AI agents are increasingly connecting to real-world tools via the Model Context Protocol (MCP), but this opens the door to security risks like data exfiltration, prompt injection, and unauthorized actions. The Agent Governance Toolkit (AGT) for .NET provides a robust governance layer that enforces policy, inspects inputs and outputs, and makes trust decisions explicit. In this article, we'll explore six key components of AGT that help you govern MCP tool execution, from pipeline evaluation to response sanitization. Each item includes practical insights and code examples you can adapt immediately. Let's dive in.
- Why MCP Needs a Governance Layer
- McpGateway – A Governed Pipeline for Tool Calls
- McpSecurityScanner – Detecting Suspicious Tool Definitions
- McpResponseSanitizer – Cleaning Tool Output
- GovernanceKernel – Tying It All Together with Policy and Telemetry
- Getting Started with AGT in .NET
1. Why MCP Needs a Governance Layer
The MCP specification explicitly recommends that clients prompt for user confirmation on sensitive operations, show tool inputs before execution to prevent accidental data exfiltration, and validate tool results before passing them to the LLM. However, most MCP SDKs leave these responsibilities to the host application—meaning they're often unimplemented. AGT fills this gap by acting as a consistent enforcement point across all your .NET agents. It applies policy checks, input inspection, and response validation at every stage. For example, a malicious MCP server might define a tool named read_flie (note the typo) with a description containing prompt injection like
2. McpGateway – A Governed Pipeline for Tool Calls
The McpGateway is a central pipeline that evaluates every tool call before execution. It acts as a proxy between the LLM and MCP servers, intercepting each request and applying configurable rules. For instance, you can enforce that file-reading tools only execute if the requested path matches an allowed pattern, or that any API call requiring write access must be approved by a human. The gateway also logs all calls for audit and debugging. In .NET, you set up the McpGateway with a policy file (YAML or JSON) that specifies thresholds and allowed actions. Once configured, every tool invocation passes through this governance layer, reducing the risk of unintended or harmful operations. The gateway integrates seamlessly with other AGT components, forming a complete security envelope for your agent.
3. McpSecurityScanner – Detecting Suspicious Tool Definitions
Before an LLM even sees a tool, the McpSecurityScanner can inspect its definition for indicators of compromise. This scanner analyzes the tool's name, description, input schema, and server metadata for anomalies such as typosquatting (e.g., read_flie instead of read_file), embedded system prompts (as in prompt injection), or suspicious URLs pointing to data exfiltration endpoints. It outputs a risk score (0–100) and a list of detected threats. For example, scanning the malicious tool above would flag the typo, the injected system tag, and the exfiltration URL, returning a high risk score. This proactive vetting helps you decide which tools to expose to the LLM, preventing attacks before they can start. The scanner is lightweight and can be called synchronously or as part of an automated CI/CD pipeline.
4. McpResponseSanitizer – Cleaning Tool Output
Even after a tool call executes, its response may contain harmful content like credentials, prompt injection payloads, or URLs directing the LLM to exfiltrate data. The McpResponseSanitizer automatically scrubs these items before the output reaches the model. It uses pattern matching (e.g., regex for API keys, URLs to known bad domains) and configurable filters to remove or redact sensitive pieces. For instance, if a database tool returns an error message containing an SQL injection attempt, the sanitizer can strip the malicious code. This prevents the LLM from being manipulated by tainted response data. You can customize the sanitizer with your own rules, tailoring it to your organization's threat landscape. Combined with the gateway and scanner, the sanitizer ensures that no harmful content enters the model's context, maintaining integrity throughout the agent's workflow.
5. GovernanceKernel – Tying It All Together with Policy and Telemetry
The GovernanceKernel is the orchestration layer that wires together the gateway, scanner, sanitizer, and other future components. It reads a YAML-based policy file that defines which checks to apply, thresholds, and actions (e.g., block, warn, or log). The kernel also emits audit events for every decision, making governance transparent and verifiable. These events can be exported to OpenTelemetry for integration with observability tools like Jaeger or Azure Monitor. For example, you can trace a tool call from the LLM's request through the gateway, scanner, sanitizer, and finally execution—with each step logged. This holistic view helps you monitor compliance, detect anomalies, and debug issues. The kernel's modular design lets you add custom processors or replace components easily, adapting to your evolving security needs.
6. Getting Started with AGT in .NET
To start using AGT in your .NET projects, simply install the Microsoft.AgentGovernance NuGet package (MIT-licensed, targets .NET 8.0+). It has a single direct dependency—YamlDotNet—and requires no external services. After installation, you can define a governance policy in a YAML file, instantiate the GovernanceKernel, and configure the McpGateway, scanner, and sanitizer as middleware. The toolkit is designed to be lightweight and unobtrusive, integrating naturally with existing MCP client code. For code samples and detailed documentation, check the official AGT repository. With just a few lines, you can add a powerful governance layer to any .NET agent, making it safer and more trustworthy.
In summary, the Agent Governance Toolkit provides a comprehensive, modular way to enforce policies, inspect inputs and outputs, and detect threats across your MCP-powered AI agents. By adopting these six components, you can significantly reduce the risk of data exfiltration, prompt injection, and unauthorized actions. Start small with the security scanner or response sanitizer, then gradually build up to a full governed pipeline with the GovernanceKernel. The toolkit's .NET-native implementation makes it easy to integrate without leaving your existing ecosystem. Give it a try and take control of your agent's tool calls today.