Microsoft의 오픈 소스 Agent Governance Toolkit은 AI 에이전트를 위한 런타임 보안 거버넌스를 제공한다. 결정론적 정책 집행, 제로-트러스트 ID, 실행 링, 모든 10가지 OWASP Agentic 위험에 걸친 컴플라이언스 검증. LangChain, CrewAI, AutoGen, Anthropic 등과 함께 작동한다.
GitHub: https://github.com/microsoft/agent-governance-toolkit
License: MIT
Languages: Python, TypeScript, .NET, Rust, Go
# 모든 컴포넌트를 포함한 전체 설치
pip install agent-governance-toolkit[full]
# 개별 컴포넌트 (선택적)
pip install agent-os-kernel # Policy engine
pip install agentmesh-platform # Zero-trust identity & trust mesh
pip install agentmesh-runtime # Runtime supervisor & privilege rings
pip install agent-sre # SRE toolkit (SLOs, error budgets)
pip install agent-governance-toolkit # Compliance & attestation
pip install agentmesh-marketplace # Plugin lifecycle management
pip install agentmesh-lightning # RL training governance
npm install @agentmesh/sdk
dotnet add package Microsoft.AgentGovernance
cargo add agentmesh
go get github.com/microsoft/agent-governance-toolkit/packages/agent-mesh/sdks/go
from agent_os.policy import PolicyEngine, CapabilityModel
# 에이전트 기능 정의
capabilities = CapabilityModel(
allowed_tools=["web_search", "read_file", "send_email"],
denied_tools=["delete_file", "execute_shell"],
blocked_patterns=[r"\b\d{3}-\d{2}-\d{4}\b"], # Block SSN
max_tool_calls=10,
max_tokens_per_call=4096,
require_human_approval=True
)
# 정책 엔진 생성
engine = PolicyEngine(capabilities=capabilities)
# 액션 평가
result = engine.evaluate(
agent_id="researcher-1",
action="web_search",
input_text="latest security news"
)
print(f"Allowed: {result.allowed}")
print(f"Reason: {result.reason}")
import { PolicyEngine, AgentIdentity, AuditLogger } from "@agentmesh/sdk";
// 암호화 ID 생성
const identity = AgentIdentity.generate("my-agent", ["web_search", "read_file"]);
// 정책 엔진 생성
const engine = new PolicyEngine([
{ action: "web_search", effect: "allow" },
{ action: "read_file", effect: "allow" },
{ action: "delete_file", effect: "deny" },
{ action: "shell_exec", effect: "deny" },
]);
const decision = engine.evaluate("web_search"); // "allow"
const denied = engine.evaluate("delete_file"); // "deny"
| Component | Purpose | Key Features |
|---|
| Agent OS | 정책 엔진 & 프레임워크 어댑터 | Sub-millisecond evaluation, regex/semantic detection |
| Agent Mesh | 제로-트러스트 ID & 신뢰 스코어링 | Ed25519 signatures, SPIFFE/SVID, 0–1000 trust scale |
| Agent Runtime | 실행 감시자 & 샌드박싱 | 4-tier privilege rings, kill switch, saga orchestration |
| Agent SRE | 신뢰성 엔지니어링 | SLOs, error budgets, circuit breakers, replay debugging |
| Agent Compliance | OWASP 검증 & 증명 | Badge generation, JSON audit trails, integrity checks |
| Agent Marketplace | 플러그인 라이프사이클 관리 | MCP security scanning, rug-pull detection |
| Agent Lightning | RL 훈련 거버넌스 | Training data validation, model drift detection |
policies:
researcher_agent:
allowed_tools:
- web_search
- read_file
- database_query
denied_tools:
- execute_code
- delete_database
- modify_system
# 민감한 패턴 차단 (SSN, API keys, emails)
blocked_patterns:
- "\\b\\d{3}-\\d{2}-\\d{4}\\b" # SSN
- "[Aa][Pp][Ii][_-]?[Kk][Ee][Yy]" # API key
- "\\S+@\\S+\\.\\S+" # Email (PII)
# 리소스 제한
max_tool_calls: 20
max_tokens_per_call: 8192
max_concurrent_calls: 5
# 권한 링 할당
execution_ring: 2 # 0=kernel, 1=system, 2=user, 3=sandbox
# 특정 액션에 대해 승인 필요
require_human_approval_for:
- send_email
- modify_database
- external_api_call
# 신뢰 임계값
min_trust_score: 500 # 0–1000 scale
# 출력 검증
enable_prompt_injection_detection: true
enable_sensitive_data_detection: true
enable_code_validation: true
from agent_os.policy import PolicyEngine, CapabilityModel
# YAML에서 정책 로드
engine = PolicyEngine.from_yaml("policies.yaml")
# 도구 호출 평가
decision = engine.evaluate(
agent_id="researcher-1",
action="tool_call",
tool="web_search",
params={"query": "security trends"}
)
if not decision.allowed:
print(f"Blocked: {decision.reason}")
else:
print("Proceeding with tool call...")
