The Operating System for AI Agents

Kernel-level governance for autonomous AI agents. Stop hoping your agents behave—enforce it.

Get Started in 5 Minutes View on GitHub

GitHub stars PyPI version License: MIT Python 3.9+

Quick Answers

What is Agent OS? A kernel architecture that enforces safety policies on AI agents at runtime—like how Linux enforces permissions on applications. Your agents can't violate rules because the kernel blocks violations before execution.
Who is it for? Teams deploying AI agents in production who need **compliance guarantees**, **audit trails**, and **runtime control**. Finance (trading bots), healthcare (patient data agents), DevOps (autonomous infrastructure), and any domain where "the AI went rogue" isn't acceptable.
How is it different from LangChain's built-in safety? LangChain/CrewAI safety relies on prompts and callbacks—the agent decides whether to comply. Agent OS uses **kernel-level enforcement**—the agent has no choice. You can use both together: build with LangChain, govern with Agent OS.
How fast can I get started? Two lines: `pip install agent-os` then wrap your agent. See [5-minute quickstart](#getting-started).

The Problem with AI Agents Today

Traditional agent safety relies on prompts: “Please don’t do dangerous things.”

The agent decides whether to comply. That’s not safety—that’s hope.

graph LR subgraph "Prompt-Based Safety ❌" A1["Please be safe"] --> B1["LLM decides"] B1 --> C1["Maybe complies 🤷"] end subgraph "Kernel-Based Safety ✅" A2["Action request"] --> B2["Policy Engine"] B2 --> C2{Check} C2 -->|Pass| D2["Execute"] C2 -->|Fail| E2["SIGKILL 🛑"] end

Agent OS: Kernel-Level Enforcement

Agent OS applies operating system concepts to AI agent governance. Just like Linux doesn’t ask applications to behave—it enforces permissions—Agent OS doesn’t ask agents to be safe—it enforces policies.

graph TB subgraph "User Space" A1[Agent 1] A2[Agent 2] A3[Agent N] end subgraph "Kernel Space" PE[Policy Engine] SD[Signal Dispatcher] VFS[Virtual File System] AUD[Audit Log] end subgraph "Infrastructure Modules" CMVK[Cross-Model Verification] EMK[Episodic Memory] IATP[Inter-Agent Trust] AMB[Message Bus] end A1 --> PE A2 --> PE A3 --> PE PE --> SD PE --> VFS PE --> AUD PE --> CMVK PE --> EMK PE --> IATP 
1
2
3
4
5
6
7
8
9
10
11

from agent_os import KernelSpace

kernel = KernelSpace(policy="strict")

@kernel.register
async def my_agent(task: str):
    # Your agent code here
    return process(task)

# Every action is checked against policies
result = await kernel.execute(my_agent, "analyze data")

Zero violations. Not because agents are trained to behave, but because the kernel won’t let violations execute.

Key Features

🛡️ Policy Engine

Define what agents can and cannot do. Block destructive SQL, file deletes, secret exposure—before execution.

⚡ POSIX Signals

SIGKILL, SIGSTOP, SIGCONT—control agent execution like processes. Non-catchable termination on violations.

🔍 Cross-Model Verification

Verify outputs across multiple LLMs. Detect hallucinations through consensus, not trust.

🧠 Episodic Memory

Immutable, append-only ledger of agent experiences. Time-travel debugging. Learn from mistakes.

🤝 Inter-Agent Trust

Cryptographic signing of messages between agents. Know exactly who said what.

📊 Full Observability

Prometheus metrics, OpenTelemetry tracing, Grafana dashboards—see everything your agents do.

Getting Started

Installation

1

pip install agent-os

Or with all features:

1

pip install agent-os[full]

Your First Governed Agent

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

from agent_os import KernelSpace

# 1. Create kernel with strict policy - blocks destructive operations
kernel = KernelSpace(policy="strict")

# 2. Register your agent function with the kernel
@kernel.register
async def my_agent(task: str):
    # Your LLM logic here - any framework works
    return f"Processed: {task}"

# 3. Execute through the kernel - all actions are policy-checked
import asyncio
result = asyncio.run(kernel.execute(my_agent, "Hello, Agent OS!"))
print(result)  # Output: Processed: Hello, Agent OS!
Line What it does
KernelSpace(policy="strict") Creates a kernel that blocks file writes, destructive SQL, shell commands, and secret exposure
@kernel.register Wraps your function so every call goes through the policy engine
kernel.execute() Runs your agent with governance—violations trigger SIGKILL before execution

What Happens

  1. @kernel.register wraps your function with kernel governance
  2. kernel.execute() runs your agent through the policy engine
  3. If policy violated → automatic SIGKILL before execution

Read the Full Tutorial →

What Teams Are Saying

“Reduced our compliance review time from 2 weeks to 2 days. The audit logs alone saved us.”

DevOps Lead, Fortune 500 Financial Services

“We went from ‘hoping the agent doesn’t delete production data’ to actually sleeping at night.”

ML Platform Engineer, Healthcare Startup

“The CMVK module caught 3 hallucination incidents in our first week that would have gone to customers.”

AI Safety Researcher, Enterprise SaaS

Have a story? Share it on GitHub Discussions →

Framework Integrations

Agent OS wraps existing frameworks—use it with what you already have:

Framework Integration
LangChain LangChainKernel().wrap(my_chain)
CrewAI CrewAIKernel().wrap(my_crew)
OpenAI Assistants OpenAIKernel().wrap_assistant(assistant)
Semantic Kernel SemanticKernelWrapper().wrap(kernel)
AutoGen AutoGenKernel().wrap(agents)

See All Integrations →

IDE & CLI Extensions

Use Agent OS directly in your development environment:

Tool Description
VS Code Real-time policy checks, kernel debugger, memory browser
Cursor Composer interception, safe alternatives
JetBrains IntelliJ, PyCharm, WebStorm plugins
GitHub Copilot Safety layer for AI suggestions
Chrome DevTools Monitor AMB messages and IATP trust

Browse Extensions →

Production Examples

See Agent OS in action with full observability:

🏥 HIPAA-Compliant Data Agent

Healthcare

Patient data analysis with guaranteed PHI protection. Full audit trail for compliance.

View Case Study →

🎓 Safe Tutoring Bot

Education

Age-appropriate content filtering. No PII collection. Parent-visible audit logs.

View Case Study →

🏦 Financial Compliance

Finance / ESG

Fraud detection with multi-model consensus. Complete audit trails for regulators.

View Use Cases →

⚡ Energy Grid Coordination

Energy / IoT

Multi-agent coordination for grid balancing. IATP trust protocols for agent verification.

View Use Cases →

🔧 Autonomous DevOps

Infrastructure

Self-healing infrastructure with guardrails. Can’t delete prod, can’t expose secrets.

View Use Cases →

💼 Enterprise Operations

Business

Customer support, document processing, workflow automation with governance.

View Use Cases →

Why Agent OS?

  Traditional Approach Agent OS
Safety Prompt-based (hope) Kernel-enforced (guarantee)
Violations Detected after the fact Blocked before execution
Audit Logs if you remember Complete immutable ledger
Control Restart the whole thing SIGSTOP/SIGCONT any agent
Trust “I think it’s working” Cryptographic verification

Read the Full Comparison →

Roadmap & Transparency

We believe in building in the open. Here’s what’s coming:

Timeline Feature Status
Q1 2026 Multi-language SDKs (TypeScript, Go) 🔄 In Progress
Q2 2026 Visual Policy Editor 📋 Planned
Q2 2026 Large swarm support (1000+ agents) 📋 Planned
Q3 2026 Declarative policy language (Rego-like) 📋 Planned
Q3 2026 Enterprise SSO & RBAC 📋 Planned

Current Limitations:

View full roadmap on GitHub →

Community

Share Agent OS:

Twitter LinkedIn Reddit

Stay Updated

Agent OS is actively developed. Star the repo to follow updates:

⭐ Star on GitHub 📰 RSS Feed

Ready to Govern Your Agents?

1

pip install agent-os

Get Started → Read the Docs →

v1.1.0 · Changelog · Benchmarks · MIT License