Agent Governance in 2026: Who's Building the Guardrails?
Sandboxing, policy enforcement, security scanning, and compliance — scored on quality daily. A decision guide for teams deploying autonomous agents and looking for governance tooling that actually works.
Your organisation is deploying autonomous agents. They're writing code, making API calls, accessing databases, and executing shell commands. The question isn't whether you need governance — it's whether any governance tooling actually exists that's ready for production.
PT-Edge tracks 1,263 repositories across 12 agent governance subcategories and scores them daily on maintenance, adoption, maturity, and community. This guide maps what exists, what's mature, what's experimental, and where the critical gaps remain.
The governance stack: four layers, unequal maturity
Agent governance isn't one problem. It's a stack, and each layer is at a different stage of maturity:
- Sandboxing — runtime isolation. Prevent the agent from touching what it shouldn't. Most mature.
- Guardrails — pre-action authorisation. Intercept and approve actions before execution. Early but accelerating.
- Monitoring — observability. See what your agent did, trace decisions, track costs. Mature, but borrowed from adjacent tooling.
- Auditing & compliance — prove to regulators and stakeholders that your agents operate within policy. Almost nothing exists.
Understanding which layer you need — and which layers are actually ready — is the key decision.
Sandboxing: the only governance layer with real adoption
Execution sandboxing is where agent governance is most mature. The problem is well-defined (isolate untrusted code), the solutions draw on decades of container and VM technology, and there's real adoption.
| Project | Score | Stars | Approach |
|---|---|---|---|
| E2B | 92/100 | 11,263 | Cloud sandboxes, multi-language SDKs |
| OpenSandbox | 87/100 | 7,681 | Docker/K8s runtimes, enterprise-grade |
| boxlite | 60/100 | 1,524 | Embeddable, stateful, hardware isolation |
| agent-safehouse | 57/100 | 1,184 | macOS-native, filesystem-level |
| nono | 63/100 | 980 | Kernel-enforced, capability-based, Rust |
| zeroboot | 57/100 | 1,592 | Sub-millisecond VMs via COW forking |
| capsule | 43/100 | 225 | WebAssembly isolation |
E2B (92/100, 11,263 stars) is the market leader for cloud agent sandboxes. It's well-maintained (34 commits in the last 30 days) and has the highest quality score in the entire governance landscape. If you need cloud-hosted isolated environments and don't want to build infrastructure, E2B is the default choice.
OpenSandbox from Alibaba (87/100, 7,681 stars, 306 commits in the last 30 days) is the enterprise alternative. Multi-language SDKs, unified sandbox APIs, and Docker/Kubernetes runtimes. If you're running agents at scale on your own infrastructure, OpenSandbox is built for that.
For local development, agent-safehouse (1,184 stars) is the macOS-native option — it reached 492 points on Hacker News and focuses on filesystem-level isolation for local AI agents. nono (980 stars, 267 commits in the last 30 days) takes a more ambitious approach: kernel-enforced capability-based isolation with cryptographic audit chains, written in Rust.
The sandboxing space is active enough that Hacker News is asking "Why are so many rolling out their own AI/LLM agent sandboxing solution?" — a sign the ecosystem is fragmenting before consolidating. Expect a shakeout over the next 6-12 months.
Guardrails: intercepting actions before they execute
Sandboxing limits where an agent can operate. Guardrails decide what an agent is allowed to do. This is the layer that decides whether a database query should run, whether a file deletion should proceed, or whether an API call should be blocked.
| Project | Score | Stars | What it does |
|---|---|---|---|
| agent-governance-toolkit | 64/100 | 47 | Policy enforcement, zero-trust identity, execution sandboxing |
| guardrails | 70/100 | 6,534 | Adding guardrails to large language models |
| agent-control | 42/100 | 116 | Centralised control plane for runtime agent behaviour |
| DashClaw | 61/100 | 121 | Intercept actions, enforce guard policies, produce audit-ready decision trails |
| destructive_command_guard | 56/100 | 670 | Blocks dangerous git and shell commands |
Microsoft's agent-governance-toolkit (64/100) is the most comprehensive project in this layer. It claims coverage of all 10 items in the OWASP Agentic Top 10, combining policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering. With 47 stars it's still early in adoption, but it's the only project attempting a full governance framework rather than solving a single problem.
guardrails-ai/guardrails (6,534 stars) is the most adopted project in this space, but it solves a narrower problem: LLM output validation. It's a guardrail on what the model says, not on what the agent does. For teams that need input/output filtering — PII detection, hallucination checks, schema enforcement — it's the established choice. But it doesn't cover the agent action layer.
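The output-validation idea can be illustrated with a minimal, library-free sketch — a schema check plus a PII deny-list applied to a model response before it reaches the user. Everything here (the function name, the regex, the rules) is a hypothetical illustration, not guardrails-ai's actual API:

```python
import json
import re

# Hypothetical output validator: schema-check and PII-screen an LLM
# response before it reaches the user. Not the guardrails-ai API.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def validate_output(raw: str, required_keys: set) -> dict:
    """Parse a model response, enforce required keys, reject PII."""
    data = json.loads(raw)  # fail fast on malformed JSON
    missing = required_keys - data.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    for value in data.values():
        if isinstance(value, str) and EMAIL_RE.search(value):
            raise ValueError("PII detected: email address in output")
    return data

ok = validate_output('{"answer": "42", "source": "docs"}', {"answer", "source"})
print(ok["answer"])  # → 42
```

Note what this cannot do: it validates text, not behaviour. An agent that emits a clean JSON answer while also deleting files passes every output check.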
agent-control (116 stars) takes the control plane approach: centralised governance of runtime agent behaviour at scale. DashClaw (121 stars, 61/100) focuses on decision infrastructure — intercept actions, enforce guard policies, require approvals, produce audit-ready decision trails.
For a simpler, immediate need, destructive_command_guard (670 stars) blocks dangerous shell and git commands. It's a blunt instrument, but it's the kind of tool you deploy today while building something more sophisticated.
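The blunt-instrument approach fits in a few lines: a deny-list of patterns checked before any shell command is allowed to run. The patterns below are illustrative examples in the spirit of destructive_command_guard, not the project's actual rule set:

```python
import re

# Illustrative deny-list; these patterns are examples, not dcg's rules.
DENY_PATTERNS = [
    re.compile(r"\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\b"),  # rm -rf variants
    re.compile(r"\bgit\s+push\s+.*--force\b"),                   # force pushes
    re.compile(r"\bgit\s+reset\s+--hard\b"),                     # hard resets
    re.compile(r"\bdrop\s+table\b", re.IGNORECASE),              # SQL table drops
]

def is_blocked(command: str) -> bool:
    """Return True if the command matches any destructive pattern."""
    return any(p.search(command) for p in DENY_PATTERNS)

print(is_blocked("git push origin main --force"))  # True
print(is_blocked("git status"))                    # False
```

A deny-list is trivially bypassable by a creative agent (aliases, encodings, indirection), which is exactly why it belongs in the "deploy today" bucket rather than the long-term answer.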
The pattern across this layer: 250 repos in the agent-authorization-guardrails category, but average quality is just 24.1/100. Most are experimental or demo-grade. The gap between what enterprises need and what exists is wide.
Security scanning: finding vulnerabilities before deployment
A growing class of tools scans agent configurations, skills, and MCP setups for security issues before they run in production.
agent-audit (52/100, 104 stars) is the most complete static scanner: 49 rules mapped to the OWASP Agentic Top 10, with support for LangChain, CrewAI, and AutoGen. It covers prompt injection detection, MCP config auditing, and taint analysis.
AgentSeal (66/100, 119 stars) takes a broader approach — scanning your machine for dangerous skills, MCP configurations, supply chain attacks, and testing prompt injection resistance. artguard focuses specifically on detecting malicious AI artifacts: skills, MCP servers, and IDE rule files.
The CoSAI Risk Map (65 stars) provides a framework rather than a tool — it's for identifying, analysing, and mitigating security risks in AI systems, developed under the OASIS standards body.
Monitoring: seeing what your agents do
Observability is the most mature adjacent capability. Several established tools provide visibility into agent behaviour, though they were built for general LLM monitoring and have been adapted for governance use cases.
| Project | Score | Stars | Focus |
|---|---|---|---|
| agentops | 63/100 | 5,363 | Agent monitoring, cost tracking, benchmarking |
| trulens | 74/100 | 3,160 | Evaluation and tracking for LLM experiments |
| coze-loop | 70/100 | 5,354 | Full lifecycle: debug, evaluate, monitor |
| tracecat | 71/100 | 3,519 | Security automation, purpose-built for agents |
AgentOps (5,363 stars) is the most widely integrated — it works with CrewAI, Agno, OpenAI Agents SDK, LangChain, AutoGen, and CamelAI. TruLens (74/100) has the highest quality score among monitoring tools, focused on evaluation and tracking.
The distinction matters for governance: these tools tell you what happened. They don't prevent the wrong thing from happening. A monitoring tool can show you that an agent accessed a production database at 3am. A guardrail would have stopped it. For teams starting their governance journey, monitoring is the right first step — you need visibility before you can write enforcement policies.
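The distinction is easy to see in code. A hypothetical sketch — neither class mirrors a real tool's API — of the same 3am database access handled by each layer:

```python
from datetime import datetime, timezone

class Monitor:
    """Observability: record what happened, after the fact."""
    def __init__(self):
        self.events = []

    def record(self, action: str, target: str):
        self.events.append((datetime.now(timezone.utc), action, target))

class Guardrail:
    """Enforcement: decide before the action runs."""
    def __init__(self, denied_targets: set):
        self.denied = denied_targets

    def check(self, action: str, target: str):
        if target in self.denied:
            raise PermissionError(f"{action} on {target} blocked by policy")

monitor = Monitor()
guard = Guardrail(denied_targets={"prod-db"})

monitor.record("query", "prod-db")   # logged -- but the query already ran
try:
    guard.check("query", "prod-db")  # stopped before anything happens
except PermissionError as e:
    print(e)  # query on prod-db blocked by policy
```

The monitor's event log is also the raw material for the guardrail: the deny-list you write tomorrow comes from the access patterns you observe today.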
The compliance gap: what's missing
The most striking finding in this landscape is what doesn't exist. Only agent-shield even attempts to map agent behaviour to regulatory frameworks — EU AI Act, GDPR, OWASP LLM Top 10, and NIST AI RMF. It has 2 stars.
For enterprises that need to deploy agents in regulated environments — financial services, healthcare, government — there is almost no tooling that connects agent actions to compliance obligations. You can sandbox your agents and monitor their behaviour, but you cannot automatically demonstrate compliance.
NIST is actively seeking public comment on AI agent security standards. The OWASP Agentic Top 10 was published in early 2026. The standards are being written, but the tools to implement them barely exist. This is the largest opportunity in the governance space.
Three patterns shaping agent governance
1. Sandboxing first, governance later
Most teams start with isolation. It's the most tractable problem: you can sandbox an agent in an afternoon with E2B or agent-safehouse. Policy enforcement, compliance mapping, and audit trails require much more organisational work. The practical path is: sandbox now, add guardrails as you understand your agents' behaviour, then build compliance when regulators require it.
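As a sketch of how small that first step can be: running agent-generated code in a child process with a timeout and an emptied environment. To be clear, a subprocess is not a security boundary — tools like E2B and nono exist precisely because real isolation (containers, microVMs, kernel capabilities) is harder than this — but it illustrates the interface shape every sandbox shares:

```python
import subprocess
import sys

def run_untrusted(code: str, timeout_s: float = 5.0) -> str:
    """Run agent-generated Python in a child process.

    Illustrative only: a subprocess is NOT a security boundary.
    Real sandboxes use containers, VMs, or kernel-level capabilities.
    """
    result = subprocess.run(
        # -I: isolated mode (ignores user site-packages and env-based paths)
        [sys.executable, "-I", "-c", code],
        capture_output=True,
        text=True,
        timeout=timeout_s,  # kill runaway code
        env={},             # strip inherited secrets from the environment
    )
    if result.returncode != 0:
        raise RuntimeError(result.stderr.strip())
    return result.stdout

print(run_untrusted("print(2 + 2)"))  # → 4
```

Every production sandbox — cloud-hosted or kernel-enforced — ultimately exposes this same contract: code in, constrained execution, output or a policy error out.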
2. The OWASP Agentic Top 10 is creating a shared vocabulary
Six months ago, "agent governance" meant different things to every team. The OWASP Agentic Top 10 (175 stars) is changing that. Microsoft's governance toolkit explicitly maps to all 10 items. agent-audit's 49 rules are mapped to the same framework. This shared vocabulary will accelerate convergence — expect more tools to align to it over the next year.
3. The gap between "agent monitoring" and "agent governance" is closing
Monitoring tools are adding policy features. Governance tools are adding observability. coze-loop already spans debug, evaluation, and monitoring in a single platform. As these categories converge, the governance stack will consolidate into fewer, more complete platforms rather than the fragmented landscape we see today.
How to use this data
Every project mentioned in this guide has a quality-scored page in our agents directory, updated daily. You can:
- Browse all 250 guardrails projects ranked by quality
- Compare 114 sandboxing tools side by side
- Track 106 security scanning tools as the space evolves
- Check trending agent projects to see what's gaining momentum this week
Quality scores update daily from live GitHub, PyPI, and npm data. When a governance project stops being maintained, the score drops. When a new tool starts gaining real adoption, it climbs. The data does the work so you don't have to manually audit each repo before trusting it with your agent infrastructure.
Related analysis
Your Agent is Hitting its Ceiling — Who's Actually Fixing It
You've lost sessions to compaction, watched agents redo work, and restarted after crashes with nothing to resume...
Agent Platforms Are Four Problems, Not One
You'll deploy a coding agent and think you're done. You won't be told you also need sandboxing, governance, and...
Your Agent Doesn't Have an Email Address (Yet)
30+ repos are building identity, credentials, email, and payment infrastructure for agents as first-class entities....
Your Docs Are Written for Humans. Your Users Are Agents.
Agents choose developer tools based on documentation quality. llms.txt is the new robots.txt. The MCP data proves...