[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"kb-article-how-microsoft-s-rampart-and-clarity-bring-continuous-security-to-ai-agents-en":3,"ArticleBody_mAe5IJdmPSf3JNnL5aHVbNHEdIM0AMQizcasyACmh2U":216},{"article":4,"relatedArticles":185,"locale":65},{"id":5,"title":6,"slug":7,"content":8,"htmlContent":9,"excerpt":10,"category":11,"tags":12,"metaDescription":10,"wordCount":13,"readingTime":14,"publishedAt":15,"sources":16,"sourceCoverage":57,"transparency":59,"seo":62,"language":65,"featuredImage":66,"featuredImageCredit":67,"isFreeGeneration":71,"trendSlug":72,"niche":73,"geoTakeaways":77,"geoFaq":86,"entities":96},"6a1407e7a33b9706f9fe063c","How Microsoft’s RAMPART and Clarity Bring Continuous Security to AI Agents","how-microsoft-s-rampart-and-clarity-bring-continuous-security-to-ai-agents","Enterprise AI has moved from answering questions to taking actions: reading email, querying CRM, filing tickets, and even writing and executing code on production systems.[1][3] Misbehavior is now operationally dangerous, not just inconvenient.  \n\nSecurity teams must defend adaptive, tool-using agents operating at machine speed, not just web apps.[1] Traditional periodic testing and red-teaming are too slow.\n\n- If agents touch real systems or sensitive data, you need security practices designed for agents, not just APIs and UIs.[1][3]  \n- [Microsoft](\u002Fentities\u002F6939ad36312dc892c4c184d9-microsoft) open-sourced [RAMPART](\u002Fentities\u002F6a108e8d07a4fdbfcf5f3db2-rampart) and Clarity to make this continuous:  \n  - Clarity: design safer agents before coding  \n  - RAMPART: enforce safety on every code change[1][3][4]  \n- This supports a broader shift where AI scaling is treated as an operating-model and people challenge, not just a tooling issue.[7]\n\n---\n\n## From Text Generation to Agentic Action: Why New Security Tools Are Needed\n\nModern agents orchestrate email, CRM, ticketing, ERP, and code repositories, often with write permissions.[1][3] A bad instruction can cancel orders or leak documents, not just return a wrong answer.\n\nNew failure modes include:\n\n- Prompt and cross-[prompt injection](\u002Fentities\u002F69822206e28785d1e150b8aa-prompt-injection) from poisoned docs, tickets, or emails  \n- Unintended tool use (e.g., destructive scripts instead of read-only queries)  \n- Data exfiltration across tenants or business units  \n- Intermittent, hard-to-reproduce incidents caused by LLM randomness[2][3][4]\n\nClassic app security:\n\n- Focuses on HTTP inputs and known vuln classes  \n- Assumes deterministic code paths and repeatable behavior[2][4]  \n- Does not model multi-step conversations, dynamic tool selection, or probabilistic outputs\n\n⚠️ **Key point:** A single successful prompt injection in a rarely used workflow can be catastrophic if the agent controls powerful tools.[2][3]\n\nMicrosoft’s AI Red Team finds many costly incidents stem from early design choices—like overly broad tool access—more than exotic model exploits.[1][4] RAMPART and Clarity help bring safety into everyday workflows instead of relying on rare expert reviews.[1][3]\n\n[IBM](\u002Fentities\u002F693ada51312dc892c4c18785-ibm) reports similar lessons: safe AI scaling depends on operating models, training, and repeatable governance (“[AI license to drive](\u002Fentities\u002F6a0cc44d07a4fdbfcf5e45d5-ai-license-to-drive)”), not just technical controls.[7] Organizations need to codify safety expectations and check them as agents evolve.\n\n---\n\n## Inside RAMPART: Turning Red-Team Scenarios into Continuous AI Agent Tests\n\nRAMPART is an open-source framework, built on PyRIT, that turns safety scenarios into automated tests.[1][3][4] It runs in CI alongside existing integration tests.\n\nDevelopers write pytest-style cases that:\n\n- Connect to an agent via a lightweight adapter  \n- Orchestrate one or more interactions (including tool calls)  \n- Assert on observable outputs and side effects[3][4]\n\nCI then gates on simple pass\u002Ffail signals for each pull request.