Governance for AI Agents (Part 1): The Gap, the OWASP Agentic Top 10, and Where AGT Fits


🎯 TL;DR

You’ve built a single agent, or wired up a multi-agent orchestration with LangChain / AutoGen / CrewAI / Microsoft Agent Framework. It works.

Now answer this: how are you covering the OWASP Agentic Top 10? How do you prove to a regulator that the agent did only what it was allowed to do? Prompt engineering and content filters don’t reach the layer where actions happen.

The Agent Governance Toolkit (AGT), an open-source Microsoft project I work on, puts a sub-millisecond deterministic policy decision in front of every tool call, gives every agent a cryptographic identity, and produces a tamper-evident audit trail.

This post is Part 1 of a series: what the governance gap is, what the OWASP Agentic Top 10 actually contains, and where AGT sits in your stack.

Repo: github.com/microsoft/agent-governance-toolkit

If you’ve shipped anything with LangChain, AutoGen, CrewAI, or Microsoft Agent Framework recently, you’ve probably hit the same wall I did. The agent works. It plans, calls tools, remembers things. And then you try to put it somewhere it can actually do harm (touch a database, hit a real API, run shell commands, talk to another agent) and you realise you have no good way to bound what it can do.

You have a model. You have prompts. You have a tool list. You don’t have a policy layer. So you do what we all do: stitch together if-statements, allowlists, regex filters on prompts, maybe a sandbox if you’re feeling fancy. It mostly works. Until it doesn’t.

```mermaid
flowchart LR
    U([User / Prompt]) --> M[LLM Planner<br/>non-deterministic]
    M -->|tool call| T{{No policy layer}}
    T -->|just runs| DB[(Database)]
    T -->|just runs| API[(Production API)]
    T -->|just runs| SH[/Shell/]
    T -->|just runs| A2[Other Agents]
    style T fill:#ffd6d6,stroke:#c0392b,stroke-width:2px,color:#000
    style M fill:#fff4c2,stroke:#b7950b,color:#000
```

The agent works. The governance doesn’t exist yet. That gap is what the OWASP Agentic Top 10 and every AI regulation is pointing at.
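To make the missing box in that diagram concrete, here is an added example written for this post, not code from the AGT project or any of the frameworks named above. It shows the two properties the TL;DR asks for in their smallest form: a deterministic, default-deny policy decision that runs before every tool call, and an audit log in which each entry commits to the hash of the previous one, so that editing or deleting a record is detectable. The policy layout, the agent and tool names, the tool implementations and the sample calls are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # constructed: hash the first audit entry chains to


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    tool: str
    args: dict


# Constructed policy: per-agent tool allowlist with optional constraints.
# Anything not listed here is denied (default deny).
POLICY = {
    "research-agent": {
        "web_search": {},
        "db_query": {"read_only": True},
        "shell": {"allowed_commands": ["ls", "cat"]},
    },
}


def decide(call: ToolCall) -> tuple[str, str]:
    """Deterministic allow/deny: same input, same answer, no model in the loop."""
    tools = POLICY.get(call.agent_id)
    if tools is None:
        return "deny", "unknown agent"
    if call.tool not in tools:
        return "deny", f"tool {call.tool!r} not in allowlist"
    constraints = tools[call.tool]
    if constraints.get("read_only"):
        # Illustrative check only; a real policy would parse the statement.
        sql = call.args.get("sql", "").strip().lower()
        if not sql.startswith("select") or ";" in sql:
            return "deny", "read-only tool: only a single SELECT is permitted"
    if "allowed_commands" in constraints:
        argv = call.args.get("cmd", "").split()
        if not argv or argv[0] not in constraints["allowed_commands"]:
            return "deny", "command not in allowed_commands"
    return "allow", "policy matched"


def _digest(obj) -> str:
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only log; every entry includes the hash of the one before it."""

    def __init__(self):
        self.entries: list[dict] = []

    def record(self, call: ToolCall, decision: str, reason: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "agent": call.agent_id,
            "tool": call.tool,
            "args": call.args,
            "decision": decision,
            "reason": reason,
            "prev": prev,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def gate(call: ToolCall, log: AuditLog, impls: dict) -> dict:
    """The missing layer: decide, record the decision, and only then execute."""
    decision, reason = decide(call)
    log.record(call, decision, reason)
    if decision != "allow":
        return {"ok": False, "reason": reason}
    return {"ok": True, "result": impls[call.tool](**call.args)}


def run_demo() -> tuple[list[dict], AuditLog]:
    # Constructed stand-ins for real tools; nothing here touches a system.
    impls = {
        "web_search": lambda q: f"results for {q!r}",
        "db_query": lambda sql: f"rows for {sql!r}",
        "shell": lambda cmd: f"ran {cmd!r}",
    }
    log = AuditLog()
    calls = [
        ToolCall("research-agent", "db_query", {"sql": "SELECT id FROM users"}),
        ToolCall("research-agent", "db_query", {"sql": "DROP TABLE users"}),
        ToolCall("research-agent", "shell", {"cmd": "rm -rf ./cache"}),
        ToolCall("research-agent", "deploy", {"env": "prod"}),
        ToolCall("rogue-agent", "web_search", {"q": "anything"}),
    ]
    return [gate(c, log, impls) for c in calls], log


if __name__ == "__main__":
    results, log = run_demo()
    for r in results:
        print(r)
    print("audit chain intact:", log.verify())
```

Only the first call is executed; the other four are refused before any tool runs, and each refusal is in the log with its reason. The chain is what lets you answer the regulator's question after the fact: flip one logged decision from `deny` to `allow`, or drop an entry, and `verify()` returns `False`. A real deployment would sign the chain head with the agent's identity key and ship entries off-host, which is the part of the TL;DR this toy leaves out.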
