Why Microsoft Is Releasing AI Agent Safety Tools Now
Microsoft has open-sourced two AI agent safety tools, RAMPART and Clarity, in a bid to move AI safety from abstract policy debate into concrete engineering practice. Developed by Microsoft’s AI Red Team and previously used internally, the tools aim to help developers, product teams, and security staff build agents that can safely access tools, business systems, and live data. Recent prompt injection techniques and poisoned content attacks have highlighted how easily an agent can be pushed toward unauthorized tools, credentials, or unintended actions. Instead of treating safety as a one-off review or compliance exercise, Microsoft wants teams to integrate AI safety design and testing throughout the entire development lifecycle. By opening the code, the company invites outside inspection, issue reporting, and community-contributed fixes, and positions these AI agent safety tools as shared infrastructure rather than proprietary controls.
Clarity: Structuring AI Safety Design Before Code Is Written
Clarity targets the earliest—and often most neglected—stage of AI safety: design. Rather than letting agent architectures evolve informally, Clarity guides engineers through a structured series of conversations covering problem clarification, solution exploration, failure analysis, and decision tracking. The goal is to surface risky assumptions, dependencies, and failure modes before teams commit to production code. In practice, Clarity behaves like an always-available safety architect, prompting teams with the kinds of questions seasoned engineers and product leaders would ask: What tools will the agent control? What happens if upstream data is poisoned? How will the system fail safely under misbehavior or misuse? By capturing this reasoning in a repeatable format, Clarity helps teams document trade-offs, align on AI safety design choices, and create a clear audit trail that can inform later implementation, testing, and incident response work.
RAMPART: Turning Red-Team Scenarios into CI Test Cases
Where Clarity shapes design, the RAMPART framework turns AI safety requirements into executable tests. Built on top of Microsoft’s PyRIT red-teaming library, RAMPART is a pytest-based harness that plugs directly into CI/CD pipelines. Developers encode adversarial scenarios—such as prompt injection or tool-abuse attempts—as tests that connect to agents through thin adapters, orchestrate interactions, and evaluate observable outcomes. Each test returns a clear pass or fail, so AI agent safety checks can gate builds alongside standard integration tests. Because AI systems are probabilistic, RAMPART supports running the same test multiple times and enforcing thresholds like “this action must remain safe in at least 80 percent of runs.” This shifts red-team testing CI work from manual, sporadic exercises to repeatable, automated safeguards that run on every code change, every new tool integration, and every data source expansion.
From Incident Response to Everyday Development Practice
Microsoft’s internal use of RAMPART hints at how the tools can compress incident response timelines and improve coverage. When a security researcher reported a vulnerability in an agentic application, Microsoft’s AI incident response team used RAMPART to generate close to 100 variants of the attack vector and run them across the system, including multi-turn conversations. Engineers then applied mitigations and reran the same battery of tests to confirm that fixes held up across all variants, turning what once took weeks into work measured in hours. Combined with Clarity’s structured pre-code reviews, this creates an end-to-end workflow: clarify risks and design constraints, implement agents with those constraints in mind, and continuously red-team them in CI. The open-source release is meant to democratize this pattern so that any team can adopt the same AI agent safety tools, adapt them, and contribute improvements back.