Agent Governance: Zehrava vs. Microsoft vs. Alternatives
TL;DR
Microsoft and Rebuno govern what agents can do autonomously. Zehrava governs what agents should do with human oversight. Complementary, not competing. Use together for a complete governance stack.
When evaluating agent governance tooling, developers encounter Microsoft Agent Governance Toolkit, Rebuno, NeMo Guardrails, Guardrails AI, LiteLLM, and Portkey. These are widely-used, well-regarded tools — but they solve fundamentally different problems.
The Core Distinction
| Tool | Core Focus | Primary User |
|---|---|---|
| Zehrava Gate | Human approval gates for high-consequence writes | Teams building production AI agents |
| Microsoft Agent Governance Toolkit | Autonomous policy enforcement, identity, sandboxing | Platform / security teams at enterprises |
| NeMo Guardrails (NVIDIA) | Conversational safety for chatbots | Developers building dialog systems |
| Guardrails AI | LLM output validation | Developers needing structured outputs |
| LiteLLM / Portkey | LLM gateway, routing, caching | Teams managing multi-provider access |
Microsoft Agent Governance Toolkit
Microsoft published github.com/microsoft/agent-governance-toolkit on March 18, 2026. It's enterprise-grade runtime governance for AI agents at scale.
What Microsoft Has
- 6,100+ tests — 10/10 OWASP Agentic Top 10 coverage
- <0.1ms policy engine — deterministic pre-execution action validation
- Zero-trust agent identity — Ed25519 cryptographic credentials, SPIFFE/SVID support
- 4-tier execution sandboxing — privilege rings for agent actions
- Agent SRE — SLOs, error budgets, chaos engineering, circuit breakers
- 12+ framework integrations — LangChain, CrewAI, AutoGen, Dify, LlamaIndex, Google ADK, OpenAI Agents
- Python · TypeScript · .NET SDKs
What Microsoft Doesn't Have
- No approval dashboard — their
EscalationHandleris backend-only (webhook or in-memory queue) - No persistent approval history
- No async propose → approve → execute flow — agent blocks waiting for response
- No visual intent management
How Zehrava Complements Microsoft
Microsoft = autonomous governance at scale (95% of actions auto-governed via policy)
Zehrava = human-in-the-loop approval layer (5% of actions that always need human eyes)
Use case split:
- Microsoft's policy engine handles: read operations, low-risk tool calls, internal APIs → auto-allow/deny in <0.1ms
- Zehrava handles: email blasts, database deletes, financial transactions, customer-facing content → human approval required
Integration Pattern
from agent_os import PolicyEngine
from zehrava import Gate
# Microsoft's policy engine handles auto-allow/deny
policy = PolicyEngine(capabilities=...)
decision = policy.evaluate(agent_id, action, tool)
if decision.allowed:
# Auto-allowed by policy — proceed
execute_action()
elif decision.require_human_approval:
# Route to Zehrava for visual approval
intent = gate.propose(action, payload)
if intent.status == "approved":
execute_action()
Microsoft's toolkit includes an EscalationHandler for human approval, but it's backend-only (webhook or in-memory queue). Zehrava provides the approval dashboard, persistent history, and async intent lifecycle that teams need in production.
Feature Comparison
| Feature | Zehrava | Microsoft | Rebuno | NeMo | Guardrails AI |
|---|---|---|---|---|---|
| Agent action governance | ✅ | ✅ | ✅ | ❌ | ❌ |
| Human approval dashboard | ✅ | ❌ | ⚠️ Generic | ❌ | ❌ |
| Async propose → approve → execute | ✅ | ❌ | ⚠️ Signal-based | ❌ | ❌ |
| Deterministic policy engine | ❌ | ✅ <0.1ms | ✅ YAML | ⚠️ | ❌ |
| Zero-trust agent identity | ❌ | ✅ Ed25519 | ❌ | ❌ | ❌ |
| Execution sandboxing | ❌ | ✅ 4-tier | ❌ | ❌ | ❌ |
| Agent SRE (SLOs, chaos) | ❌ | ✅ | ❌ | ❌ | ❌ |
| LLM output validation | ❌ | ⚠️ | ❌ | ✅ | ✅ |
| Setup time | 5 min | ~1 hour | ~30 min | ~30 min | ~20 min |
| Target user | Solo devs, small teams | Enterprises, platform teams | Platform builders | Chatbot devs | Output parsing |
Rebuno
Rebuno is a kernel-authoritative execution runtime for AI agents. It's Go-based and sits between agents and their tools — agents connect via SSE, receive executions, and submit intents. The kernel enforces policy and records everything.
