Why Microsoft Is Open-Sourcing AI Agent Safety Tools Now
Microsoft’s AI Red Team has released two open-source AI agent safety tools, RAMPART and Clarity, to move safety from policy debates into concrete engineering controls. The tools target teams building AI agents that use tools, connect to business systems, and act on live data—exactly where prompt injection and other attack patterns can cause real-world impact. Instead of treating AI safety as an abstract risk, Microsoft is packaging its internal practices into reusable frameworks that fit familiar developer workflows. RAMPART focuses on continuous AI safety testing, while Clarity helps teams stress-test design assumptions before code is written. By opening the code, Microsoft invites external scrutiny, bug reports, and contributions, giving developers direct visibility into how enterprise-grade AI agent safety tools are built. The move also signals a broader shift: AI agent safety is expected to be designed, implemented, and validated like any other critical software quality.
Clarity: Design-Time Guardrails Before You Write Agent Code
Clarity is a structured design review agent that targets the earliest phase of AI agent development: the planning and architecture stage. Instead of jumping straight into implementation, teams interact with Clarity through guided, multi-step prompts that walk through problem clarification, solution exploration, failure analysis, and decision tracking. It behaves like a sounding board, asking the kinds of probing questions seasoned architects, product managers, and safety engineers would pose. This includes surfacing risky assumptions about tool access, data sources, side effects, and operational boundaries long before they turn into production incidents. By documenting alternatives, trade-offs, and potential failure modes up front, Clarity helps teams bake AI agent safety tools and controls into the design itself. That makes it easier to translate design decisions into concrete tests later, while providing an auditable trail of why certain safety choices were made.
RAMPART: Turning AI Red Team Testing into CI/CD Gates
RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is a pytest-based framework that embeds AI red team testing directly into CI/CD pipelines. Built on top of Microsoft’s PyRIT library, it lets developers encode adversarial scenarios—such as prompt injection attempts or unsafe tool-use requests—as automated tests. Each test connects to an AI agent via a thin adapter, orchestrates an interaction, and evaluates observable outcomes, returning a clear pass/fail result that can block releases like any other integration test. Because AI models are probabilistic, RAMPART supports statistical trials: teams can require, for example, that an action remains safe in at least a specified percentage of runs, rather than relying on a single clean pass. Incident responders have already used it to expand a single reported vulnerability into roughly 100 variants, apply mitigations, and validate them across hundreds of runs, compressing work that once took weeks into hours.
From Design Reviews to Continuous AI Safety Testing
Together, Clarity and RAMPART cover the full lifecycle of AI agent safety engineering. Clarity sits at the front, helping teams clarify the problem, identify sensitive tools and data paths, and anticipate failure modes before any production code is written. Those insights can then be turned into concrete AI safety testing requirements: what behaviors must be blocked, what tools require strict guardrails, which inputs are most likely to be poisoned or adversarial. RAMPART operationalizes those requirements as repeatable AI red team testing suites in CI, letting each new tool, connector, or dataset ship with its own adversarial test coverage in the same pull request. Over time, this creates a living safety harness around the agent, updated with every change. By open-sourcing both layers, Microsoft is effectively democratizing access to the kinds of AI agent safety tools and practices its own AI red team and incident responders rely on internally.