MicrosoftのオープンソースAgent Governance Toolkitは、AIエージェント向けのランタイムセキュリティガバナンスを提供する。決定論的なポリシー執行、ゼロトラストアイデンティティ、実行リング、10のOWASP Agentic全リスクに渡るコンプライアンス検証。LangChain、CrewAI、AutoGen、Anthropicなど複数と連携する。
GitHub: https://github.com/microsoft/agent-governance-toolkit
License: MIT
Languages: Python, TypeScript, .NET, Rust, Go
# 全コンポーネントを含む完全インストール
pip install agent-governance-toolkit[full]
# 個別コンポーネント (オプション)
pip install agent-os-kernel # Policy engine
pip install agentmesh-platform # Zero-trust identity & trust mesh
pip install agentmesh-runtime # Runtime supervisor & privilege rings
pip install agent-sre # SRE toolkit (SLOs, error budgets)
pip install agent-governance-toolkit # Compliance & attestation
pip install agentmesh-marketplace # Plugin lifecycle management
pip install agentmesh-lightning # RL training governance
npm install @agentmesh/sdk
dotnet add package Microsoft.AgentGovernance
cargo add agentmesh
go get github.com/microsoft/agent-governance-toolkit/packages/agent-mesh/sdks/go
from agent_os.policy import PolicyEngine, CapabilityModel
# エージェント機能を定義
capabilities = CapabilityModel(
allowed_tools=["web_search", "read_file", "send_email"],
denied_tools=["delete_file", "execute_shell"],
blocked_patterns=[r"\b\d{3}-\d{2}-\d{4}\b"], # Block SSN
max_tool_calls=10,
max_tokens_per_call=4096,
require_human_approval=True
)
# ポリシーエンジンを作成
engine = PolicyEngine(capabilities=capabilities)
# アクションを評価
result = engine.evaluate(
agent_id="researcher-1",
action="web_search",
input_text="latest security news"
)
print(f"Allowed: {result.allowed}")
print(f"Reason: {result.reason}")
import { PolicyEngine, AgentIdentity, AuditLogger } from "@agentmesh/sdk";
// 暗号化IDを生成
const identity = AgentIdentity.generate("my-agent", ["web_search", "read_file"]);
// ポリシーエンジンを作成
const engine = new PolicyEngine([
{ action: "web_search", effect: "allow" },
{ action: "read_file", effect: "allow" },
{ action: "delete_file", effect: "deny" },
{ action: "shell_exec", effect: "deny" },
]);
const decision = engine.evaluate("web_search"); // "allow"
const denied = engine.evaluate("delete_file"); // "deny"
| Component | Purpose | Key Features |
|---|
| Agent OS | ポリシーエンジン & フレームワークアダプタ | Sub-millisecond evaluation, regex/semantic detection |
| Agent Mesh | ゼロトラストID & 信頼スコアリング | Ed25519 signatures, SPIFFE/SVID, 0–1000 trust scale |
| Agent Runtime | 実行監視と サンドボックス | 4-tier privilege rings, kill switch, saga orchestration |
| Agent SRE | 信頼性エンジニアリング | SLOs, error budgets, circuit breakers, replay debugging |
| Agent Compliance | OWASP検証 & 証明 | Badge generation, JSON audit trails, integrity checks |
| Agent Marketplace | プラグインライフサイクル管理 | MCP security scanning, rug-pull detection |
| Agent Lightning | RL訓練ガバナンス | Training data validation, model drift detection |
policies:
researcher_agent:
allowed_tools:
- web_search
- read_file
- database_query
denied_tools:
- execute_code
- delete_database
- modify_system
# 機密パターンを ブロック (SSN, API keys, emails)
blocked_patterns:
- "\\b\\d{3}-\\d{2}-\\d{4}\\b" # SSN
- "[Aa][Pp][Ii][_-]?[Kk][Ee][Yy]" # API key
- "\\S+@\\S+\\.\\S+" # Email (PII)
# リソース制限
max_tool_calls: 20
max_tokens_per_call: 8192
max_concurrent_calls: 5
# 権限リング割り当て
execution_ring: 2 # 0=kernel, 1=system, 2=user, 3=sandbox
# 特定アクションに承認が必要
require_human_approval_for:
- send_email
- modify_database
- external_api_call
# 信頼閾値
min_trust_score: 500 # 0–1000 scale
# 出力検証
enable_prompt_injection_detection: true
enable_sensitive_data_detection: true
enable_code_validation: true
from agent_os.policy import PolicyEngine, CapabilityModel
# YAMLからポリシーをロード
engine = PolicyEngine.from_yaml("policies.yaml")
# ツール呼び出しを評価
decision = engine.evaluate(
agent_id="researcher-1",
action="tool_call",
tool="web_search",
params={"query": "security trends"}
)
if not decision.allowed:
print(f"Blocked: {decision.reason}")
else:
print("Proceeding with tool call...")
