt;span class="nt"&gt;--password-stdin&lt;/span&gt; &lt;span class="nv"&gt;$ACCOUNT&lt;/span&gt;.dkr.ecr.us-east-1.amazonaws.com

docker build &lt;span class="nt"&gt;-t&lt;/span&gt; agt-governed-agent &lt;span class="nb"&gt;.&lt;/span&gt;
docker tag agt-governed-agent:latest &lt;span class="nv"&gt;$ACCOUNT&lt;/span&gt;.dkr.ecr.us-east-1.amazonaws.com/agt-governed-agent:latest
docker push &lt;span class="nv"&gt;$ACCOUNT&lt;/span&gt;.dkr.ecr.us-east-1.amazonaws.com/agt-governed-agent:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  ECS Task Definition:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"family"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"agt-governed-agent"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"networkMode"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"awsvpc"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"requiresCompatibilities"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"FARGATE"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"cpu"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"512"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"memory"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"1024"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"containerDefinitions"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"governed-agent"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"image"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"${ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/agt-governed-agent:latest"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"essential"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"environment"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="nl"&gt;"name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"AWS_DEFAULT_REGION"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"value"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"us-east-1"&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"logConfiguration"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"logDriver"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"awslogs"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"options"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
          &lt;/span&gt;&lt;span class="nl"&gt;"awslogs-group"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/ecs/agt-governed-agent"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
          &lt;/span&gt;&lt;span class="nl"&gt;"awslogs-region"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"us-east-1"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
          &lt;/span&gt;&lt;span class="nl"&gt;"awslogs-stream-prefix"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"agt"&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"executionRoleArn"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"arn:aws:iam::${ACCOUNT}:role/ecsTaskExecutionRole"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Create the service:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;aws ecs create-service &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--cluster&lt;/span&gt; default &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--service-name&lt;/span&gt; agt-governed-agent &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--task-definition&lt;/span&gt; agt-governed-agent &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--desired-count&lt;/span&gt; 1 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--launch-type&lt;/span&gt; FARGATE &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--network-configuration&lt;/span&gt; &lt;span class="s2"&gt;"awsvpcConfiguration={subnets=[subnet-xxx],securityGroups=[sg-xxx],assignPublicIp=ENABLED}"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Your governed agent is now running on AWS. Every action is policy-checked and audit-logged.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 5: Production Policy (Optional Upgrade)
&lt;/h3&gt;

&lt;p&gt;When you outgrow the 3-line govern() call, AGT has production-ready policy files:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Copy the enterprise policy template&lt;/span&gt;
&lt;span class="nb"&gt;cp &lt;/span&gt;examples/policies/production/enterprise.yaml policies/

&lt;span class="c"&gt;# Or for financial services:&lt;/span&gt;
&lt;span class="nb"&gt;cp &lt;/span&gt;examples/policies/production/financial.yaml policies/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These include action rules, content filters (PII/PCI), escalation triggers, and retention settings — all in YAML. No OPA or Rego required unless you want it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 6: Ship Audit Logs to S3
&lt;/h3&gt;

&lt;p&gt;AGT’s audit trail integrates with CloudWatch. For compliance archival:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Send governance stats to CloudWatch
&lt;/span&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;boto3&lt;/span&gt;

&lt;span class="n"&gt;cloudwatch&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;boto3&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;client&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;cloudwatch&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="n"&gt;stats&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;check&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;stats&lt;/span&gt;

&lt;span class="n"&gt;cloudwatch&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;put_metric_data&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;Namespace&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;AGT/Governance&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;MetricData&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;MetricName&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;TotalDecisions&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Value&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;stats&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;total&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Unit&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Count&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;MetricName&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Denied&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Value&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;stats&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;denied&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Unit&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Count&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
    &lt;span class="p"&gt;]&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  What You Get
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4e2oz83ygjs6mf3vm6ba.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4e2oz83ygjs6mf3vm6ba.png" width="800" height="361"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  FAQ
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Q: Does this need Azure?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Zero Azure dependencies. It’s a Python package that runs anywhere you can run Python.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Does it slow down my agents?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Policy checks take 0.003ms on average. Your Bedrock API call takes 500–2000ms. The governance overhead is invisible.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Can I use this with LangChain on AWS?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes. AGT works with LangChain, CrewAI, AutoGen, and any other Python agent framework.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: What about the full AGT stack (trust mesh, SRE, etc.)?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Start with agent_os.lite for basic governance. Add the full stack when you need cryptographic identity, lifecycle management, or execution sandboxing.&lt;/p&gt;