[3][4] In one incident, Microsoft turned a reported vulnerability into 100 scenario variants, applied mitigations, and re-validated via RAMPART in hours instead of weeks.[4]\n\n📊 **Data callout:** Running many variants of a single vulnerability scenario with RAMPART compressed weeks of expert work into hours.[4]\n\nBecause agents are probabilistic, RAMPART supports:\n\n- Statistical trials (repeat a scenario N times)  \n- Thresholds (e.g., ≥95% of runs must resist prompt injection or refuse dangerous tools)[3][4]\n\nThis reduces passing “by luck” on a single run.\n\nRAMPART operationalizes red-teaming:\n\n- Once you find cross-prompt injection, exfiltration, or tool-misuse paths, encode them as regression tests  \n- Run them on every change to agents, tools, or prompts[1][2][3][4]  \n- Over time, incident history becomes a reusable safety net.\n\n---\n\n## Clarity and the Secure-Agent Workflow: Designing the Right System Before You Code\n\nClarity addresses earlier risk: [designing the wrong agent](\u002Farticle\u002Fnvidia-s-nemoclaw-how-an-open-ai-agent-toolkit-will-reshape-enterprise-workflows). It is an open-source, structured design-review tool used before coding to act as a “sounding board.”[1][3][4]\n\nClarity guides teams through:\n\n- Problem, users, and success criteria  \n- Data and tool access the agent truly needs  \n- Task decomposition and guardrail placement  \n- Abuse cases, failure modes, and escalation paths[1][2][4]\n\nThis is a pre-mortem on trust boundaries, permissions, and scopes, so foundational safety issues appear before deployment.[1][2]\n\n💡 **Key takeaway:** Clarity is a structured conversation, not a yes\u002Fno checklist. It produces markdown artifacts you can track, review, and version.[4]\n\nRAMPART and Clarity work together:\n\n- Clarity defines acceptable behavior, risk appetite, and guardrails  \n- RAMPART encodes those decisions as tests that run whenever agents or dependencies change[1][3][4]  \n\nGovernance shifts from slide decks to executable code.\n\nEnterprises can embed these tools by:\n\n- Requiring Clarity-style design reviews at solution intake, tied to “AI license to drive” training so builders understand data and security duties[1][7]  \n- Making RAMPART suites mandatory CI gates for staging\u002Fproduction promotion[3][4]  \n- Having fusion teams (security, product, domain) own and evolve scenarios over time[7]\n\n---\n\n## Conclusion: Making AI Agent Safety a Continuous Practice\n\nAs agents gain power across critical systems, safety must run from architecture to CI, not from audit to audit.[1][3] Clarity structures upfront decisions about purpose, users, tools, and risks, avoiding unnecessary agent power.[1][2][4]  \n\nRAMPART turns those decisions—and real incidents—into automated tests on every change, catching regressions before production.[1][3][4]\n\n⚡ **Call to action:** Explore the RAMPART and Clarity repos, apply them to one high-impact agent, and use the results to standardize a secure, test-driven agent workflow across your organization.[1][3][4][7]","\u003Cp>Enterprise AI has moved from answering questions to taking actions: reading email, querying CRM, filing tickets, and even writing and executing code on production systems.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> Misbehavior is now operationally dangerous, not just inconvenient.\u003C\u002Fp>\n\u003Cp>Security teams must defend adaptive, tool-using agents operating at machine speed, not just web apps.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> Traditional periodic testing and red-teaming are too slow.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>If agents touch real systems or sensitive data, you need security practices designed for agents, not just APIs and UIs.