Labels: core ([Component] This issue is related to the core interface and implementation)
Description
Feature Request: Governance Plugin for ADK
Problem
ADK's plugin architecture (BasePlugin) has all the right hooks for governance enforcement — before_tool_callback, before_agent_callback, on_user_message_callback — but there's no built-in governance plugin. The existing plugins cover analytics (BigQuery), logging, context filtering, and retry, but nothing for policy-based access control, threat detection, or audit trails.
Enterprise teams building multi-agent systems need to enforce who can call what tools, detect dangerous prompts before they reach agents, and maintain compliance-grade audit logs.
Proposed Solution: GovernancePlugin
A BasePlugin implementation that provides:
- Tool-level policy enforcement (before_tool_callback) — Allowlist/blocklist tools per policy, block on content patterns (credentials, PII), enforce rate limits
- Prompt threat detection (on_user_message_callback) — Scan user messages for data exfiltration, privilege escalation, prompt injection, system destruction signals before they reach the agent
- Agent-level trust gating (before_agent_callback) — Verify trust scores before allowing agent delegation in multi-agent systems
- Audit trail (after_tool_callback + after_agent_callback) — Append-only log of all governance decisions
Example API
```python
from google.adk.runners import Runner
from governance_plugin import GovernancePlugin, GovernancePolicy

policy = GovernancePolicy(
    name="production",
    allowed_tools=["search_docs", "query_db", "create_ticket"],
    blocked_tools=["shell_exec", "delete_records"],
    blocked_patterns=[r"(?i)(api[_-]?key|password)\s*[:=]"],
    max_calls_per_request=25,
    require_human_approval=["create_ticket"],
)

runner = Runner(
    agent=root_agent,
    plugins=[GovernancePlugin(policy=policy)],
    # ...
)
```

Design Decisions
| Decision | Approach | Rationale |
|---|---|---|
| Policy source | YAML/JSON config files | Policies change without deploys |
| Composition | Most-restrictive-wins merging | Org → Team → Agent layering |
| Fail mode | Closed (deny on error) | Safety-first for production |
| Audit format | JSON Lines | Compatible with log aggregation |
| Threat detection | Regex pattern matching | Deterministic, auditable, no LLM dependency |
Why Not the Existing Samples?
- safety-plugins focuses on Google Model Armor integration (cloud-dependent content safety)
- policy-as-code focuses on infrastructure policy checking (Terraform/OPA)
- This proposal is about runtime tool-level governance — controlling what agents can do within their execution, independent of cloud services
Context
We've built this pattern across multiple frameworks:
- pydantic-ai-governance (PydanticAI, 57 tests)
- crewai-agentmesh (CrewAI)
- Agent-OS governance engine
Happy to contribute a PR implementing this plugin.
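
One way the "most-restrictive-wins" composition and the fail-closed decision from the Design Decisions table could work, as an added example that is not part of the original issue or of ADK. The `Policy` class, `merge`, `decide` and the Org/Team/Agent layer values are hypothetical, modelled on the field names in the issue's example API.

```python
import json
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Policy:  # hypothetical shape, modelled on the fields in the issue's example
    name: str
    allowed_tools: Optional[FrozenSet[str]] = None  # None: this layer sets no allowlist
    blocked_tools: FrozenSet[str] = frozenset()
    blocked_patterns: FrozenSet[str] = frozenset()
    max_calls_per_request: Optional[int] = None
    require_human_approval: FrozenSet[str] = frozenset()

def merge(a: Policy, b: Policy) -> Policy:
    """Most-restrictive-wins: allowlists intersect, blocklists union, limits take the minimum."""
    lists = [p.allowed_tools for p in (a, b) if p.allowed_tools is not None]
    caps = [p.max_calls_per_request for p in (a, b) if p.max_calls_per_request is not None]
    return Policy(
        name=f"{a.name}+{b.name}",
        allowed_tools=frozenset.intersection(*lists) if lists else None,
        blocked_tools=a.blocked_tools | b.blocked_tools,
        blocked_patterns=a.blocked_patterns | b.blocked_patterns,
        max_calls_per_request=min(caps) if caps else None,
        require_human_approval=a.require_human_approval | b.require_human_approval,
    )

def decide(policy: Policy, tool: str, args: dict, calls_so_far: int) -> str:
    """Return 'allow', 'needs_approval' or 'deny'; any evaluation error denies."""
    try:
        text = json.dumps(args, sort_keys=True)  # raises on unserialisable args
        denied = (
            tool in policy.blocked_tools  # a block always beats an allow
            or (policy.allowed_tools is not None and tool not in policy.allowed_tools)
            or (policy.max_calls_per_request is not None and calls_so_far >= policy.max_calls_per_request)
            or any(re.search(p, text) for p in policy.blocked_patterns)
        )
        if denied:
            return "deny"
        return "needs_approval" if tool in policy.require_human_approval else "allow"
    except Exception:  # fail closed: malformed regex, unserialisable args, ...
        return "deny"

# Constructed Org -> Team -> Agent layers (sample values; tool names from the issue's example)
ORG = Policy("org", blocked_tools=frozenset({"shell_exec", "delete_records"}), max_calls_per_request=25,
             blocked_patterns=frozenset({r"(?i)(api[_-]?key|password)\s*[:=]"}))
TEAM = Policy("team", allowed_tools=frozenset({"search_docs", "query_db", "create_ticket"}),
              require_human_approval=frozenset({"create_ticket"}))
AGENT = Policy("agent", allowed_tools=frozenset({"search_docs", "create_ticket", "shell_exec"}), max_calls_per_request=10)
EFFECTIVE = merge(merge(ORG, TEAM), AGENT)
```

Note that the agent layer listing `shell_exec` in its own allowlist does not widen access: the org-level block and the team-level allowlist both still exclude it after merging.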