Microsoft Agent Governance Toolkit

https://github.com/microsoft/agent-governance-toolkit

Cross-Model Verification Kernel (CMVK) requires majority-voting agreement across multiple model calls before a memory-influenced action. Agent OS package intercepts every action (memory included) at sub-millisecond latency. MIT licensed.

At a glance

Type
Cross-Model Verification Kernel + Agent OS
Tier
T2
Created
2026-03
Latest release
v3.4.0 2026-05-05
License
MIT
Pricing
free / open source (MIT)
Funding
not applicable — Microsoft Research; no external funding

Taxonomy

storage
append-only
retrieval
agentic
persistence
session
update
read-only
unit
policy
governance
auditable
conflict
llm-arbitrate

When to use

Optimised for: governance + compliance + audit + adversarial hardening

Anti-fit: not for hobbyist / non-production use cases

Pros & cons

Pros

Microsoft's governance toolkit for AI agents — covers memory access policies + audit trails as part of broader agent governance.

Cons

Microsoft-stack-tilted; less applicable outside M365 / Azure deployments.

Claims & capabilities

p99 < 0.1ms. Integrations for LangChain, CrewAI, Google ADK, Microsoft Agent Framework. Python / TypeScript / Rust / Go / .NET. April 2026.

Technical surface

API surface
REST, PowerShell
Backend storage
custom (Microsoft 365)
Deployment
library/SDK integration; multi-language (Python TypeScript Rust Go .NET); LangChain/CrewAI/Google ADK integrations
Embedding model
not applicable — governance tool
Multi-tenancy
hard-isolation
MCP
Yes — MCP Security Scanner (tool poisoning, typosquatting, hidden instructions); A2A/MCP Protocol Bridge in Agent Mesh
A2A
Yes — Agent Mesh provides A2A/MCP/IATP protocol bridges (per agentmesh-platform docs); zero-trust identity + trust scoring
OpenTelemetry
Yes — Telemetry package provides OpenTelemetry integration (per PACKAGE-FEATURE-MATRIX.md)

Similar systems

Other memory governance, privacy & safety in the catalog, ranked by inbound references.

  • Acuvity (now Proofpoint) T1

    Runtime enforcement targeting memory poisoning, unauthorised execution, identity spoofing per the OWASP LLM threat list. Visibility/control over MCP servers and locally-installed AI tools — the infrastructure layer where memory is most exposed.

  • Enkrypt AI T1

    Applies guardrails at three points: (1) before write to vector DB, (2) before query reaches embedding model, (3) before response. Detects malicious instructions in stored memory before retrieval; scans for PII/PHI in/out. Text + image + voice modalities.

  • HiddenLayer AISec Platform 2.0 T1

    Targets the supply-chain / lineage layer rather than runtime memory writes. Model Genealogy tracks training/fine-tuning/modification history — catches poisoning baked in during training. AIBOM generates auditable inventory of model components + datasets. Runtime layer also monitors agentic workflows.

  • Lakera Guard / Lakera Red T1

    Screens every prompt, response, and retrieved document for indirect prompt injection — primary vector for memory poisoning. Treats memory as untrusted: anything written to or read from memory is adversarial until proven clean. Lakera Red provides "Agent Breaker" gamified red-teaming.

  • Mem0 Security / OpenMemory T1

    Commercial Mem0 ships SOC 2 / HIPAA, zero-trust access controls, BYOK encryption, real-time monitoring, audit logs, workspace governance as defaults. OpenMemory is the local self-hosted variant (Docker + FastAPI + Postgres + Qdrant) for privacy-first deployments.

  • OWASP Agent Memory Guard T3

    Open-source runtime defense. Enforces YAML policies on every memory read/write. SHA-256 baselines detect tampering, injection, sensitive-data leakage, protected-key modification, rapid-change anomalies. Forensic snapshots + rollback. Reference impl for OWASP ASI06 (Memory Poisoning).

Row last verified 2026-05-14. Catalog data is CC-BY-4.0 — see how to read this.