Microsoft shipped two governance additions to Agent Framework in six days: a devblog post on May 14 walking through Agent Governance Toolkit integration with the framework’s runtime policies, followed on May 20 by FIDES, an information-flow control middleware that propagates integrity and confidentiality labels through agent pipelines automatically. Both are technically credible. Neither addresses the structural problem Forbes documented six weeks earlier: Microsoft’s agent stack now spans six distinct surfaces, and even the company’s own IT org couldn’t pick one when building an internal self-service agent.
Governance where it wasn’t
The Agent Governance Toolkit (AGT), released April 2 as MIT-licensed open source, claims to be the first framework covering all 10 OWASP Agentic AI Top 10 risks. It ships 10 formal specification documents, SDKs for Python, TypeScript, .NET, Rust, and Go, and reports sub-0.1ms p99 policy-enforcement latency. That latency figure is vendor-benchmarked; independent confirmation is not available as of late May.
The May 14 devblog post by Imran Siddique and Shawn (both on the AGT team) demonstrates how the toolkit pairs with Agent Framework for runtime policy enforcement and end-to-end auditability. FIDES, released six days later, adds deterministic enforcement: integrity and confidentiality labels that propagate through the agent pipeline without manual annotation. The acronym stands for Flow Integrity Deterministic Enforcement System, and the mechanism is worth noting because most agent frameworks still handle prompt-injection risk with best-effort input sanitization rather than labeled information-flow control.
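To make the contrast with input sanitization concrete, here is an added sketch of labeled information-flow control in general. It is not FIDES code or its API: every name in it (`Labeled`, `derive`, `authorize`, `POLICY`, the two-level labels, the tool names) is a hypothetical chosen for illustration, and the inputs are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Integrity(IntEnum):
    UNTRUSTED = 0   # e.g. fetched web page, inbound e-mail
    TRUSTED = 1     # e.g. system prompt, authenticated user turn

class Confidentiality(IntEnum):
    PUBLIC = 0
    SECRET = 1

@dataclass(frozen=True)
class Labeled:
    value: str
    integrity: Integrity
    confidentiality: Confidentiality

def derive(value, *sources):
    """Label a derived value with the join of its sources:
    lowest integrity, highest confidentiality."""
    return Labeled(value,
                   min(s.integrity for s in sources),
                   max(s.confidentiality for s in sources))

# Hypothetical per-tool policy: (minimum integrity required of the
# arguments, maximum confidentiality the tool's sink may receive).
POLICY = {
    "send_email": (Integrity.TRUSTED, Confidentiality.PUBLIC),
    "summarize": (Integrity.UNTRUSTED, Confidentiality.SECRET),
}

def authorize(tool, *args):
    """Deterministic gate: decides from labels only, never from content."""
    min_int, max_conf = POLICY[tool]
    label = derive("", *args)
    if label.integrity < min_int:
        return (False, "integrity too low")
    if label.confidentiality > max_conf:
        return (False, "confidentiality too high")
    return (True, "ok")

def demo():
    # Constructed inputs standing in for a user turn, a fetched page, internal notes.
    user = Labeled("Summarise this page", Integrity.TRUSTED, Confidentiality.PUBLIC)
    page = Labeled("<constructed web text>", Integrity.UNTRUSTED, Confidentiality.PUBLIC)
    notes = Labeled("<constructed notes>", Integrity.TRUSTED, Confidentiality.SECRET)
    draft = derive("model output", user, page)  # inherits UNTRUSTED from page
    return {"summarize(draft)": authorize("summarize", draft),
            "send_email(draft)": authorize("send_email", draft),
            "send_email(notes)": authorize("send_email", user, notes)}
```

The gate never inspects the text of `draft`; the side-effecting call is refused because one of its inputs carried an untrusted label, whatever that input happened to say.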
These are real capabilities. The sub-0.1ms latency claim, if it holds under enterprise workloads, addresses a legitimate concern about governance adding request-path overhead. The OWASP coverage gives compliance teams a checklist they can map to emerging regulations. The gap is that governance tooling answers “is this auditable?” without answering “which of Microsoft’s six agent surfaces should we audit?”
Six surfaces and counting
Forbes reported on April 6 that Microsoft’s agent stack spans at least six surfaces: Agent Framework (pro-code), Copilot Studio (low-code), Foundry Agent Service (runtime), M365 Agents SDK (distribution), Azure OpenAI Service (model access), and Agent 365 ($15/user/month, GA May 1, per Forbes). The same report noted that Microsoft’s own IT organization could not settle on a single platform when building an internal self-service agent.
The competitor path: one SDK, one runtime
Google ADK offers a single CLI command to deploy a local agent to managed Agent Engine on Vertex AI. AWS offers a comparable single-framework-to-managed-runtime path. Both present a coherent path that Microsoft’s six-surface stack does not.
This is not an ergonomic preference. When a platform team at an enterprise has to choose between deploying an agent on Agent Framework versus Copilot Studio, the decision involves different runtime environments, different tooling chains, different governance surfaces, and different pricing models. Google and AWS force one choice. Microsoft forces six evaluations and then expects the team to add AGT on top.
The migration tax on existing users
Agent Framework 1.0, released April 3, merged Semantic Kernel and AutoGen into a single codebase. Forbes documented the migration costs: developers who had picked one framework and lived with its tradeoffs now face a consolidation that addresses the build layer but leaves the broader stack fragmentation intact.
Adding governance tooling to a framework that just forced its existing user base through a major migration is a specific kind of timing problem. Teams that spent Q1 migrating to Agent Framework now need to evaluate whether AGT’s policy model fits their rewritten architecture, or whether the policy layer introduces another migration step. The toolkit’s multi-language SDKs help, but the SDK surface is only useful once the underlying agent code has settled.
Regulatory urgency as adoption accelerant
Regulatory deadlines compress the evaluation window. The EU AI Act’s high-risk obligations take effect August 2026. TechFastForward’s April coverage notes that Microsoft is positioning AGT as the governance substrate enterprises can deploy before those deadlines hit.
The OWASP Agentic AI Top 10 mapping is the strategic lever. If OWASP’s risk categories become the language compliance reviewers and procurement teams use to evaluate agent deployments, and AGT is the only framework that maps to all ten, Microsoft has a defensible position regardless of how many surfaces the stack contains. The caveat: the OWASP list itself is not yet formally referenced in EU implementation guidance. The compliance mapping is marketing-grade until regulators adopt it.
What to watch
The governance additions are real engineering work. FIDES in particular, deterministic information-flow control for agent pipelines, addresses a class of prompt-injection risk that most frameworks still handle with best-effort sanitization. The question is whether Microsoft can consolidate the six surfaces into a coherent platform before enterprises lose patience and standardize on the simpler paths Google and AWS already offer.
The regulatory clock helps Microsoft. The stack sprawl helps competitors. Whichever pressure wins first determines whether AGT becomes the default governance layer or a capable tool in search of a single platform to govern.
Frequently Asked Questions
How many organizations are already using AWS’s competing agent SDK?
AWS Strands Agents SDK has surpassed 14 million downloads and pairs with AgentCore, which runs agents in Firecracker microVMs for workload isolation. That adoption head start gives AWS production deployment data that Microsoft’s Agent Framework, consolidated only since April 3, cannot match regardless of AGT’s governance depth.
What specific code changes do Semantic Kernel users face migrating to Agent Framework 1.0?
Semantic Kernel users must rewrite plugin architectures as tool systems, collapse multiple agent classes into a single Agent type, and rework session handling. AutoGen users face a parallel migration from event-driven patterns to graph-based workflows. Both migrations landed on teams in early April, six weeks before the governance layer (AGT and FIDES) was bolted on top.
What happens to AGT’s OWASP coverage claim if the risk list itself changes?
The OWASP Agentic AI Top 10 is a community-maintained catalog, not a ratified standard, and its categories could be revised or expanded. If OWASP redefines a risk category, AGT’s position as the only framework covering all ten becomes contingent on a spec it does not control. The compliance mapping Microsoft is building around OWASP also depends on regulators formally referencing those categories in implementation guidance, which has not occurred as of May 2026.
Does Microsoft’s product renaming history signal anything about future surface consolidation?
Azure AI Studio was renamed Azure AI Foundry in late 2024, then Microsoft Foundry in 2025. Each rename forced enterprise architecture teams to re-evaluate platform commitments. If Microsoft consolidates its six agent surfaces into fewer products, a similar rename cycle could invalidate tooling investments teams make today, including any AGT policy configurations tied to a specific surface’s runtime model.
Is AGT’s sub-0.1ms governance latency realistic under production load?
The figure is a vendor benchmark with no independent third-party verification as of late May 2026. Latency in the p99 tail depends on policy complexity, the number of active agents in a pipeline, and whether FIDES label propagation adds overhead during multi-step tool calls. Teams evaluating AGT should budget their own load testing before relying on the published number for capacity planning.