Microsoft released version 3.2.2 of its open-source Agent Governance Toolkit on April 25, adding end-to-end encrypted agent-to-agent messaging built on the Signal protocol (X3DH key agreement plus Double Ratchet), a formal wire protocol specification, and registry and relay services for agent discovery and offline message delivery. The update also fixes encryption exports for the npm package.

The toolkit, released under MIT license, provides runtime governance for autonomous AI agents: deterministic policy enforcement, zero-trust identity with Ed25519 and quantum-safe ML-DSA-65 credentials, execution sandboxing with four-tier privilege rings, and SRE tooling including SLOs, circuit breakers, and chaos engineering. According to Microsoft’s open-source blog, it is the first toolkit to address all 10 OWASP Agentic AI Top 10 risks with deterministic enforcement, backed by over 9,500 tests.

What the Encryption Layer Adds

The v3.1.1 release (April 21) introduced the core encryption modules: X3DH key agreement using Ed25519 identity keys, Double Ratchet with ChaCha20-Poly1305 encryption providing per-message forward secrecy, a high-level SecureChannel API for send/receive operations, and an EncryptedTrustBridge that gates channels on trust verification. The changelog lists 61 tests across all encryption modules.

Version 3.2.2 extends this with the AgentMesh Wire Protocol v1.0 specification, a TypeScript port of the full encryption stack to the @microsoft/agentmesh-sdk npm package, a MeshClient for relay transport with plaintext peers and KNOCK pending queues, a first-party registry service with pre-key bundles and presence tracking, and a store-and-forward relay service with 72-hour TTL offline inbox. The wire spec includes a clean-room IP statement and recommended cryptographic libraries.

Framework Coverage

The toolkit integrates with over 20 agent frameworks, according to Microsoft’s developer blog, including AWS Bedrock, Google ADK, Azure AI, LangChain, CrewAI, AutoGen, OpenAI Agents SDK, and others. SDKs ship in Python, TypeScript, .NET, Rust, and Go. Each integration hooks into a framework’s native extension points rather than requiring code rewrites.

Microsoft’s blog noted that prompt-based safety has a 26.67% policy violation rate in red-team testing, per the project’s published benchmarks. The toolkit’s deterministic application-layer enforcement reports 0.00%.

The Governance Maturity Signal

The v3.2.2 release marks a shift from policy enforcement as an advisory layer to a production infrastructure requirement. Agent messaging now has the same cryptographic guarantees that Signal provides for human messaging: forward secrecy, offline delivery, and verifiable identity. For teams deploying multi-agent systems where agents communicate across trust boundaries, encrypted channels become a baseline expectation rather than a feature request.

With the EU AI Act’s high-risk AI obligations taking effect in August 2026 and the Colorado AI Act enforceable in June 2026, according to Microsoft’s announcement, the toolkit’s inclusion of an EU AI Act Risk Classifier and automated OWASP compliance verification positions it as compliance infrastructure, not just security tooling.