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"\u002Fentities\u002F6939ad36312dc892c4c184d9-microsoft\">Microsoft\u003C\u002Fa> open-sourced \u003Ca href=\"\u002Fentities\u002F6a108e8d07a4fdbfcf5f3db2-rampart\">RAMPART\u003C\u002Fa> and Clarity to make this continuous:\n\u003Cul>\n\u003Cli>Clarity: design safer agents before coding\u003C\u002Fli>\n\u003Cli>RAMPART: enforce safety on every code change\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>This supports a broader shift where AI scaling is treated as an operating-model and people challenge, not just a tooling issue.\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Chr>\n\u003Ch2>From Text Generation to Agentic Action: Why New Security Tools Are Needed\u003C\u002Fh2>\n\u003Cp>Modern agents orchestrate email, CRM, ticketing, ERP, and code repositories, often with write permissions.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> A bad instruction can cancel orders or leak documents, not just return a wrong answer.\u003C\u002Fp>\n\u003Cp>New failure modes include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Prompt and cross-\u003Ca href=\"\u002Fentities\u002F69822206e28785d1e150b8aa-prompt-injection\">prompt injection\u003C\u002Fa> from poisoned docs, tickets, or emails\u003C\u002Fli>\n\u003Cli>Unintended tool use (e.g., destructive scripts instead of read-only queries)\u003C\u002Fli>\n\u003Cli>Data exfiltration across tenants or business units\u003C\u002Fli>\n\u003Cli>Intermittent, hard-to-reproduce incidents caused by LLM randomness\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Classic app security:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Focuses on HTTP inputs and known vuln classes\u003C\u002Fli>\n\u003Cli>Assumes deterministic code paths and repeatable behavior\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Does not model multi-step conversations, dynamic tool selection, or probabilistic outputs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚠️ \u003Cstrong>Key point:\u003C\u002Fstrong> A single successful prompt injection in a rarely used workflow can be catastrophic if the agent controls powerful tools.\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Microsoft’s AI Red Team finds many costly incidents stem from early design choices—like overly broad tool access—more than exotic model exploits.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> RAMPART and Clarity help bring safety into everyday workflows instead of relying on rare expert reviews.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"\u002Fentities\u002F693ada51312dc892c4c18785-ibm\">IBM\u003C\u002Fa> reports similar lessons: safe AI scaling depends on operating models, training, and repeatable governance (“\u003Ca href=\"\u002Fentities\u002F6a0cc44d07a4fdbfcf5e45d5-ai-license-to-drive\">AI license to drive\u003C\u002Fa>”), not just technical controls.\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa> Organizations need to codify safety expectations and check them as agents evolve.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Inside RAMPART: Turning Red-Team Scenarios into Continuous AI Agent Tests\u003C\u002Fh2>\n\u003Cp>RAMPART is an open-source framework, built on PyRIT, that turns safety scenarios into automated tests.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> It runs in CI alongside existing integration tests.\u003C\u002Fp>\n\u003Cp>Developers write pytest-style cases that:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Connect to an agent via a lightweight adapter\u003C\u002Fli>\n\u003Cli>Orchestrate one or more interactions (including tool calls)\u003C\u002Fli>\n\u003Cli>Assert on observable outputs and side effects\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>CI then gates on simple pass\u002Ffail signals for each pull request.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> In one incident, Microsoft turned a reported vulnerability into 100 scenario variants, applied mitigations, and re-validated via RAMPART in hours instead of weeks.\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>📊 \u003Cstrong>Data callout:\u003C\u002Fstrong> Running many variants of a single vulnerability scenario with RAMPART compressed weeks of expert work into hours.