&lt;h3&gt;
  
  
  Links
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;Agent Governance Toolkit on GitHub&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/microsoft/agent-governance-toolkit/blob/main/docs/deployment/aws-ecs.md" rel="noopener noreferrer"&gt;AWS Deployment Guide&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/microsoft/agent-governance-toolkit/tree/main/examples/policies/production" rel="noopener noreferrer"&gt;Production Policy Library&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;The Agent Governance Toolkit is MIT-licensed. Star it on GitHub if it’s useful to your team.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>agt</category>
      <category>agentgovernancetoolk</category>
      <category>gcp</category>
      <category>azure</category>
    </item>
    <item>
      <title>Observability for Non-Deterministic Systems: A Framework for AI Agent Reliability</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Mon, 06 Apr 2026 15:54:22 +0000</pubDate>
      <link>https://dev.to/mosiddi/observability-for-non-deterministic-systems-a-framework-for-ai-agent-reliability-3l51</link>
      <guid>https://dev.to/mosiddi/observability-for-non-deterministic-systems-a-framework-for-ai-agent-reliability-3l51</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr1bx9swvyqsajlyxtl6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr1bx9swvyqsajlyxtl6.png" width="800" height="437"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The Observability Gap
&lt;/h3&gt;

&lt;p&gt;For fifty years, the observability stack has assumed determinism. Prometheus scrapes CPU utilization. Jaeger traces request latency. PagerDuty fires when error rates exceed thresholds. The mental model is mechanical: if the database is slow, queries are slow; if the server crashes, requests fail. The “Three Pillars”: metrics, logs, traces, capture the behavior of infrastructure.&lt;/p&gt;

&lt;p&gt;This model works because deterministic systems have a knowable correct state. A 200 OK is correct. A 500 is not. The boundaries are crisp, and deviations are bugs.&lt;/p&gt;

&lt;h4&gt;
  
  
  Why AI Agents Break This Model
&lt;/h4&gt;

&lt;p&gt;AI agents introduce properties that deterministic observability cannot capture:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Non-determinism:&lt;/strong&gt; The same prompt produces different outputs on successive calls. Traditional monitoring treats variance as noise; in agent systems, variance &lt;em&gt;is&lt;/em&gt; the signal.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Semantic correctness:&lt;/strong&gt; A 200 OK with a hallucinated answer is worse than a 500 error. HTTP status codes carry zero information about output quality. An agent that confidently produces wrong code or wrong medical advice is more dangerous than one that crashes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Progressive degradation:&lt;/strong&gt; As context windows fill, LLM output quality degrades gradually, responses get shorter, less accurate, and more repetitive. This is &lt;strong&gt;Context Rot&lt;/strong&gt;. There is no error. There is no crash. There is only a slow rot that traditional monitoring cannot see.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  The “Laziness” Problem
&lt;/h3&gt;

&lt;p&gt;During my work observing coding agents at scale, I discovered a failure mode that no existing observability tool detected: &lt;strong&gt;agent laziness&lt;/strong&gt;. The agent would produce syntactically valid but substantively empty responses, placeholder functions, TODO comments instead of implementations, or responses that technically answered the question while doing as little work as possible.&lt;/p&gt;

&lt;p&gt;This is not a hallucination. It is not an error. It is a quality degradation that only becomes visible when you measure the gap between what was asked and what was delivered. This discovery led to the development of a &lt;strong&gt;Laziness Index&lt;/strong&gt; that measures response length shrinkage, placeholder patterns, and delegation frequency. The metrics we were building for coding agents were actually capturing fundamental properties of human-agent collaboration.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Framework: Behavioral Observability
&lt;/h3&gt;