from agent_os import PolicyEngine, CapabilityModel
from agent_os.integrations import LangChainIntegration
# 機能を定義
capabilities = CapabilityModel(
allowed_tools=["web_search", "calculator"],
max_tool_calls=10
)
# ポリシーエンジンを作成
engine = PolicyEngine(capabilities=capabilities)
# LangChainエージェント用
from langchain.agents import initialize_agent
governed_agent = LangChainIntegration(
agent=your_langchain_agent,
policy_engine=engine,
audit_log=True
)
# すべてのツール呼び出しが傍受され評価される
result = governed_agent.run("What is 2+2?")
# 1. ツール許可リスト/ブロックリスト確認
✓ Is tool in allowed_tools list?
✓ Is tool NOT in denied_tools list?
# 2. パターンマッチング (注入、PII、シークレット)
✓ No prompt injection patterns detected
✓ No SSN, API keys, or PII in parameters
✓ No SQL injection or code execution payloads
# 3. リソース制約
✓ Token usage within limits
✓ Concurrent call limit not exceeded
✓ Rate limiting not triggered
# 4. 権限リング検証
✓ Agent has required privilege level
✓ Tool operates within agent's ring tier
# 5. 信頼スコアリング
✓ Agent meets minimum trust score
✓ No anomalous behavior detected
# 6. 人間による承認 (必要な場合)
✓ Sensitive action approved by human
import { AgentIdentity, TrustCard } from "@agentmesh/sdk";
// 暗号化IDを生成
const identity = AgentIdentity.generate(
"researcher-agent",
["web_search", "read_file"]
);
console.log(identity.did); // did:mesh:agent-xxxxx
console.log(identity.publicKeyPEM); // Ed25519 public key
console.log(identity.allowedCapabilities); // ["web_search", "read_file"]
// アウトバウンド通信に署名
const signature = identity.sign("outgoing message");
// ピアエージェントIDを検証
const isValid = identity.verify(peerPublicKey, message, signature);
from agentmesh.trust import TrustScorer
scorer = TrustScorer()
# 信頼スコアの構成要素:
trust_score = scorer.compute(
agent_id="agent-1",
factors={
"success_rate": 0.95, # 95% of tasks succeed
"error_budget_remaining": 0.8, # 80% error budget left
"last_violation_age_hours": 72, # Last violation 3 days ago
"api_key_rotation_days_ago": 30, # Keys rotated 30 days ago
"audit_log_completeness": 1.0, # Full audit trail
}
)
print(f"Trust score: {trust_score} / 1000")
# 信頼層
# 0–200: Untrusted (sandbox only)
# 200–400: Low trust (limited tools)
# 400–600: Medium trust (standard tools)
# 600–800: High trust (privileged tools)
# 800–1000: Maximum trust (admin capabilities)
┌─────────────────────────────────┐
│ Ring 0: Kernel │ Filesystem, system calls, process control
├─────────────────────────────────┤
│ Ring 1: System │ Database, API gateways, secrets manager
├─────────────────────────────────┤
│ Ring 2: User │ Web search, internal APIs, file read
├─────────────────────────────────┤
│ Ring 3: Sandbox │ No outbound access, isolated execution
└─────────────────────────────────┘
from agent_os.runtime import ExecutionRing, AgentRuntime
runtime = AgentRuntime()
# 信頼度に基づいてエージェントをリングに割り当て
runtime.assign_ring(agent_id="trusted-agent", ring=ExecutionRing.SYSTEM)
runtime.assign_ring(agent_id="untrusted-agent", ring=ExecutionRing.SANDBOX)
# 実行時にリングを適用
@runtime.enforce_ring
def execute_tool(agent_id, tool_name, params):
# この関数は、エージェントがリングの権限を持つ場合のみ実行される
return tool_name(params)
# 悪意あるエージェント用のキルスイッチ
runtime.terminate_agent("agent-123", reason="Excessive tool calls")
# 検証レポートを生成
agent-compliance verify
# JSONとして出力 (CI/CD用)
agent-compliance verify --json
# READMEバッジを生成
agent-compliance verify --badge
# モジュール整合性を検証 (Ed25519 signatures)
agent-compliance integrity --verify
