Forem: Kanish Tyagi The latest articles on Forem by Kanish Tyagi (@kanishtyagii). https://forem.com/kanishtyagii https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3858655%2Fbb046de4-4496-4a7f-9db5-c1187159439d.jpg Forem: Kanish Tyagi https://forem.com/kanishtyagii en Building Trust Between AI Agents — DIDs, Signatures, and Zero-Trust Mesh Kanish Tyagi Wed, 08 Apr 2026 18:39:54 +0000 https://forem.com/kanishtyagii/building-trust-between-ai-agents-dids-signatures-and-zero-trust-mesh-4m3j https://forem.com/kanishtyagii/building-trust-between-ai-agents-dids-signatures-and-zero-trust-mesh-4m3j <p>Imagine you walk into a room full of strangers. Everyone is wearing a mask. Someone hands you a document and says "sign this — it's from the CEO." How do you know it's actually from the CEO? You don't. You have no way to verify identity.</p> <p>This is the trust problem in multi-agent AI systems. And it's more serious than most teams realize.</p> <h2> Why Agents Need Identity </h2> <p>When a single AI agent operates in isolation, trust is simple — you trust it or you don't. But modern AI systems are increasingly multi-agent. A research agent delegates to a writing agent. A planning agent spawns execution sub-agents. An orchestrator coordinates dozens of specialized agents in parallel.</p> <p>In these systems, every interaction between agents is a potential attack surface.</p> <p>Consider this scenario: Agent A receives a message claiming to be from Agent B, instructing it to delete a set of records. How does Agent A verify that:</p> <ol> <li>The message actually came from Agent B</li> <li>Agent B is authorized to make that request</li> <li>Agent B hasn't been compromised and is acting within its intended scope</li> </ol> <p>Without cryptographic identity, the answer to all three is: it can't.</p> <h2> The Solution: Cryptographic Agent Identity </h2> <p>The <code>agent-governance-toolkit</code> solves this with a trust mesh — a framework where every agent has a verifiable cryptographic identity, and every inter-agent interaction is validated before execution.</p> <p>Here's how it works.</p> <h3> Ed25519 Key Pairs </h3> <p>Each agent gets an Ed25519 key pair at creation time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.identity</span> <span class="kn">import</span> <span class="n">AgentIdentity</span> <span class="c1"># Each agent gets a unique cryptographic identity </span><span class="n">identity</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">identity</span><span class="p">.</span><span class="n">did</span><span class="p">)</span> <span class="c1"># did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK </span> <span class="nf">print</span><span class="p">(</span><span class="n">identity</span><span class="p">.</span><span class="n">public_key_hex</span><span class="p">)</span> <span class="c1"># ed25519 public key </span></code></pre> </div> <p>The DID (Decentralized Identifier) is a self-describing, globally unique identifier derived from the public key. No central registry required.</p> <h3> Signed Messages </h3> <p>When Agent A sends a message to Agent B, it signs it with its private key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">message</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">from</span><span class="sh">"</span><span class="p">:</span> <span class="n">identity</span><span class="p">.</span><span class="n">did</span><span class="p">,</span> <span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">did:key:z6Mk...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">analyze_dataset</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">payload</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">dataset_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ds_001</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-04-05T10:00:00Z</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="n">signed_message</span> <span class="o">=</span> <span class="n">identity</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> <span class="c1"># Includes: message + signature + public key </span></code></pre> </div> <p>Agent B verifies the signature before acting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.identity</span> <span class="kn">import</span> <span class="n">verify_message</span> <span class="n">is_valid</span> <span class="o">=</span> <span class="nf">verify_message</span><span class="p">(</span><span class="n">signed_message</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_valid</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">SecurityError</span><span class="p">(</span><span class="sh">"</span><span class="s">Message signature invalid — rejecting</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>If the message was tampered with in transit, the signature check fails. The action is rejected before execution.</p> <h2> Trust Scoring: Agents Earn and Lose Trust </h2> <p>Identity verification tells you <em>who</em> sent a message. Trust scoring tells you <em>whether to act on it</em>.</p> <p>The toolkit maintains a trust score (0-1000) for each agent in the mesh:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.trust</span> <span class="kn">import</span> <span class="n">TrustEngine</span> <span class="n">trust</span> <span class="o">=</span> <span class="nc">TrustEngine</span><span class="p">()</span> <span class="c1"># New agent starts with baseline trust </span><span class="n">score</span> <span class="o">=</span> <span class="n">trust</span><span class="p">.</span><span class="nf">get_score</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">score</span><span class="p">)</span> <span class="c1"># 500 (baseline) </span> <span class="c1"># Trust increases with successful verified interactions </span><span class="n">trust</span><span class="p">.