Microsoft is offering developers a better way to control AI agent behavior


As AI agents become more powerful, organizations racing to run them across applications, workflows, and products face a new challenge: ensuring the agent does what it’s supposed to do when deployed across different environments.

Microsoft is trying to solve this problem with a new open source standard called Agent Control Specification, or ACS, which aims to give developers a more consistent and precise way to control what AI agents are allowed to do.

The specification essentially allows developers, together with compliance and security teams, to define their own policies for agents to follow. Rules can specify what an agent may and may not do, when a human must approve an action, and what evidence must be recorded for later review. These policy files are checked at several “intercept points” while the agent is executing a task, to ensure it stays within the guardrails.

These specifications come at a time when developers are improvising ways to control what their AI sees and does, especially as attention increasingly turns to AI workflows that go wrong due to tool misuse or unintended actions that lead to cascading failures.

Today, developers may specify instructions at the system prompt, add custom checks in application code, or use classifiers to catch problematic inputs and outputs. These approaches work, but they often leave companies with fragmented controls that are difficult to audit and difficult to reuse across different frameworks, interfaces, and systems.

Image credits: Microsoft

ACS aims to consolidate those controls into a common governance layer. Microsoft says the specification can be used to check whether an agent is adhering to guardrails at multiple points in its workflow — before it receives input, before it calls a tool, after the tool returns a result, and before the final response is sent to the user. The policy may allow an action, prohibit an action, redact sensitive information, or even require someone to agree to it.

Developers can also plug in their own components: input and output classifiers that label information, predict outcomes, or determine how an agent should respond; an LLM prompted to act as a “judge” of policy; and custom logic for checking tool calls, tool selection, input accuracy, and the use of outputs and responses.

Because these policies can be written as individual files, they can be bundled with agents, allowing the security policy to follow the agent across different frameworks and environments.
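To make the intercept-point model described above concrete, here is an added example, not Microsoft's code and not the ACS file format: a toy policy evaluator with a constructed policy (the `POLICY` schema, `evaluate`, `run_tool_step` and the `lookup_customer` stand-in tool are all hypothetical) that checks a tool step before the call and after the result, returns allow, deny, redact or require-approval, and records each rule hit as evidence for later review.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Verdict:
    decision: str                                # allow | deny | redact | require_approval
    payload: str                                 # text after any redaction
    evidence: list = field(default_factory=list) # rule hits kept for later review

# Constructed policy keyed by intercept point. The schema is hypothetical, not ACS's.
POLICY = {
    "before_tool_call": [
        {"tool": "send_email", "decision": "deny"},
        {"tool": "delete_records", "decision": "require_approval"},
    ],
    "after_tool_result": [
        {"pattern": r"\b\d{3}-\d{2}-\d{4}\b", "decision": "redact"},  # SSN-like value
    ],
    "before_response": [
        {"pattern": r"(?i)api[_-]?key\s*[:=]\s*\S+", "decision": "redact"},
    ],
}
RANK = {"allow": 0, "redact": 1, "require_approval": 2, "deny": 3}

def evaluate(point, text="", tool=None, policy=POLICY):
    """Apply every rule registered for `point`; the strictest matching decision wins."""
    verdict = Verdict("allow", text)
    for rule in policy.get(point, []):
        hit = (rule["tool"] == tool) if "tool" in rule else bool(re.search(rule["pattern"], text))
        if not hit:
            continue
        verdict.evidence.append({"point": point, "tool": tool, "rule": rule})
        if rule["decision"] == "redact":
            verdict.payload = re.sub(rule["pattern"], "[REDACTED]", verdict.payload)
        if RANK[rule["decision"]] > RANK[verdict.decision]:
            verdict.decision = rule["decision"]
    return verdict

def run_tool_step(tool, args, tool_impl):
    """One guarded tool step: check before the call, run it, then check the result."""
    pre = evaluate("before_tool_call", text=args, tool=tool)
    if pre.decision in ("deny", "require_approval"):
        return pre  # stop here; require_approval means a human must sign off before a retry
    post = evaluate("after_tool_result", text=tool_impl(args))
    post.evidence = pre.evidence + post.evidence
    return post

def lookup_customer(query):  # constructed stand-in for a real tool
    return f"Customer {query}: SSN 123-45-6789, status active"
```

The same `evaluate` call can be placed at the remaining intercept points (before input and before the final response), which is what lets one policy file travel with the agent across frameworks.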

ACS ships as a Software Development Kit (SDK) containing plugins for LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP Tools, and more.