from agent_os import PolicyEngine, CapabilityModel
from agent_os.integrations import LangChainIntegration
# 기능 정의
capabilities = CapabilityModel(
allowed_tools=["web_search", "calculator"],
max_tool_calls=10
)
# 정책 엔진 생성
engine = PolicyEngine(capabilities=capabilities)
# LangChain 에이전트의 경우
from langchain.agents import initialize_agent
governed_agent = LangChainIntegration(
agent=your_langchain_agent,
policy_engine=engine,
audit_log=True
)
# 모든 도구 호출이 이제 가로채지고 평가된다
result = governed_agent.run("What is 2+2?")
# 1. 도구 allowlist/blocklist 확인
✓ Is tool in allowed_tools list?
✓ Is tool NOT in denied_tools list?
# 2. 패턴 매칭 (주입, PII, 비밀)
✓ No prompt injection patterns detected
✓ No SSN, API keys, or PII in parameters
✓ No SQL injection or code execution payloads
# 3. 리소스 제약
✓ Token usage within limits
✓ Concurrent call limit not exceeded
✓ Rate limiting not triggered
# 4. 권한 링 검증
✓ Agent has required privilege level
✓ Tool operates within agent's ring tier
# 5. 신뢰 스코어링
✓ Agent meets minimum trust score
✓ No anomalous behavior detected
# 6. 인간 승인 (필요한 경우)
✓ Sensitive action approved by human
import { AgentIdentity, TrustCard } from "@agentmesh/sdk";
// 암호화 ID 생성
const identity = AgentIdentity.generate(
"researcher-agent",
["web_search", "read_file"]
);
console.log(identity.did); // did:mesh:agent-xxxxx
console.log(identity.publicKeyPEM); // Ed25519 public key
console.log(identity.allowedCapabilities); // ["web_search", "read_file"]
// 아웃바운드 통신에 서명
const signature = identity.sign("outgoing message");
// 피어 에이전트 ID 확인
const isValid = identity.verify(peerPublicKey, message, signature);
from agentmesh.trust import TrustScorer
scorer = TrustScorer()
# 신뢰 스코어의 구성 요소:
trust_score = scorer.compute(
agent_id="agent-1",
factors={
"success_rate": 0.95, # 95% of tasks succeed
"error_budget_remaining": 0.8, # 80% error budget left
"last_violation_age_hours": 72, # Last violation 3 days ago
"api_key_rotation_days_ago": 30, # Keys rotated 30 days ago
"audit_log_completeness": 1.0, # Full audit trail
}
)
print(f"Trust score: {trust_score} / 1000")
# 신뢰 계층
# 0–200: Untrusted (sandbox only)
# 200–400: Low trust (limited tools)
# 400–600: Medium trust (standard tools)
# 600–800: High trust (privileged tools)
# 800–1000: Maximum trust (admin capabilities)
┌─────────────────────────────────┐
│ Ring 0: Kernel │ Filesystem, system calls, process control
├─────────────────────────────────┤
│ Ring 1: System │ Database, API gateways, secrets manager
├─────────────────────────────────┤
│ Ring 2: User │ Web search, internal APIs, file read
├─────────────────────────────────┤
│ Ring 3: Sandbox │ No outbound access, isolated execution
└─────────────────────────────────┘
from agent_os.runtime import ExecutionRing, AgentRuntime
runtime = AgentRuntime()
# 신뢰도에 따라 에이전트를 링에 할당
runtime.assign_ring(agent_id="trusted-agent", ring=ExecutionRing.SYSTEM)
runtime.assign_ring(agent_id="untrusted-agent", ring=ExecutionRing.SANDBOX)
# 실행 중에 링 집행
@runtime.enforce_ring
def execute_tool(agent_id, tool_name, params):
# 이 함수는 에이전트가 링에 대한 권한을 가진 경우에만 실행된다
return tool_name(params)
# 악의적인 에이전트를 위한 킬 스위치
runtime.terminate_agent("agent-123", reason="Excessive tool calls")
# 검증 보고서 생성
agent-compliance verify
# JSON으로 출력 (CI/CD용)
agent-compliance verify --json
# README용 배지 생성
agent-compliance verify --badge
# 모듈 무결성 검증 (Ed25519 signatures)
agent-compliance integrity --verify