\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Because agents are probabilistic, RAMPART supports:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Statistical trials (repeat a scenario N times)\u003C\u002Fli>\n\u003Cli>Thresholds (e.g., ≥95% of runs must resist prompt injection or refuse dangerous tools)\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This reduces passing “by luck” on a single run.\u003C\u002Fp>\n\u003Cp>RAMPART operationalizes red-teaming:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Once you find cross-prompt injection, exfiltration, or tool-misuse paths, encode them as regression tests\u003C\u002Fli>\n\u003Cli>Run them on every change to agents, tools, or prompts\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Over time, incident history becomes a reusable safety net.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Chr>\n\u003Ch2>Clarity and the Secure-Agent Workflow: Designing the Right System Before You Code\u003C\u002Fh2>\n\u003Cp>Clarity addresses earlier risk: \u003Ca href=\"\u002Farticle\u002Fnvidia-s-nemoclaw-how-an-open-ai-agent-toolkit-will-reshape-enterprise-workflows\" class=\"internal-link\">designing the wrong agent\u003C\u002Fa>. It is an open-source, structured design-review tool used before coding to act as a “sounding board.”\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Clarity guides teams through:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Problem, users, and success criteria\u003C\u002Fli>\n\u003Cli>Data and tool access the agent truly needs\u003C\u002Fli>\n\u003Cli>Task decomposition and guardrail placement\u003C\u002Fli>\n\u003Cli>Abuse cases, failure modes, and escalation paths\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This is a pre-mortem on trust boundaries, permissions, and scopes, so foundational safety issues appear before deployment.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>💡 \u003Cstrong>Key takeaway:\u003C\u002Fstrong> Clarity is a structured conversation, not a yes\u002Fno checklist. It produces markdown artifacts you can track, review, and version.\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>RAMPART and Clarity work together:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Clarity defines acceptable behavior, risk appetite, and guardrails\u003C\u002Fli>\n\u003Cli>RAMPART encodes those decisions as tests that run whenever agents or dependencies change\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Governance shifts from slide decks to executable code.\u003C\u002Fp>\n\u003Cp>Enterprises can embed these tools by:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Requiring Clarity-style design reviews at solution intake, tied to “AI license to drive” training so builders understand data and security duties\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Making RAMPART suites mandatory CI gates for staging\u002Fproduction promotion\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Having fusion teams (security, product, domain) own and evolve scenarios over time\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Chr>\n\u003Ch2>Conclusion: Making AI Agent Safety a Continuous Practice\u003C\u002Fh2>\n\u003Cp>As agents gain power across critical systems, safety must run from architecture to CI, not from audit to audit.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> Clarity structures upfront decisions about purpose, users, tools, and risks, avoiding unnecessary agent power.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>RAMPART turns those decisions—and real incidents—into automated tests on every change, catching regressions before production.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚡ \u003Cstrong>Call to action:\u003C\u002Fstrong> Explore the RAMPART and Clarity repos, apply them to one high-impact agent, and use the results to standardize a secure, test-driven agent workflow across your organization.