From AI Safety Philosophy to Engineering Practice
Microsoft has open-sourced two AI agent safety tools, RAMPART and Clarity, designed to embed risk thinking directly into software engineering workflows. Developed by Microsoft’s AI Red Team and used internally before release, the tools target teams building agents that can call tools, touch production systems, or act on live business data. Clarity provides a structured way to question design assumptions, while the RAMPART framework converts adversarial scenarios into automated tests. Together, they aim to shift AI safety from high-level policy debates to repeatable engineering controls, so that AI agent safety tools become as routine as unit tests or code reviews. By releasing the code, Microsoft invites external developers, security engineers, and researchers to inspect implementations, contribute improvements, and challenge performance claims, signalling that agent safety should be treated as an open, testable discipline rather than a closed internal process.
Clarity: Risk-Aware Planning Before a Single Line of Code
Clarity targets the earliest stage of the AI agent lifecycle: planning and architecture. Instead of letting safety concerns surface only after incidents, Clarity guides teams through structured conversations about problem framing, solution options, failure modes, and trade-offs. It effectively acts as a lightweight design review partner, asking the kinds of questions an experienced architect, product manager, or safety engineer would raise in a design meeting. By documenting assumptions, anticipated failure cases, and mitigation choices, Clarity creates an audit trail that development and security teams can revisit as the system evolves. This pre-code focus makes it easier to spot risky tool access, unclear accountability, or ambiguous objectives before they are baked into production agents. For organizations standardizing AI governance, Clarity offers a practical way to make safety reviews a repeatable step in the planning process rather than an ad hoc discussion.
RAMPART: Continuous Red-Team Testing in CI/CD Pipelines
RAMPART is a pytest-based Risk Assessment and Measurement Platform for Agentic Red Teaming, built on Microsoft’s PyRIT library. It turns attack simulations into repeatable tests that plug directly into CI/CD pipelines, giving AI testing automation the same status as integration tests. Developers write pytest cases that describe adversarial scenarios such as prompt injection, tool misuse, or unsafe multi-turn interactions. Thin adapters connect these tests to live agents, orchestrate conversations, and evaluate observable outcomes, returning clear pass/fail signals that can gate releases. Because AI agents behave probabilistically, RAMPART supports statistical trials: teams can require, for example, that a given action remains safe in at least a defined percentage of runs instead of trusting a single clean outcome. This model-aware approach makes red-team testing CI friendly, allowing security checks to run on every code change, model update, or new tool integration without manual intervention.
From Incidents to Mitigations: Using RAMPART in the Real World
Beyond theoretical value, RAMPART has already been applied to real security incidents inside Microsoft. When a researcher reported a vulnerability in an agentic application, the AI Red Team used RAMPART to automatically generate close to 100 variants of the attack vector and replay them across the system, including in multi-turn conversations. This allowed incident responders to understand how broadly the flaw applied and how reliably it could be triggered. Engineers then implemented mitigations and re-ran the same RAMPART scenarios, verifying that fixes held up not just against the original exploit, but across all generated variants and hundreds of trials. Work that previously took weeks of manual red teaming was compressed into hours. This incident-driven workflow illustrates how developers can operationalize AI agent safety tools: encode a discovered weakness as a test suite, harden the system, and keep those tests as permanent regression guards in CI.
Practical Integration Steps for Development Teams
For teams adopting these tools, the integration path runs from planning through production. During ideation and design, engineers can run Clarity sessions to document objectives, tool access, data touchpoints, and anticipated failure modes for each new AI agent. Those outputs naturally inform what should be tested later. As implementation begins, security and development teams can translate high-risk scenarios into RAMPART tests written in pytest, adding adapters for their specific agents, tools, and datasets. These tests then become standard red-team testing CI gates, running automatically on pull requests and releases. When agents gain new capabilities—such as connecting to fresh data sources or business systems—corresponding safety tests can be added in the same pull request. Because both RAMPART and Clarity are open source, teams can extend them, share adapters and scenarios, and contribute back improvements, helping the broader community normalize AI safety as everyday engineering practice.