{
"version": "1.0",
"timestamp": "2026-04-04T12:00:00Z",
"coverage": {
"ASI-01": {"status": "covered", "mechanism": "PolicyEngine"},
"ASI-02": {"status": "covered", "mechanism": "MCPGateway"},
"ASI-03": {"status": "covered", "mechanism": "MemoryGuard"},
"ASI-04": {"status": "covered", "mechanism": "RateLimiter"},
"ASI-05": {"status": "covered", "mechanism": "SupplyChainGuard"},
"ASI-06": {"status": "covered", "mechanism": "PII Detection"},
"ASI-07": {"status": "covered", "mechanism": "MCPSecurityScanner"},
"ASI-08": {"status": "covered", "mechanism": "ExecutionRings"},
"ASI-09": {"status": "covered", "mechanism": "DriftDetector"},
"ASI-10": {"status": "out_of_scope", "reason": "Model-level, not agent-level"}
},
"overall_score": "9/10"
}
# 모듈에 대한 무결성 해시 생성
agent-compliance integrity --generate
# 변조가 감지되지 않았는지 검증
agent-compliance integrity --verify
# 배지로 출력
agent-compliance integrity --badge
from agent_os.integrations import LangChainIntegration
from agent_os.policy import PolicyEngine, CapabilityModel
from langchain.agents import initialize_agent
from langchain.tools import Tool
# 도구 생성
tools = [
Tool(name="web_search", func=search_fn, description="Search web"),
Tool(name="calculator", func=calc_fn, description="Calculate"),
]
# 거버넌스 에이전트 초기화
agent = initialize_agent(tools, llm, agent="zero-shot-react-description")
# 거버넌스로 래핑
capabilities = CapabilityModel(allowed_tools=["web_search"])
governed = LangChainIntegration(agent, PolicyEngine(capabilities))
# 도구 호출이 이제 집행된다
result = governed.run("What is 2+2?")
from crewai import Agent, Task, Crew
from agent_os.integrations import CrewAIDecorator
from agent_os.policy import PolicyEngine, CapabilityModel
@CrewAIDecorator(
policy_engine=PolicyEngine(
CapabilityModel(allowed_tools=["web_search", "file_read"])
)
)
def create_crew():
agent = Agent(
role="Researcher",
tools=[web_search_tool, file_read_tool],
)
task = Task(description="Research AI trends", agent=agent)
return Crew(agents=[agent], tasks=[task])
crew = create_crew()
crew.kickoff()
using Microsoft.Agent.Framework;
using AgentGovernance.Policy;
var kernel = new GovernanceKernel(new GovernanceOptions
{
PolicyPaths = new() { "policies/default.yaml" },
EnablePromptInjectionDetection = true,
EnableSensitiveDataDetection = true,
});
var middleware = new FunctionMiddleware(kernel);
// Semantic Kernel에 등록
kernel.ImportPlugin(middleware);
// 모든 함수 호출이 이제 거버넌스를 통과한다
var result = await kernel.InvokeAsync("web_search", "AI trends");
name: Agent Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install governance toolkit
run: pip install agent-governance-toolkit[full]
- name: Scan agent code
run: |
agent-compliance verify --json > report.json
- name: Generate badge
run: agent-compliance verify --badge > GOVERNANCE_BADGE.md
- name: Check OWASP coverage
run: |
COVERAGE=$(jq '.overall_score' report.json)
if [[ "$COVERAGE" != "10/10" && "$COVERAGE" != "9/10" ]]; then
echo "OWASP coverage below threshold: $COVERAGE"
exit 1
fi
- name: Upload artifact
uses: actions/upload-artifact@v3
with:
name: governance-report
path: report.json
#!/bin/bash
# .git/hooks/pre-commit
FILES=$(git diff --cached --name-only | grep -E "\.yaml$")
for file in $FILES; do
echo "Validating policy: $file"
agent-compliance verify "$file" || exit 1
done
exit 0
| # | Risk | Mechanism | Status |
