PERMISSION/PROTOCOL

Engineering · May 21, 2026

Microsoft AGT vs Permission Protocol: Two Halves of the Agentic Stack

Microsoft's Agent Governance Toolkit and Permission Protocol get compared a lot. They're not competitors. They cover different halves of the same problem. Here's the technical breakdown.

The one-liner

AGT decides what an agent can do. Permission Protocol records who said it could.

Both are runtime governance. They diverge on what they govern, at what latency, and what artifact they produce.

What AGT is

Microsoft Agent Governance Toolkit launched in April 2026 as an MIT-licensed open source project. Repo at github.com/microsoft/agent-governance-toolkit. The toolkit covers:

  • A deterministic policy engine — YAML, OPA/Rego, Cedar. Sub-millisecond allow/deny (0.012ms p50). 35K ops/sec concurrent. Fail-closed.
  • Identity and trust scoring — Ed25519 with post-quantum ML-DSA-65. SPIFFE/SVID compatible. Behavioral trust scoring 0–1000 that decays when agents misbehave.
  • Execution sandboxing — four privilege rings, saga orchestration, kill switch.
  • SRE for agents — SLOs, error budgets, chaos engineering, circuit breakers, OTel observability.
  • Tamper-evident audit logs — Merkle-chained. Auto-mapped to EU AI Act, SOC 2, HIPAA, GDPR.

SDKs in Python, TypeScript, .NET, Rust, and Go. Adapters for LangChain, CrewAI, AutoGen, OpenAI Agents, Semantic Kernel, AWS Bedrock, and 20-plus other frameworks. The repo claims 100% coverage of the OWASP Agentic Top 10.

In short: a serious, well-engineered policy engine for AI agents, with Microsoft signed releases and a working community.

What AGT is not

Four things AGT explicitly does not do. None of these are criticisms — they are simply outside the scope AGT chose.

  1. It does not route consequential actions to a named human. AGT decides in software at machine speed. There is no built-in concept of pausing for a human signoff, no approval queue, no Slack/Teams/email gating, no review surface.
  2. It does not produce a legally durable receipt. Tamper-evident audit logs are valuable, but they record what happened. They do not name the human who authorized the action — because in AGT's model, the policy is the authority, not a person.
  3. It does not have a workflow surface. No escalation routing, no human-readable diff previews, no signer eligibility based on organizational role.
  4. It is not financial-services or regulated-industry shaped. AGT is a generic agent governance toolkit for developers building agents. The product surface and the documentation are oriented to security engineers, not Chief Compliance Officers or regulatory examiners.

What Permission Protocol is

Permission Protocol is the runtime layer that picks up where the sandbox and the policy engine end. When an agent action targets production and authorization actually matters, PP evaluates it:

  • Policy auto-approve for routine consequential actions, producing a receipt that names the policy as the signer.
  • Human signoff routing for the actions policy cannot decide — escalation to a named human via the approver's preferred surface, with full diff preview and contextual evidence.
  • Tamper-evident, cryptographically signed receipts naming the human (or policy) signer, the action, the policy applied, the evidence consulted, and the time to the millisecond. Retained for years, exportable to any audit pipeline.

Receipts map to OWASP Agentic Top 10, NIST AI RMF, SR 11-7, EU AI Act Article 14, and Reg S-P.

Composition: how they fit together

A mature agentic stack uses both. The mental model:

Agent action
    │
    ├──► Sandbox ─ routine, never touches production
    │
    └──► AGT ──── policy gate, sub-ms allow/deny, identity/trust
                  │
                  ├──► routine production action ──► auto-approve, audit log
                  │
                  └──► consequential action ──► PP
                                                 │
                                                 ├──► policy auto-approve ──► receipt
                                                 │
                                                 └──► escalate ──► named human ──► receipt

AGT handles the routine. PP handles what AGT escalates as consequential. Each layer produces an audit artifact appropriate to its surface — AGT's Merkle log captures the technical event; PP's receipt captures the named-human authorization.

OWASP framework coverage

AGT claims 10/10 OWASP Agentic Top 10 coverage. PP claims direct coverage of six of those risks — the ones whose listed mitigations explicitly require named-human signoff and tamper-evident receipts.

AGT's strongest claims: ASI01 (intent), ASI04 (supply chain attestation), ASI07 (inter-agent identity and PKI).

PP's strongest claims: ASI02 (per-action approval), ASI03 (privilege escalation routing), ASI08 (cascading-failure receipts), ASI09 (multi-step approval), ASI10 (signed audit logs naming the human approver).

Where they overlap: ASI05 (code execution). Both are credible. AGT's sandbox isolates; PP's named human approves elevated runs. Most real deployments use both.

Full risk-by-risk mapping in our OWASP Agentic Top 10 page.

When to use which

Pick AGT if your primary need is high-throughput policy enforcement on agent actions and identity/trust at the protocol layer. Especially if you are deep in the Microsoft stack already (Copilot, Azure, Entra) or building developer tooling on top of LangChain, AutoGen, or Semantic Kernel.

Pick PP if your primary need is producing the regulator-grade authorization artifact — named human signers, signed receipts, workflow routing — for consequential agent actions. Especially in financial services, healthcare, regulated industry, or any environment where the auditor's question is “who specifically authorized this?”

Pick both if you are running agents in production at scale in a regulated environment. That is the mature configuration.

What we are not claiming

PP is not a policy engine in AGT's sense. Our policy DSL is intentionally narrower — it is built around routing decisions to humans and producing receipts, not deterministic allow/deny at machine speed across 35K ops/sec. If you need sub-millisecond policy gating on every agent tool call, AGT is the right tool.

PP is not an identity provider, an inter-agent communication layer, or a sandbox. We compose with those. Bridgewater-style deployments will run Entra for identity, AGT for policy, and PP for named-human authorization. Each layer has a job.