</span><span class="nf">record_success</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="n">score</span> <span class="o">=</span> <span class="n">trust</span><span class="p">.</span><span class="nf">get_score</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">score</span><span class="p">)</span> <span class="c1"># 510 </span> <span class="c1"># Trust decreases with policy violations </span><span class="n">trust</span><span class="p">.</span><span class="nf">record_violation</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">,</span> <span class="n">severity</span><span class="o">=</span><span class="sh">"</span><span class="s">high</span><span class="sh">"</span><span class="p">)</span> <span class="n">score</span> <span class="o">=</span> <span class="n">trust</span><span class="p">.</span><span class="nf">get_score</span><span class="p">(</span><span class="sh">"</span><span class="s">research-agent-001</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">score</span><span class="p">)</span> <span class="c1"># 460 </span></code></pre> </div> <p>Agents with low trust scores get restricted automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.trust</span> <span class="kn">import</span> <span class="n">TrustPolicy</span> <span class="n">policy</span> <span class="o">=</span> <span class="nc">TrustPolicy</span><span class="p">(</span> <span class="n">minimum_score</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="c1"># below this, agent is quarantined </span> <span class="n">require_human_approval</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="c1"># below this, human must approve actions </span> <span class="n">full_autonomy</span><span class="o">=</span><span class="mi">800</span><span class="p">,</span> <span class="c1"># above this, agent operates freely </span><span class="p">)</span> </code></pre> </div> <p>This is how the system handles compromised agents gracefully. An agent that starts behaving badly loses trust, gets restricted, and eventually gets quarantined — automatically, without human intervention.</p> <h2> Delegation Chains: Limited Capability Grants </h2> <p>In multi-agent systems, parent agents often spawn child agents to handle subtasks. The challenge: how do you give a child agent enough capability to do its job without giving it unlimited power?</p> <p>The answer is delegation chains — cryptographically signed capability grants with explicit limits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.delegation</span> <span class="kn">import</span> <span class="n">DelegationChain</span> <span class="c1"># Parent agent creates a limited delegation for child </span><span class="n">delegation</span> <span class="o">=</span> <span class="n">DelegationChain</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">parent_identity</span><span class="o">=</span><span class="n">orchestrator_identity</span><span class="p">,</span> <span class="n">child_did</span><span class="o">=</span><span class="sh">"</span><span class="s">did:key:z6Mk...</span><span class="sh">"</span><span class="p">,</span> <span class="n">granted_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># subset of parent's capabilities </span> <span class="n">excluded_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">delete_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_depth</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="c1"># child cannot further delegate more than 2 levels </span> <span class="n">expires_in_seconds</span><span class="o">=</span><span class="mi">300</span><span class="p">,</span> <span class="c1"># delegation expires in 5 minutes </span><span class="p">)</span> </code></pre> </div> <p>The child agent presents this delegation when making requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Child agent acts with delegated authority </span><span class="n">result</span> <span class="o">=</span> <span class="n">child_agent</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">action</span><span class="o">=</span><span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">/data/analysis.csv</span><span class="sh">"</span><span class="p">},</span> <span class="n">delegation</span><span class="o">=</span><span class="n">delegation</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>The toolkit verifies the entire delegation chain before execution:</p> <ul> <li>Is the delegation cryptographically valid?</li> <li>Is the requested capability within the granted scope?</li> <li>Has the delegation expired?</li> <li>Is the delegation depth within limits?</li> </ul> <p>If any check fails, the action is rejected. A compromised child agent cannot exceed the capabilities its parent explicitly granted.</p> <h2> A Practical Example: 3 Agents Collaborating </h2> <p>Here's how trust verification plays out in a real multi-agent workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.identity</span> <span class="kn">import</span> <span class="n">AgentIdentity</span> <span class="kn">from</span> <span class="n">agent_os.trust</span> <span class="kn">import</span> <span class="n">TrustEngine</span> <span class="kn">from</span> <span class="n">agent_os.delegation</span> <span class="kn">import</span> <span class="n">DelegationChain</span> <span class="c1"># Agent 1: Orchestrator (high trust, broad capabilities) </span><span class="n">orchestrator</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Agent 2: Researcher (medium trust, search only) </span><span class="n">researcher</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Agent 3: Writer (medium trust, write only) </span><span class="n">writer</span> <span class="o">=</span> <span class="n">AgentIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write_file</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">trust</span> <span class="o">=</span> <span class="nc">TrustEngine</span><span class="p">()</span> <span class="n">trust</span><span class="p">.