Field reports from production
Reference
https://github.com/microsoft/agent-governance-toolkit
Linked May 26, 2026
May 26, 2026 | Product Review
When Microsoft open-sourced its Agent Governance Toolkit in April 2026, it gave the market the thing it had been missing: a credible action-layer policy kernel that sits between an autonomous agent and the actions it tries to take. Adopt it for that and it earns its place. But there is a gap leaders should see before they treat it as the whole answer. Its native policy model is attribute-based — rules about properties — while most consequential enterprise agent decisions are relational: who is the agent acting for, what does that principal own, which delegation chain authorises this session, which team membership grants this access. Attributes cannot express that cleanly. So for most large enterprises the honest architecture is not “adopt” or “build,” but compose — pair the toolkit with a relational authoriser (a Zanzibar-style permission graph), and overlay a hardware-backed confidential-computing layer where workloads are regulated. Agent governance is splitting into four distinct layers — content guardrails, action governance, relational authorisation, confidential computing — and the agents that survive production at scale will be the ones whose owners built all four on purpose rather than assuming one product covered them.
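To make the attribute-versus-relational distinction concrete, here is an added sketch (not code from the toolkit or from this review, and not using the toolkit's API) of a minimal Zanzibar-style tuple check that resolves a delegation chain, next to an attribute-only rule. All object names, relation names and the sample tuples are hypothetical and constructed for illustration.

```python
# Constructed relation tuples (object, relation, subject); every name is hypothetical.
TUPLES = {
    ("doc:q3-forecast", "owner", "user:alice"),
    ("doc:q3-forecast", "viewer", "team:finance#member"),
    ("team:finance", "member", "user:bob"),
    ("session:s1", "delegated_by", "user:alice"),  # alice starts an agent session
    ("session:s2", "delegated_by", "session:s1"),  # that agent spawns a sub-agent
    ("session:s3", "delegated_by", "user:bob"),
}
IMPLIED_BY = {"viewer": ["editor"], "editor": ["owner"]}  # stronger relation implies weaker

def check(obj, relation, subject, seen=frozenset()):
    """True if subject holds relation on obj, via direct tuples, usersets or implication."""
    if (obj, relation) in seen:  # guard against cyclic tuples
        return False
    seen = seen | {(obj, relation)}
    for o, r, s in TUPLES:
        if (o, r) != (obj, relation):
            continue
        if s == subject:
            return True
        if "#" in s and check(*s.split("#", 1), subject, seen):  # e.g. team:finance#member
            return True
    return any(check(obj, up, subject, seen) for up in IMPLIED_BY.get(relation, []))

def principal_for(session, max_hops=8):
    """Walk the delegation chain back to a human principal; None if broken or too long."""
    node = session
    for _ in range(max_hops):
        parents = [s for o, r, s in TUPLES if o == node and r == "delegated_by"]
        if len(parents) != 1:  # fail closed on a missing or ambiguous hop
            return None
        node = parents[0]
        if node.startswith("user:"):
            return node
    return None

def authorise(session, relation, obj):
    """Relational decision: the session gets only what its root principal holds."""
    principal = principal_for(session)
    return principal is not None and check(obj, relation, principal)

def attribute_rule(agent, resource):
    """Attribute-only rule for contrast: matching department, resource not restricted."""
    return agent["department"] == resource["department"] and resource["class"] != "restricted"
```

Sessions s2 and s3 can carry identical attributes (same department, same resource class) and pass the attribute rule equally, yet only s2 may edit the document, because its delegation chain ends at the owner.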