microsoft shipped the open-source agent governance toolkit. here's what it doesn't cover
on may 18 microsoft released agent-governance-toolkit v3.7.0 — open-source runtime security for autonomous agents. YAML policy enforcement, zero-trust identity, OWASP Agentic Top 10, EU AI Act mapping. if you're running agents in production, you've probably already cloned it.
it's a genuinely good foundation. but there's a gap between "toolkit that runs on your infra" and "audit evidence your compliance team can submit on august 2."
here's the thing: the EU AI Act Chapter V enforcement window opens august 2, 2026 — 66 days from today. GPAI model providers face fines up to EUR 35M or 7% of global turnover. the regulation doesn't ask you to have a governance toolkit. it asks you to have documented risk management, data governance, an audit trail, and human oversight — with evidence you can hand to an auditor.
the microsoft toolkit handles the runtime security layer. what it doesn't ship is the evidence collection and reporting layer. YAML policies on your own infra are hard to surface in an audit: you need structured logs, immutable trails, and a way to generate a compliance report that maps your controls to EU AI Act articles 8–17, 26, 27, and 73.
the 61% figure from digitalapplied's may analysis lands here: 61% of organizations have fragmented audit logs across five frameworks. the toolkit doesn't fix fragmentation — it adds another log source.
there are three things you need to close the gap before august 2:
1. centralized evidence collection: every agent decision — inputs, outputs, tool calls, escalations — needs to live in a single immutable store, not scattered across cloudwatch and local YAML. 6-month minimum retention is the floor for NIST AI RMF 1.1 and EU AI Act compliance.
2. framework-level mapping: your compliance team needs to see which agent actions map to which regulation article. "policy enforcement passed" in a YAML log is not the same as "Article 13 transparency obligation satisfied."
3. human oversight documentation: the regulation requires documented intervention points — not just that you can intervene, but that you did, and when, and why. this is the part that trips teams that focus only on technical controls.
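the evidence trail described in the three points above, as an added example (not code from microsoft's toolkit or from BizSuite): a hash-chained log in python that records agent decisions and human interventions and reports the first record that was edited or removed. the record fields, function names, article tag and sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
KINDS = {"input", "output", "tool_call", "escalation", "human_intervention"}

def _digest(body):
    # canonical JSON so the same record always hashes the same way
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def append_record(trail, kind, agent, ts, detail, article=None):
    """Append one evidence record, chained to the previous record's hash."""
    if kind not in KINDS:
        raise ValueError(f"unknown record kind: {kind}")
    # oversight evidence must say who intervened and why; ts carries the when
    if kind == "human_intervention" and not {"who", "why"} <= detail.keys():
        raise ValueError("human_intervention needs who and why")
    body = {"seq": len(trail), "prev": trail[-1]["hash"] if trail else GENESIS,
            "kind": kind, "agent": agent, "ts": ts, "detail": detail,
            "article": article}  # tag assigned by your own compliance mapping
    record = dict(body, hash=_digest(body))
    trail.append(record)
    return record

def verify_trail(trail):
    """Return the index of the first broken record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def build_sample_trail():
    # constructed sample events, not real agent logs
    t, a = [], "billing-agent"
    append_record(t, "input", a, "2026-05-28T09:00:00Z", {"prompt": "refund order 1182"})
    append_record(t, "tool_call", a, "2026-05-28T09:00:02Z", {"tool": "refund", "amount_eur": 420})
    append_record(t, "escalation", a, "2026-05-28T09:00:03Z", {"reason": "amount over limit"})
    append_record(t, "human_intervention", a, "2026-05-28T09:04:10Z",
                  {"who": "j.doe", "why": "refund exceeds policy, denied"},
                  article="Article 14")  # sample tag, an assumption
    return t

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail) is None)
    trail[1]["detail"]["amount_eur"] = 42  # simulate an after-the-fact edit
    print("first broken record:", verify_trail(trail))
```

the chain makes edits and deletions detectable, it does not prevent them: keep the latest hash somewhere the log writer cannot rewrite, so a fully regenerated chain is also caught.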
i built BizSuite AI Audit to cover exactly this layer — the managed compliance platform that sits above your existing runtime controls, including the microsoft toolkit if you're running it. it ingests agent logs, maps them to EU AI Act and NIST RMF, and generates the audit report.
48-hour delivery on the initial audit, $997. if you're shipping agents that touch EU users or are running GPAI models, august 2 is real: https://getbizsuite.com/ai-audit