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n","Enterprise AI has moved from answering questions to taking actions: reading email, querying CRM, filing tickets, and even writing and executing code on production systems.[1][3] Misbehavior is now ope...","trend-radar",[],816,4,"2026-05-25T08:34:28.871Z",[17,22,26,30,34,38,42,46,49,53],{"title":18,"url":19,"summary":20,"type":21},"Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow | Microsoft Security Blog","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F20\u002Fintroducing-rampart-and-clarity-open-source-tools-to-bring-safety-into-agent-development-workflow\u002F","The AI systems shipping inside enterprises today are fundamentally different from the ones we were building even two years ago, because they have moved well past answering questions and into accessing...","kb",{"title":23,"url":24,"summary":25,"type":21},"The Hacker News on X: \"⚡ Microsoft open-sourced RAMPART and Clarity to test AI agent safety earlier in development. RAMPART checks cross-prompt injection, data exfiltration, and regressions; Clarity pressure-tests design assumptions before coding. How the tools work: https:\u002F\u002Ft.co\u002FOx0q5E8EWT\" \u002F X","https:\u002F\u002Fx.com\u002FTheHackersNews\u002Fstatus\u002F2057146854736036291","Microsoft open-sourced RAMPART and Clarity to test AI agent safety earlier in development. RAMPART checks cross-prompt injection, data exfiltration, and regressions; Clarity pressure-tests design assu...",{"title":27,"url":28,"summary":29,"type":21},"Microsoft Open Sources AI Safety Tools for Agent Development","https:\u002F\u002Fredmondmag.com\u002Farticles\u002F2026\u002F05\u002F20\u002Fmicrosoft-open-sources-ai-safety-tools-for-agent-development.aspx","Microsoft released RAMPART and Clarity as open-source projects intended to help developers test AI agents earlier in the software lifecycle and turn red-team findings into repeatable engineering check...",{"title":31,"url":32,"summary":33,"type":21},"Microsoft open-sources tools for designing and testing AI agents","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2026\u002F05\u002F21\u002Fmicrosoft-open-sources-tools-for-designing-and-testing-ai-agents\u002F","Microsoft has open-sourced two tools aimed at bringing security discipline to AI agent development: Clarity, a structured design review tool, and RAMPART, a continuous testing framework.\n\nThe release ...",{"title":35,"url":36,"summary":37,"type":21},"Certifying AI models for classified military networks: evaluation framework and deployment details","https:\u002F\u002Fwww.linkedin.com\u002Fposts\u002Fggospodinov_pentagon-signs-classified-ai-deals-with-tech-activity-7456757654812651520-H7Iq","What does it actually take to certify a frontier language model for deployment on classified military networks, and how much of that certification process is visible to anyone outside the Pentagon? Th...",{"title":39,"url":40,"summary":41,"type":21},"The War Department Announces Agreements with Leading AI Companies to Deploy Capabilities on Classified Networks","https:\u002F\u002Fwww.war.gov\u002FNews\u002FReleases\u002FRelease\u002FArticle\u002F4475177\u002Fclassified-networks-ai-agreements\u002F","The War Department has entered into agreements with eight of the world's leading frontier artificial intelligence companies, SpaceX, OpenAI, Google, NVIDIA, Reflection, Microsoft, Amazon Web Services,...",{"title":43,"url":44,"summary":45,"type":21},"Scaling enterprise AI: lessons in governance and operating models from IBM","https:\u002F\u002Fstackoverflow.blog\u002F2026\u002F01\u002F29\u002Fscaling-enterprise-ai-lessons-in-governance-and-operating-models-from-ibm\u002F","Scaling enterprise AI: lessons in governance and operating models from IBM\n\nKey takeaways\n- Successful AI implementation at the enterprise level requires balancing timely innovation and experimentatio...",{"title":47,"url":48,"summary":41,"type":21},"Classified