The Model Context Protocol (MCP) standardizes how AI agents discover and invoke tools, but it has no built-in governance over which tool calls are actually permitted. Microsoft introduces the Agent Governance Toolkit (AGT), an open-source runtime governance layer that sits between MCP clients and tool servers. AGT provides scanning of tool definitions for poisoned descriptions, per-call policy enforcement through declarative rules (OPA/Cedar), response inspection, cryptographic agent identity with trust scoring, execution gating via privilege rings, and append-only audit logs. Internal red-team benchmarks showed a 26.67% policy violation rate when relying solely on prompt-based safety instructions, which motivates deterministic enforcement outside the model. AGT covers 7 of the 10 MCP-specific risks in the new MCP Top 10 and all 10 risks in the broader agentic risk list, with integrations for 20+ frameworks and SDKs in Python, TypeScript, .NET, Go, and more. It is currently in Public Preview under the MIT license.
Table of contents

How MCP tool execution works – and where trust breaks down
The MCP attack surface is real and growing
What’s missing: a governance layer between discovery and execution
Introducing the Agent Governance Toolkit
What’s next