Two pip install commands connect any AGT-governed agent to enterprise-grade runtime execution control — with cryptographic proof, budget enforcement, and standards-based identity. No code changes required.
On April 10, 2026, we published two MIT-licensed Python packages on PyPI:
pip install authzen-policy-backend
# AuthZEN PDP as an AGT PolicyEvaluator backend
pip install aria-agentkit
# Full AGT extension point adapters
These packages turn EmpowerNow ARIA into a first-class backend inside Microsoft's Agent Governance Toolkit. Any developer building agents with AGT can now add enterprise runtime execution control — policy enforcement at the network boundary, tamper-evident audit receipts, and budget governance — without changing a single line of their agent code.
This post explains what we built, why we built it, and what it means for teams putting AI agents into production safely.
Microsoft Built Something Real
Credit where it's due. Microsoft's Agent Governance Toolkit is serious engineering. It provides deterministic, in-process policy enforcement at sub-millisecond latency. It gives agents cryptographic identity through Ed25519 credentials. It implements four-tier privilege rings, saga orchestration for multi-step workflows, and SRE primitives like SLOs, error budgets, and circuit breakers. It covers all ten categories in the OWASP Agentic Top 10. And it does all of this across five language SDKs — Python, TypeScript, .NET, Rust, and Go.
This is not vaporware. It's a legitimate governance SDK with thousands of tests, published packages, and a clear engineering vision. We've studied the source code thoroughly — it's MIT-licensed, so anyone can.
The question isn't whether the toolkit is good. The question is whether it's sufficient for production enterprise deployments. We don't think it is — not yet, and possibly not by design. Here's why.
The In-Process Boundary Problem
The Agent Governance Toolkit operates entirely within the agent's process. Its policy engine evaluates actions before execution — and that's valuable. But the enforcement boundary is the Python interpreter (or the equivalent runtime in other languages). The toolkit's own architecture documentation acknowledges this directly, recommending container isolation for high-security deployments.
This creates a structural limitation. An in-process policy engine can be bypassed if the agent code is misconfigured, if a dependency introduces a vulnerability, or if a developer simply forgets to wire up the governance middleware. Every agent must individually include and correctly configure the toolkit. There is no central enforcement point that governs agents regardless of how they are built.
Think of it this way: the toolkit provides seatbelts. Seatbelts save lives. But traffic law enforcement — speed cameras, toll barriers, traffic signals — works regardless of whether the driver buckled up. Both layers matter. Responsible deployments use both.
ARIA operates at the network boundary. Its Policy Decision Point (PDP) evaluates every request over HTTPS using the OpenID AuthZEN Authorization API 1.0 — a public standard, not a proprietary wire protocol. ARIA Shield intercepts LLM traffic. ARIA MCP Gateway intercepts tool invocations. Neither depends on the agent having correctly initialized an SDK. If the agent can reach the network, the agent is governed.
What We Shipped: Two Packages, Two Integration Depths
Rather than positioning ARIA against the toolkit, we built adapters that make them work together. The two packages implement AGT's own extension point interfaces, so the integration is native — not a shim, not a wrapper, not a hack.
authzen-policy-backend — Standards-Based Policy Evaluation
This package implements AGT's ExternalPolicyBackend protocol. When a PolicyEvaluator in an AGT-governed agent needs to make a policy decision, it can delegate that decision to any AuthZEN-compliant PDP over HTTPS.
from agent_os.policies import PolicyEvaluator
from authzen_backend import AuthZENBackend
evaluator = PolicyEvaluator()
evaluator.add_backend(AuthZENBackend(
pdp_url="https://pdp.example.com/access/v1/evaluation",
pdp_application="my-agent-platform",
token="my-bearer-token",
))
Three lines of configuration. The evaluator now consults ARIA's PDP for every policy decision. But here's what matters: the wire protocol is OpenID AuthZEN 1.0. Any compliant PDP works. We chose to build on a public standard because lock-in objections kill enterprise deals, and because we believe our platform wins on capability, not on proprietary integration.
The package supports both synchronous and asynchronous evaluation, OAuth 2.0 client credentials for token management, and ARIA-enhanced response extraction — obligations, constraints, and denial advice that go beyond binary allow/deny.
aria-agentkit — Full Extension Point Adapters
This package goes deeper. It implements four AGT extension points:
ARIAToolInterceptor → ToolCallInterceptor
Every tool call passes through this interceptor, which maps the call to an AuthZEN 1.0 evaluation request and routes it to ARIA's PDP. Tool name, arguments, agent identity, and delegator context are all included in the authorization request.
ARIAPolicyProvider → PolicyProviderInterface
Retrieves policy definitions from ARIA's authorization infrastructure, centralizing policy management rather than scattering YAML files across agent repositories.