Networks AI Agreements > U.S. Department of War > Release","https:\u002F\u002Fwww.reddit.com\u002Fr\u002FAMD_Stock\u002Fcomments\u002F1t2mcus\u002Fclassified_networks_ai_agreements_us_department\u002F",{"title":50,"url":51,"summary":52,"type":21},"DoD strikes deals with major tech firms to deploy AI on classified networks","https:\u002F\u002Ffederalnewsnetwork.com\u002Fdefense-news\u002F2026\u002F05\u002Fdod-strikes-deals-with-major-tech-firms-to-deploy-ai-on-classified-networks\u002F","The Defense Department has struck agreements with some of the nation’s largest technology companies to deploy their advanced artificial intelligence capabilities on its classified networks, part of a ...",{"title":54,"url":55,"summary":56,"type":21},"IBM Announces Defense-Focused AI Model to Accelerate Mission Planning and Decision Support","https:\u002F\u002Fnewsroom.ibm.com\u002F2025-10-29-ibm-announces-defense-focused-ai-model-to-accelerate-mission-planning-and-decision-support","---TITLE---\nIBM Announces Defense-Focused AI Model to Accelerate Mission Planning and Decision Support\n---CONTENT---\nIBM Announces Defense-Focused AI Model to Accelerate Mission Planning and Decision ...",{"totalSources":58},10,{"generationDuration":60,"kbQueriesCount":58,"confidenceScore":61,"sourcesCount":58},199461,100,{"metaTitle":63,"metaDescription":64},"RAMPART and Clarity: Continuous AI Agent Security Platform","Shield agentic AI at machine speed. Microsoft’s RAMPART and Clarity enable continuous testing, prevention, and enforcement to secure agents—see steps.","en","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1662947036644-ecfde1221ac7?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxtaWNyb3NvZnQlMjBvcGVufGVufDF8MHx8fDE3Nzk2OTc2Mzl8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60",{"photographerName":68,"photographerUrl":69,"unsplashUrl":70},"BoliviaInteligente","https:\u002F\u002Funsplash.com\u002F@boliviainteligente?utm_source=coreprose&utm_medium=referral","https:\u002F\u002Funsplash.com\u002Fphotos\u002Fa-glass-of-beer-wIBDrEv73xY?utm_source=coreprose&utm_medium=referral",true,"microsoft-open-sourcing-rampart-and-clarity-for-securing-ai-agents",{"key":74,"name":75,"nameEn":76},"ia","Intelligence Artificielle","Artificial Intelligence",[78,80,82,84],{"text":79},"Microsoft’s RAMPART and Clarity are open-source tools that shift agent safety from periodic red-teaming to continuous practices, with RAMPART running automated tests in CI on every pull request and Clarity enforcing structured design reviews before coding.",{"text":81},"RAMPART compresses weeks of expert red-team work into hours by converting incidents into pytest-style scenarios and running statistical trials (e.g., ≥95% pass thresholds) to reduce fluke passes.",{"text":83},"Clarity codifies design decisions—purpose, required data\u002Ftools, guardrails, abuse cases—into versioned artifacts that feed RAMPART tests and make governance executable rather than slide-based.",{"text":85},"Enterprises must require Clarity-like intake and make RAMPART suites mandatory CI gates to ensure agents with write privileges do not cause data leaks or destructive actions.",[87,90,93],{"question":88,"answer":89},"What exactly are RAMPART and Clarity and how do they work together?","RAMPART is a PyTest-style open-source framework that turns red-team scenarios into automated CI tests, and Clarity is a structured pre-coding design-review tool that captures requirements, risk appetite, and guardrails as versioned artifacts. Together they create a closed loop: Clarity defines acceptable behaviors, data access, and failure modes; those definitions become concrete regression tests in RAMPART that run on every change to agents, prompts, or tooling. This pairing moves safety from infrequent expert reviews into developer workflows by making design decisions testable, repeatable, and enforceable through CI gates, enabling organizations to catch regressions and encode incident learnings