the five layers of agent governance — and where managed SaaS fits
digitalapplied's analysis of microsoft's agent governance toolkit maps the five runtime security layers: policy, identity, execution, reliability, compliance. the april 2 release claims sub-millisecond deterministic policy enforcement in production. it's the most complete open-source agent governance framework shipping right now.
here's the honest framing: the toolkit is built for teams with 20+ engineers who can run, maintain, and extend it. those teams exist at microsoft, stripe, and a handful of AI-native companies. they don't describe most of the market.
the median company deploying agents in 2026 has 2–5 engineers, some combination of cloud providers, and an august 2 deadline for EU AI Act compliance. for them, the DIY toolkit creates more surface area to maintain, not less.
the five layers are still right. the question is which layer needs to be DIY and which needs to be managed.
policy and identity are strong DIY candidates — they're company-specific by nature. your data classification policy can't be outsourced. your identity graph is yours.
the execution sandboxing layer is a good DIY candidate if you're already cloud-native. the toolkit's container isolation and network controls are generic enough to run without customization.
where managed SaaS earns its keep is the compliance layer — specifically, evidence collection, audit trail immutability, framework mapping, and report generation. this is the layer where "deployed it on my infra" and "can prove it to an auditor" are farthest apart.
61% of organizations have fragmented audit logs right now (digitalapplied's own may 2026 data). the toolkit adds a structured governance layer, but it doesn't unify existing log fragmentation across cloudwatch, datadog, and whatever the legacy team deployed in 2023.
BizSuite AI Audit sits at the compliance layer. it ingests from your existing controls — including the microsoft toolkit if you're running it — and produces the structured audit evidence that maps to EU AI Act articles 8–17, NIST AI RMF 1.1, and SOC 2. august 2 deadline, 48-hour delivery, $997 initial audit: https://getbizsuite.com/ai-audit