What You'll Build
By the end of this tutorial, you will have a governed AI agent with a policy that controls which actions it can take, and an audit trail proving it. The entire setup takes less than five minutes.
We will walk through this in both Python and JavaScript. Pick whichever matches your stack.
Step 1: Install the SDK
Python:
pip install meshguard
JavaScript:
npm install @meshguard/sdk
Sign up at meshguard.app if you haven't already. Grab your API key from Settings > API Keys in the dashboard.
Step 2: Register an Agent
Every AI agent you want to govern needs to be registered with MeshGuard. Registration tells MeshGuard about the agent's identity, environment, and team ownership.
Python:
from meshguard import Client
mg = Client(api_key="mg_your_api_key")
agent = mg.agents.register(
name="support-assistant",
environment="production",
labels={"team": "customer-success", "tier": "standard"},
)
print(f"Agent registered: {agent.id}")
JavaScript:
import { MeshGuard } from "@meshguard/sdk";
const mg = new MeshGuard({ apiKey: "mg_your_api_key" });
const agent = await mg.agents.register({
name: "support-assistant",
environment: "production",
labels: { team: "customer-success", tier: "standard" },
});
console.log(`Agent registered: ${agent.id}`);
Step 3: Create a Policy
Policies define what your agents are allowed to do. Let's create one that allows our support assistant to read customer records but blocks it from deleting anything.
Python:
policy = mg.policies.create(
name="support-read-only",
agent_id=agent.id,
rules=[
{
"effect": "allow",
"action": "read_record",
"resource": "customers:*",
},
{
"effect": "deny",
"action": "delete_record",
"resource": "*",
},
],
)
print(f"Policy created: {policy.id}")
JavaScript:
const policy = await mg.policies.create({
name: "support-read-only",
agentId: agent.id,
rules: [
{ effect: "allow", action: "read_record", resource: "customers:*" },
{ effect: "deny", action: "delete_record", resource: "*" },
],
});
console.log(`Policy created: ${policy.id}`);
Step 4: Evaluate Before Acting
Before your agent performs an action, ask MeshGuard whether the policy allows it. This is the governance checkpoint.
Python:
# This should be allowed
read_decision = mg.policies.evaluate(
agent_id=agent.id,
action="read_record",
resource="customers:acme-corp",
)
print(f"Read decision: {read_decision.effect}") # "allow"
# This should be blocked
delete_decision = mg.policies.evaluate(
agent_id=agent.id,
action="delete_record",
resource="customers:acme-corp",
)
print(f"Delete decision: {delete_decision.effect}") # "deny"
JavaScript:
// This should be allowed
const readDecision = await mg.policies.evaluate({
agentId: agent.id,
action: "read_record",
resource: "customers:acme-corp",
});
console.log(`Read decision: ${readDecision.effect}`); // "allow"
// This should be blocked
const deleteDecision = await mg.policies.evaluate({
agentId: agent.id,
action: "delete_record",
resource: "customers:acme-corp",
});
console.log(`Delete decision: ${deleteDecision.effect}`); // "deny"
Step 5: Check the Audit Log
Every policy evaluation is automatically recorded. Open the MeshGuard dashboard and navigate to Audit Log. You will see both evaluations with full details: the agent, the action, the resource, the policy that matched, and the decision.
You can also query the audit log programmatically:
Python:
events = mg.audit.list(agent_id=agent.id, limit=10)
for event in events:
print(f"{event.timestamp} | {event.action} | {event.decision}")
What's Next
You now have a governed agent with policy enforcement and an audit trail. From here you can:
- Add more policies for rate limiting, resource scoping, or time-based access windows.
- Set up alert channels to get notified on policy violations.
- Test policies interactively in the Policy Playground.
- Explore RBAC to control who can modify your governance configuration.
Full documentation is at docs.meshguard.app. If you get stuck, reach out on our community Discord or email support@meshguard.app.