how-to-guide

Implementing LiabilityLedger with SlashingEngine for Agent Accountability in the Agent Governance Toolkit

May 29, 2026 microsoft/agent-governance-toolkit ↗

The Microsoft Agent Governance Toolkit provides a modular framework that combines an immutable audit ledger with an automated slashing engine to enforce agent accountability through cryptographically verifiable evidence trails and configurable penalty mechanisms.

Implementing LiabilityLedger with SlashingEngine for agent accountability requires a coordinated architecture that tracks every decision while automatically applying sanctions when policies are violated. The microsoft/agent-governance-toolkit repository provides these capabilities through the agentmesh Go package, which chains together policy evaluation, tamper-evident logging, and trust-score manipulation to create a complete governance loop.

Core Architecture of the Liability Ledger and Slashing System

The toolkit separates concerns into distinct layers that work together to create an accountable agent runtime. Each layer corresponds to specific source files in the agent-governance-golang/packages/agentmesh directory.

Policy Definition and Evaluation

The governance pipeline begins with declarative policy rules. In policy.go, the toolkit defines core data structures for policy representation, while policy_backends.go implements multiple evaluation engines including OPA (Open Policy Agent), Cedar, and YAML-based rules. When a request arrives, the Evaluate method interprets these policies and produces a decision: allow, deny, or modify.

The Audit Ledger: Immutable Event Storage

Every policy decision and agent interaction flows through the audit subsystem defined in audit.go. This component creates an append-only, cryptographically signed chain of events that constitutes the LiabilityLedger. Each entry records the agent identity, request context, policy outcome, and timestamp. Entries are signed using credentials from credential_vault.go, ensuring the ledger serves as non-repudiable evidence for compliance audits or dispute resolution.

Trust Scoring and the Slashing Engine

The SlashingEngine operates on top of the audit ledger within kill_switch.go. This engine consumes new audit entries and evaluates them against configurable penalty rules. When a rule matches—such as three deny decisions within one hour—the engine applies sanctions via the ApplyPenalty function. Sanctions can reduce the numeric trust score (calculated in trust.go) or trigger immediate termination.

Lifecycle Management and Kill Switches

The lifecycle.go file implements a state machine that manages agent transitions between states: Active, Quarantined, and Revoked. The TransitionIfNeeded function monitors trust scores after slashing events and automatically moves agents into restricted states when trust falls below configured thresholds. This creates a direct feedback loop where ledger violations result in runtime enforcement actions.

End-to-End Implementation Flow

The runtime integration follows a strict sequence that ensures every request creates accountability evidence before the agent logic executes:

Request Interception: HTTP/GRPC middleware defined in middleware.go captures incoming requests before they reach the agent handler.
Policy Evaluation: The middleware calls policy.Evaluate against the configured backend, producing a decision that is immediately logged.
Ledger Recording: The audit subsystem creates a signed entry in the LiabilityLedger, establishing immutable evidence of the decision context.
Slashing Evaluation: The new ledger entry is passed to kill_switch.ApplyPenalty, which evaluates penalty rules and mutates the agent's trust score if violations are detected.
Lifecycle Transition: lifecycle.TransitionIfNeeded checks the updated trust score and transitions the agent state if necessary, potentially quarantining or revoking the agent.

This flow ensures that the LiabilityLedger remains append-only and verifiable, while the SlashingEngine provides real-time enforcement without manual intervention.

Practical Implementation: Go Code Examples

The following example demonstrates how to wire these components into a runnable agent service. This code initializes the policy engine, audit ledger, slashing engine, and lifecycle manager, then wraps an HTTP handler with governance middleware.

package main

import (
	"log"
	"net/http"

	agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang/packages/agentmesh"
)

func main() {
	// 1️⃣ Initialise core services
	policyEngine, err := agentmesh.NewPolicyEngineFromFile("policy.yaml")
	if err != nil { log.Fatal(err) }

	auditLedger := agentmesh.NewAuditLedger()
	slashing := agentmesh.NewSlashingEngine(auditLedger, agentmesh.DefaultPenaltyRules)
	lifecycle := agentmesh.NewLifecycleManager()