&lt;p&gt;Observability for non-deterministic systems requires a shift from &lt;strong&gt;infrastructure metrics&lt;/strong&gt; to &lt;strong&gt;behavioral metrics&lt;/strong&gt;. We must measure not what the system &lt;em&gt;is doing&lt;/em&gt; (CPU, memory, latency) but what the system &lt;em&gt;is achieving&lt;/em&gt; (correct outcomes, user satisfaction, progressive quality).&lt;/p&gt;

&lt;h4&gt;
  
  
  Core Principle: The Human as Sensor
&lt;/h4&gt;

&lt;p&gt;In human-agent collaboration, the human’s behavior is the most reliable signal of agent quality. When a developer says “that’s wrong, fix it,” they are providing a ground-truth quality signal that no automated evaluation can match.&lt;/p&gt;

&lt;p&gt;This is &lt;strong&gt;Correction-Based Observability&lt;/strong&gt; : the systematic detection and scoring of human corrections to agent outputs as a proxy for output quality.&lt;/p&gt;

&lt;h4&gt;
  
  
  Seven Behavioral Metrics
&lt;/h4&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Hallucination Index:&lt;/strong&gt; Rate of human corrections to agent outputs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Laziness Index:&lt;/strong&gt; Response quality degradation and effort avoidance.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Context Rot Index:&lt;/strong&gt; Quality degradation over session length.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Flow Score:&lt;/strong&gt; Consecutive productive interactions without correction.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Loop Rate:&lt;/strong&gt; Consecutive correction cycles without progress.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Session Health:&lt;/strong&gt; Three-tier classification (Clean, Bumpy, Troubled).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cost Per Outcome:&lt;/strong&gt; Token spend divided by tangible deliverables.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Application Across High-Stakes Domains
&lt;/h3&gt;

&lt;p&gt;The correction-based observability pattern is universally applicable to any human-agent collaboration where the human can signal dissatisfaction.&lt;/p&gt;

&lt;h4&gt;
  
  
  Healthcare: Clinical Decision Support
&lt;/h4&gt;

&lt;p&gt;A hallucinating coding agent produces a bug. A hallucinating clinical agent produces a misdiagnosis. In this domain, the framework uses tighter thresholds. A 15% hallucination rate in coding is a productivity issue; in healthcare, the threshold for a “Troubled” session is often a single override.&lt;/p&gt;

&lt;h4&gt;
  
  
  Energy and Grid Management
&lt;/h4&gt;

&lt;p&gt;In energy systems, the consequences of errors manifest in physical system behavior. The observability layer tracks &lt;strong&gt;Physical Constraint Violation Rates&lt;/strong&gt;  — recommendations that violate thermal limits or voltage bounds — which are physically impossible “hallucinations.”&lt;/p&gt;

&lt;h4&gt;
  
  
  Financial Services and Legal
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Finance:&lt;/strong&gt; Measuring the &lt;strong&gt;Fair Lending Deviation Index&lt;/strong&gt; to track if underwriter overrides vary by borrower demographics.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Legal:&lt;/strong&gt; Monitoring the &lt;strong&gt;Citation Hallucination Index&lt;/strong&gt; to detect non-existent case law before it reaches a court filing.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Architecture: Privacy-First and Local-First
&lt;/h3&gt;

&lt;p&gt;Behavioral observability data is sensitive. A correction log reveals what an expert (a doctor, an attorney, an engineer) had to fix.&lt;/p&gt;

&lt;p&gt;The proposed architecture for this framework is &lt;strong&gt;local-first&lt;/strong&gt; : all computation happens on the practitioner’s machine. No raw sessions or corrections leave the device. Team-level aggregation uses anonymized identities and transmits only aggregate metrics. This removes the primary barrier to AI observability: the fear that the tool will expose individual performance rather than system reliability.&lt;/p&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;Non-deterministic observability is not a product; it is a discipline. As we scale agentic architectures, we must stop measuring what agents consume (tokens, latency) and start measuring what they achieve.&lt;/p&gt;

