Skip to main content
AI & Machine LearningQuantum Computing

Microsoft Bolsters AI Safety with RAMPART and Clarity Tools

Researchers collaborate in a modern lab with computer workstations and technical equipment.

“It’s high time we stop talking about AI safety as a philosophy and start thinking about AI safety as an engineering discipline,” Ram Shankar Siva Kumar, Microsoft’s data cowboy and founder of its AI red team, told The Register.

RAMPART: automated red‑teaming for agentic applications

On Wednesday Microsoft open‑sourced RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming. RAMPART is delivered as a pytest framework built on Microsoft’s open‑source PyRIT toolkit and is intended to embed automated red‑team tests into CI/CD pipelines for agentic AI applications. According to Microsoft, those tests can simulate real‑world attack scenarios such as prompt injection, and verify that agents remain within approved tool use, actions, and behavioral boundaries.

Measuring safety statistically and reproducing findings

RAMPART supports statistical trials so teams can encode probabilistic safety policies – for example, a policy that “this action must be safe in at least 80 percent of runs.” The framework also emphasizes reproducibility: it lets red teams and incident responders reproduce AI security findings to confirm that agents behave as intended and that mitigations actually work.

Microsoft’s account includes a concrete internal example described by Kumar. After a security researcher found a vulnerability, the Redmond red team used RAMPART to expand that single vector into “close to 100 different variants of that vector,” Kumar said, then exercised the asset “not just one time, not two times, but close to 300 times.” He added the tests were conducted “in the context of multi‑turn conversations,” and that RAMPART helped the team build mitigations and then validate whether those remediations “actually held water, not just against one vector … but multiple variations of those vectors.”

Clarity: an agent that asks the questions before code is written

Microsoft also published an open‑source agent named Clarity, which Kumar described in a Wednesday blog as a “structured sounding board that helps teams figure out whether they are building the right thing before they write a single line of code.” Clarity prompts teams with architecture and safety questions that mimic those an experienced architect, product manager or safety engineer might ask.

A screenshot Microsoft posted on GitHub shows Clarity asking: “Before we design that - what happens when two people edit the same paragraph at the same time? Do you need true real‑time (cursors, presence), or is ‘no one loses work’ the actual requirement? Those lead to very different architectures.” Kumar framed the agent as a pause‑for‑thought: “It’s inherently collaborative,” he said. “It helps the team take a step back, and say, ‘Hey, before we build this, are we going in the right direction? Because code is cheap. It takes a snap of a finger to generate a full system. Are we doing this in a way that makes sense?’”

Open source release and Microsoft’s internal use

Microsoft made both RAMPART and Clarity available as open‑source tools on Wednesday. The company reports that it has been using RAMPART internally, and that the tool has been incorporated into workflows for red teams, incident responders and engineers to exercise agents at scale and validate fixes. Kumar declined to provide further specific details about the internal deployments beyond the example he described to The Register.

What this means for red teams, incident responders, and developers

  • Red teams: RAMPART offers a way to systematically expand a single discovered vector into many variants and run automated trials in CI/CD, enabling broader coverage of attack permutations and multi‑turn scenarios.
  • Incident responders and engineers: The ability to reproduce findings “close to 300 times” and validate whether a remediation holds across variants gives responders a repeatable method to test fixes before and after deployment.
  • Developers and product teams: Clarity acts as an early‑stage interlocutor that surfaces architecture and safety tradeoffs before code is written, helping teams define requirements such as whether real‑time collaboration needs true cursor presence or merely guarantees against data loss.

Microsoft’s release couples a testing framework that quantifies agentic risk with an agent that encourages pre‑implementation thinking. Taken together, the tools aim to shift work from ad hoc safety conversations to reproducible engineering practices — a shift Kumar urged when he said it is time to treat AI safety as engineering. Whether teams adopt these open‑source tools in production, or how widely they will be integrated into CI/CD pipelines, remains to be seen.

Original story