As AI agents become increasingly capable, businesses eager to deploy them across various applications, workflows, and products face a significant hurdle: ensuring each agent behaves correctly when operating in diverse environments. Microsoft aims to tackle this issue with a new, open-source standard known as the Agent Control Specification (ACS). This framework is designed to give developers a more uniform and detailed method for managing what AI agents are permitted to do. Essentially, the specification allows development, compliance, and security teams to define their own policies that agents must follow. These rules can specify allowed actions, prohibited actions, when human approval is needed, and what evidence must be recorded for future audits. The policy files are checked at several "interception points" while the agent performs tasks, ensuring it stays within designated guardrails.

This specification arrives as developers are creating ad-hoc methods to control what their AI sees and does, particularly as discussions highlight AI workflows failing due to tool misuse or unintended actions that lead to cascading failures. Currently, developers might embed instructions in system prompts, add custom checks within application code, or use classifiers to catch problematic inputs and outputs. While these approaches work, they often result in fragmented controls that are difficult to audit and challenging to reuse across different frameworks, interfaces, and systems.

ACS aims to unify these controls into a common governance layer. Microsoft explains that the specification can verify whether an agent adheres to guardrails at multiple points in its workflow—before it receives input, before it calls a tool, after a tool returns a result, and before the final response is sent to the user. A policy might allow an action, block it, redact sensitive information, or even request human approval. Developers can also integrate classifiers for inputs and outputs to categorize information, predict outcomes, or determine how an agent should respond. Additionally, they can add LLMs with prompts to act as a "judge" for policies, along with logic for checking tool calls, tool selection, input accuracy, output usage, and responses. Because these policies can be written as single files, they can be bundled with agents, enabling a security policy to follow an agent across different frameworks and environments. ACS is being released as an SDK with plugins for LangChain, the OpenAI Agents SDK, the Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools, and more.