	// 2️⃣ Build HTTP middleware that ties everything together
	middleware := agentmesh.NewMiddleware(
		agentmesh.WithPolicyEngine(policyEngine),
		agentmesh.WithAuditLedger(auditLedger),
		agentmesh.WithSlashingEngine(slashing),
		agentmesh.WithLifecycle(lifecycle),
	)

	// 3️⃣ Simple handler – the actual agent logic lives here
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Agent‑specific processing…
		w.Write([]byte("hello, regulated world"))
	})

	// 4️⃣ Wrap handler with the governance middleware
	http.Handle("/", middleware.Wrap(handler))

	log.Println("Agent service listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", nil))
}

In this implementation, the user-defined handler operates after all governance checks complete. The middleware automatically records every request to the LiabilityLedger, evaluates slashing rules, and may transition the agent to a quarantined state without additional application code.

Configuring Custom Penalty Rules

You can extend the SlashingEngine by implementing the PenaltyRule interface. This allows domain-specific penalties based on audit entry content, such as financial cost thresholds or sensitivity classifications.

The following example creates a custom rule that applies heavy penalties for high-cost request denials:

type HighValueDenialRule struct{}

func (r HighValueDenialRule) Match(entry agentmesh.AuditEntry) bool {
	return entry.Decision == agentmesh.Deny && entry.RequestCost > 1000
}

func (r HighValueDenialRule) Apply(state *agentmesh.AgentState) {
	state.TrustScore -= 30 // heavy penalty for costly denials
}

customRules := []agentmesh.PenaltyRule{HighValueDenialRule{}}
slashing := agentmesh.NewSlashingEngine(auditLedger, customRules)

Now any deny decision on requests costing over 1000 units immediately reduces trust by 30 points. According to the logic in lifecycle.go, if this reduction drops the score below the configured minimum, the lifecycle manager automatically quarantines the agent.

Summary

The LiabilityLedger in audit.go creates an immutable, signed chain of evidence for every agent decision, providing non-repudiable audit trails for compliance and dispute resolution.
The SlashingEngine in kill_switch.go evaluates penalty rules against ledger entries and automatically adjusts trust scores or triggers termination, enforcing accountability without human intervention.
Policy evaluation (policy_backends.go) and lifecycle management (lifecycle.go) bridge the gap between rule definition and runtime enforcement, quarantining agents when trust thresholds are breached.
The middleware.go package provides HTTP/GRPC interceptors that integrate the entire governance pipeline into existing services with minimal code changes.
Custom PenaltyRule implementations allow teams to tailor slashing logic to specific regulatory requirements, financial constraints, or risk models.

Frequently Asked Questions

How does the LiabilityLedger ensure tamper-evident audit trails?

The LiabilityLedger uses the credential_vault.go signing infrastructure to cryptographically sign each audit entry with agent-specific credentials. Once written to the ledger in audit.go, entries cannot be altered without invalidating the signature chain, creating an append-only log suitable for regulatory evidence and forensic analysis.

What triggers the SlashingEngine to penalize an agent?

The kill_switch.go component evaluates every new audit entry against the configured penalty rules—either default rules or custom implementations of the PenaltyRule interface. Common triggers include policy denials, high-cost request failures, or pattern-based violations (such as three denials within one hour), which result in trust score reductions via ApplyPenalty.

Can agents recover from a quarantined state?

Yes. The lifecycle manager in lifecycle.go implements bidirectional state transitions between Active, Quarantined, and Revoked states based on trust score trends. If an agent in quarantine demonstrates compliant behavior over time, the trust score recovery logic in trust.go can elevate the score above the threshold, triggering TransitionIfNeeded to reactivate the agent.

How do I integrate the governance middleware into existing microservices?

The middleware.go package provides NewMiddleware with functional options like WithPolicyEngine, WithAuditLedger, and WithSlashingEngine. You wrap existing HTTP handlers using middleware.Wrap(handler), which automatically injects policy evaluation, ledger recording, and slashing logic before your business logic executes, requiring no changes to the underlying service code.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:

curl -s "https://instagit.com/install.md"

Add to your MCP client configuration:

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}

Ask your agent:

"Use Instagit MCP to understand how microsoft/agent-governance-toolkit works."

Works with

Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →