Back to Blog
Tutorial

AI Agent Governance in 5 Minutes

February 18, 2026  ·  6 min read  ·  Yusuf Jacobs

Your AI agent has access to databases, APIs, file systems, and user data. But without governance, every tool call is a potential compliance violation. Here's how to fix that in 5 minutes.

Why Your Agent Needs Governance

Modern AI agents — whether built with LangChain, CrewAI, AutoGen, or the OpenAI Agents SDK — are incredibly powerful. They can call tools, query databases, send emails, and make API requests autonomously. But “powerful” without “controlled” is just “dangerous”.

Consider a customer support agent with database access. Without governance:

• It could expose customer SSNs, credit card numbers, or medical records in its responses

• A prompt injection could trick it into running destructive SQL queries

• There's no audit trail for compliance teams (HIPAA, GDPR, SOC 2)

• No way to instantly shut it down if something goes wrong

Tork solves all of these problems with a single SDK.

Step 1: Install the SDK

Pick your language. Tork supports 11 SDKs:

npm install tork-governance    # JavaScript/TypeScript
pip install tork-governance    # Python
go get github.com/torkjacobs/tork-go-sdk # Go
cargo add tork-governance     # Rust

Step 2: Add PII Detection

Wrap your agent's output with Tork's PII scanner. Every response is scanned for 50+ PII types across 13 countries before it reaches the user:

import { TorkGovernance } from 'tork-governance';

// Initialise once
const tork = new TorkGovernance({
  apiKey: process.env.TORK_API_KEY,
});

// Scan agent output before returning to user
const result = await tork.pii.scan(agentResponse);

if (result.detections.length > 0) {
  // Auto-redact PII
  const safe = await tork.pii.redact(agentResponse);
  return safe.redacted;
}

This catches SSNs, credit cards, emails, phone numbers, Medicare numbers, TFNs, NHS numbers, Aadhaar numbers, and dozens more — all running locally on your infrastructure.

Step 3: Enforce Policies

Define what your agent can and cannot do. Policies are JSON rules that Tork evaluates before every tool call:

// Check policy before tool execution
const decision = await tork.policy.check({
  tool: 'database_query',
  args: { query: sqlQuery },
  agent: 'support-agent',
});

if (decision.action === 'block') {
  console.log('Blocked:', decision.reason);
  return; // Tool call never executes
}

if (decision.action === 'require_approval') {
  await tork.hitl.requestApproval(decision);
}

Step 4: Generate Compliance Receipts

Every governance decision automatically generates a cryptographic receipt — an HMAC hash-chained audit entry that proves what happened, when, and why:

{
  "id": "rcpt_1a2b3c4d",
  "timestamp": "2026-02-18T10:30:00Z",
  "agent": "support-agent",
  "action": "pii_redacted",
  "detections": ["SSN", "EMAIL"],
  "hash": "sha256:a1b2c3...",
  "chain_prev": "sha256:d4e5f6..."
}

Hand these to your auditors for HIPAA, GDPR, SOC 2, PCI-DSS, or any other compliance framework. The hash chain makes them tamper-evident.

Step 5: Add a Kill Switch

Because sometimes you just need to stop everything:

// Emergency halt — blocks all tool calls immediately
await tork.killSwitch.activate({
  agent: 'support-agent',
  reason: 'Detected anomalous behaviour',
});

// Or via the REST API
// POST /api/v1/kill-switch/activate

Framework Integration

Tork integrates natively with the frameworks you already use. Here's LangChain:

from tork_governance import TorkGovernance
from tork_governance.adapters.langchain import TorkCallbackHandler

tork = TorkGovernance(api_key=os.environ["TORK_API_KEY"])

# One line to govern your entire chain
agent = initialize_agent(
  tools=tools,
  llm=llm,
  callbacks=[TorkCallbackHandler(tork)],
)

Similar adapters exist for CrewAI, AutoGen, Semantic Kernel, DSPy, and 110+ other frameworks.

What You Get

In under 5 minutes, your agent now has:

PII Detection — 50+ types across 13 countries, running locally

Policy Enforcement — Block, allow, or escalate any tool call

Compliance Receipts — Tamper-evident audit trail for every decision

Kill Switch — Emergency halt via API or dashboard

Human-in-the-Loop — Require approval for sensitive operations

All of this runs on your infrastructure. Your data never leaves your servers unless you opt into Tork Cloud for centralised dashboards.

Try It Now

Head to the interactive demo to test PII detection and policy enforcement in your browser. Or sign up at tork.network/signup to get your API key — free tier, no credit card.

Tork Network Pty Ltd — Sydney, Australia