ARCS-Microsoft-AGT Crosswalk
Purpose
This crosswalk maps Microsoft Agent Governance Toolkit runtime-governance artifacts to the ARCS record-custody layer, the SRS portable envelope, and GARP Gateway/Reconstructor evidence classes.
The document is not a product comparison and does not claim Microsoft endorsement. It treats Microsoft AGT as a runtime-governance evidence producer: a system that can create policy decisions, audit events, trace identifiers, approval records, identity artifacts, and reconstructible decision evidence during ordinary operation.
ARCS governs the record surface those artifacts enter.
Namespace note
This crosswalk uses ARCS-AGT for the ARCS v1.0 Agent Runtime control family and Microsoft AGT for Microsoft Agent Governance Toolkit. The names are adjacent but not interchangeable.
The convergence frame
The governing ARCS frame is the protocol-and-record tetrad:
auth.md provisions. MCP acts. x402 settles. ARCS records, with SRS as the portable envelope that carries them.
Microsoft AGT extends the same pattern into runtime governance. Its public release stream describes policy evaluation, identity and trust, execution context, MCP security, audit sinks, Merkle audit chains, ToolPolicy, RAG governance, approval records, and Decision BOM reconstruction. Those artifacts confirm that agent systems increasingly externalize governance evidence. They do not, by themselves, settle cross-vendor custody, lifecycle, publication, preservation, or non-creation posture.
The SRS envelope was not designed against any single publication. The correspondence with NSA, MCP RC, auth.md, and Microsoft AGT reflects independent convergence on what a useful receipt structure looks like for the governed AI boundary recording problem.
Layer map
| Layer | What the layer governs | Representative Microsoft AGT artifact | ARCS / SRS / GARP reading |
|---|---|---|---|
| Runtime action control | Whether an agent may call a tool, send a message, or delegate | Policy decision, ToolPolicy, approval gate | Evidence for ARCS-AGT and Reconstructor policy-context fields |
| Runtime identity and delegation | Which agent, credential, trust score, or delegation chain was used | Agent identity, trust artifact, delegation chain | Actor, authority, and delegation evidence for SRS extensions and Reconstructor inputs |
| Runtime audit and integrity | What governance event occurred and whether the audit stream is tamper-evident | Audit sink, StdoutAuditSink, Merkle audit chain | Vendor application log, provenance evidence, integrity evidence |
| Portable boundary receipt | How boundary evidence can be carried across systems | Governance receipt or Decision BOM output, where fields map cleanly | SRS-compatible receipt evidence, Gateway/Reconstructor receipt input |
| Post-hoc composition | How scattered evidence is assembled after the fact | Decision BOM data sources, trace identifiers, audit records | Reconstructor evidence-source class, with completeness status assigned by GARP |
| Record custody | Which records exist, where they persist, who holds them, and what lifecycle applies | Not a primary Microsoft AGT object | ARCS-LIF, ARCS-CUS, ARCS-TAX, ARCS-PUB, ARCS-NCR, ARCS-PV, ARCS-VER, ARCS-DEL |
Crosswalk table
| Microsoft AGT artifact | ARCS / SRS / GARP slot | Record-custody consequence |
|---|---|---|
| Decision BOM | Reconstructor evidence source / decision-lineage input | Helps reconstruct the runtime governance decision, but does not itself classify every record the interaction created or touched |
| Audit sink / StdoutAuditSink | Vendor application log / runtime audit evidence | Creates governance-layer records with their own lifecycle and custody surface |
| Merkle audit chain | Provenance and integrity evidence | Supports verification of audit-event integrity while leaving retention, preservation, and production posture to the operator |
| ToolPolicy | Policy-context evidence; possible later mapping to AIB Policy Pack vocabulary | Documents runtime permission structure and approval requirements that may influence custody analysis |
| Approval records | Human authorization / operator decision evidence | Creates a review and authorization record that may be distinct from the underlying workflow record |
| MCP Security Gateway events | Boundary event / protocol_binding = mcp evidence | Documents tool and resource boundary activity requiring lifecycle and custody classification |
| RAG governance events | Retrieval / source-access evidence | Helps identify knowledge sources consumed or accessed during an interaction |
| Identity and trust artifacts | Actor, delegation, and authority evidence | Helps identify who or what acted, but does not by itself establish full custody chain |
| Governance receipts | SRS-compatible receipt evidence, if fields map cleanly | May be carried or translated into SRS receipt posture if provenance, protocol binding, artifact class, and hash fields are available |
| Trace identifiers | Reconstructor correlation handle / protocol-binding evidence | Supports post-hoc association across logs and systems, subject to completeness limits |
| Execution-context fields | Runtime environment evidence and operator-boundary context | Helps identify where the action occurred and which environment produced the evidence |
Boundary principles
Denied actions still create records
A blocked tool call may create policy decisions, audit events, trace identifiers, reviewer tasks, denial reasons, and integrity proofs. Denial prevents the requested action. It does not mean no record was created.
Non-retention is not non-existence
An operator may configure a runtime not to retain prompts, outputs, or payload bodies. That posture does not eliminate residual artifacts such as hashes, timestamps, trace identifiers, policy decisions, audit receipts, billing events, routing metadata, provider telemetry, cache markers, deletion markers, or legal-hold exceptions. ARCS-NCR governs the non-creation and residual-artifact posture.
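The two principles above (denied actions still create records; non-retention is not non-existence), shown as an added example that is not part of the original crosswalk and is not Microsoft AGT or ARCS code. It applies a payload non-retention setting to a constructed denied tool call and inventories what is still held; all field names and sample values are hypothetical.

```python
import hashlib

# Every field name here is hypothetical: this is not a Microsoft AGT or ARCS schema.
PAYLOAD_FIELDS = ("prompt", "output", "payload_body")
RESIDUAL_FIELDS = {  # stored field -> residual-artifact class named in the text
    "timestamp": "timestamp",
    "trace_id": "trace identifier",
    "decision": "policy decision",
    "denial_reason": "denial reason",
    "receipt_id": "audit receipt",
}

def apply_non_retention(event):
    """Drop payload bodies, as a non-retention setting would, but keep a digest."""
    stored = {k: v for k, v in event.items() if k not in PAYLOAD_FIELDS}
    for field in PAYLOAD_FIELDS:
        if field in event:
            # The digest outlives the body, so it is itself a residual artifact.
            digest = hashlib.sha256(event[field].encode()).hexdigest()
            stored[field + "_sha256"] = digest
    return stored

def residual_inventory(stored_events):
    """Count, per residual-artifact class, the fields still held after non-retention."""
    inventory = {}
    for event in stored_events:
        for field in event:
            cls = "hash" if field.endswith("_sha256") else RESIDUAL_FIELDS.get(field)
            if cls:
                inventory[cls] = inventory.get(cls, 0) + 1
    return inventory

# Constructed sample: one tool call that policy denied, recorded by two producers.
DENIED_CALL = [
    {"kind": "policy_decision", "timestamp": "2025-01-01T00:00:00Z",
     "trace_id": "trace-0001", "decision": "deny",
     "denial_reason": "tool not permitted", "payload_body": '{"tool": "send_email"}'},
    {"kind": "audit_event", "timestamp": "2025-01-01T00:00:00Z",
     "trace_id": "trace-0001", "receipt_id": "receipt-0001"},
]

STORED = [apply_non_retention(e) for e in DENIED_CALL]
INVENTORY = residual_inventory(STORED)

if __name__ == "__main__":
    for cls, count in sorted(INVENTORY.items()):
        print(f"{cls}: {count}")
```

The tool never ran and no payload body was kept, yet the inventory is non-empty; each class it lists is a surface that still needs lifecycle and custody classification.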
Identity attribution is not full custody chain
Agent identity, trust score, and delegation evidence help answer who acted. Custody also asks where the resulting records persist, which parties hold independent copies, whether records crossed organizational boundaries, and what lifecycle posture applies at each surface.
Publication and export are custody transitions
A governance receipt, audit export, Decision BOM, or compliance evidence package may itself become a record. Exporting evidence can create a new custody surface even when the exported artifact was produced to prove governance.
ARCS control family orientation
| ARCS family | Microsoft AGT relationship |
|---|---|
| ARCS-LIF | Runtime governance artifacts require lifecycle classification after creation |
| ARCS-CUS | Audit, identity, trace, and gateway records may persist across multiple custodians |
| ARCS-TAX | Governance-layer records should be classified separately from workflow records |
| ARCS-OPB | Runtime evidence helps identify the operator boundary but does not resolve it alone |
| ARCS-PUB | Evidence exports, receipts, and compliance packages are publication or handoff candidates |
| ARCS-NCR | Non-retention claims require residual-artifact mapping and verification |
| ARCS-PV | Retention flags and legal-hold states need preservation procedure and cross-surface propagation |
| ARCS-VER | Merkle chains, receipts, and trace identifiers supply verification evidence, not full record custody by themselves |
| ARCS-AGT | Microsoft AGT is relevant runtime-governance infrastructure for Agent Runtime control analysis |
| ARCS-DEL | Identity, delegation, trust, credential, and memory artifacts are evidence for delegation and memory custody analysis |
Practical reading
Microsoft AGT can help prove that a runtime governance decision occurred, which agent requested an action, which policy applied, and what audit evidence was emitted. ARCS asks the next record-custody question: what records did that governed interaction create, where do those records persist, who holds them, and what lifecycle, publication, preservation, non-creation, and verification posture applies.
Deferred work
A later crosswalk revision should map Microsoft AGT ToolPolicy semantics against AIB Policy Pack vocabulary after the AIB Policy Pack Spec v0.1 and Conformance Pack v0.1 stabilize.
A later Reconstructor implementation brief may define a RuntimeGovernanceEvidenceAdapter abstraction. Microsoft AGT logs and Decision BOM artifacts would be one evidence-source class under that abstraction, alongside vendor application logs, W3C Trace Context, MCP Apps audit trails, Task lifecycle records, agent_delegation records, external agent session receipts, and agent outcome objects.
ARCS v1.0 | ARCS-Microsoft-AGT Crosswalk | arcsstandard.org