</span><span class="nf">set_score</span><span class="p">(</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="mi">900</span><span class="p">)</span> <span class="n">trust</span><span class="p">.</span><span class="nf">set_score</span><span class="p">(</span><span class="sh">"</span><span class="s">researcher</span><span class="sh">"</span><span class="p">,</span> <span class="mi">700</span><span class="p">)</span> <span class="n">trust</span><span class="p">.</span><span class="nf">set_score</span><span class="p">(</span><span class="sh">"</span><span class="s">writer</span><span class="sh">"</span><span class="p">,</span> <span class="mi">700</span><span class="p">)</span> <span class="c1"># Orchestrator delegates research task to researcher </span><span class="n">research_delegation</span> <span class="o">=</span> <span class="n">DelegationChain</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">parent_identity</span><span class="o">=</span><span class="n">orchestrator</span><span class="p">,</span> <span class="n">child_did</span><span class="o">=</span><span class="n">researcher</span><span class="p">.</span><span class="n">did</span><span class="p">,</span> <span class="n">granted_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_depth</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">expires_in_seconds</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Researcher executes with verified delegation # Toolkit checks: valid signature + sufficient trust + within capability scope </span><span class="n">result</span> <span class="o">=</span> <span class="n">researcher</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">action</span><span class="o">=</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="n">query</span><span class="o">=</span><span class="sh">"</span><span class="s">latest AI governance frameworks</span><span class="sh">"</span><span class="p">,</span> <span class="n">delegation</span><span class="o">=</span><span class="n">research_delegation</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Orchestrator delegates writing task to writer </span><span class="n">write_delegation</span> <span class="o">=</span> <span class="n">DelegationChain</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">parent_identity</span><span class="o">=</span><span class="n">orchestrator</span><span class="p">,</span> <span class="n">child_did</span><span class="o">=</span><span class="n">writer</span><span class="p">.</span><span class="n">did</span><span class="p">,</span> <span class="n">granted_capabilities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">write_file</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_depth</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">expires_in_seconds</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Writer cannot exceed delegated scope # This would be rejected — send_email not in delegation </span><span class="n">writer</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">action</span><span class="o">=</span><span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">,</span> <span class="n">delegation</span><span class="o">=</span><span class="n">write_delegation</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># SecurityError: capability 'send_email' not in delegation scope </span></code></pre> </div> <p>Every interaction is verified. Every capability grant is explicit and time-limited. No agent can exceed what it was explicitly authorized to do.</p> <h2> Comparison With Human Trust Models </h2> <p>The cryptographic trust model mirrors how humans establish trust in high-stakes environments:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Human World</th> <th>Agent Mesh</th> </tr> </thead> <tbody> <tr> <td>Government-issued ID</td> <td>Ed25519 key pair + DID</td> </tr> <tr> <td>Signed contract</td> <td>Signed message</td> </tr> <tr> <td>Professional reputation</td> <td>Trust score</td> </tr> <tr> <td>Power of attorney</td> <td>Delegation chain</td> </tr> <tr> <td>Expiry date on credentials</td> <td>TTL on delegations</td> </tr> <tr> <td>Revocation list</td> <td>Trust score below threshold</td> </tr> </tbody> </table></div> <p>The difference: human trust systems have gaps. IDs can be forged. Signatures can be disputed. Reputation takes months to establish. The cryptographic model is mathematically verifiable — either the signature is valid or it isn't. Either the capability was granted or it wasn't.</p> <h2> Why This Matters for Production Systems </h2> <p>Most teams building multi-agent systems today are operating on implicit trust — agents interact freely, permissions are not enforced, and there's no audit trail of inter-agent communication.</p> <p>This works fine in development. It becomes a serious problem in production, where:</p> <ul> <li>Agents interact at scale across organizational boundaries</li> <li>Compromised agents can propagate bad behavior to other agents</li> <li>Regulatory requirements demand audit trails of automated decisions</li> <li>A single rogue agent in a mesh can corrupt the entire workflow</li> </ul> <p>The zero-trust mesh approach — verify every identity, validate every capability, audit every interaction — is how you build multi-agent systems that are safe to run in production.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>Full source code and documentation:<br> 👉 <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> agents ai security systemdesign I Added Governance to My AI Agent in 30 Minutes — Here's How Kanish Tyagi Wed, 08 Apr 2026 18:33:51 +0000 https://forem.com/kanishtyagii/i-added-governance-to-my-ai-agent-in-30-minutes-heres-how-54k6 https://forem.com/kanishtyagii/i-added-governance-to-my-ai-agent-in-30-minutes-heres-how-54k6 <p>A few weeks ago I was building a LangChain agent and realized I had no idea what it was actually doing. It could call any tool, write anything to memory, make unlimited API calls. It was essentially unsupervised.