Govern Your AI Agents on Azure: AKS, AI Foundry, Workload Identity

[Knapp-Kevin]

Govern Your AI Agents on Azure: Container Apps, AI Foundry, Workload Identity

The Agent Governance Toolkit was built on Azure. Here's what's available today.

🏗️ Deploy on Container Apps in 4 Steps

The governance toolkit deploys as a sidecar container alongside your agent in a Container Apps Environment:

# Build governance sidecar to ACR, deploy with sidecar pattern
az acr build --registry myacr --image agent-governance-sidecar:latest .
az containerapp create --name my-governed-agent --resource-group my-rg \
  --environment my-env --yaml ./containerapp-with-sidecar.yaml

Full environment setup, Log Analytics workspace wiring, and the sidecar YAML manifest in the Azure Container Apps deployment guide.

🤖 Govern Azure AI Foundry Agents

AGT works with Foundry Agent Service. Wrap tool calls with PolicyEvaluator.evaluate() and every action goes through your YAML policy engine before it runs:

from agentmesh import PolicyEvaluator

evaluator = PolicyEvaluator.from_yaml("policies/foundry-agent.yaml")
decision = evaluator.evaluate(action="azure:foundry:invoke_model", context={"model": "gpt-4o"})
if not decision.allowed:
    raise PermissionError(decision.reason)

🔑 Workload Identity ↔ DID Bridge

EntraManagedIdentity maps AGT's Ed25519 agent DIDs to user-assigned managed identities via federated credentials. Your governed agents acquire Azure tokens using their mesh identity. No client secrets, no key files:

from agentmesh.identity.managed_identity import EntraManagedIdentity

identity = EntraManagedIdentity(
    agent_did="did:mesh:my-agent",
    client_id="00000000-0000-0000-0000-000000000000",
)
token = identity.get_token(scope="https://cognitiveservices.azure.com/.default")

📊 Enterprise Azure Stack

Azure Service	AGT Integration
Container Apps	Serverless sidecar deployment
AKS	Full Helm chart with AgentMesh
AI Foundry	Policy-gated model invocations
Entra Workload Identity	DID → federated token bridge
Key Vault	Ed25519 key storage and rotation (CSI driver)
Azure Monitor	Container Insights + Prometheus metrics
Azure DB for PostgreSQL	Audit log persistence
Event Grid	Audit log export pipeline

📚 Full Docs

• Azure Container Apps Deployment: sidecar pattern in 4 steps
• Azure AKS Deployment: AKS + Workload Identity + Key Vault + HA topology
• Quick Start: pip install agentmesh-platform

---

AGT is pure Python, MIT licensed, and vendor-independent. Azure's where it was born, but it runs identically on AWS and GCP. 🚀

[imran-siddique]

Great writeup @Knapp-Kevin — thank you for putting this together! The Container Apps sidecar pattern and Workload Identity bridge are exactly the deployment model we had in mind.

We recently shipped the OpenClaw sidecar Helm chart and Dockerfile which aligns well with this guide. Would love your feedback on whether the sidecar image works smoothly in your AKS setup.

This is a valuable community resource — we will link to it from our deployment docs.