Microsoft Unveils Open-Source Standard for AI Agent Control
Quick Look
- Microsoft has introduced the Agent Control Specification (ACS), an open-source standard designed to provide developers with granular control over AI agent actions across various environments.
- ACS allows for defining policies on agent behavior, human approval workflows, and evidence logging, aiming to create consistent and auditable governance layers for AI applications.
AI-generated summary
Why It Matters
As AI agents become more capable, enterprises face challenges in ensuring they perform as intended across different environments. Current methods for controlling AI behavior are often fragmented and difficult to audit.
As AI agents grow ever more capable, enterprises racing to put them to work across applications, workflows, and products face a new challenge: ensuring an agent does what it’s supposed to do when it’s deployed across different environments.
Microsoft is trying to solve this problem with a new open-source standard called Agent Control Specification, or ACS, that aims to give developers a more consistent and granular way to control what AI agents are allowed to do.
The specification essentially lets developer, compliance, and security teams define their own policies for agents to follow. The rules can define what the agent may do, what it must not do, when a human should approve an action, and what evidence should be logged for later review. These policy files are checked at several “interception points” when the agent is off performing a task to make sure it stays within the guardrails.
The spec comes as developers are improvising ways to control what their AI sees and does, especially with conversations focusing on AI workflows going wrong due to tool misuse, or unintended actions that result in cascading failures.
Today, developers might specify instructions in a system prompt, add custom checks in the application code, or use classifiers to catch problematic inputs and outputs. Those approaches work, but they often leave companies with fragmented controls that are hard to audit and harder to reuse across different frameworks, interfaces, and systems.
ACS aims to integrate those controls into a common governance layer. Microsoft says the specification can be used to check whether an agent is sticking to guardrails at multiple points in its workflow — before it receives input, before it calls a tool, after a tool returns a result, and before the final response is sent to the user. A policy may allow an action, block it, redact sensitive information, or even ask a person to approve it.
Developers can also insert classifiers for inputs and outputs to categorize information, predict outcomes, or determine how an agent should respond; add LLMs with prompts to act as a “judge” for policies; and logic for checking tool calls, tool selection, input accuracy, output usage, and responses.
And because these policies can be written as single files, they can be bundled with agents, allowing a security policy to follow an agent across different frameworks and environments.
ACS is shipping as an SDK with plugins for LangChain, the OpenAI Agents SDK, the Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools, and more.
Open Questions
- How widely will ACS be adopted by the AI development community?
- What are the potential performance overheads of implementing ACS?
- Will ACS be able to keep pace with the rapid advancements in AI capabilities?
- Are there any security vulnerabilities inherent in the ACS specification itself?
