MS Agent Governance Toolkit vs Google AX — two opposite layers of 2026 agent infrastructure
Two of the largest agent infrastructure projects of 2026 dropped within weeks
of each other. They share the keyword "agent runtime" but sit on opposite
sides of the stack. Reading them as competitors misses the point — they're
the two halves of the same architecture.
TL;DR
- MS Agent Governance Toolkit (AGT) — a policy & security plane that decides what an agent is allowed to do.
- Google AX (Agent eXecutor) — a distributed execution plane that runs the agent and survives crashes.
- Not competitors. AGT explicitly ships a Google ADK integration; AX leaves governance out of scope. The intended deployment is AGT on top of AX, not one or the other.
1. Positioning
Dimension | MS Agent Governance Toolkit | Google AX |
Layer | Governance / security side-car | Execution runtime (orchestration core) |
Core value | Action control, compliance | Reliability, automatic recovery |
Announced | 2026-04-02 (MS Open Source blog) | KubeCon NA 2025-11 → expanded 2026 |
License | MIT | Apache 2.0 |
Maturity | Public Preview, v3.7.0 (May 2026) | Active early development, pre-v1.0 (breaking changes expected) |
Explicit non-goals | Prompt guardrails, content safety | Policy/identity beyond audit call wiring |
The split is intentional. AGT's documentation states that prompt-based safety
("just tell the model to follow the rules") yields a 26.67% policy violation
rate, whereas application-layer enforcement reaches 0.00%. AX takes the
inverse stance: it doesn't try to police what the agent says, it makes sure the
agent's process survives and its state is recoverable.
2. Microsoft Agent Governance Toolkit
Features
Capability | Detail |
Policy Engine | YAML, OPA/Rego, Cedar. Single rule eval at 0.012 ms (72K ops/sec), full enforce at 0.091 ms, 50-agent parallel run at 35,481 ops/sec |
Zero-Trust Identity | Ed25519 plus post-quantum ML-DSA-65, trust score 0–1000 |
Execution Sandboxing | 4-tier privilege rings, Saga orchestration, kill-switch |
Agent SRE | SLO / error budget / chaos engineering / circuit breakers |
MCP Security Scanner | Tool poisoning, lookalike-name attacks, hidden-instruction detection |
Shadow AI Discovery | Auto-detection of unregistered agents |
Compliance coverage | OWASP Agentic Top 10 ASI-01 ~ ASI-10 in full (first toolkit to do so, validated by 13K+ tests) |
Tech stack — polyglot across 5 languages
Language | Package | Install |
Python | agent-governance-toolkit[full] | pip install ... |
TypeScript | @microsoft/agent-governance-sdk | npm install ... |
.NET | Microsoft.AgentGovernance | dotnet add package ... |
Rust | agent-governance | cargo add ... |
Go | agent-governance-toolkit | go get ... |
Copilot CLI | @microsoft/agent-governance-copilot-cli | npx ... |
Claude Code | dedicated plugin | — |
Python package layout
- Agent OS — policy engine, capability model, MCP security gateway
- AgentMesh — zero-trust identity, trust scoring, mesh coordination
- Agent Runtime — privilege rings, saga orchestration, execution control
- Agent SRE — SLOs, error budgets, chaos, circuit breakers
- Agent Compliance — OWASP verification, policy linting, integrity checks
Framework integrations
Each adapter hooks into the framework's native extension point — no agent
code rewrite required:
- Microsoft Agent Framework, Semantic Kernel
- LangChain / LangGraph (callback handlers)
- CrewAI (task decorators)
- AutoGen, OpenAI Agents SDK
- Google ADK (plugin system), LlamaIndex, Haystack, Mastra, Dify
- Azure AI Foundry, AWS Bedrock
Strengths
- Full coverage of OWASP Agentic Top 10 → NIST AI RMF and EU AI Act compliance ready out-of-the-box
- 5 languages × almost every major agent framework — drops into existing code
- Sub-millisecond enforcement, Microsoft-signed builds, MIT
- Only option that ships governance plugins for Claude Code and Copilot CLI
Weaknesses
- Provides no execution plane — a separate runtime is still required
- Content safety / prompt injection is explicitly out of scope
- Still Public Preview at v3.7.0 — breaking changes possible before GA
- Maintaining 5 language implementations risks feature drift across them
3. Google AX (Agent eXecutor)
Features
- Distributed runtime — Controller, Skill, Tool, and Agent each run as independent processes
- Single-writer architecture — guarantees state consistency
- Event log on SQLite — durable record of every execution, enables automatic resume after interruption
- gRPC actor communication — uniform interface for local and remote agents (default
localhost:8494)
- A2A protocol bridge — interoperates with any A2A-compliant external agent
- Native on GKE Agent Sandbox / Agent Substrate — 16× growth in 5 months of preview
Tech stack — Go-centric monolithic core
- Language: Go 84.8%, Python 12.6%
- Transport: gRPC (
proto/ax.proto)
- Storage: SQLite (event log)
- AI: Gemini API (built-in planner)
- Deployment: Kubernetes / Agent Substrate on GKE (recommended)
- Install:
go install github.com/google/ax/cmd/ax@latest
Components
Controller— coordinates execution, manages state
EventLog— SQLite-backed durable event store
AgentService— gRPC interface for remote agents
Planner— default Gemini-backed planning agent
Supported SDKs
Native AX agent, Google ADK (Python), A2A-compliant external agents,
Google Colab (experimental).
Strengths
- Long-running execution and failure recovery as first-class citizens — event log handles automatic resume
- gRPC + Kubernetes-native — horizontal scale and multi-node distribution feel natural
- A2A bridge for cross-ecosystem interoperability
- Combined with GKE Agent Sandbox, sandboxing and scaling are delegated to the substrate
- Single Go core keeps operational surface simple
Weaknesses
- Pre-v1.0 with major breaking changes announced upfront
- Go toolchain and Kubernetes are effectively required (Substrate is the recommended path)
- Policy / governance / identity is limited to "wiring audit calls" — no real enforcement
- Optimized around Google ADK — integrations for other frameworks rely on the A2A bridge
- Documentation and examples are still sparse (early development)
4. Decision guide
Situation | Pick |
Already running LangGraph / CrewAI / Semantic Kernel agents and worrying about compliance, audit, MCP risk | AGT (one-line install) |
Running dozens to hundreds of agents on GKE, watching them die and losing state | AX (event-log resume) |
Enterprise full stack — both governance and reliable execution | AGT + AX together (AGT explicitly lists ADK integration → same-stack deployment is the intended path) |
Need to attach governance to Claude Code or Copilot CLI | AGT — the only option with dedicated plugins |
5. Why this matters in 2026
- Two hyperscalers open-sourced opposite abstraction layers at almost the same moment. That's a signal that 2026 agent infrastructure is splitting cleanly into runtime (AX) and governance (AGT).
- AGT explicitly shipping a Google ADK integration is the strongest hint that the two were designed to compose, not compete.
- OWASP's December 2025 release of the Agentic Top 10 is becoming the de-facto standard — AGT is its first comprehensive implementation.
- AX's 16× growth on GKE Agent Sandbox confirms the trend of "agents as container workloads", which makes a Kubernetes-native execution plane the new baseline.
Sources
TECH LINKS
- 𝕏 @webnori