governance-sdk vs the alternatives
Inline enforcement is different from a gateway proxy, different from observability, and different from offline evals. Here's exactly how we compare — strengths, weaknesses, and who each tool is actually for.
Three mechanisms, three trade-offs
We're describing where policy decisions are made and when, not ranking vendors. Most production teams end up with a mix.
Inline enforcement (in-process): Policy runs in the same process as the agent framework, before the tool executes. No network round-trip. Availability coupled to the host process. This is governance-sdk's model.
Gateway proxy: Traffic routes through an external service; the gateway decides. Availability and latency coupled to that service, but easier to deploy across heterogeneous languages and runtimes.
Observability and offline evals: Captures traces and scores them after calls return. Doesn't gate execution. Great for debugging, evaluation, and session replay — orthogonal to pre-call enforcement.
Mechanism by product
Focused on how each product works, not how well it sells. For live feature sets, follow the homepage link — these descriptions can drift.
Runlayer: External proxy that sits in front of MCP traffic. Policy decisions happen in a separate service and return over the network.
Features: Injection detection, kill switch, RBAC.
Pairs well with governance-sdk if you want a network-layer perimeter in addition to in-process enforcement at the framework level.
AgentOps: Instruments agent frameworks to capture session traces and reports on them after the fact. Does not block calls.
Features: Framework integrations (LangChain, OpenAI Agents, etc.).
Use alongside governance-sdk — send enforcement events from gov.events to AgentOps for session replay.
Braintrust: Offline eval harness, dataset management, and production logging. Scoring runs against captured traces, not before-call.
Features: Logging, dataset tooling.
Route governance-sdk audit events into Braintrust for evaluation; keep enforcement in-process.
DIY: Team-owned TypeScript/Python middleware. You write the policy engine, audit chain, injection patterns, and compliance mapping.
Features: Full control.
Reasonable choice for teams with dedicated infra engineers and 6+ months of runway. Import governance-sdk primitives (e.g. supply-chain-cyclonedx, injection-patterns) à la carte to skip the parts you don't want to rebuild.
Matrix and descriptions last reviewed 2026-04-16. Spot something wrong? Email [email protected] or open an issue on GitHub.
Feature matrix
| Feature | @lua/gov | Runlayer | AgentOps | Braintrust | DIY |
|---|---|---|---|---|---|
| Inline enforcement (before execution) | ✓ | ✗ | ✗ | ✗ | ~ |
| Zero runtime dependencies | ✓ | ✗ | ✗ | ✗ | ~ |
| In-process enforcement (no network) | ✓ | ✗ | n/a | n/a | ~ |
| 54-pattern injection detection (regex F1 ≈ 0.48) | ✓ | ✓ | ✗ | ✗ | ~ |
| HMAC-chained tamper-evident audit | ✓ | ✗ | ✗ | ✗ | ~ |
| Agent governance scoring (L0–L4) | ✓ | ✗ | ✗ | ✗ | ✗ |
| EU AI Act compliance module | ✓ | ✗ | ✗ | ✗ | ✗ |
| Kill switch + fleet revive | ✓ | ✓ | ✗ | ✗ | ~ |
| Mastra / Vercel AI SDK adapters | ✓ | ✗ | ✓ | ✗ | ~ |
| LangChain + OpenAI Agents SDK | ✓ | ✗ | ✓ | ✗ | ~ |
| Enterprise RBAC + multi-tenancy | ✓ | ✓ | ✗ | ✗ | ~ |
| Open source (MIT) | ✓ | ✗ | ✓ | ✓ | ✓ |
| Free tier | ✓ | ✗ | ✓ | ✓ | ✓ |
Try it in 2 minutes
Inline enforcement. Zero dependencies. MIT license. Start free.
npm install governance-sdk
Quickstart →