as reusable scenario suites.",{"question":91,"answer":92},"How does RAMPART handle the probabilistic nature of LLM-driven agents?","RAMPART handles nondeterminism by supporting statistical trials and configurable thresholds—teams can run a scenario N times and require a high pass rate (for example, 95%) before a test is considered passing. This reduces the chance that a single lucky response masks a reproducible vulnerability and lets teams quantify risk, tune thresholds for sensitive workflows, and detect intermittent failures that would be missed by single-run tests.",{"question":94,"answer":95},"What are the first operational steps an enterprise should take to adopt these tools?","Start by mandating Clarity-style design reviews at solution intake to define data access, tool scopes, and abuse cases, then convert those outputs into RAMPART test scenarios and add them as CI gates for staging and production promotions. Form a cross-functional “fusion” team of security, product, and domain experts to maintain scenario libraries and evolve thresholds based on incident history and business risk.",[97,105,111,118,124,130,136,142,148,152,156,160,167,173,179],{"id":98,"name":99,"type":100,"confidence":101,"wikipediaUrl":102,"slug":103,"mentionCount":104},"69822206e28785d1e150b8aa","prompt injection","concept",0.99,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection","69822206e28785d1e150b8aa-prompt-injection",92,{"id":106,"name":107,"type":100,"confidence":101,"wikipediaUrl":108,"slug":109,"mentionCount":110},"6981045ee28785d1e150ada7","data exfiltration","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData_exfiltration","6981045ee28785d1e150ada7-data-exfiltration",12,{"id":112,"name":113,"type":100,"confidence":114,"wikipediaUrl":115,"slug":116,"mentionCount":117},"6a0cc44d07a4fdbfcf5e45d5","AI license to drive",0.95,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FDrive.ai","6a0cc44d07a4fdbfcf5e45d5-ai-license-to-drive",9,{"id":119,"name":120,"type":100,"confidence":121,"wikipediaUrl":122,"slug":123,"mentionCount":117},"695bce4319d266277e14d2d4","clarity",0.96,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FClarity","695bce4319d266277e14d2d4-clarity",{"id":125,"name":126,"type":100,"confidence":127,"wikipediaUrl":128,"slug":129,"mentionCount":14},"6a108e8e07a4fdbfcf5f3db5","statistical trials",0.88,null,"6a108e8e07a4fdbfcf5f3db5-statistical-trials",{"id":131,"name":132,"type":100,"confidence":133,"wikipediaUrl":128,"slug":134,"mentionCount":135},"69871dba033ff25c8c6129e0","thresholds",0.86,"69871dba033ff25c8c6129e0-thresholds",2,{"id":137,"name":138,"type":100,"confidence":139,"wikipediaUrl":140,"slug":141,"mentionCount":135},"6a14094ea2d594d36d22b606","continuous integration",0.9,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FContinuous_integration","6a14094ea2d594d36d22b606-continuous-integration",{"id":143,"name":144,"type":100,"confidence":145,"wikipediaUrl":128,"slug":146,"mentionCount":147},"6a1409b6a2d594d36d22b63a","fusion teams",0.85,"6a1409b6a2d594d36d22b63a-fusion-teams",1,{"id":149,"name":150,"type":100,"confidence":139,"wikipediaUrl":128,"slug":151,"mentionCount":147},"6a1409b5a2d594d36d22b637","LLM randomness","6a1409b5a2d594d36d22b637-llm-randomness",{"id":153,"name":154,"type":100,"confidence":127,"wikipediaUrl":128,"slug":155,"mentionCount":147},"6a1409b5a2d594d36d22b638","pytest-style cases","6a1409b5a2d594d36d22b638-pytest-style-cases",{"id":157,"name":158,"type":100,"confidence":139,"wikipediaUrl":128,"slug":159,"mentionCount":147},"6a1409b6a2d594d36d22b639","Clarity-style design