|---|
| ASI-01 | 프롬프트 주입 | PolicyEngine + PromptInjectionDetector + MCP scanning | 9/10 |
| ASI-02 | 안전하지 않은 출력 처리 | CodeValidator + DriftDetector | 9/10 |
| ASI-03 | 훈련 데이터 중독 | MemoryGuard + ContentHashInterceptor | 9/10 |
| ASI-04 | 모델 서비스 거부 | TokenBudgetTracker + RateLimiter + circuit breakers | 9/10 |
| ASI-05 | 공급망 취약점 | SBOM + Ed25519 signing + MCPFingerprinting | 9/10 |
| ASI-06 | 민감한 정보 공개 | PII patterns + secret detection + egress policy | 9/10 |
| ASI-07 | 안전하지 않은 플러그인 설계 | MCPGateway + schema validation + rug-pull detection | 9/10 |
| ASI-08 | 과도한 에이전트 기능 | ExecutionRings + kill switch + rogue detection | 9/10 |
| ASI-09 | 에이전트 출력에 과도한 의존 | DriftDetector + confidence threshold | 9/10 |
| ASI-10 | 모델 도용 | 범위 초과 (model-level, not agent-level) | 0/10 |
| TOTAL | | 10가지 중 9가지 OWASP 위험 커버 | 9/10 |
from agent_os.marketplace import MCPSecurityScanner
scanner = MCPSecurityScanner()
# 위협에 대해 도구 정의 스캔
findings = scanner.scan(
tool_name="suspicious_tool",
schema={
"type": "object",
"properties": {
"command": {"type": "string"},
"api_key": {"type": "string", "description": "Never ask for this"}
}
}
)
if findings.has_rug_pull_patterns:
print("WARNING: Rug-pull detection triggered!")
print(f"Issues: {findings.issues}")
if findings.has_typosquatting:
print("Tool name matches known typosquat target")
if findings.has_hidden_instructions:
print("Detected hidden instructions in schema")
# 여러 제어를 계층화
governance = PolicyEngine(
capabilities=CapabilityModel(
allowed_tools=["web_search"],
blocked_patterns=[r"password", r"api.?key"],
max_tool_calls=10,
require_human_approval=True,
),
enable_injection_detection=True,
enable_pii_detection=True,
enable_code_validation=True,
)
# 에이전트를 필요한 최소 링에 할당
policies:
untrusted_agent:
execution_ring: 3 # Sandbox: no filesystem, no network
allowed_tools: [] # No tools
researcher_agent:
execution_ring: 2 # User: limited tools
allowed_tools: [web_search, read_file]
system_agent:
execution_ring: 1 # System: database, APIs
allowed_tools: [database_query, api_call]
from agent_os.audit import AuditLogger
audit = AuditLogger(
storage="elasticsearch", # Persistent audit trail
include_params=False, # Don't log sensitive data
structured_logging=True,
)
engine = PolicyEngine(
capabilities=capabilities,
audit_logger=audit,
)
# 모든 결정이 타임스탬프, 에이전트 ID, 액션과 함께 로깅된다
from agentmesh.trust import TrustMonitor
monitor = TrustMonitor()
# 에이전트의 신뢰도가 떨어지면 경고
monitor.watch(
agent_id="researcher-1",
min_trust_score=400,
alert_webhook="https://slack.com/hooks/...",
)
# 자동 해결: 신뢰도 < 200이면 샌드박스로 강등
@monitor.on_low_trust
def demote_to_sandbox(agent_id):
runtime.assign_ring(agent_id, ExecutionRing.SANDBOX)
# 주간 무결성 검증 예약
0 0 * * 0 agent-compliance integrity --verify
# 월간 에이전트 자격증명 회전
0 0 1 * * for agent in $(agent-mesh list --all); do
agentmesh rotate-credentials "$agent"
done
# 월간 거버넌스 보고서 생성
0 0 1 * * agent-compliance verify --json > reports/$(date +%Y-%m).json
| Issue | Solution |
|---|
| 정책이 집행되지 않음 | 프레임워크 통합에 PolicyEngine이 연결되었는지 확인 (LangChain callback, CrewAI decorator) |
| 도구 호출 타임아웃 | max_tokens_per_call 및 rate_limiter 설정 확인; 필요하면 제한 증가 |
| PII에 대한 높은 거짓 양성 | blocked_patterns에서 정규식 튜닝; 알려진 안전한 패턴에 대해 allowlist 사용 |
| 에이전트가 샌드박스로 강등됨 | 신뢰 스코어 확인: agentmesh trust report ; 만료되면 자격증명 복원 |
| 모듈 무결성 실패 | Python 버전 확인 (3.10+); Astro 빌드를 사용하는 경우 scripts/patch-datastore.mjs 다시 실행 |