{
"version": "1.0",
"timestamp": "2026-04-04T12:00:00Z",
"coverage": {
"ASI-01": {"status": "covered", "mechanism": "PolicyEngine"},
"ASI-02": {"status": "covered", "mechanism": "MCPGateway"},
"ASI-03": {"status": "covered", "mechanism": "MemoryGuard"},
"ASI-04": {"status": "covered", "mechanism": "RateLimiter"},
"ASI-05": {"status": "covered", "mechanism": "SupplyChainGuard"},
"ASI-06": {"status": "covered", "mechanism": "PII Detection"},
"ASI-07": {"status": "covered", "mechanism": "MCPSecurityScanner"},
"ASI-08": {"status": "covered", "mechanism": "ExecutionRings"},
"ASI-09": {"status": "covered", "mechanism": "DriftDetector"},
"ASI-10": {"status": "out_of_scope", "reason": "Model-level, not agent-level"}
},
"overall_score": "9/10"
}
# モジュールの整合性ハッシュを生成
agent-compliance integrity --generate
# 改ざんが検出されていないことを確認
agent-compliance integrity --verify
# バッジとして出力
agent-compliance integrity --badge
from agent_os.integrations import LangChainIntegration
from agent_os.policy import PolicyEngine, CapabilityModel
from langchain.agents import initialize_agent
from langchain.tools import Tool
# ツールを作成
tools = [
Tool(name="web_search", func=search_fn, description="Search web"),
Tool(name="calculator", func=calc_fn, description="Calculate"),
]
# ガバナンスエージェントを初期化
agent = initialize_agent(tools, llm, agent="zero-shot-react-description")
# ガバナンスでラップ
capabilities = CapabilityModel(allowed_tools=["web_search"])
governed = LangChainIntegration(agent, PolicyEngine(capabilities))
# ツール呼び出しが施行される
result = governed.run("What is 2+2?")
from crewai import Agent, Task, Crew
from agent_os.integrations import CrewAIDecorator
from agent_os.policy import PolicyEngine, CapabilityModel
@CrewAIDecorator(
policy_engine=PolicyEngine(
CapabilityModel(allowed_tools=["web_search", "file_read"])
)
)
def create_crew():
agent = Agent(
role="Researcher",
tools=[web_search_tool, file_read_tool],
)
task = Task(description="Research AI trends", agent=agent)
return Crew(agents=[agent], tasks=[task])
crew = create_crew()
crew.kickoff()
using Microsoft.Agent.Framework;
using AgentGovernance.Policy;
var kernel = new GovernanceKernel(new GovernanceOptions
{
PolicyPaths = new() { "policies/default.yaml" },
EnablePromptInjectionDetection = true,
EnableSensitiveDataDetection = true,
});
var middleware = new FunctionMiddleware(kernel);
// Semantic Kernelに登録
kernel.ImportPlugin(middleware);
// すべての関数呼び出しがガバナンスを通過する
var result = await kernel.InvokeAsync("web_search", "AI trends");
name: Agent Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install governance toolkit
run: pip install agent-governance-toolkit[full]
- name: Scan agent code
run: |
agent-compliance verify --json > report.json
- name: Generate badge
run: agent-compliance verify --badge > GOVERNANCE_BADGE.md
- name: Check OWASP coverage
run: |
COVERAGE=$(jq '.overall_score' report.json)
if [[ "$COVERAGE" != "10/10" && "$COVERAGE" != "9/10" ]]; then
echo "OWASP coverage below threshold: $COVERAGE"
exit 1
fi
- name: Upload artifact
uses: actions/upload-artifact@v3
with:
name: governance-report
path: report.json
#!/bin/bash
# .git/hooks/pre-commit
FILES=$(git diff --cached --name-only | grep -E "\.yaml$")
for file in $FILES; do
echo "Validating policy: $file"
agent-compliance verify "$file" || exit 1
done
exit 0
| # | Risk | Mechanism | Status |
