ADR-0080: Agent governance interoperability (Microsoft AGT crosswalk)

  • Status: Draft
  • Date: 2026-05-27
  • Relates to: ADR-0006 (Cedar policy), ADR-0009 (Provenance always-on), ADR-0011 (DID identity), ADR-0013 (ACT/ECT primitives), ADR-0014 (Supply-chain integrity), ADR-0030 (Verifiable Credentials), ADR-0038 (Explainable provenance), ADR-0052 (Memory security), ADR-0053 (Memory trust boundaries), ADR-0071 (OTel propagation), ADR-0073 (Triple-level source attribution)
  • External artifact: Microsoft Agent Governance Toolkit (AGT), https://github.com/microsoft/agent-governance-toolkit — MIT, Public Preview as of 2026-05.

Context

Microsoft published the Agent Governance Toolkit (AGT): an application-middleware suite for policy enforcement, identity, sandboxing, and monitoring of autonomous agents. Its components:

AGT component | Function
Agent OS | Policy engine (YAML + OPA + Cedar)
AgentMesh | Zero-trust identity (SPIFFE / DID / mTLS)
Agent Runtime | Privilege rings, saga orchestration
Agent SRE | SLOs, error budgets, circuit breakers, chaos
Agent Compliance | OWASP Agentic Top 10, policy linting, integrity
MCP Security Gateway | Tool-poisoning + hidden-instruction scanning
Agent Discovery | Shadow-AI inventory, risk scoring

It ships 10 RFC 2119 specs with ~992 conformance tests, Merkle audit logs with "decision BOMs", and maps to OWASP Agentic Top 10, NIST AI RMF 1.0, EU AI Act, and SOC 2. Adapters exist for AutoGen, LangChain, LangGraph, CrewAI, OpenAI Agents SDK, Google ADK, Semantic Kernel, and others, plus Claude Code / Copilot CLI as first-party surfaces.

The question this ADR answers: should Trails adopt, integrate, or otherwise leverage AGT?

The key observation: scope overlap, not gap-fill

AGT is not a missing layer for Trails. Trails already implements every one of AGT's governance concerns, natively and at the kernel boundary:

AGT concern | Trails equivalent (already shipped)
Policy engine (Cedar) | Cedar PDP/PEP at the @capability boundary — ADR-0006, unified matcher ADR-0022
Identity mesh (DID / SPIFFE) | DID resolver did:key/did:web — ADR-0011; pluggable identity schemes incl. SPIFFE/WIMSE — ADR-0073
Verifiable attribution | Verifiable Credentials v2 (Ed25519, RFC 8785) — ADR-0030
Privilege / attenuation | Biscuit token attenuation — ADR-0010; capability denial Outcome::Denied
SRE (circuit breakers, recovery) | CircuitBreaker (three-state) + RecoveryManager — M5
Tamper-evident audit (Merkle / decision BOM) | PROV-O always-on + hash chains — ADR-0009; explainable provenance + confidence — ADR-0038; triple-level source attribution — ADR-0073
MCP security gateway | MCP server + memory security gateway (DID-spoofing prevention, hash-chain integrity) — ADR-0052; SPARQL-injection / SSRF guards
Observability | End-to-end OTel + W3C Traceparent — ADR-0071
Compliance baselines | Baseline configs incl. compliance preset + doctor checks — ADR-0027

The two systems are therefore largely parallel implementations of the same problem with different centers of gravity:

  • AGT is enterprise middleware: imperative interception, flat Merkle audit logs, Microsoft-Agent-Framework / Semantic-Kernel home turf, Python/TS/.NET/Go/Rust polyglot, MIT.
  • Trails is a semantic-web framework: governance artifacts are first-class graph nodes (queryable, typed, SHACL-validated, PROV-O-linked), a Rust kernel + Python surface, Apache-2.0, with a hard anti-complexity north star (ADR-0021: one surface, additive features).

Adopting AGT as a dependency would duplicate Cedar, DID, OTel, circuit breakers, and audit that Trails already owns; pull a Public-Preview ("breaking changes before GA") dependency into the kernel seam; and pull against ADR-0021's minimalism. That is rejected.

What is genuinely valuable is that AGT codifies the standards vocabulary (OWASP Agentic Top 10, NIST AI RMF, EU AI Act) and an interop format (decision BOMs, conformance specs) that Trails currently implements but does not claim or expose. Trails can be governance-complete and not be able to prove it to an enterprise buyer or an AGT-governed estate. That is the gap worth closing — interop and attestation, not adoption.

Decision

Do not adopt AGT as a runtime dependency. Instead, pursue three narrow, additive workstreams, in priority order.

1. Governance crosswalk (positioning + compliance artifact) — now

Maintain a living crosswalk document mapping Trails primitives to:

  • AGT's 10 RFC 2119 component specs,
  • OWASP Agentic AI Top 10,
  • NIST AI RMF 1.0 functions,
  • EU AI Act obligations relevant to agent systems.

Location: docs/governance/crosswalk-agt.md, with a short summary table linked from the docs site trust section. Each row cites the Trails ADR / module that satisfies the control and notes any genuine gap (e.g. no shadow-AI discovery; no chaos-testing harness). This is a documentation and positioning artifact with zero kernel impact, and it directly feeds the SemWeb-governance paper narrative ("agent governance expressed as a validated knowledge graph, crosswalked to emerging standards").

2. Decision-BOM / audit projection (interop bridge) — deferred, on demand

Trails already records every capability decision as PROV-O with hash chaining. Add an optional projection that serializes a Trails provenance subgraph into AGT's decision-BOM / Merkle-audit format, so a Trails app can drop into an AGT-governed estate as an audit source. This follows the established Trails pattern of projections, not re-implementations (MCP as a projection of the capability manifest — ADR-0008; WoT TD as a projection — ADR-0015a). It is a serializer over existing data, not a new source of truth, and stays out of the kernel.

Build only when a concrete user/estate requires it. Until then this section is a recorded design intent, not work in flight.
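
The projection described above, as an added example (not Trails or AGT code): it verifies the hash chain and only then derives a Merkle root over the chain entries, leaving the source records untouched. The record fields, the output shape and the `SPEC_REVISION` placeholder are assumptions, since this page does not reproduce AGT's decision-BOM schema.

```python
import hashlib
import json

GENESIS = "0" * 64
# Placeholder: the ADR requires pinning an AGT spec revision but names none.
SPEC_REVISION = "<pinned-agt-spec-revision>"

def canonical(obj):
    # Deterministic JSON bytes; a simple stand-in for RFC 8785 canonicalization.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev, decision):
    return hashlib.sha256(bytes.fromhex(prev) + canonical(decision)).hexdigest()

def append(chain, decision):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "decision": decision, "hash": link_hash(prev, decision)})

def verify_chain(chain):
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or rec["hash"] != link_hash(prev, rec["decision"]):
            return False
        prev = rec["hash"]
    return True

def merkle_root(leaves):
    # 0x00/0x01 prefixes keep a leaf from being reinterpreted as an interior node.
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    level = level or [hashlib.sha256(b"").digest()]  # root of an empty tree
    while len(level) > 1:
        pairs = [hashlib.sha256(b"\x01" + a + b).digest() for a, b in zip(level[0::2], level[1::2])]
        level = pairs + ([level[-1]] if len(level) % 2 else [])  # odd node is promoted
    return level[0].hex()

def project_audit(chain):
    # Read-only projection: a chain that fails verification is never exported.
    if not verify_chain(chain):
        raise ValueError("provenance hash chain is broken; refusing to project")
    entries = [rec["hash"] for rec in chain]
    root = merkle_root([bytes.fromhex(h) for h in entries])
    return {"spec_revision": SPEC_REVISION, "entries": entries, "merkle_root": root}

def sample_chain():
    # Constructed decisions; field names and values are illustrative only.
    chain = []
    for cap, outcome in [("read", "Allowed"), ("write", "Denied"), ("call", "Allowed")]:
        append(chain, {"capability": cap, "principal": "did:example:agent-1", "outcome": outcome})
    return chain
```

Because the serializer refuses a broken chain, an edited or deleted decision surfaces as an export failure instead of a valid-looking audit record.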

3. Conformance-test discipline (borrow the method, not the code) — opportunistic

AGT's RFC-2119-spec + conformance-suite discipline is a good model for hardening Trails' own normative specs. Trails already has tests/conformance/ (SPARQL, PROV-O). When the governance ADRs (0006/0009/0011/0030/0052/0053) are next revised, lift AGT's pattern of pairing each MUST/SHALL clause with a named conformance test. This is a process convention, borrowed, with no AGT dependency.

Explicitly rejected

  • AGT as a dependency (any component). Duplicates owned functionality; Public-Preview stability; polyglot middleware against a Rust-kernel framework; license/idiom mismatch.
  • AgentMesh / SPIFFE-mTLS adoption — Trails identity is DID + VC + pluggable schemes (ADR-0011/0073), which already accommodates SPIFFE as one identity URI scheme. No mesh runtime needed.
  • Agent Discovery (shadow-AI inventory) and Agent SRE chaos testing — orthogonal to a KG-app framework; out of scope.
  • MCP Security Gateway adoption — relevant to standalone MCP servers (e.g. the workspace's mcp-server-fints), not to Trails, which already guards its own MCP surface (ADR-0052).

Consequences

Positive

  • Trails gains a defensible, standards-anchored governance story (OWASP/NIST/EU AI Act) at documentation cost, strengthening both enterprise positioning and the governance paper.
  • The crosswalk surfaces real gaps (discovery, chaos) as honest, bounded non-goals rather than silent omissions.
  • The optional decision-BOM projection keeps Trails interoperable with the emerging Microsoft governance estate without coupling to it — Trails stays the source of truth, AGT becomes one possible consumer.
  • No kernel change, no new runtime dependency, no ADR-0021 violation.

Negative / risks

  • The crosswalk must track two moving targets (AGT is Public Preview; the EU AI Act guidance evolves). Mark it dated and review on the same cadence as other compliance docs.
  • A decision-BOM projection commits Trails to tracking AGT's audit format if/when built — acceptable because it is an isolated serializer, but it must be versioned against a pinned AGT spec revision.

Alternatives considered

  1. Adopt AGT wholesale as the governance layer. Rejected: duplicates Trails' shipped Cedar/DID/VC/PROV-O/OTel/circuit-breaker stack, couples a semantic-web Rust framework to Public-Preview polyglot middleware, and breaks ADR-0021 minimalism.
  2. Ignore AGT entirely. Rejected: AGT is becoming a reference vocabulary for enterprise agent governance; being crosswalked to it (and optionally interoperable) is cheap insurance and good positioning.
  3. Reverse-adapter: ship Trails as an AGT framework adapter. Deferred into workstream 2 (audit projection) rather than a full adapter — Trails' value is being the governed substrate, not another agent runtime AGT wraps.