ARIAAuditBackend → AuditBackend
Instead of structured log entries, exports tamper-evident receipts to ARIA's Receipt Vault. Each receipt is an RS256 JWS with policy decision snapshot, schema hash, spend attribution, delegator context, and a hash chain link. Includes recursive field redaction, idempotency keys, exponential backoff retry, and dead-letter routing.
MCP Configuration Emitters
Generates correct Streamable HTTP transport parameters for ARIA MCP Gateway, including Bearer authentication and protocol version negotiation. Agents using MCP tools get routed through cryptographic schema pinning automatically.
Both packages are contract-tested against AGT 3.0.x types. If Microsoft changes an interface in a future release, our CI pipeline breaks before any customer's agent does.
Why Standards Matter More Than SDKs
Microsoft's toolkit uses custom did:mesh: identifiers for agent identity. These are backed by Ed25519 key material and include a trust scoring system — technically sound, but entirely separate from enterprise identity infrastructure.
Every enterprise we talk to already has an identity provider. Azure AD, Okta, Ping — they don't want a parallel identity system for their agents. Agent identity should be an extension of the existing identity fabric, not a silo beside it.
ARIA uses OAuth 2.0 Token Exchange (RFC 8693) and DPoP (RFC 9449). An agent acting on behalf of a user receives a delegated token through the same identity chain the enterprise already operates. Revocation is scoped to specific user-agent relationships. Audit trails link every agent action to a human principal through standard claims.
The same principle applies to policy evaluation. AuthZEN is an OpenID standard. The evaluation API is published, interoperable, and vendor-neutral. Our authzen-policy-backend makes that policy decision available over a standard network API, which means the same PDP governs agents, APIs, and UI sessions through a single policy surface.
The Capabilities AGT Doesn't Have (Yet)
We're being direct about this because customers will discover it anyway, and intellectual honesty builds more trust than marketing spin.
Budget Governance
AGT has no cost tracking, spending limits, or financial controls. ARIA enforces budgets at the point of execution — pre-checks before the tool runs, stream-time caps on token consumption, and HTTP 402 when budgets are exhausted.
Cryptographic Receipts
AGT produces structured logs. ARIA issues RS256-signed JWS receipts with per-agent hash chains — independently verifiable proof designed for regulatory retention. Our ARIAAuditBackend bridges this gap.
Schema Pinning
AGT's MCPSecurityScanner uses heuristic detection — warnings, not enforcement. ARIA MCP Gateway validates RS256-signed schema pins on every invocation. Invalid or missing pins block execution.
OAuth Vault
In the toolkit, credentials live in agent process memory. ARIA's OAuth Vault ensures tokens are fetched and used server-side only. No code path returns tokens to callers. Agents receive data, not credentials.
When to Use Both
The strongest architecture combines both layers. The toolkit's in-process governance provides defense in depth — fast, local policy checks that catch obvious violations before they hit the network. ARIA's infrastructure provides the enforcement boundary, the cryptographic proof, and the enterprise integrations that the toolkit isn't designed to provide.
Start with AGT
If you're in early-stage AI exploration. The toolkit is free, MIT-licensed, and provides genuine guardrails. Build your agents with governance from day one.
Add pip install aria-agentkit
When your deployment moves toward production — when you need to prove compliance to an auditor, enforce budgets for FinOps, integrate agent identity with your enterprise directory, or pin MCP tool schemas cryptographically.
Zero-Friction Promise
An existing AGT agent gains ARIA's runtime execution control through configuration, not code changes. The adapters implement AGT's own interfaces. The wire protocol is a public standard. The packages are MIT-licensed.
What This Means for the Market
Microsoft's entry validates the problem space. A year ago, governing what AI agents actually do at runtime was a slide in a futurist's deck. Today, Microsoft has published an SDK, the EU AI Act enforcement date is four months away, and enterprises are actively evaluating how to put agents into production safely.
We welcome the validation. And we responded not with a competitive counter-campaign, but with published, installable, contract-tested adapters that make the two systems work together.
Because the real competition isn't between governance vendors. The real competition is between governed agents and ungoverned ones. Every enterprise that deploys agents with proper runtime execution control — regardless of which vendor provides it — moves the industry forward. We just made it easier to get there.
Links
authzen-policy-backend on PyPI → aria-agentkit on PyPI → Microsoft Agent Governance Toolkit on GitHub → OpenID AuthZEN Authorization API 1.0 → EmpowerNow ARIA is runtime execution control from EmpowerID. ARIA authorizes, audits, and budgets every action AI agents take in production — with cryptographic proof that satisfies regulators, auditors, and boards. Learn more about ARIA →