&lt;p&gt;While the foundational primitives for agent tracking exist in the open-source &lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;&lt;strong&gt;Agent Governance Toolkit (AGT)&lt;/strong&gt;&lt;/a&gt;, this behavioral framework represents a necessary evolution in how we ensure AI reliability at scale.&lt;/p&gt;

</description>
      <category>systemreliability</category>
      <category>llmops</category>
      <category>agenticai</category>
      <category>observability</category>
    </item>
    <item>
      <title>Securing AI agents with agent governance</title>
      <dc:creator>Imran Siddique</dc:creator>
      <pubDate>Thu, 26 Mar 2026 07:16:00 +0000</pubDate>
      <link>https://dev.to/mosiddi/securing-ai-agents-with-agent-governance-1f1i</link>
      <guid>https://dev.to/mosiddi/securing-ai-agents-with-agent-governance-1f1i</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7sugcxzmk15zubprtf2i.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7sugcxzmk15zubprtf2i.png" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Photo by Tekton on Unsplash.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Imagine this scenario: An AI agent is asked to “clean up old records,” and it interprets “old” as “everything older than today.” There is no policy engine to intercept the action, no approval workflow to pause and ask a human, and no kill switch to stop it mid-execution. The agent has been given unrestricted tool access — the equivalent of handing a new employee the root password on their first day and saying, “figure it out.”&lt;/p&gt;

&lt;p&gt;This hypothetical illustrates a real and growing concern. As AI agents have evolved from simple chatbots into autonomous systems that book flights, execute trades, write code, and manage infrastructure, a gap has emerged: &lt;strong&gt;Many of the popular frameworks that power these agents focus on orchestration and have not yet built in runtime security governance.&lt;/strong&gt; Frameworks like LangChain, AutoGen, and CrewAI do an excellent job of orchestrating agent behavior, but the industry as a whole is still developing answers to a fundamental question: &lt;em&gt;What happens when an agent does something it shouldn’t?&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Note: The Agent Governance Toolkit is currently available as a community preview release. All packages published to PyPI and npm are not official Microsoft-signed releases. Official signed packages via ESRP Release will be available in a future release. All security policy rules and detection patterns ship as configurable sample configurations that users must review and customize before production use.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That question sent me down a path that eventually became the &lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;Agent Governance Toolkit&lt;/a&gt; — an open-source framework, now released by Microsoft, that brings operating system-level security concepts to the world of AI agents. In this article, I walk through the problem we set out to solve, the architectural decisions that shaped our approach, and the technical details of how we built a system that enforces policy, verifies identity, isolates execution, and engineers reliability for autonomous AI agents.&lt;/p&gt;
&lt;h3&gt;
  
  
  The problem: AI agents operate in a security vacuum
&lt;/h3&gt;

&lt;p&gt;To understand why agent governance matters, consider how a typical AI agent works today. A developer writes a prompt, connects a set of tools (database access, web browsing, file system operations), and hands control to an LLM. The agent reasons about what to do, selects tools, and executes actions — often in a loop, sometimes spawning sub-agents to handle subtasks.&lt;/p&gt;

&lt;p&gt;The challenge is that &lt;strong&gt;in many current implementations, agent actions are unmediated.&lt;/strong&gt; When an agent calls a tool, there is typically no security layer checking whether that call is within policy. There is often no identity verification when one agent communicates with another. There may be no resource limit preventing an agent from making 10,000 API calls in a minute. And there is frequently no circuit breaker to stop a failing agent from cascading failures across a system.&lt;/p&gt;

&lt;p&gt;In February 2026, OWASP published the &lt;strong&gt;Agentic AI Top 10&lt;/strong&gt; (see &lt;a href="https://owasp.org/www-project-agentic-ai-threats" rel="noopener noreferrer"&gt;owasp.org/www-project-agentic-ai-threats&lt;/a&gt;), the first formal taxonomy of risks specific to autonomous AI agents. The list highlights serious concerns for anyone running agents in production: goal hijacking through prompt injection, tool misuse, identity abuse, memory poisoning, cascading failures, and rogue agents. My team realized that addressing these risks required more than a guardrail library. It required a fundamentally new abstraction layer.&lt;/p&gt;
&lt;h3&gt;
  
  
  The insight: What if we treated AI agents like processes?
&lt;/h3&gt;

&lt;p&gt;The key insight came from an analogy that now seems obvious in hindsight, because &lt;strong&gt;operating systems solved a similar problem decades ago.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the 1970s, when multi-user computing emerged, engineers faced a similar challenge: multiple untrusted programs sharing resources on a single machine. The solution they developed was the OS kernel — a privileged layer that mediates every interaction between a process and the outside world. Processes can’t directly access hardware; they make syscalls. They can’t read each other’s memory; they have isolated address spaces. They can’t consume unlimited resources; the scheduler enforces quotas.&lt;/p&gt;

&lt;p&gt;So, we asked ourselves: What would an “operating system for AI agents” look like?&lt;/p&gt;

&lt;p&gt;The answer became the four-layer architecture of the Agent Governance Toolkit:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Agent OS:&lt;/strong&gt; The kernel. Every agent action passes through a policy engine before execution, just as every process action passes through the OS kernel via syscalls.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AgentMesh:&lt;/strong&gt; The identity layer. Agents have cryptographic identities (DIDs with Ed25519 key pairs) and must verify each other before communicating, similar to how mTLS works in service meshes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agent Runtime:&lt;/strong&gt; The isolation layer. Agents are assigned to execution rings based on their trust scores, with resource limits enforced per ring — inspired by CPU privilege rings.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agent SRE:&lt;/strong&gt; The reliability layer. SLOs, error budgets, circuit breakers, and chaos testing — all the practices that keep distributed services reliable, applied to agent systems.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;
  
  
  Under the hood: How policy enforcement actually works
&lt;/h3&gt;

&lt;p&gt;Let me show you what runtime policy enforcement looks like in practice, because it’s the piece that distinguishes this toolkit from existing approaches.&lt;/p&gt;

&lt;p&gt;Most “guardrail” systems work by filtering inputs or outputs — they check the prompt before the LLM sees it, or they scan the response after the LLM generates it. The problem is that agent actions happen &lt;em&gt;between&lt;/em&gt; those two points. An agent might receive a perfectly safe prompt, reason correctly about it, and then call a tool in a way that violates policy. Input/output filtering misses this entirely.&lt;/p&gt;

&lt;p&gt;Agent OS intercepts at the action layer. When an agent calls a tool, the call passes through the policy engine before reaching the tool:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agent_os&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;StatelessKernel&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;ExecutionContext&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Policy&lt;/span&gt;

&lt;span class="n"&gt;kernel&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;StatelessKernel&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;

&lt;span class="c1"&gt;# Define what this agent is allowed to do
&lt;/span&gt;&lt;span class="n"&gt;ctx&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;ExecutionContext&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;agent_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;analyst-001&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;policies&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;
        &lt;span class="n"&gt;Policy&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;read_only&lt;/span&gt;&lt;span class="p"&gt;(),&lt;/span&gt; &lt;span class="c1"&gt;# Default: no writes
&lt;/span&gt;        &lt;span class="n"&gt;Policy&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;rate_limit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;1m&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="c1"&gt;# Max 100 calls/minute
&lt;/span&gt;        &lt;span class="n"&gt;Policy&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;require_approval&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;actions&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_*&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;write_production_*&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
            &lt;span class="n"&gt;min_approvals&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;approval_timeout_minutes&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;30&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="p"&gt;),&lt;/span&gt;
    &lt;span class="p"&gt;],&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="c1"&gt;# This call gets intercepted by the policy engine
&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="n"&gt;kernel&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;execute&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delete_user_record&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;params&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;user_id&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="mi"&gt;12345&lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
    &lt;span class="n"&gt;context&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="c1"&gt;# result.signal == "ESCALATE" → approval workflow initiated
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The key design decision here was to make the kernel &lt;strong&gt;stateless&lt;/strong&gt;. Each request carries its own context — policies, history, identity — rather than storing state in the kernel. We chose this pattern because it enables horizontal scaling: You can run the kernel behind a load balancer, in a serverless function, or as a sidecar container, with no shared state to manage.&lt;/p&gt;

&lt;p&gt;The policy engine itself has two layers. The first is configurable pattern matching with sample rule sets for detecting dangerous strings like “ignore previous instructions” or SQL injection patterns. The second is a semantic intent classifier that detects dangerous &lt;em&gt;goals&lt;/em&gt; even when the exact phrasing does not match a pattern. When an agent’s action is classified as DESTRUCTIVE_DATA, DATA_EXFILTRATION, or PRIVILEGE_ESCALATION, the policy engine flags it for intervention regardless of how the request was worded.&lt;/p&gt;

&lt;h3&gt;
  
  
  Zero-trust identity: TLS for AI agents
&lt;/h3&gt;

&lt;p&gt;When we started looking at multi-agent systems — scenarios where multiple agents collaborate on a task — the identity challenge became clear. In many frameworks, agents communicate as simple function calls. Agent A calls Agent B, and Agent B processes whatever it receives because identity verification has not yet been a standard feature of agent communication protocols.&lt;/p&gt;

&lt;p&gt;AgentMesh introduces a protocol we call IATP — the Inter-Agent Trust Protocol. Think of it as TLS for AI agents: encryption, authentication, and authorization in one handshake.&lt;/p&gt;

&lt;p&gt;Every agent gets a cryptographic DID (Decentralized Identifier) backed by an Ed25519 key pair:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agentmesh&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;AgentIdentity&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;TrustBridge&lt;/span&gt;

&lt;span class="c1"&gt;# Create identity with a human sponsor for accountability
&lt;/span&gt;&lt;span class="n"&gt;identity&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;AgentIdentity&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;create&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;data-analyst&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;sponsor&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;alice@company.com&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;capabilities&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;read:data&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;write:reports&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="c1"&gt;# identity.did → "did:mesh:data-analyst:a7f3b2..."
&lt;/span&gt;
&lt;span class="c1"&gt;# Before communicating, verify the peer
&lt;/span&gt;&lt;span class="n"&gt;bridge&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;TrustBridge&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="n"&gt;verification&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="n"&gt;bridge&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;verify_peer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;peer_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;did:mesh:other-agent&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;required_trust_score&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;700&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="c1"&gt;# Must score ≥700/1000
&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;verification&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;verified&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="n"&gt;bridge&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;send_message&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;peer_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;encrypted_message&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One design choice that proved critical was &lt;strong&gt;trust decay&lt;/strong&gt;. An agent’s trust score isn’t static — it decays over time without positive signals. An agent that was trusted yesterday but has been silent for a week gradually becomes untrusted. This models reality: In the physical world, trust requires ongoing demonstration of good behavior, and our system reflects that.&lt;/p&gt;

&lt;p&gt;Delegation chains solve another real-world problem: When an orchestrator agent delegates a task to a worker agent, the worker should have only the permissions needed for that specific task. AgentMesh enforces scope narrowing — a parent with read and write capabilities can delegate only read access to a child, and that child cannot re-delegate broader permissions than it received.&lt;/p&gt;

&lt;h3&gt;
  
  
  Execution rings: Hardware security concepts for software agents
&lt;/h3&gt;

