Microsoft open-sourced two tools on May 20 designed to shift agent safety from periodic audits to continuous engineering practice. RAMPART is a test framework that turns red-team findings into repeatable CI tests. Clarity is a structured decision tool that forces teams to validate architecture assumptions before writing code.

Both tools target what Microsoft calls the core risk of agentic systems: agents that can act across email, CRM, code execution, and connected services can also act in ways nobody intended.

What RAMPART Does

RAMPART builds on Microsoft’s existing PyRIT red-teaming framework but flips the audience. Where PyRIT is designed for security researchers probing black-box systems after they ship, RAMPART is built for engineers testing as they build.

The developer experience mirrors standard integration testing. Teams write pytest tests describing scenarios from their threat model. Each test connects to the agent through a thin adapter, orchestrates an interaction, and evaluates observable outcomes with a pass/fail signal that gates CI, according to Microsoft’s announcement. When a team adds a new tool or data source to an agent, the corresponding safety test can ship in the same pull request.

The framework’s most mature coverage focuses on cross-prompt injection attacks: scenarios where agents retrieve or process poisoned content from documents, emails, or tickets that manipulate behavior indirectly. Evaluators inspect which tools the agent invokes, what side effects occur, and whether actions stay within expected boundaries. They are composable with boolean logic, allowing teams to express nuanced safety conditions rather than relying on a single binary signal.

Extension points use Python protocols, keeping integration lightweight even for complex agent architectures.

What Clarity Does

Clarity targets the design mistakes that produce the most expensive safety failures. Microsoft’s framing: by the time a red team surfaces a design-level issue, the system is built and fixing it means starting over.

The tool runs as a desktop app, web UI, or embedded inside a coding agent. It guides engineers through structured conversations covering problem clarification, solution exploration, failure analysis, and decision tracking. Results write to a .clarity-protocol/ directory in the repo as plain markdown files that get committed, reviewed in pull requests, and diffed like source code.

The failure analysis uses multiple AI “thinkers” that independently examine the system from security, human factors, adversarial, and operational angles. Clarity tracks staleness across these documents: when a problem statement changes, it flags that the solution description and failure analysis may need revisiting.

The CI Safety Gap

The release reflects a pattern across the enterprise agent stack. Agent governance has moved from policy documents to engineering tooling. Google’s Agent cryptographic identity standard shipped last week. OpenClaw’s five-point security roadmap addresses filesystem and network boundaries. Microsoft’s contribution targets the testing layer: making safety regressions as catchable as broken unit tests.

RAMPART is led by Bashir Partovi. Clarity is a joint project from Yonatan Zunger, Dharmin Shah, and team. Both are available now on GitHub.