review","6a1409b6a2d594d36d22b639-clarity-style-design-review",{"id":161,"name":162,"type":163,"confidence":101,"wikipediaUrl":164,"slug":165,"mentionCount":166},"6939ad36312dc892c4c184d9","Microsoft","organization","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMicrosoft","6939ad36312dc892c4c184d9-microsoft",381,{"id":168,"name":169,"type":163,"confidence":101,"wikipediaUrl":170,"slug":171,"mentionCount":172},"693ada51312dc892c4c18785","IBM","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FIBM","693ada51312dc892c4c18785-ibm",142,{"id":174,"name":175,"type":176,"confidence":121,"wikipediaUrl":128,"slug":177,"mentionCount":178},"694e303a19d266277e149806","agents","other","694e303a19d266277e149806-agents",33,{"id":180,"name":181,"type":182,"confidence":183,"wikipediaUrl":128,"slug":184,"mentionCount":117},"699b63c69aa9beba177cd001","PyRIT","product",0.98,"699b63c69aa9beba177cd001-pyrit",[186,194,201,209],{"id":187,"title":188,"slug":189,"excerpt":190,"category":191,"featuredImage":192,"publishedAt":193},"6a1b0c207037f29365deb828","Anthropic Mythos vs OpenAI GPT‑5.5: Are ‘Hacking‑Capable’ Frontier Models a Cybersecurity Time Bomb?","anthropic-mythos-vs-openai-gpt-5-5-are-hacking-capable-frontier-models-a-cybersecurity-time-bomb","Two of the world’s most advanced large language models—Anthropic’s Mythos and OpenAI’s GPT‑5.5—are arriving in enterprises as governments warn that generative AI is reshaping state‑backed hacking.[1]...","security","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1675865254433-6ba341f0f00b?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhbnRocm9waWMlMjBteXRob3MlMjBvcGVuYWklMjBncHR8ZW58MXwwfHx8MTc4MDA3MTE2OXww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-30T16:16:00.558Z",{"id":195,"title":196,"slug":197,"excerpt":198,"category":191,"featuredImage":199,"publishedAt":200},"6a19b97d197de28733023185","Anthropic Mythos vs OpenAI GPT‑5.5: Are Hacking‑Capable LLMs a Cybersecurity Time Bomb?","anthropic-mythos-vs-openai-gpt-5-5-are-hacking-capable-llms-a-cybersecurity-time-bomb","Frontier large language models are shifting from autocomplete tools to semi‑autonomous digital workers that operate software, write complex code, and orchestrate tools over long tasks.[2] The same sys...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1675865254433-6ba341f0f00b?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhbnRocm9waWMlMjBteXRob3MlMjBvcGVuYWklMjBncHR8ZW58MXwwfHx8MTc3OTk0NTE4MXww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-29T16:12:33.194Z",{"id":202,"title":203,"slug":204,"excerpt":205,"category":206,"featuredImage":207,"publishedAt":208},"6a1229ca5242169466949532","When AI Fakes the Footnotes: What the ‘Future of Truth’ Scandal Reveals About Nonfiction in the Age of LLMs","when-ai-fakes-the-footnotes-what-the-future-of-truth-scandal-reveals-about-nonfiction-in-the-age-of-","A nonfiction book about artificial intelligence and truth has just failed its own reality test.  \n\nSteven Rosenbaum’s The Future of Truth: How AI Reshapes Reality includes multiple quotes that never h...","hallucinations","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1695238668015-7bc526956af7?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxmYWtlcyUyMGZvb3Rub3RlcyUyMGZ1dHVyZSUyMHRydXRofGVufDF8MHx8fDE3Nzk1NzU0NTB8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-23T22:30:50.344Z",{"id":210,"title":211,"slug":212,"excerpt":213,"category":11,"featuredImage":214,"publishedAt":215},"6a0ab3c0e92e33c825dab26e","Pope Leo XIV’s AI Encyclical: How “Magnifica Humanitas” Could Reshape Tech Ethics and Digital Labor","pope-leo-xiv-s-ai-encyclical-how-magnifica-humanitas-could-reshape-tech-ethics-and-digital-labor","Artificial intelligence is reshaping how people work, learn, and relate across educational technology, finance, and manufacturing.[2][3] Artificial intelligence—especially large language models and Ge...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1538175911510-25336f95b07d?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxwb3BlJTIwbGVvJTIweGl2JTIwZW5jeWNsaWNhbHxlbnwxfDB8fHwxNzc5MDg2NTU3fDA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-18T06:42:36.379Z",["Island",217],{"key":218,"params":219,"result":221},"ArticleBody_mAe5IJdmPSf3JNnL5aHVbNHEdIM0AMQizcasyACmh2U",{"props":220},"{\"articleId\":\"6a1407e7a33b9706f9fe063c\",\"linkColor\":\"red\"}",{"head":222},{}]