</p> <p>Then I found Microsoft's <code>agent-governance-toolkit</code>. I added governance to my agent in about 30 minutes. Here's exactly how.</p> <h2> What We're Building </h2> <p>A LangChain agent that:</p> <ul> <li>Can only use approved tools</li> <li>Blocks dangerous patterns (SQL injection, destructive commands, PII)</li> <li>Logs every action for audit</li> <li>Stops itself when it hits a call budget</li> </ul> <p>No rewrites. Just a governance wrapper around your existing agent.</p> <h2> Step 1: Install (2 minutes) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>Verify it works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>agent-governance verify </code></pre> </div> <p>You should see a green checkmark. You're ready.</p> <h2> Step 2: Your First Policy (5 minutes) </h2> <p>Before governance, your agent looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.chat_models</span> <span class="kn">import</span> <span class="n">ChatOpenAI</span> <span class="kn">from</span> <span class="n">langchain.agents</span> <span class="kn">import</span> <span class="n">initialize_agent</span><span class="p">,</span> <span class="n">AgentType</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">ChatOpenAI</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">)</span> <span class="n">agent</span> <span class="o">=</span> <span class="nf">initialize_agent</span><span class="p">(</span><span class="n">tools</span><span class="p">,</span> <span class="n">llm</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">AgentType</span><span class="p">.</span><span class="n">ZERO_SHOT_REACT_DESCRIPTION</span><span class="p">)</span> <span class="c1"># No limits. No logging. No audit trail. </span><span class="n">agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="sh">"</span><span class="s">Do whatever the user asks</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>After governance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.chat_models</span> <span class="kn">import</span> <span class="n">ChatOpenAI</span> <span class="kn">from</span> <span class="n">langchain.agents</span> <span class="kn">import</span> <span class="n">initialize_agent</span><span class="p">,</span> <span class="n">AgentType</span> <span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">ChatOpenAI</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">)</span> <span class="n">base_agent</span> <span class="o">=</span> <span class="nf">initialize_agent</span><span class="p">(</span><span class="n">tools</span><span class="p">,</span> <span class="n">llm</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">AgentType</span><span class="p">.</span><span class="n">ZERO_SHOT_REACT_DESCRIPTION</span><span class="p">)</span> <span class="c1"># Define what your agent is allowed to do </span><span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">my-first-policy</span><span class="sh">"</span><span class="p">,</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">log_all_calls</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Wrap your existing agent — no rewrite needed </span><span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed_agent</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">base_agent</span><span class="p">)</span> <span class="c1"># Same interface, now governed </span><span class="n">governed_agent</span><span class="p">.</span><span class="nf">invoke</span><span class="p">({</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Help me analyze this dataset</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <p>That's it. Your agent now has a policy layer.</p> <h2> Step 3: Add Tool Restrictions (5 minutes) </h2> <p>You probably don't want your agent to be able to delete files or execute arbitrary shell commands. Add an allowlist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">restricted-policy</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Only these tools are allowed </span> <span class="n">allowed_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send_email</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># These are always blocked regardless </span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># destructive shell </span> <span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># SQL injection </span> <span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># SSN pattern </span> <span class="sa">r</span><span class="sh">"</span><span class="s">password\s*[:=]</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># credential leak </span> <span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># This gets blocked before reaching the LLM </span><span class="n">allowed</span><span class="p">,</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">pre_execute</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="sh">"</span><span class="s">Execute: DROP TABLE users</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">allowed</span><span class="p">)</span> <span class="c1"># False </span><span class="nf">print</span><span class="p">(</span><span class="n">reason</span><span class="p">)</span> <span class="c1"># "Blocked pattern 'DROP TABLE' detected" </span> <span class="c1"># This passes through </span><span class="n">allowed</span><span class="p">,</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">pre_execute</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="sh">"</span><span class="s">Search for recent AI papers</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">allowed</span><span class="p">)</span> <span class="c1"># True </span></code></pre> </div> <p>The rejection happens at the code layer — the model never sees the blocked input.