Agent Tool-Governance Maturity Kit ATGM Framework

The Agent Tool-Governance Maturity Kit (ATGM) gives engineering teams a structured way to assess, score, and systematically improve how their AI agents are permitted to call external tools — APIs, file systems, shell commands, databases, and third-party services. If you are shipping Claude Code, LangChain, CrewAI, AutoGen, or any agentic system and your current policy is "we trust the LLM not to do anything bad", you are at Level 1. This kit moves you from Level 1 to Level 5 in one afternoon's work. It is designed for engineers and platform leads who own AI infrastructure, not compliance officers writing PDFs nobody reads.

What You Get

• ATGM-scorecard.csv — A 38-row scoring matrix covering five governance domains (Scope, Auth, Audit, Blast-Radius, Recovery). Each row maps a specific control to its maturity level (1–5), a pass/fail test, and a remediation action. Drop it into Excel or Google Sheets and score your current agent stack in under 30 minutes.
• ATGM-workbook.md — The full WOWHOW ATGM framework document. Defines all five maturity levels with precise criteria, explains the 38 controls with worked examples, and includes a decision tree for assigning tool permission tiers (Read-Only, Idempotent-Write, Destructive-Write, Privileged-Exec). Essential reading before you touch CLAUDE.md.
• CLAUDE-governance-template.md — A drop-in CLAUDE.md governance block with pre-filled permission rules, tool-call logging hooks, blast-radius guards, and rollback instructions. Structured so you can copy the relevant sections directly into your project's CLAUDE.md. Covers bash, file I/O, network calls, and MCP server registrations.
• tool-registry-template.yaml — A machine-readable YAML registry for every tool your agent can call. Captures tool name, permission tier, allowed scopes, max call rate, required human-approval threshold, and incident-response owner. Acts as the single source of truth your audit log and CI gates can validate against.
• README.md — Step-by-step setup instructions, a quick-start checklist, and guidance on integrating the scorecard into your sprint cycle or quarterly review.

How to Use

1. Read ATGM-workbook.md front-to-back (about 25 minutes). The five levels are cumulative — you cannot skip Level 3 and claim Level 4.
2. Open ATGM-scorecard.csv in a spreadsheet. For each row, mark your current pass/fail status. The sheet auto-totals your domain scores and overall maturity level.
3. Identify your lowest-scoring domain. That is your highest-risk area. Prioritise it in the next sprint.
4. Copy the relevant blocks from CLAUDE-governance-template.md into your project's CLAUDE.md. Uncomment the rules that match your current maturity target.
5. Register every tool your agent calls in tool-registry-template.yaml. Commit it to your repo. Wire your CI pipeline to diff it on every PR.
6. Re-run the scorecard each quarter. A mature team should advance at least one domain level per quarter.

Who This Is For

• Engineers shipping production agentic systems with Claude Code, LangChain, CrewAI, AutoGen, or custom agent frameworks
• Platform and DevOps leads who need an auditable record of what their AI agents are permitted to do
• Security engineers doing threat-model reviews of AI-assisted pipelines
• Solo founders and small teams who know they need governance but cannot afford a six-month compliance project
• AI teams preparing for SOC 2, ISO 27001, or internal security audits where agent tool-call scope is a question

The ATGM kit pairs well with the AI Model Cost Calculator (track what your agents are spending per tool call) and the free developer resources in the WOWHOW product library. Every control in the scorecard was designed around real production incidents, not theoretical checklists — if a control appears in the workbook, it maps to a failure mode that has caused an outage, data leak, or runaway spend in real agentic deployments.