|---|
| ASI-01 | プロンプト注入 | PolicyEngine + PromptInjectionDetector + MCP scanning | 9/10 |
| ASI-02 | 安全でない出力処理 | CodeValidator + DriftDetector | 9/10 |
| ASI-03 | 訓練データポイズニング | MemoryGuard + ContentHashInterceptor | 9/10 |
| ASI-04 | モデルサービス拒否 | TokenBudgetTracker + RateLimiter + circuit breakers | 9/10 |
| ASI-05 | サプライチェーン脆弱性 | SBOM + Ed25519 signing + MCPFingerprinting | 9/10 |
| ASI-06 | 機密情報開示 | PII patterns + secret detection + egress policy | 9/10 |
| ASI-07 | 安全でないプラグイン設計 | MCPGateway + schema validation + rug-pull detection | 9/10 |
| ASI-08 | エージェント機能過剰 | ExecutionRings + kill switch + rogue detection | 9/10 |
| ASI-09 | エージェント出力への過度な依存 | DriftDetector + confidence threshold | 9/10 |
| ASI-10 | モデル盗難 | スコープ外 (model-level, not agent-level) | 0/10 |
| TOTAL | | 10のOWASPリスク中9をカバー | 9/10 |
from agent_os.marketplace import MCPSecurityScanner
scanner = MCPSecurityScanner()
# 脅威のためにツール定義をスキャン
findings = scanner.scan(
tool_name="suspicious_tool",
schema={
"type": "object",
"properties": {
"command": {"type": "string"},
"api_key": {"type": "string", "description": "Never ask for this"}
}
}
)
if findings.has_rug_pull_patterns:
print("WARNING: Rug-pull detection triggered!")
print(f"Issues: {findings.issues}")
if findings.has_typosquatting:
print("Tool name matches known typosquat target")
if findings.has_hidden_instructions:
print("Detected hidden instructions in schema")
# 複数の制御を層化
governance = PolicyEngine(
capabilities=CapabilityModel(
allowed_tools=["web_search"],
blocked_patterns=[r"password", r"api.?key"],
max_tool_calls=10,
require_human_approval=True,
),
enable_injection_detection=True,
enable_pii_detection=True,
enable_code_validation=True,
)
# エージェントを必要最小限のリングに割り当て
policies:
untrusted_agent:
execution_ring: 3 # Sandbox: no filesystem, no network
allowed_tools: [] # No tools
researcher_agent:
execution_ring: 2 # User: limited tools
allowed_tools: [web_search, read_file]
system_agent:
execution_ring: 1 # System: database, APIs
allowed_tools: [database_query, api_call]
from agent_os.audit import AuditLogger
audit = AuditLogger(
storage="elasticsearch", # Persistent audit trail
include_params=False, # Don't log sensitive data
structured_logging=True,
)
engine = PolicyEngine(
capabilities=capabilities,
audit_logger=audit,
)
# すべての決定がタイムスタンプ、エージェントID、アクションでログされる
from agentmesh.trust import TrustMonitor
monitor = TrustMonitor()
# エージェントの信頼度が低下したら警告
monitor.watch(
agent_id="researcher-1",
min_trust_score=400,
alert_webhook="https://slack.com/hooks/...",
)
# 自動修復: 信頼度 < 200の場合サンドボックスに降格
@monitor.on_low_trust
def demote_to_sandbox(agent_id):
runtime.assign_ring(agent_id, ExecutionRing.SANDBOX)
# 週次整合性検証をスケジュール
0 0 * * 0 agent-compliance integrity --verify
# 月次エージェント認証情報ローテーション
0 0 1 * * for agent in $(agent-mesh list --all); do
agentmesh rotate-credentials "$agent"
done
# 月次ガバナンスレポート生成
0 0 1 * * agent-compliance verify --json > reports/$(date +%Y-%m).json
| Issue | Solution |
|---|
| ポリシーが施行されない | フレームワーク統合にPolicyEngineが接続されているか確認 (LangChainコールバック、CrewAIデコレータ) |
| ツール呼び出しがタイムアウト | max_tokens_per_callおよびrate_limiterの設定を確認; 必要に応じて制限を増やす |
| PII上の高い誤検知 | blocked_patternsで正規表現をチューニング; 既知の安全なパターンにホワイトリストを使用 |
| エージェントがサンドボックスに降格 | 信頼スコアを確認: agentmesh trust report ; 有効期限が切れている場合は認証情報を復元 |
| モジュール整合性失敗 | Pythonバージョンを確認 (3.10+); Astroビルドを使用している場合はscripts/patch-datastore.mjsを再実行 |