</p> <h2> Step 4: Add Audit Logging (5 minutes) </h2> <p>Every action your agent takes is now logged automatically when <code>log_all_calls=True</code>. But you can also inspect the audit trail directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="n">audit_log</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">on_action</span><span class="p">(</span><span class="n">event</span><span class="p">):</span> <span class="n">audit_log</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">),</span> <span class="p">})</span> <span class="c1"># Check what happened </span><span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">audit_log</span><span class="p">:</span> <span class="n">status</span> <span class="o">=</span> <span class="sh">"</span><span class="s">✅ ALLOWED</span><span class="sh">"</span> <span class="k">if</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">]</span> <span class="k">else</span> <span class="sh">"</span><span class="s">🚫 BLOCKED</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">entry</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> — </span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">entry</span><span class="p">[</span><span class="sh">'</span><span class="s">input</span><span class="sh">'</span><span class="p">][</span><span class="si">:</span><span class="mi">50</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>In production, this goes to your observability stack. During development, it tells you exactly what your agent tried to do.</p> <h2> Step 5: Run the OWASP Compliance Check (3 minutes) </h2> <p>The toolkit includes a built-in compliance checker against the OWASP Agentic Top 10:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>agent-governance verify <span class="nt">--badge</span> </code></pre> </div> <p>This checks your configuration against known attack vectors:</p> <ul> <li>Prompt injection resistance</li> <li>Tool poisoning detection </li> <li>Data exfiltration patterns</li> <li>Privilege escalation blocks</li> </ul> <p>You get a pass/fail report with specific recommendations.</p> <h2> Before vs After </h2> <p>Here's what changed in 30 minutes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Tool calls</td> <td>Unlimited</td> <td>Max 10 per session</td> </tr> <tr> <td>Dangerous inputs</td> <td>Passed to LLM</td> <td>Blocked before LLM</td> </tr> <tr> <td>PII handling</td> <td>Unvalidated</td> <td>Checked on every write</td> </tr> <tr> <td>Audit trail</td> <td>None</td> <td>Every action logged</td> </tr> <tr> <td>OWASP compliance</td> <td>Unknown</td> <td>Verified</td> </tr> <tr> <td>Performance overhead</td> <td>—</td> <td>&lt;0.1ms per action check</td> </tr> </tbody> </table></div> <p>The last point matters: governance doesn't slow your agent down in any meaningful way. The policy checks are in-process Python, not network calls.</p> <h2> What I Learned Contributing to This Repo </h2> <p>I spent the past week contributing code to this toolkit — fixing bugs, adding docstrings, building Colab notebooks. Here's what surprised me:</p> <p><strong>The attack surface is bigger than you think.</strong> I saw how MCP tool poisoning works, how PII leaks into memory writes, how delegation chains can be exploited. None of these are theoretical. They're patterns security researchers are actively demonstrating.</p> <p><strong>Wrapping is better than rewriting.</strong> The governance layer wraps your existing agent. You don't throw away your prompts or your framework. You add a code layer underneath them. That's the right architecture.</p> <p><strong>Auditability is the real value.</strong> The blocked requests matter less than the audit trail. Knowing what your agent <em>tried</em> to do — even when it was allowed — is how you understand and improve agent behavior in production.</p> <h2> Try It Yourself </h2> <p>The full toolkit is open source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>There are also interactive Colab notebooks (which I built!) that let you explore policy enforcement, MCP security scanning, and multi-agent governance without any local setup:</p> <p>👉 <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <p>The quickstart takes 10 minutes. The governance layer takes 5 more.</p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> ai python tutorial opensource Policy-as-Code vs Prompt Engineering — When Guardrails Need Governance Kanish Tyagi Sun, 05 Apr 2026 12:20:44 +0000 https://forem.com/kanishtyagii/policy-as-code-vs-prompt-engineering-when-guardrails-need-governance-23pi https://forem.com/kanishtyagii/policy-as-code-vs-prompt-engineering-when-guardrails-need-governance-23pi <p>I've been contributing to Microsoft's <code>agent-governance-toolkit</code> for the past few weeks — fixing bugs, writing docstrings, building Colab notebooks. And the more I dug into the codebase, the more one question kept coming up: <em>why can't you just use a well-crafted system prompt to keep your agent safe?</em></p> <p>The short answer: you can. Until you can't.</p> <h2> The Prompt Engineering Approach </h2> <p>Prompt-level guardrails look like this:</p> <blockquote> <p>"You are a helpful assistant. Never recommend illegal activities. Never share personal user data. Always stay within budget constraints."</p> </blockquote> <p>This works remarkably well — right up until it doesn't. The problem is structural: your guardrail lives inside the model's context window, which means it's subject to the same probabilistic reasoning as everything else the model does.</p> <p>Three things consistently break prompt-only guardrails:</p> <p><strong>Jailbreak attacks.