Microsoft open-sources RAMPART and Clarity

Microsoft on May 20 released two open-source tools aimed at a problem many companies are only starting to confront: how to make AI agents safer before they are put into real workflows. The tools, called RAMPART and Clarity, are built for systems that do more than answer questions — agents that can read email, pull CRM records, write code, run code and take actions across connected software. Microsoft said the goal is to make safety part of day-to-day engineering work, not a final review step. The announcement came through the Microsoft Security Blog and was framed as part of the company’s broader push to secure “agentic” AI systems. ### Why is Microsoft talking about agent safety now? Microsoft said enterprise AI systems have changed materially in the past two years, moving from chat-style assistants to agents that can access business systems and act on a user’s behalf. In the company’s description, that wider access raises the stakes because mistakes are no longer limited to bad text output; they can involve data access, software actions and external tool use. (microsoft.com) Ram Shankar Siva Kumar, identified in the post as “Data Cowboy, AI Red Team,” wrote that Microsoft built the tools because “AI safety has to become a continuous engineering discipline rather than a periodic checkpoint.” That framing puts the emphasis on testing and operational controls around agents, rather than relying only on model-level fixes. (microsoft.com) ### What exactly is RAMPART? RAMPART is short for Risk Assessment and Measurement Platform for Agentic Red Teaming, according to Microsoft and The Hacker News. Microsoft described it as an open-source testing framework that brings red-teaming techniques into the development workflow, while The Hacker News said it is Pytest-native and is designed for writing and running safety and security tests for AI agents. (microsoft.com) Microsoft said RAMPART is built on top of PyRIT, the company’s existing open automation framework for red teaming generative AI systems. The company said that lets developers use prebuilt adversarial tests while also integrating safety checks into ordinary software testing practice. ### What does Clarity do that RAMPART does not? (microsoft.com) Clarity is positioned as a companion tool focused on checking software engineering assumptions around agents, rather than only stress-testing them with adversarial prompts. Microsoft’s blog said the two tools are meant to work together inside the development workflow, with RAMPART handling continuous safety testing and Clarity helping teams examine the assumptions behind how an agent is wired to tools, data and actions. (microsoft.com) The Hacker News said the tools are aimed at helping developers test and secure AI agents during development. That description aligns with Microsoft’s broader security messaging this spring around observability, governance and defense-in-depth for autonomous agents. ### What kinds of agent behavior are these tools meant to catch? Microsoft’s examples centered on agents that retrieve records, execute code and act across connected systems. (microsoft.com) Those are the kinds of capabilities that can create security and compliance problems if an agent follows the wrong instruction, is manipulated by prompt injection, or is given broad permissions without enough checks. (thehackernews.com) In a separate May 14 post, Microsoft said agentic AI systems introduce threat classes including agent hijacking, intent breaking, sensitive data leakage, supply-chain compromise and inappropriate reliance. That context helps explain why the company is emphasizing testing, tracing and constrained actions at the engineering layer. ### How does this fit into Microsoft’s broader AI security push? (microsoft.com) Microsoft has spent the past several months describing agent security as an end-to-end problem spanning identity, observability, governance and application design. On March 20, the company said agents need protection across Microsoft Entra, Defender and Purview, and on May 1 it said Agent 365 was generally available as a control plane to observe and govern agents at scale. (microsoft.com) The next public milestone in that broader push is Microsoft Build on June 2-3 in San Francisco, which Microsoft has cited in recent security updates as a venue for more product detail. For now, RAMPART and Clarity are available through the May 20 Microsoft Security Blog announcement and associated open-source releases. (microsoft.com 1) (microsoft.com 2)