OWASP Agentic Top 10 crosswalk: AGT runtime enforcement + SWT3 independent witness evidence for Foundry, Scout, and Windows Agent Runtime
For: Enterprise architects using AGT, Azure security engineers, CISOs evaluating independent compliance for Foundry deployments, auditors assessing AGT controls
Time: 15 minutes to read; 2 hours to integrate
The Microsoft Agent Governance Toolkit (AGT) is an open-source, MIT-licensed framework that provides runtime security governance for autonomous AI agents. Released in April 2026 and featured at Microsoft Build 2026, AGT covers all 10 OWASP Agentic AI Top 10 risks with deterministic, sub-millisecond policy enforcement.
AGT operates as the runtime enforcement layer:
AGT integrates with Microsoft Foundry Agent Service, Scout autopilots, and the Windows Agent Runtime via the ToolCallInterceptor and PolicyProviderInterface extension points.
AGT handles runtime enforcement: intercepting actions, applying policies, and logging decisions. This is essential. But regulated enterprises face a second requirement: independent attestation that the governance controls were active, effective, and unmodified during operation.
SWT3 fills this gap by operating as an out-of-band witness layer:
The two layers are complementary: AGT enforces policy at runtime. SWT3 attests that enforcement happened, independently.
| OWASP Risk | AGT Enforcement | SWT3 Attestation | Procedures | Coverage |
|---|---|---|---|---|
| AGA-01 Excessive Agency | PolicyEngine scope rules, tool allowlist | Tool authorization records, policy version binding | AI-TOOL.1, AI-ACC.1, AI-GRD.3 | Full |
| AGA-02 Inadequate Sandboxing | MXC containers, Agent Service sessions | Hardware attestation, environment fingerprint | AI-HW.1, AI-ENV.1 | Partial |
| AGA-03 Unmonitored Execution | Ed25519 audit logs, tamper-evident chain | Independent Merkle-rooted audit trail, chain forensics | AI-AUDIT.1, AI-CHAIN.1, AI-INF.1 | Full |
| AGA-04 Prompt Injection | Input validation, PolicyEngine guardrails | Guardrail presence attestation, threat score | AI-GRD.1, AI-GRD.2 | Partial |
| AGA-05 Insecure Output | Output filtering, content safety | Output classification, safety check attestation | AI-GRD.1, AI-SAFE.1 | Partial |
| AGA-06 Identity Spoofing | SPIFFE/DID identity, Ed25519 signing | Agent identity binding (HMAC/ML-DSA-65), trust verification | AI-ID.1, AI-TRUST.1 | Full |
| AGA-07 Knowledge Poisoning | RAG content validation | RAG provenance, relevance attestation, memory context | AI-RAG.1, AI-RAG.2, AI-SKILL.2 | Full |
| AGA-08 Privilege Escalation | RBAC, least-privilege tool access | Access decisions, tool call witnessing with authorization_id | AI-ACC.1, AI-TOOL.1 | Full |
| AGA-09 Supply Chain | Dependency scanning, SBOM | AI bill of materials, supply chain attestation, model weight hashes | AI-SBOM.1, AI-SUPPLY.1, AI-MDL.5 | Full |
| AGA-10 Insufficient Logging | Structured audit logs | Tamper-evident Merkle-rooted trail, chain forensic timeline | AI-AUDIT.1, AI-CHAIN.1 | Full |
7 of the 10 risks have full independent attestation coverage. The 3 partial risks (sandboxing, prompt injection, insecure output) depend on runtime detection that AGT performs; for those, SWT3 attests that the guardrail was active and records its outcome.
AGT enforces: PolicyEngine intercepts tool calls against an allowlist. Only tools matching the policy scope are executed. Denied calls are logged with the rule name and reason.
SWT3 attests: Every tool call (allowed or denied) is independently witnessed with a cryptographic anchor. The policy version hash is embedded in the anchor, so auditors can verify which policy was active at the time of the decision.
```python
# AGT enforces tool scope at runtime
# (Microsoft Agent Governance Toolkit)
from agt.core import PolicyEngine

policy = PolicyEngine.from_yaml("policy.yaml")

# SWT3 independently witnesses every tool call
from swt3_ai import Witness
from swt3_ai.adapters.foundry import wrap_foundry

witness = Witness(
    endpoint="https://sovereign.tenova.io",
    api_key="axm_live_...",
    tenant_id="YOUR_TENANT",
    agent_id="scout-finance-agent",
    signing_key="your-signing-key",
    policy_version="v2.1.0",  # bound into every anchor so auditors can tell which policy was active
)

# Wrap the Foundry agent -- witnesses execute() and interceptToolCall()
# (my_foundry_agent is your existing Foundry agent object)
agent = wrap_foundry(my_foundry_agent, witness=witness)
result = agent.execute("Summarize Q4 earnings from the shared drive")
```
AGT enforces: Microsoft Execution Containers (MXC) provide kernel-enforced sandboxing with 8 containment backends. The Windows Agent Runtime isolates agent processes.
SWT3 attests: Hardware runtime parameters (GPU topology, memory allocation) and environment snapshots (OS version, dependency manifest) are witnessed. This confirms the execution environment at the time of inference, independently of the container runtime.
Partial: SWT3 attests the environment but does not enforce container boundaries. AGT/MXC handles enforcement.
AGT enforces: Ed25519-signed audit logs record every policy decision with rule name, parameters, and rationale. Logs are tamper-evident within the AGT chain.
SWT3 attests: An independent, out-of-band audit trail is maintained with daily Merkle rollups. Each inference gets a unique fingerprint. The chain monitor produces forensic timelines that an auditor can verify using only the anchor fingerprint, with no access to the Microsoft environment required.
```python
# SWT3 chain monitoring produces forensic timelines
from swt3_ai import ChainMonitorExporter

exporter = ChainMonitorExporter(wal_path="/tmp/swt3-wal/YOUR_TENANT")
report = exporter.build_report()

# Export HTML forensic timeline for auditors
with open("audit-trail.html", "w") as f:
    f.write(exporter.export_html())
```
AGT enforces: PolicyEngine validates inputs against injection patterns. Suspicious prompts are blocked or flagged before reaching the model.
SWT3 attests: Records whether guardrails were active at inference time and captures the guardrail count and pass/fail status. This proves the defense was in place, even if the specific injection detection is handled by AGT.
Partial: SWT3 attests guardrail presence and outcome. The actual injection detection logic is AGT's responsibility.
AGT enforces: Output filtering and content safety checks intercept harmful or policy-violating responses.
SWT3 attests: Records the safety check outcome and output classification. The response hash in the witness anchor proves the exact content was evaluated, without storing the content itself (privacy-preserving).
Partial: SWT3 attests that the safety check happened. The actual output filtering is AGT's responsibility.
AGT enforces: SPIFFE/DID-based identity with Ed25519 signing. Agents authenticate to the platform via mTLS.
SWT3 attests: A second, independent identity layer using HMAC-SHA256 or ML-DSA-65 (post-quantum) signatures. The agent_id is embedded in every witness anchor. Trust Mesh enables bilateral verification between agents before data exchange.
The two identity layers are complementary: AGT proves identity to the platform; SWT3 proves identity to the auditor.
```python
# Dual identity: AGT platform identity + SWT3 auditor identity
from swt3_ai import Witness

witness = Witness(
    endpoint="https://sovereign.tenova.io",
    api_key="axm_live_...",
    tenant_id="YOUR_TENANT",
    agent_id="scout-finance-agent",  # SWT3 independent identity
    signing_key="your-hmac-key",  # HMAC-SHA256 payload signing
    signing_algorithm="hmac-sha256",  # Or "ml-dsa-65" for post-quantum
)
```
AGT enforces: RAG content validation to detect poisoned or manipulated retrieval results.
SWT3 attests: Witnesses RAG retrieval provenance (source document hashes, chunk IDs), relevance scores, and the memory context state. An auditor can trace which documents influenced a given inference and verify that no unauthorized sources were injected.
AGT enforces: RBAC with least-privilege tool access. Privilege boundaries are enforced at the PolicyEngine level.
SWT3 attests: Every access decision is witnessed with the authorization_id, target resource, and grant/deny outcome. The pre-inference authorization gate (authorization_id field) ensures that access was approved before the inference executed, not retroactively.
AGT enforces: Dependency scanning, Ed25519-signed plugins, and SLSA-compatible build provenance with cryptographic hash pinning.
SWT3 attests: Witnesses the full AI software bill of materials, supply chain risk assessment, and model weight file hashes (SHA-256). If a model file changes between deployments, the witness anchor detects the drift.
AGT enforces: Structured audit logs with policy decision records.
SWT3 attests: An independent audit trail with daily Merkle tree rollups. Each anchor is chained via fingerprints, and the daily root hash can be verified by any party. The chain monitor exporter produces forensic HTML/JSON reports showing the complete tool execution timeline, token consumption, and policy violation flags.
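The chained anchors, policy-version binding, pre-inference authorization gate and daily Merkle rollup described above (and in the monitoring and identity paragraphs earlier) as a worked Python example. This is illustrative code added for this page, not the swt3_ai library; the anchor field layout, HMAC-SHA256 as the signing algorithm, the constructed sample key and the agent/policy values are assumptions.

```python
import hashlib
import hmac
import json

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_anchor(prev_fp, agent_id, policy_version, authorization_id, tool, response, key):
    # Constructed anchor format (not SWT3's wire format): binds identity, policy
    # version, pre-inference authorization and the response hash to the chain.
    if not authorization_id:
        raise ValueError("authorization_id required before inference")  # authorization gate
    body = {
        "agent_id": agent_id,  # the independent (auditor-facing) identity
        "policy_version_hash": _sha256(policy_version.encode()),
        "authorization_id": authorization_id,
        "tool": tool,
        "response_hash": _sha256(response.encode()),  # content itself is not stored
        "prev": prev_fp,  # link to the previous anchor's fingerprint
    }
    canon = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, canon, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig, "fingerprint": _sha256(canon + sig.encode())}

def merkle_root(fingerprints):
    # Daily rollup: a single root over every anchor fingerprint in the period.
    level = list(fingerprints)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last leaf on odd-sized levels
        level = [_sha256((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0] if level else None

def verify_chain(anchors, key, expected_root):
    # Auditor-side check: HMAC, fingerprint, prev-link and Merkle root must all hold.
    prev = None
    for a in anchors:
        canon = json.dumps(a["body"], sort_keys=True).encode()
        expect_sig = hmac.new(key, canon, hashlib.sha256).hexdigest()
        if a["body"]["prev"] != prev or not hmac.compare_digest(expect_sig, a["sig"]):
            return False
        if a["fingerprint"] != _sha256(canon + a["sig"].encode()):
            return False
        prev = a["fingerprint"]
    return merkle_root([a["fingerprint"] for a in anchors]) == expected_root

def build_sample_chain(key=b"constructed-demo-key"):
    # Constructed sample: two witnessed tool calls from one agent under policy v2.1.0.
    a1 = make_anchor(None, "scout-finance-agent", "v2.1.0", "auth-001", "search", "Q4 revenue up 8%", key)
    a2 = make_anchor(a1["fingerprint"], "scout-finance-agent", "v2.1.0", "auth-002", "summarize", "Summary", key)
    return [a1, a2]
```

Changing any witnessed field after the fact (a response hash, an authorization_id, a prev link) breaks the HMAC or the fingerprint and therefore the root, which is what lets an auditor verify from the rollup root alone.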
```python
# pip install swt3-ai
from swt3_ai import Witness
from swt3_ai.adapters.foundry import wrap_foundry

# Initialize the independent witness layer
witness = Witness(
    endpoint="https://sovereign.tenova.io",
    api_key="axm_live_...",
    tenant_id="YOUR_TENANT",
    agent_id="scout-document-agent",
    signing_key="your-hmac-key",
)

# Wrap your Foundry agent (duck-typed, no Microsoft SDK dependency)
# (my_agent is your existing Foundry agent object)
agent = wrap_foundry(my_agent, witness=witness)

# Every execute() call is now independently witnessed
result = agent.execute("Summarize the compliance report")

# Every tool interception is also witnessed
result = agent.intercept_tool_call("search", {"query": "audit findings"})
```
```javascript
// npm install @tenova/swt3-ai
import { Witness } from "@tenova/swt3-ai";
import { wrapFoundry } from "@tenova/swt3-ai/adapters/foundry";

const witness = new Witness({
  endpoint: "https://sovereign.tenova.io",
  apiKey: "axm_live_...",
  tenantId: "YOUR_TENANT",
  agentId: "scout-document-agent",
  signingKey: "your-hmac-key",
});

// Wrap the Foundry agent
const agent = wrapFoundry(myAgent, witness);

// Every execution is independently witnessed
const result = await agent.execute("Summarize the compliance report");
```
```yaml
# Initialize with the microsoft-foundry profile
# swt3 init --profile microsoft-foundry

# swt3.yaml (auto-generated)
profile: microsoft-foundry
api_key_env: SWT3_API_KEY
tenant_id: YOUR_TENANT
agent_id: your-foundry-agent
signing_key_env: SWT3_SIGNING_KEY
```
The microsoft-foundry profile pre-configures SWT3 for Foundry Agent Service deployments:
| Setting | Value | Rationale |
|---|---|---|
| Clearing Level | 2 (Sensitive) | Enterprise data classification for Foundry workloads |
| Trust Mesh | Strict, Level 2 | Multi-agent Foundry sessions require bilateral verification |
| Tool Witnessing | All tools, fail-secure | Every Foundry Toolbox call gets an independent anchor |
| Chain Depth | 12 | Foundry supports deeper agent delegation chains |
| Token Budget | 200,000/session | Enterprise session budget with hard cap |
| Merkle Rollup | Enabled, 60s interval | Tamper-evident accumulation for continuous attestation |
| Required Procedures | AI-INF.1, AI-GRD.1, AI-TOOL.1, AI-CHAIN.1, AI-ID.1, AI-ACC.1, AI-AUDIT.1 | Core attestation for OWASP Agentic coverage |
When AGT and SWT3 operate together: