As AI agents become increasingly capable, enterprises face new challenges as they race to deploy them across their applications, workflows, and products. The problem is ensuring that agents do what they’re supposed to do when they’re deployed in different environments.
Microsoft is trying to solve this problem with a new open source standard called the Agent Control Specification (ACS), which aims to give developers more consistent and granular control over what their AI agents are allowed to do.
The specification essentially allows developers and compliance and security teams to define their own policies for agents to follow. Rules can define what agents can and cannot do, when humans must approve actions, and what evidence must be recorded for later review. These policy files are checked at several “interception points” while the agent is performing tasks, to ensure that the agent remains within its guardrails.
The specification arrives as developers improvise ways to control what AI sees and does, with a particular focus on AI workflows that go awry through tool misuse or unintended actions that cause cascading failures.
Today, developers may specify instructions in system prompts, add custom checks to application code, and use classifiers to detect problematic inputs and outputs. While these approaches work, they often leave enterprises with fragmented controls that are difficult to audit and difficult to reuse across different frameworks, interfaces, and systems.

ACS aims to consolidate these controls into a common governance layer. According to Microsoft, this specification can be used to check whether an agent adheres to guardrails at multiple points in a workflow, including before the agent receives input, before invoking a tool, after the tool returns a result, and before the final response is sent to the user. Policies can also allow or block actions, redact sensitive information, or require user approval.
Developers can also insert classifiers on inputs and outputs to classify information, predict outcomes, and decide how the agent should respond, or add an LLM with a prompt to act as a policy “arbiter”. The specification also includes logic for checking tool calls, tool selection, input accuracy, output usage, and responses.
Additionally, because these policies can be written as a single file, they can be bundled with agents, allowing security policies to follow agents across different frameworks and environments.
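The four interception points and the allow, block, redact and approval outcomes described above, as an added example that is not part of the original article and is not the ACS SDK or policy schema. The rule fields, `check` and `guarded_tool_call` are hypothetical names, and the sample tools and inputs are constructed.

```python
import re

# Hypothetical policy as plain data, so it could live in one file bundled
# with the agent. Field names are assumptions, not the ACS schema.
POLICY = {
    "pre_input": [{"match": r"-----BEGIN [A-Z ]*PRIVATE KEY-----", "action": "block"}],
    "pre_tool": [{"tool": "delete_records", "action": "require_approval"},
                 {"tool": "shell", "action": "block"}],
    "post_tool": [{"match": r"\b\d{3}-\d{2}-\d{4}\b", "action": "redact"}],
    "pre_response": [{"match": r"(?i)api[_-]?key\s*[:=]\s*\S+", "action": "redact"}],
}
AUDIT = []  # evidence recorded for later review


def check(point, text="", tool=None, approver=None):
    """Apply the rules for one interception point; return (decision, text)."""
    if point not in POLICY:
        raise ValueError(f"unknown interception point: {point}")
    decision, fired = "allow", []
    for rule in POLICY[point]:
        if "tool" in rule and rule["tool"] != tool:
            continue
        if "match" in rule and not re.search(rule["match"], text):
            continue
        fired.append(rule["action"])
        if rule["action"] == "redact":
            text, decision = re.sub(rule["match"], "[REDACTED]", text), "redact"
        elif rule["action"] == "require_approval" and approver and approver(tool, text):
            continue  # a human approved, keep evaluating later rules
        else:  # explicit block, denied or missing approval, unknown action
            decision = "block"
            break
    AUDIT.append({"point": point, "tool": tool, "decision": decision, "rules": fired})
    return decision, text


def guarded_tool_call(tool, arg, tool_fn, approver=None):
    """Wrap one tool call with the pre-tool and post-tool checks."""
    decision, _ = check("pre_tool", arg, tool=tool, approver=approver)
    if decision == "block":
        return None  # the tool never runs
    decision, result = check("post_tool", tool_fn(arg), tool=tool)
    return None if decision == "block" else result


if __name__ == "__main__":  # constructed sample run
    print(guarded_tool_call("lookup", "id=7", lambda a: "name=Ann ssn=123-45-6789"))
    print(AUDIT)
```

A rule whose action is unrecognised, or an approval rule with no approver available, results in a block, so a malformed policy fails closed.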
ACS ships as an SDK that includes plugins for frameworks and tools such as LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, and MCP tools.