&lt;p&gt;The Agent Runtime borrows from CPU architecture. Intel processors have privilege rings (Ring 0 for the kernel, Ring 3 for user processes) that prevent unprivileged code from accessing protected resources. We applied the same concept to agents, but with a twist: &lt;strong&gt;Ring assignment is dynamic, based on behavioral trust scores.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Ring 0 (Privileged):&lt;/strong&gt; Trust score ≥ 0.95. Can modify system policies. Reserved for human-verified orchestrators.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ring 1 (Trusted):&lt;/strong&gt; Trust score ≥ 0.80. Standard operations with full tool access.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ring 2 (Standard):&lt;/strong&gt; Trust score ≥ 0.60. Limited resource access, rate-limited.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ring 3 (Sandbox):&lt;/strong&gt; Trust score &amp;lt; 0.60. Heavily restricted. New or untrusted agents start here.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each ring enforces resource limits: maximum execution time per step, memory caps, CPU throttling, and request rate limits. An agent in Ring 3 might be limited to 10 API calls per minute with a five-second execution timeout, while a Ring 0 agent has no such restrictions.&lt;/p&gt;

&lt;p&gt;The runtime also provides saga orchestration for multi-step operations. When an agent executes a sequence of actions — draft an email, send it, update the CRM — and the final step fails, the saga engine automatically calls compensating actions in reverse order. The email gets recalled, the draft gets deleted. This pattern, borrowed from distributed transaction processing, prevents the partial-completion failures that plague agentic workflows.&lt;/p&gt;

&lt;h3&gt;
  
  
  Reliability engineering for agents
&lt;/h3&gt;

&lt;p&gt;When we built the Agent SRE package, we started with a question: How do you define “reliable” for an AI agent? Traditional SRE metrics like uptime and latency matter, but agents introduce new dimensions. An agent might be fast and available but produce incorrect results. It might be accurate but cost $500 per hour in API calls. It might work perfectly in isolation but cause cascading failures when it interacts with other agents.&lt;/p&gt;

&lt;p&gt;We defined seven Service Level Indicators (SLIs) specific to AI agents: correctness, safety, latency, cost, availability, throughput, and delegation success rate. Each SLI gets a threshold, and together they form an error budget — a quantified tolerance for failure.&lt;/p&gt;

&lt;p&gt;Here’s where it gets interesting: The error budget drives automated remediation. When an agent’s safety SLI drops below 99 percent (meaning more than 1 percent of its actions violate policy), the system can automatically trigger a kill switch, downgrade the agent’s execution ring, or activate a circuit breaker that rejects new requests until the agent recovers.&lt;/p&gt;

&lt;p&gt;We also built nine chaos engineering fault injection templates — network delays, LLM provider failures, tool timeouts, trust score manipulation, memory corruption, concurrent access races — because the only way to know if your agent system is resilient is to break it on purpose in controlled conditions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Covering the OWASP Agentic AI Top 10
&lt;/h3&gt;

&lt;p&gt;When OWASP published their Agentic AI Top 10, we mapped each risk to our toolkit’s capabilities and found that the architecture provides mitigations for all ten categories:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Goal hijacking&lt;/strong&gt; is addressed by the policy engine’s semantic intent classifier.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tool misuse&lt;/strong&gt; is mitigated by capability sandboxing and the MCP proxy.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Identity abuse&lt;/strong&gt; is addressed by DID-based identity and trust scoring.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Supply chain risks&lt;/strong&gt; are tracked by AI-BOM v2.0, which records model provenance, dataset lineage, and weight versioning.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Code execution&lt;/strong&gt; is constrained by execution rings and resource limits.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Memory poisoning&lt;/strong&gt; is detected by the Cross-Model Verification Kernel, which runs claims through multiple LLMs and uses majority voting to identify manipulation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Insecure communications&lt;/strong&gt; are mitigated by the IATP protocol’s encryption layer.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cascading failures&lt;/strong&gt; are addressed by circuit breakers and SLO enforcement.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Human-agent trust exploitation&lt;/strong&gt; is mitigated by approval workflows with quorum logic.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Rogue agents&lt;/strong&gt; are addressed by ring isolation, behavioral trust decay, and the kill switch.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This alignment was by design, not by accident. The OS-inspired architecture creates defense in depth — multiple independent layers that each address different threat categories. No security system can guarantee absolute protection, but by layering complementary defenses, the toolkit significantly reduces the attack surface for autonomous AI agents.&lt;/p&gt;

