Framework guides
Microsoft Agent Governance Toolkit integration
Use Microsoft Agent Governance Toolkit for policy decisions and Contro1 for human approval routing, signed callbacks, and audit evidence.
When Microsoft AGT says require_approval, Contro1 turns it into a routed human decision with signed resume and audit evidence.
Use the integration skill
Copy this skill link into your code agent to add Microsoft Agent Governance Toolkit and Contro1 to your system.
Key takeaways
- Policy engines decide when approval is required. Contro1 runs the approval path.
- Send policy_context so the approval record preserves the Microsoft AGT policy source, rule, reason, version, and enforcement mode.
- High and critical risk approvals require a reviewer comment, and approval_comment_required can force comments on any request.
- Production approvals must use Contro1 APIs and signed webhooks.
Where each system sits
Microsoft Agent Governance Toolkit evaluates policy before a tool or action runs. Contro1 receives the approval request when that policy decision requires a human.
Use Microsoft AGT for policy enforcement. Use Contro1 for human approval routing, signed callbacks, and audit evidence.
Bridge flow
- The agent proposes a tool call.
- Microsoft AGT evaluates policy and returns allow, deny, or require_approval.
- For require_approval, the bridge creates a Contro1 request with policy_context.
- Contro1 routes the request, enforces comment rules, tracks SLA/escalation, and stores evidence.
- The runtime verifies the signed Contro1 callback and resumes only on approved status.
Request payload
Policy context fields
| Field | Use |
|---|---|
| source | Policy engine or integration source, such as microsoft_agt. |
| policy_name | Policy file or policy set that triggered review. |
| rule_id | Stable rule identifier for audit and search. |
| rule_reason | Human-readable reason the rule required approval. |
| policy_version | Policy version, commit, date, or release tag. |
| enforcement | Decision mode, usually require_approval. |
Webhook handling
Callbacks include policy_context alongside risk_level, policy_trigger, decision_context, status, response, and protocol_response. Verify X-CentCom-Signature and X-CentCom-Timestamp before doing anything with the result.
Resume only when status is approved. Denied, cancelled, timed_out, invalid signatures, and duplicate callback delivery IDs should fail closed.
Send full agent traceability
Beyond the approval call, attach identity, a run trace, the tools you invoked, and the context you retrieved. Each field is optional — add what you have. The verified identity always comes from your API key; a caller-supplied actor.agent_id is recorded as a claimed sub-agent until an admin verifies it.
- trace_id / parent_trace_id — link one run (and sub-agent runs) into a single trace.
- tool_calls[] — what the agent tried to do, so reviewers see the actions.
- retrieved_context[] — the data the decision was based on (RAG provenance).
- Then export a signed evidence packet from GET /requests/:id/evidence.
Make the approval the gate, not a suggestion
The signed webhook is cryptographic proof of a human decision. Verify it inside the system that executes the action - not inside the agent. Any tool that must never run without human sign-off (payments, deploys, data deletion) should refuse to act without a verified approval; that way no agent, including shadow agents nobody registered, can trigger it by skipping Contro1.
- Verify the signature and reject timestamps older than 5 minutes (replay protection; the timestamp marks callback delivery, not request creation, so long SLAs are unaffected).
- Bind the approval to the exact action parameters via metadata / correlation_id - never treat "an approval arrived" as permission for a different action.
- Execute each request_id exactly once (idempotency on your side).
- When in doubt, confirm state directly with GET /v1/requests/:id using a read-only API key.
Frequently asked questions
Does Contro1 replace Microsoft AGT?
No. Microsoft AGT remains the policy enforcement layer. Contro1 runs the human decision path once policy requires approval.
Is policy_context a policy engine?
No. policy_context is ingestion and evidence metadata. It records which external policy source, policy, and rule caused the review.