</strong> Users have discovered that framing requests differently — roleplay scenarios, "hypothetical" framings, multi-step manipulations — can cause models to comply with things they were explicitly told not to do. This isn't a bug in the model. It's a feature of how language models work. They follow the most compelling framing of the current context.</p> <p><strong>Context window exhaustion.</strong> A long conversation eventually pushes your system prompt out of the context window. Your "never exceed budget" guardrail disappears after message 40. The model doesn't know what it forgot.</p> <p><strong>Model dependency.</strong> A guardrail tuned for GPT-4 behaves differently on Claude, which behaves differently on Llama. Every model swap means re-testing every prompt. At scale, that's not sustainable.</p> <h2> The Policy-as-Code Approach </h2> <p>Policy-as-code doesn't ask the model to follow rules. It enforces rules in code, before and after the model is ever called.</p> <p>Here's what that looks like with the agent-governance-toolkit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">require_human_approval</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed_agent</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">my_chain</span><span class="p">)</span> </code></pre> </div> <p>Every call to <code>governed_agent.invoke()</code> now goes through a policy check <em>before</em> it reaches the model. If the input matches a blocked pattern — SQL injection, destructive command, SSN pattern — the call is rejected. The model never sees it.</p> <p>This is a fundamentally different architecture. The guardrail isn't in the model's context. It's in your infrastructure.</p> <h2> Where Each Approach Fails </h2> <p>Neither approach is complete on its own.</p> <p><strong>Where prompt engineering fails:</strong></p> <ul> <li>Adversarial users who iterate on jailbreaks</li> <li>Long-running agents where context window limits apply</li> <li>Multi-model deployments where you can't tune per model</li> <li>Compliance scenarios where you need an audit trail</li> </ul> <p><strong>Where policy-as-code falls short:</strong></p> <ul> <li>Creative tasks where rules can't capture nuance</li> <li>Behavioral style (tone, personality, format)</li> <li>Rapid iteration — changing a policy requires a code deploy</li> <li>User experience — prompts understand context, rules do not</li> </ul> <p>A guardrail that says <code>blocked_patterns=["inappropriate content"]</code> can't capture the infinite ways "inappropriate" manifests in natural language. A prompt can. But a prompt can't guarantee that a rule is never violated. Code can.</p> <h2> Real Example: PII in Memory Writes </h2> <p>Here's a concrete failure mode I saw while contributing to this toolkit.</p> <p>An agent with memory capabilities might inadvertently write a user's SSN into its long-term memory during a conversation about financial planning. A prompt guardrail saying "never store sensitive data" relies on the model recognizing what counts as sensitive — and recognizing it every single time, across thousands of conversations.</p> <p>The toolkit handles this differently. Memory writes are intercepted at the code layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">_PII_PATTERNS</span> <span class="o">=</span> <span class="p">[</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># SSN </span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># email </span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">\b(?:password|secret|token)\s*[:=]\s*\S+</span><span class="sh">"</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">IGNORECASE</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <p>Before anything is written to memory, it's checked against these patterns. If a match is found, the write is blocked and a <code>PolicyViolationError</code> is raised. The model's cooperation is irrelevant — the rule is enforced in code.</p> <h2> The Layered Model That Actually Works </h2> <p>The right answer isn't "choose one." It's to use both at the right layer.</p> <p><strong>Use policy-as-code for:</strong></p> <ul> <li>Hard constraints that must never be violated (safety, compliance, budget)</li> <li>Anything that needs an audit trail</li> <li>Rules that apply regardless of model behavior</li> <li>Security boundaries (tool allowlists, blocked patterns, call budgets)</li> </ul> <p><strong>Use prompt engineering for:</strong></p> <ul> <li>Behavioral style and tone</li> <li>Output formatting</li> <li>Persona and creative direction</li> <li>User experience nuances</li> </ul> <p><strong>Use human-in-the-loop for:</strong></p> <ul> <li>High-stakes decisions that exceed both layers</li> <li>Ambiguous cases the policy engine flags as uncertain</li> <li>Exception handling with accountability</li> </ul> <p>Think of it as defense in depth. Prompts guide behavior. Policies enforce limits. Humans handle edge cases. No single layer carries all the weight.</p> <h2> A Concrete Starting Point </h2> <p>If you're building agents today without a policy layer, here's the minimum viable governance setup using the toolkit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="c1"># Start with just these three </span><span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># safety </span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="c1"># budget </span> <span class="n">log_all_calls</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># audit trail </span><span class="p">)</span> <span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">your_existing_agent</span><span class="p">)</span> </code></pre> </div> <p>You don't need to rewrite your agent. You wrap it. Your existing prompts stay. You've added a code-layer enforcement layer underneath them.</p> <h2> The Bigger Picture </h2> <p>The shift from prompt-only to policy + prompt is the maturation of agent governance. It's the difference between "I hope my agent behaves" and "I can prove my agent behaves."</p> <p>Prompt engineering got us to where we are. It's powerful and flexible and necessary. But as agents move into production — taking real actions, handling real data, running autonomously at scale — "I told it not to" is no longer sufficient as a governance strategy.</p> <p>Policy-as-code is how you make agent behavior auditable, testable, and enforceable. Not instead of good prompts. On top of them.</p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington, open source contributor to Microsoft's agent-governance-toolkit. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> <p><em>Source code and docs: <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></em></p> ai opensource security machinelearning Why AI Agent Governance Matters in 2026 Kanish Tyagi Fri, 03 Apr 2026 03:53:48 +0000 https://forem.com/kanishtyagii/why-ai-agent-governance-matters-in-2026-4mnk https://forem.com/kanishtyagii/why-ai-agent-governance-matters-in-2026-4mnk <p>A few weeks ago I was browsing GitHub looking for open source projects to contribute to. I stumbled on Microsoft's <code>agent-governance-toolkit</code> and decided to dig in. What I found surprised me — not because the code was impressive (it was), but because the <em>problem</em> it solved was one I hadn't thought seriously about before.</p> <p>We talk a lot about building AI agents. We don't talk nearly enough about what happens when they go wrong.</p> <h2> The Rise of Autonomous AI Agents </h2> <p>In 2026, AI agents aren't a research curiosity anymore. They're running in production. Companies are deploying agents that browse the web, write and execute code, query databases, send emails, and call external APIs — all without a human in the loop for each step.</p> <p>This is genuinely powerful. An agent that can autonomously research, analyze, and act can compress hours of work into minutes. But there's a problem that comes with that power that most teams are only starting to reckon with: <strong>an agent that can do anything, will eventually do the wrong thing.</strong></p> <p>Not out of malice. Out of ambiguity, edge cases, and the fundamental unpredictability of systems built on probabilistic models.</p> <h2> What Can Go Wrong — And Does </h2> <p>Let me give you concrete examples from patterns I saw while contributing to this toolkit.</p> <p><strong>Data exfiltration via MCP tool poisoning.</strong> MCP (Model Context Protocol) is a standard for giving agents access to tools. What most teams don't realize is that an attacker can embed hidden instructions directly in a tool's description. The agent reads the description, interprets it as instructions, and suddenly a "read file" tool is quietly sending your data to an external endpoint. The attack is invisible at the UI level. It lives in the metadata.</p> <p><strong>Runaway tool calls.</strong> An agent that's allowed to call tools indefinitely will sometimes loop. A bug in the task framing, an ambiguous goal, or an unexpected API response can send an agent into a cycle that burns through API credits, hits rate limits, or worse — makes irreversible changes at scale.</p> <p><strong>PII in memory writes.</strong> Agents with memory capabilities can inadvertently store sensitive user data — SSNs, emails, API keys embedded in text — in their long-term memory. Without validation at the write layer, that data persists and propagates.</p> <p><strong>Prompt injection across delegation chains.</strong> When agents spawn sub-agents (which is increasingly common in multi-agent architectures), each handoff is an attack surface. A malicious instruction injected early in a chain can propagate through multiple agents before anyone realizes something is wrong.</p> <p>These aren't theoretical. Security researchers are actively demonstrating all of these attack patterns in the wild right now.</p> <h2> What Governance Actually Means </h2> <p>"Governance" is one of those words that sounds bureaucratic until you see what the absence of it costs.</p> <p>In practical terms, governance for AI agents means three things:</p> <p><strong>1. Policy enforcement before execution.</strong> Every tool call, every action an agent wants to take, gets checked against a set of rules <em>before</em> it happens. Not after. Not logged for review later. Before. If the action matches a blocked pattern — a SQL injection attempt, a destructive shell command, a PII pattern — it's stopped. The agent gets a policy violation error. The action doesn't execute.</p> <p><strong>2. Audit logging you can actually use.</strong> Every action an agent takes, whether allowed or blocked, gets recorded with enough context to understand what happened. Not just "agent called tool X" but which agent, which context, what the input was, what the policy decision was, and why.</p> <p><strong>3. Budget and circuit breaker enforcement.</strong> Agents need hard limits — on the number of tool calls per session, on the delegation depth between agents, on execution time. When those limits are hit, the agent stops. Not degrades gracefully. Stops.</p> <h2> How agent-governance-toolkit Implements This </h2> <p>This is where it gets concrete. The toolkit wraps your existing agent frameworks — LangChain, CrewAI, AutoGen, PydanticAI, smolagents, Google ADK — with a governance layer that sits between your agent and the outside world.