&lt;h3&gt;
  
  
  The interoperability challenge
&lt;/h3&gt;

&lt;p&gt;A governance toolkit is only useful if it works with the frameworks people actually use. We designed the toolkit to be framework-agnostic, with adapters that interoperate with LangChain, CrewAI, Google ADK, AutoGen, LlamaIndex, and others. Each adapter hooks into the framework’s native extension points — LangChain’s callback handlers, CrewAI’s task decorators, Google ADK’s plugin system — so that adding governance does not require rewriting existing agent code.&lt;/p&gt;

&lt;p&gt;Several of these adapters are already working with production frameworks: Dify (65K+ GitHub stars) has the governance plugin in its marketplace, LlamaIndex (47K+ stars) has a TrustedAgentWorker, and proposals are active for AutoGen, CrewAI, Google ADK, and Haystack.&lt;/p&gt;

&lt;h3&gt;
  
  
  What we learned
&lt;/h3&gt;

&lt;p&gt;Building this toolkit reinforced several lessons that apply beyond agent governance:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Borrow from solved problems.&lt;/strong&gt; The OS kernel, service mesh, and SRE playbook all addressed security and reliability challenges in other domains. Translating those patterns to AI agents was more effective than inventing from scratch.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Make security the default, not an add-on.&lt;/strong&gt; The reason we built governance into the execution path (intercepting actions) rather than as an optional wrapper is that optional security tends to go unadopted. If adding governance requires changing agent code, many teams will defer it. That said, no security layer is a silver bullet — defense in depth and ongoing monitoring remain essential.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Trust is dynamic, not static.&lt;/strong&gt; A binary trusted/untrusted model doesn’t capture reality. Trust scoring with behavioral decay and ring-based privilege assignment turned out to be a much better model for systems where agents are constantly changing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Statelessness enables everything.&lt;/strong&gt; By making the kernel stateless, we got horizontal scaling, containerized deployment, and perfect auditability for free. Every decision we agonized over early in the architecture became easier once we committed to statelessness.&lt;/p&gt;

&lt;h3&gt;
  
  
  Getting started
&lt;/h3&gt;

&lt;p&gt;The Agent Governance Toolkit is now open source under the MIT license at &lt;a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer"&gt;github.com/microsoft/agent-governance-toolkit&lt;/a&gt;. You can install it with a single command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;ai-agent-compliance[full]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This installs all four packages — Agent OS, AgentMesh, Agent Runtime, and Agent SRE — with version compatibility guaranteed. Individual packages are also available for teams that want to adopt governance incrementally.&lt;/p&gt;

&lt;p&gt;The toolkit runs at sub-millisecond governance latency (&amp;lt; 0.1ms p99), so it adds negligible overhead to agent execution. It exports metrics to OpenTelemetry-compatible platforms (Datadog, Prometheus, Grafana, Arize, Langfuse), and it works with Python 3.10+.&lt;/p&gt;

&lt;p&gt;AI agents are becoming autonomous decision-makers in high-stakes domains — finance, healthcare, infrastructure, security. The question is not whether we need governance for these systems, but whether we will build it proactively, before incidents occur, or reactively, after them. We’ve chosen to be proactive. We hope you join us.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Imran Siddique is on&lt;/em&gt; &lt;a href="https://www.linkedin.com/in/imransiddique1986/" rel="noopener noreferrer"&gt;&lt;em&gt;LinkedIn&lt;/em&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Agent Governance Toolkit is open source under the MIT license. Contributions welcome at github.com/microsoft/agent-governance-toolkit.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The author used AI-assisted tools during the drafting of this article. All technical content, code examples, and architectural descriptions reflect the actual capabilities of the Agent Governance Toolkit and have been reviewed for accuracy.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>opensource</category>
      <category>artificialintelligen</category>
      <category>agentmesh</category>
      <category>aiagentgovernance</category>
    </item>
  </channel>
</rss>
