Python: feat: governance filter for function calls — deterministic policy evaluation, cost tracking, audit (TealTiger)

[nagasatish007]

Is your feature request related to a problem? Please describe.

Semantic Kernel's Filter system (IFunctionInvocationFilter, IAutoFunctionInvocationFilter) provides the right interception points for governance, but there's no built-in or community governance filter that:

• Evaluates deterministic policies before function/plugin execution
• Enforces per-agent cost budgets (block calls that would exceed daily/session limits)
• Tracks and attributes LLM cost per agent, per plugin, per session
• Produces structured audit records for compliance (EU AI Act Article 12)
• Provides per-provider circuit breaking to prevent cascading failures

Today you'd need to implement custom IFunctionInvocationFilter logic in every project, which doesn't scale.

Describe the solution you'd like

A governance filter that plugs into SK's existing filter pipeline:

Python:

from semantic_kernel import Kernel
from sk_tealtiger import TealTigerFilter

kernel = Kernel()

# Zero-config: observe all function calls, track cost, detect PII
kernel.add_filter("function_invocation", TealTigerFilter())

# With policies
from tealtiger import TealEngine
engine = TealEngine(policies=company_policies, mode="ENFORCE")
kernel.add_filter("function_invocation", TealTigerFilter(engine=engine))

C# (if community demand exists):

var kernel = Kernel.CreateBuilder()
    .AddFilter<TealTigerGovernanceFilter>()
    .Build();

The filter would:

• Intercept FunctionInvocationContext before execution
• Evaluate policy against the function name, arguments, and caller context
• Return ALLOW (proceed), DENY (throw), or REVISE (modify args)
• Track token cost after execution and check against budget limits
• Emit structured audit entries with correlation IDs
• Circuit-break on repeated provider failures

Describe alternatives you've considered

• Custom IFunctionInvocationFilter per project — works but verbose, no reuse across projects
• External proxy/sidecar — adds network latency, incompatible with offline/in-process constraint
• Azure Content Safety service — cloud-dependent, LLM-based (non-deterministic), doesn't handle cost/budget/tool-restriction

Additional context

• TealTiger — open-source AI agent security platform (Apache-2.0, NVIDIA Inception)
• Published on PyPI (tealtiger v1.3.0) and npm (tealtiger-ai-sdk v0.1.0)
• Covers 8/10 OWASP Agentic Security Index categories
• All governance is deterministic and in-process — no external service, <5ms overhead, works offline
• Already integrated with LangChain, Vercel AI SDK, CrewAI, and proposals open for LlamaIndex, AG2, Haystack, Pydantic AI, Mastra
• SK's existing Filter system (per blog post) is the natural integration point
• EU AI Act compliance angle: structured audit records with retention_until, input/output traceability

References:

• https://github.com/agentguard-ai/tealtiger — TealTiger source (Apache-2.0)
• https://pypi.org/project/tealtiger/ — TealTiger on PyPI (v1.3.0)
• https://www.npmjs.com/package/tealtiger-ai-sdk — Vercel AI SDK middleware (v0.1.0)
• https://devblogs.microsoft.com/agent-framework/filters-in-semantic-kernel/ — SK Filters blog post
• https://owasp.org/www-project-top-10-for-large-language-model-applications/ — OWASP Agentic Security Index

Contribution plan: Happy to contribute a Python IFunctionInvocationFilter implementation as a community sample or standalone pip package. Would this be welcome as a sample in the repo or as an external community integration?

[chopmob-cloud]

We have this running in production as a Semantic Kernel plugin — useful to share what the production shape looks like.

The filter interception point you have identified (IFunctionInvocationFilter before execution) is right. A few things we found that shaped the design:

REFER beats binary ALLOW/DENY for regulated workloads. A three-state verdict (ALLOW | REFER | DENY) is more useful than two. DENY blocks execution. REFER escalates — routes to a human approver or a higher-authority compliance system — without terminating the task. For any scenario involving real financial transactions or regulated data, you need an escalation path that is not just a hard stop.

The receipt format is as important as the verdict. Deterministic policy evaluation is the right approach, but the output needs to be externally auditable — not just an internal log. We produce a compliance_receipt_v1 per gate evaluation: closed categorical verdict + basis enum + JCS-canonical binding to the action scope. This makes the compliance record citable in FCA/DORA/EU AI Act documentation without relying on the operator's logs.

Adversarial testing is a separate layer from policy. Deterministic policy catches known-bad inputs. It does not catch LLM reasoning exploits — prompt injection, steganographic bypass, context exhaustion. Our ATB (Agent Trust Bench) runs 166 adversarial payment scenarios against the filter layer specifically. The ATB credential can be carried as a pre-filter signal (X-ATB-ZK-Credential header) so the compliance gate gets a trust-tier input before policy evaluation.

Both layers are live — compliance gate via algovoi-plugin-semantic-kernel (publishing to PyPI this weekend), ATB at api.algovoi.co.uk. IETF I-D: draft-hopley-x402-compliance-receipt-02.

AlgoVoi (chopmob-cloud) — docs.algovoi.co.uk/compliance-receipt

[chopmob-cloud]

algovoi-plugin-semantic-kernel 0.1.1 is now on PyPI. Includes AlgoVoiPlugin (kernel_function decorated — create_payment, verify_payment, screen_recipient, get_compliance_status), AlgoVoiComplianceFilter (IFunctionInvocationFilter — ALLOW/REFER/DENY + compliance_receipt_v1 on every evaluation), and AlgoVoiComplianceGate alias. This is our first release so further testing in your environment is recommended before production use — issues and feedback welcome.

AlgoVoi (chopmob-cloud) — docs.algovoi.co.uk/compliance-receipt