</p> <p>You define a policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations.base</span> <span class="kn">import</span> <span class="n">GovernancePolicy</span> <span class="n">policy</span> <span class="o">=</span> <span class="nc">GovernancePolicy</span><span class="p">(</span> <span class="n">blocked_patterns</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP TABLE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sa">r</span><span class="sh">"</span><span class="s">\b\d{3}-\d{2}-\d{4}\b</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_tool_calls</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">require_human_approval</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Then you wrap your agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agent_os.integrations</span> <span class="kn">import</span> <span class="n">LangChainKernel</span> <span class="n">kernel</span> <span class="o">=</span> <span class="nc">LangChainKernel</span><span class="p">(</span><span class="n">policy</span><span class="o">=</span><span class="n">policy</span><span class="p">)</span> <span class="n">governed_agent</span> <span class="o">=</span> <span class="n">kernel</span><span class="p">.</span><span class="nf">wrap</span><span class="p">(</span><span class="n">my_langchain_chain</span><span class="p">)</span> </code></pre> </div> <p>Every call to <code>governed_agent.invoke()</code> now goes through a pre-execution check. If the input matches a blocked pattern, the call is rejected before reaching the LLM or any external service. If the agent has exceeded its tool call budget, the call is rejected. If the output contains something problematic, the post-execution check catches it.</p> <p>The interception happens at multiple levels. Deep hooks intercept individual tool calls within the agent, memory writes are validated for PII before they're saved, and delegation chains between sub-agents are tracked and depth-limited.</p> <p>For MCP specifically, the toolkit includes a security scanner that checks tool definitions for poisoning patterns — hidden instructions, exfiltration attempts, privilege escalation, role overrides — before those tools are registered with the agent.</p> <h2> Key Concepts Worth Understanding </h2> <p><strong>The trust mesh.</strong> In a multi-agent system, trust isn't binary. Different agents should have different permission levels based on their role, their source, and the context they're operating in. The toolkit models this through trust cards and identity verification — each agent has a verifiable identity, and policies can be scoped to specific agents or roles.</p> <p><strong>Policy as code.</strong> Governance policies are defined as YAML files that can be version-controlled, reviewed, and deployed like any other configuration. They have a schema, they can be validated before deployment (<code>agentos policy validate</code>), and they can be diffed between versions. You don't want to be manually updating code every time a new blocked pattern needs to be added.</p> <p><strong>SLOs for agents.</strong> Just like you set service level objectives for APIs and infrastructure, you can set them for agents. Error rate thresholds, latency limits, availability targets. When an agent breaches its SLO, a circuit breaker trips and the agent is taken out of service. This prevents a degraded agent from silently producing bad outputs at scale.</p> <p><strong>Audit logging as a first-class concern.</strong> Every governance decision — allow or block — is recorded with full context. This isn't just for debugging. It's for compliance, incident response, and understanding actual agent behavior in production over time.</p> <h2> Why This Matters Now </h2> <p>The timing matters. We're at an inflection point.</p> <p>Most teams deploying AI agents today are doing so without any governance layer. They're moving fast, the agents are working well enough in testing, and governance feels like a problem for later. But "later" in AI agent deployments often means "after the first serious incident."</p> <p>The cost of retrofitting governance onto an existing agent system is much higher than building it in from the start. The audit trail doesn't exist yet, the policy boundaries haven't been defined, and the agents have already been granted permissions that are difficult to revoke without breaking workflows.</p> <p>This isn't just a security problem either. It's a reliability problem and a trust problem. If your agents take actions that users or customers didn't expect and can't explain, trust in the system erodes quickly. Governance is what makes agent behavior predictable and explainable — not just safe.</p> <h2> Getting Started </h2> <p>The quickstart takes about 10 minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agent-governance-toolkit[full] </code></pre> </div> <p>There are also three interactive Google Colab notebooks that let you explore the toolkit without setting anything up locally:</p> <ul> <li> <strong>Policy Enforcement 101</strong> — define a policy, see violations blocked in real time</li> <li> <strong>MCP Security Proxy</strong> — scan tool definitions for poisoning patterns</li> <li> <strong>Multi-Agent Governance</strong> — SLOs, circuit breakers, chaos testing</li> </ul> <p>Full source code and docs: <a href="https://github.com/microsoft/agent-governance-toolkit" rel="noopener noreferrer">github.com/microsoft/agent-governance-toolkit</a></p> <h2> A Note From a Contributor </h2> <p>I came to this project as someone who builds ML models and data pipelines — not a security engineer. But contributing to this codebase changed how I think about agent design. The attack surfaces are real, the failure modes are unintuitive, and the tooling to address them is still early.</p> <p>If you're building agents in production, governance isn't optional. It's the difference between a system you can operate confidently and one you're constantly firefighting.</p> <p><em>I'm Kanish Tyagi — MS Data Science student at UT Arlington and open source contributor. Find me on <a href="https://github.com/kanish5" rel="noopener noreferrer">GitHub</a> and <a href="https://www.linkedin.com/in/kanishtyagi123/" rel="noopener noreferrer">LinkedIn</a>.</em></p> ai opensource security machinelearning