What Rebuno Has
- Kernel-controlled execution — agents receive work from the kernel (push model)
- Policy engine — YAML rules for allow/deny/
require_approval - Human approval via signals — execution blocks until human sends approval signal
- Next.js dashboard ("Explorer") — execution list, event stream, signal dialog
- Remote tool execution — optional "runners" for distributed tool execution
- Full audit trail — every state transition logged
What Rebuno Doesn't Have
- No dedicated approval queue UI — signal dialog is generic (you type the signal type manually)
- No visual intent cards — approval is signal-based, not intent-based
- More complex setup — requires Go kernel + agent + policy YAML
How Zehrava Complements Rebuno
Rebuno = kernel-controlled execution + policy-based governance (95% of actions auto-governed)
Zehrava = human-in-the-loop approval layer with purpose-built dashboard (5% that need human eyes)
Use case split:
- Rebuno's policy engine handles: policy-based auto-allow/deny for most agent actions
- Zehrava handles: visual approval queue for high-consequence writes (email blasts, database deletes, deployments)
Rebuno has require_approval policy capability, but the UI is a generic signal dialog. Zehrava provides the visual approval cards, context preview, and approve/reject buttons that teams need in production.
Other Tools
NeMo Guardrails (NVIDIA)
What it does: Adds conversational guardrails to LLM-based chatbots — blocking off-topic requests, enforcing dialog flows (Colang), and filtering harmful outputs.
Where it excels: Chatbot safety and topicality constraints.
What it doesn't cover: Governing what an agent does (tool calls, spawns, file writes, API invocations).
Guardrails AI
What it does: Validates and coerces LLM outputs into structured formats (JSON schemas, Pydantic models) — ensuring outputs conform to expected shapes.
Where it excels: Reliable structured data extraction from LLM responses.
What it doesn't cover: Any form of pre-execution action governance.
LiteLLM & Portkey
What they do: Unified LLM API gateways that abstract over 100+ providers behind a single interface — including routing, caching, observability, and spend tracking.
Where they excel: Multi-provider LLM management and cost optimization.
What they don't cover: Agent-level governance (tool calls are invisible to these gateways).
When to Use Each
| If your question is… | Use… |
|---|---|
| "I need a human approval dashboard for high-consequence writes" | Zehrava Gate |
| "I need a kernel that controls all agent execution" | Rebuno |
| "I need enterprise-grade autonomous governance at scale" | Microsoft Agent Governance Toolkit |
| "I need policy-based auto-allow/deny with optional human approval" | Rebuno (policy) + Zehrava (dashboard) |
| "Did the model return valid JSON?" | Guardrails AI |
| "Is this chatbot staying on topic?" | NeMo Guardrails |
| "How do I route across 100+ LLM providers?" | LiteLLM or Portkey |
The Complete Governance Stack
For production agentic systems, you likely need multiple tools working together:
- Rebuno or Microsoft Agent Governance Toolkit — enforces policy-based governance before every tool call (Rebuno = kernel-controlled execution, Microsoft = enterprise-scale + zero-trust identity)
- Zehrava Gate — adds human approval gates for the 5% of actions that always need oversight (email blasts, database deletes, financial transactions)
- Guardrails AI or NeMo — ensures the LLM's words conform to format and safety rules
- LiteLLM or Portkey — routes, caches, and observes the underlying model calls
"For production agentic systems, you likely need the Agent Governance Toolkit plus one or more of the above tools working together."
Zehrava Gate is "one of the above tools." It's the human-approval layer that sits on top of autonomous policy enforcement.
Summary
Microsoft Agent Governance Toolkit handles autonomous governance at scale — 95% of agent actions auto-governed via policy in <0.1ms. It's enterprise-grade, OWASP-certified, and comes with zero-trust identity, execution sandboxing, and Agent SRE tooling.
Rebuno is a kernel-authoritative execution runtime. It controls the full agent lifecycle — executions, steps, policy enforcement, signals, audit trail. It has approval capability via require_approval policy, but the UI is generic (freeform signal dialog).
Zehrava Gate handles human-in-the-loop approval for the 5% of actions that always need human eyes. It's the visual dashboard, persistent approval history, and async intent lifecycle that neither Microsoft nor Rebuno provide.
Use Rebuno or Microsoft for autonomous governance. Use Zehrava for human oversight. Use both for a complete stack.
Add human approval gates to your agent stack.
MIT license. Self-hostable. Framework-agnostic. Takes 5 minutes to get a dashboard.
Get started free →