Microsoft’s Agent Governance toolkit

Microsoft released an open-source Agent Governance Toolkit that maps to OWASP’s top 10 agentic‑AI threats and aims to address prompt injection, rogue agents and runtime misuse with audit and runtime controls. The toolkit is being positioned as a starting point for enterprises that need policy and enforcement primitives for agent execution. (infoworld.com)

An artificial intelligence agent is a chatbot with hands: it can read files, call tools, send messages, and keep going without waiting for a human after every step. That extra freedom is why a bad prompt can turn into a real action, such as querying a database or calling an external service. (github.com)

One weak spot is prompt injection: hidden text inside an email, document, or webpage tricks the agent into ignoring its original instructions, because the model reads untrusted content and its operator's instructions through the same channel. The Open Worldwide Application Security Project (OWASP) treats it as one of the main risks in systems built around large language models and autonomous agents. (owasp.org) The second weak spot is runtime misuse, meaning the agent behaves dangerously after it is already running: using the wrong tool, spending too many tokens, touching another tenant's data, or chaining actions farther than a human expected. (opensource.microsoft.com)

Microsoft's answer is an open-source Agent Governance Toolkit released under the MIT license on April 2, 2026. Microsoft describes the project as a public preview, with Microsoft-signed packages that are meant to be production-quality but may still change before general availability. (opensource.microsoft.com, github.com)

The toolkit is not a new model. It is a control layer that sits around an agent and checks identity, policies, logs, and execution rules before the agent is allowed to do something risky. That framing matters: reliably detecting every injected instruction in untrusted content is not a solved problem, so the practical job of a control layer is to bound what a fooled agent can actually do. (github.com, helpnetsecurity.com) Microsoft built it as a seven-package system and ships software development kits in Python, TypeScript, Rust, Go, and .NET. The GitHub project says it also plugs into agent frameworks such as LangChain, AutoGen, CrewAI, and Azure AI Foundry Agent Service. (helpnetsecurity.com, github.com)

One piece is policy enforcement, which works like a bouncer checking a guest list before an action happens. Another is zero-trust identity: each agent and tool call has to prove who it is instead of being trusted just because it is inside the system. (github.com, opensource.microsoft.com) Another piece is execution sandboxing, the software version of letting a contractor work in one locked room instead of the whole building. Microsoft also includes audit trails, kill switches, rate limits, budget controls, and observability tools so a company can see what an agent did and stop it fast. (github.com) Microsoft says the project covers 10 out of 10 items in OWASP's Agentic Top 10. InfoWorld reported that Microsoft is pitching it as a starting point for enterprises that need policy and enforcement primitives rather than a finished compliance box. (github.com, infoworld.com)

The timing is not random. Microsoft's open-source team pointed to the European Union Artificial Intelligence Act, whose high-risk obligations take effect in August 2026, and the Colorado Artificial Intelligence Act, which becomes enforceable in June 2026. (opensource.microsoft.com) The bigger shift is that companies are moving from "can this model answer a question" to "can this agent take actions safely at 2 a.m. without a human watching." Microsoft is betting that the market now needs guardrails around the worker, not just a smarter worker. (opensource.microsoft.com, owasp.org)
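To make the control-layer idea concrete, here is an added example that is not part of the original article and not the Agent Governance Toolkit's own code. It models a minimal governance gate in plain Python: a tool allowlist (policy enforcement), tenant scoping, a token budget, a rate limit, a kill switch, and an audit trail, all evaluated before a tool call is allowed to run. The `Policy` and `GovernanceGate` classes, the `execute` enforcement point, the tool names, and the sequence of calls in `run_demo` are all constructed for illustration; two of those calls stand in for what an injected instruction in a document might try to make the agent do.

```python
"""Illustrative governance gate around an agent's tool calls.

Hypothetical example: not the Agent Governance Toolkit's API. It shows the
control-layer pattern (allowlist, tenant scoping, token budget, rate limit,
kill switch, audit trail) that sits between an agent loop and its tools.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass
class Policy:
    """What one agent is permitted to do (assumed schema, not the toolkit's)."""
    allowed_tools: frozenset[str]
    tenant: str                  # the only tenant this agent may touch
    token_budget: int            # total tokens the agent may spend
    max_calls_per_window: int    # rate limit: allowed calls per window
    window_seconds: float


@dataclass
class GovernanceGate:
    """Every tool call passes through authorize(); every decision is logged."""
    agent_id: str
    policy: Policy
    tokens_spent: int = 0
    killed: bool = False
    audit_log: list[dict[str, Any]] = field(default_factory=list)
    _call_times: list[float] = field(default_factory=list)

    def kill(self, reason: str) -> None:
        """Kill switch: once flipped, every further call is denied."""
        self.killed = True
        self.audit_log.append({"agent": self.agent_id, "event": "kill", "reason": reason})

    def authorize(self, tool: str, args: dict[str, Any], est_tokens: int, now: float) -> str:
        """Return "allow" or "deny:<reason>" and record the decision in the audit trail."""
        decision = self._evaluate(tool, args, est_tokens, now)
        self.audit_log.append({
            "agent": self.agent_id, "tool": tool, "args": dict(args),
            "est_tokens": est_tokens, "t": now, "decision": decision,
        })
        if decision == "allow":
            self.tokens_spent += est_tokens
            self._call_times.append(now)
        return decision

    def _evaluate(self, tool: str, args: dict[str, Any], est_tokens: int, now: float) -> str:
        if self.killed:
            return "deny:kill_switch"
        if tool not in self.policy.allowed_tools:
            return "deny:tool_not_allowed"
        # Tenant scoping: a call that names a tenant must name this agent's tenant.
        if "tenant" in args and args["tenant"] != self.policy.tenant:
            return "deny:tenant_mismatch"
        if self.tokens_spent + est_tokens > self.policy.token_budget:
            return "deny:budget_exceeded"
        recent = [t for t in self._call_times if now - t < self.policy.window_seconds]
        if len(recent) >= self.policy.max_calls_per_window:
            return "deny:rate_limited"
        return "allow"


def execute(gate: GovernanceGate, tools: dict[str, Callable[..., Any]],
            tool: str, args: dict[str, Any], est_tokens: int, now: float) -> Any:
    """Enforcement point: the tool handler runs only if the gate says allow."""
    if gate.authorize(tool, args, est_tokens, now) != "allow":
        return None
    return tools[tool](**args)


def run_demo() -> list[tuple[str, str]]:
    """Constructed call sequence, including two calls an injected prompt would try."""
    tools = {
        "search_docs": lambda query, tenant: f"results for {query!r} in {tenant}",
        "read_ticket": lambda ticket_id, tenant: f"ticket {ticket_id} ({tenant})",
    }
    policy = Policy(allowed_tools=frozenset(tools), tenant="acme", token_budget=1000,
                    max_calls_per_window=3, window_seconds=60.0)
    gate = GovernanceGate(agent_id="support-bot-01", policy=policy)
    calls = [
        ("search_docs", {"query": "refund policy", "tenant": "acme"}, 200, 0.0),
        # Injected text asks the agent to mail data out: the tool is not allowlisted.
        ("send_email", {"to": "attacker@example.invalid", "body": "..."}, 50, 1.0),
        # Injected text asks for another customer's ticket: tenant mismatch.
        ("read_ticket", {"ticket_id": "T-42", "tenant": "globex"}, 100, 2.0),
        ("read_ticket", {"ticket_id": "T-7", "tenant": "acme"}, 100, 3.0),
        ("read_ticket", {"ticket_id": "T-8", "tenant": "acme"}, 100, 4.0),
        # Three calls already allowed inside the 60 s window: rate limited.
        ("read_ticket", {"ticket_id": "T-9", "tenant": "acme"}, 100, 5.0),
        # Window has passed, but 400 spent + 700 would exceed the 1000-token budget.
        ("search_docs", {"query": "everything", "tenant": "acme"}, 700, 100.0),
    ]
    decisions = []
    for tool, args, est, now in calls:
        execute(gate, tools, tool, args, est, now)
        decisions.append((tool, gate.audit_log[-1]["decision"]))
    gate.kill("operator stopped the agent after repeated denials")
    execute(gate, tools, "search_docs", {"query": "x", "tenant": "acme"}, 10, 200.0)
    decisions.append(("search_docs", gate.audit_log[-1]["decision"]))
    return decisions
```

The point of the pattern is that the denials do not depend on recognising the injected text at all: the gate never sees the document that carried the instruction, only the resulting tool call, and judges that against a policy the model cannot rewrite. In a real deployment the audit entries would go to an append-only store and the kill switch would be reachable from outside the agent process, so that an operator can stop it without relying on the agent's own cooperation.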


Shared from Scout - Be the smartest in the room.